@askexenow/exe-os 0.9.86 → 0.9.88

package/dist/mcp/server.js

@@ -889,8 +889,8 @@ async function embedDirect(text3) {
   const llamaCpp = await import("node-llama-cpp");
   const { MODELS_DIR: MODELS_DIR2 } = await Promise.resolve().then(() => (init_config(), config_exports));
   const { existsSync: existsSync42 } = await import("fs");
-  const path55 = await import("path");
-  const modelPath = path55.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
+  const path56 = await import("path");
+  const modelPath = path56.join(MODELS_DIR2, "jina-embeddings-v5-small-q4_k_m.gguf");
   if (!existsSync42(modelPath)) {
     throw new Error(`Embedding model not found at ${modelPath}. Run '/exe-setup' to download it.`);
   }
@@ -2180,6 +2180,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config2) {
   if (_walCheckpointTimer) {
@@ -2221,6 +2222,16 @@ async function initDatabase(config2) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config2.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config2.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -3723,7 +3734,7 @@ async function tryKeytar() {
 }
 function deriveMachineKey() {
   try {
-    const crypto20 = __require("crypto");
+    const crypto21 = __require("crypto");
     const material = [
       os5.hostname(),
       os5.userInfo().username,
@@ -3732,7 +3743,7 @@ function deriveMachineKey() {
       // Machine ID on Linux (stable across reboots)
       process.platform === "linux" ? readMachineId() : ""
     ].join("|");
-    return crypto20.createHash("sha256").update(material).digest();
+    return crypto21.createHash("sha256").update(material).digest();
   } catch {
     return null;
   }
@@ -3746,9 +3757,9 @@ function readMachineId() {
   }
 }
 function encryptWithMachineKey(plaintext, machineKey) {
-  const crypto20 = __require("crypto");
-  const iv = crypto20.randomBytes(12);
-  const cipher = crypto20.createCipheriv("aes-256-gcm", machineKey, iv);
+  const crypto21 = __require("crypto");
+  const iv = crypto21.randomBytes(12);
+  const cipher = crypto21.createCipheriv("aes-256-gcm", machineKey, iv);
   let encrypted = cipher.update(plaintext, "utf-8", "base64");
   encrypted += cipher.final("base64");
   const authTag = cipher.getAuthTag().toString("base64");
@@ -3757,13 +3768,13 @@ function encryptWithMachineKey(plaintext, machineKey) {
 function decryptWithMachineKey(encrypted, machineKey) {
   if (!encrypted.startsWith(ENCRYPTED_PREFIX)) return null;
   try {
-    const crypto20 = __require("crypto");
+    const crypto21 = __require("crypto");
     const parts = encrypted.slice(ENCRYPTED_PREFIX.length).split(":");
     if (parts.length !== 3) return null;
     const [ivB64, tagB64, cipherB64] = parts;
     const iv = Buffer.from(ivB64, "base64");
     const authTag = Buffer.from(tagB64, "base64");
-    const decipher = crypto20.createDecipheriv("aes-256-gcm", machineKey, iv);
+    const decipher = crypto21.createDecipheriv("aes-256-gcm", machineKey, iv);
     decipher.setAuthTag(authTag);
     let decrypted = decipher.update(cipherB64, "base64", "utf-8");
     decrypted += decipher.final("utf-8");
@@ -4801,6 +4812,24 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "When an agent encounters a suspected Exe OS bug, update breakage, MCP/tool failure, installer issue, memory/orchestration defect, or customer-local patch need, it MUST use create_bug_report. Do this before or alongside any local workaround so the report reaches AskExe support directly via the customer's license. Do NOT ask the founder for permission to file a required bug report. If create_bug_report is deferred/lazy-loaded, load it and call it. If it is unavailable in the live MCP surface, report 'create_bug_report unavailable in this session' and save a local report in exe/output \u2014 never claim the tool does not exist unless the live MCP surface was checked. If upstream delivery fails, call support_test (MCP) and include its result in the local report so AskExe can distinguish customer setup, license provisioning, and server intake issues; only ask the founder to run `exe-os support test` if MCP is disconnected/unavailable. Classify first: upstream_bug = reproducible exe-os/platform defect; customer_customization = identity, behavior, procedure, config, branding, workflow preference that belongs in customer-owned layers; emergency_hotfix = temporary local patch. For upstream bugs/emergency hotfixes include version, repro steps, expected/actual, files changed, workaround, and local diff summary. Avoid permanent platform-code patches unless founder approves; if a hotfix is unavoidable, document it in the bug report and re-check after npm update."
       },
+      {
+        title: "Bug report status check \u2014 surface available fixes on boot",
+        domain: "support",
+        priority: "p1",
+        content: "Once per session (COO boot only, never repeat), call list_my_bug_reports to check if any previously filed bug reports have been fixed by AskExe. If any report has status 'fixed' with a fixed_version, surface it to the founder immediately: '\u{1F527} N bug fix(es) available \u2014 run exe-os update to get version X.Y.Z'. This is a one-time check at boot, not a recurring poll. If no reports exist or none are fixed, skip silently. If the MCP tool is unavailable or the network call fails, skip silently \u2014 this is informational, not blocking."
+      },
+      {
+        title: "Feature request triage \u2014 upstream feature vs local customization",
+        domain: "support",
+        priority: "p0",
+        content: "When an agent or founder identifies a desired capability that exe-os does not yet provide, the COO (or equivalent coordinator) must decide: is this a local customization (identity, behavior, procedure, config, branding, workflow preference that can be configured in customer-owned layers) or an upstream feature request (a platform capability that requires changes to exe-os code, shipped via npm update)? Local customizations: implement immediately using store_behavior, update_identity, company_procedure, or config changes. Upstream features: use create_feature_request to submit to AskExe. Include use case, business impact, and current workaround. Do NOT ask the founder for permission to file a feature request \u2014 file it proactively when the need is clear."
+      },
+      {
+        title: "Feature request status check \u2014 surface shipped features on boot",
+        domain: "support",
+        priority: "p1",
+        content: "Once per session (COO boot only, never repeat), call list_my_feature_requests to check if any previously filed feature requests have been shipped by AskExe. If any request has status 'shipped' with a shipped_version, surface it to the founder immediately: '\u{1F680} N feature(s) shipped \u2014 run exe-os update to get version X.Y.Z'. This is a one-time check at boot, not a recurring poll. If no requests exist or none are shipped, skip silently. If the MCP tool is unavailable or the network call fails, skip silently \u2014 this is informational, not blocking."
+      },
       // --- Operations ---
       {
         title: "Managers must supervise deployed workers",
@@ -7321,10 +7350,10 @@ async function hybridSearch(queryText, agentId, options) {
     };
     try {
       const fs = await import("fs");
-      const path55 = await import("path");
+      const path56 = await import("path");
       const os21 = await import("os");
-      const logPath = path55.join(os21.homedir(), ".exe-os", "search-quality.jsonl");
-      fs.mkdirSync(path55.dirname(logPath), { recursive: true });
+      const logPath = path56.join(os21.homedir(), ".exe-os", "search-quality.jsonl");
+      fs.mkdirSync(path56.dirname(logPath), { recursive: true });
       fs.appendFileSync(logPath, JSON.stringify(logEntry) + "\n");
     } catch {
     }
@@ -8617,8 +8646,8 @@ __export(wiki_client_exports, {
   listDocuments: () => listDocuments,
   listWorkspaces: () => listWorkspaces
 });
-async function wikiFetch(config2, path55, method = "GET", body) {
-  const url = `${config2.baseUrl}/api/v1${path55}`;
+async function wikiFetch(config2, path56, method = "GET", body) {
+  const url = `${config2.baseUrl}/api/v1${path56}`;
   const headers = {
     Authorization: `Bearer ${config2.apiKey}`,
     "Content-Type": "application/json"
@@ -8651,7 +8680,7 @@ async function wikiFetch(config2, path55, method = "GET", body) {
       }
     }
     if (!response.ok) {
-      throw new Error(`Wiki API ${method} ${path55}: ${response.status} ${response.statusText}`);
+      throw new Error(`Wiki API ${method} ${path56}: ${response.status} ${response.statusText}`);
     }
     return response.json();
   } finally {
@@ -9408,7 +9437,7 @@ function readQueue() {
 function writeQueue(queue) {
   ensureDir();
   const tmp = `${QUEUE_PATH}.tmp`;
-  writeFileSync9(tmp, JSON.stringify(queue, null, 2));
+  writeFileSync9(tmp, JSON.stringify(queue, null, 2), { mode: 384 });
   renameSync4(tmp, QUEUE_PATH);
 }
 function queueIntercom(targetSession, reason) {
@@ -12786,12 +12815,14 @@ On EVERY new conversation, before doing anything else:
 1. **Memory scan**: Run recall_my_memory with broad queries \u2014 "project", "client", "pipeline", "campaign", "deal", "decision", "blocker". Summarize what you find.
 2. **Task scan**: Run list_tasks to see what's open, in progress, blocked, or needs review across all employees.
 3. **Team check**: Run ask_team_memory for recent activity from CTO/CMO/engineers.
-4. **Present the brief**: Give the founder a concise status report:
+4. **Bug fix check** (one-time, never repeat): Call list_my_bug_reports to see if AskExe has fixed any previously filed bugs. If any have status "fixed" with a fixed_version, tell the founder: "\u{1F527} N bug fix(es) available \u2014 run \`exe-os update\` to get version X.Y.Z." Skip silently if none or if the call fails.
+5. **Present the brief**: Give the founder a concise status report:
    - What's active and progressing
    - What's blocked and needs attention
    - What decisions are pending
+   - Available bug fixes (from step 4, if any)
    - What you recommend doing next
-5. Then ask: "What's the priority?"
+6. Then ask: "What's the priority?"
 
 If this is your FIRST ever conversation (few or no prior memories):
 - Search more broadly: "product", "SEO", "meeting", "strategy", "revenue"
@@ -12811,6 +12842,8 @@ Never say "I have no memories" without first searching broadly. Your memory may
 - **get_identity** \u2014 read any agent's identity for coordination
 - **set_agent_config** \u2014 view or change which tool (Claude Code, Codex, OpenCode) and model each agent uses. Call with no args to show all agents' current settings. Call with agent_id + runtime + model to change.
 - **send_message** \u2014 direct intercom to employees
+- **create_bug_report** \u2014 file a bug when you encounter an Exe OS platform issue
+- **list_my_bug_reports** \u2014 check status of filed bugs (boot check: surface available fixes to founder)
 ${PLAN_MODE_COMPAT}
 ## Completion Workflow
 
@@ -13974,6 +14007,21 @@ var init_crdt_sync = __esm({
   }
 });
 
+// src/lib/pg-ssl.ts
+var pg_ssl_exports = {};
+__export(pg_ssl_exports, {
+  pgSslConfig: () => pgSslConfig
+});
+function pgSslConfig() {
+  if (process.env.EXE_DB_SSL_DISABLED === "true") return {};
+  return { ssl: { rejectUnauthorized: process.env.EXE_DB_SSL_ALLOW_SELFSIGNED !== "true" } };
+}
+var init_pg_ssl = __esm({
+  "src/lib/pg-ssl.ts"() {
+    "use strict";
+  }
+});
+
 // src/lib/tmux-status.ts
 import { execSync as execSync13 } from "child_process";
 function inTmux() {
@@ -14208,7 +14256,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { spawn as spawn4 } from "child_process";
 import { existsSync as existsSync41, openSync as openSync4, mkdirSync as mkdirSync23, closeSync as closeSync4, readFileSync as readFileSync36 } from "fs";
-import path54 from "path";
+import path55 from "path";
 import os20 from "os";
 import { fileURLToPath as fileURLToPath7 } from "url";
 
@@ -18596,12 +18644,12 @@ function registerExportGraph(server2) {
         }
         const html = await exportGraphHTML(client);
         const fs = await import("fs");
-        const path55 = await import("path");
+        const path56 = await import("path");
         const os21 = await import("os");
-        const outDir = path55.join(os21.homedir(), ".exe-os", "exports");
+        const outDir = path56.join(os21.homedir(), ".exe-os", "exports");
         fs.mkdirSync(outDir, { recursive: true });
         const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-").slice(0, 19);
-        const filePath = path55.join(outDir, `graph-${timestamp}.html`);
+        const filePath = path56.join(outDir, `graph-${timestamp}.html`);
         fs.writeFileSync(filePath, html, "utf-8");
         return {
           content: [
@@ -19918,6 +19966,130 @@ import { existsSync as existsSync24, readFileSync as readFileSync20 } from "fs";
 import path30 from "path";
 import { homedir as homedir4 } from "os";
 import { z as z54 } from "zod";
+
+// src/mcp/license-gate.ts
+init_license();
+var _cachedLicense = null;
+var _hasLicenseKey = false;
+async function initLicenseGate() {
+  const key = loadLicense();
+  _hasLicenseKey = key !== null && key.length > 0;
+  if (_hasLicenseKey) {
+    try {
+      _cachedLicense = await checkLicense();
+    } catch {
+      _cachedLicense = null;
+    }
+    return { license: _cachedLicense, hasKey: true };
+  }
+  return { license: null, hasKey: false };
+}
+function getCachedLicenseGate() {
+  return {
+    license: _cachedLicense,
+    hasKey: _hasLicenseKey
+  };
+}
+
+// src/mcp/tool-telemetry.ts
+var _toolCalls = /* @__PURE__ */ new Map();
+var _sessionStartedAt = Date.now();
+var _flushTimer2 = null;
+function recordCall(toolName, action, isError) {
+  let record = _toolCalls.get(toolName);
+  if (!record) {
+    record = { count: 0, actions: /* @__PURE__ */ new Map(), lastCalledAt: 0, errors: 0 };
+    _toolCalls.set(toolName, record);
+  }
+  record.count++;
+  record.lastCalledAt = Date.now();
+  if (isError) record.errors++;
+  if (action) {
+    record.actions.set(action, (record.actions.get(action) ?? 0) + 1);
+  }
+}
+function wrapServerWithTelemetry(server2) {
+  const originalRegisterTool = server2.registerTool.bind(server2);
+  server2.registerTool = (name, config2, handler) => {
+    const wrappedHandler = async (input, extra) => {
+      const action = input.action;
+      try {
+        const result3 = await handler(input, extra);
+        const isError = result3?.isError === true;
+        recordCall(name, action, isError);
+        return result3;
+      } catch (err) {
+        recordCall(name, action, true);
+        throw err;
+      }
+    };
+    return originalRegisterTool(name, config2, wrappedHandler);
+  };
+  return server2;
+}
+function getToolUsageStats() {
+  let totalCalls = 0;
+  let totalErrors = 0;
+  const tools = {};
+  for (const [name, record] of _toolCalls) {
+    totalCalls += record.count;
+    totalErrors += record.errors;
+    const entry = {
+      calls: record.count,
+      errors: record.errors,
+      lastCalledAt: new Date(record.lastCalledAt).toISOString()
+    };
+    if (record.actions.size > 0) {
+      entry.actions = Object.fromEntries(record.actions);
+    }
+    tools[name] = entry;
+  }
+  return {
+    sessionStartedAt: new Date(_sessionStartedAt).toISOString(),
+    uptimeMs: Date.now() - _sessionStartedAt,
+    totalCalls,
+    totalErrors,
+    tools
+  };
+}
+var FLUSH_INTERVAL_MS = 5 * 60 * 1e3;
+var _lastFlushedAt = 0;
+async function flushToMemory() {
+  const stats = getToolUsageStats();
+  if (stats.totalCalls === 0) return;
+  if (stats.totalCalls === _lastFlushedAt) return;
+  try {
+    const { getClient: getClient2, isInitialized: isInitialized2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+    if (!isInitialized2()) return;
+    const client = getClient2();
+    const toolSummary = Object.entries(stats.tools).sort((a, b) => b[1].calls - a[1].calls).map(([name, t]) => {
+      const actionStr = t.actions ? ` (${Object.entries(t.actions).sort((a, b) => b[1] - a[1]).map(([a, c]) => `${a}:${c}`).join(", ")})` : "";
+      return `${name}: ${t.calls} calls${t.errors > 0 ? ` (${t.errors} errors)` : ""}${actionStr}`;
+    }).join("\n");
+    const raw_text = `Tool usage since ${stats.sessionStartedAt} (${Math.round(stats.uptimeMs / 6e4)}min):
+Total: ${stats.totalCalls} calls, ${stats.totalErrors} errors
+
+${toolSummary}`;
+    await client.execute({
+      sql: `INSERT INTO memories (id, agent_id, raw_text, memory_type, project_name, importance, created_at, updated_at)
+            VALUES (?, 'system', ?, 'telemetry', 'exe-os', 2, datetime('now'), datetime('now'))`,
+      args: [
+        `telemetry-tools-${Date.now()}`,
+        raw_text
+      ]
+    });
+    _lastFlushedAt = stats.totalCalls;
+  } catch {
+  }
+}
+function startToolTelemetryFlush() {
+  if (_flushTimer2) return;
+  _sessionStartedAt = Date.now();
+  _flushTimer2 = setInterval(() => void flushToMemory(), FLUSH_INTERVAL_MS);
+  _flushTimer2.unref();
+}
+
+// src/mcp/tools/mcp-ping.ts
 var PID_PATH3 = path30.join(homedir4(), ".exe-os", "exed.pid");
 function isDaemonAlive2() {
   try {
@@ -19944,6 +20116,7 @@ function registerMcpPing(server2) {
       const daemon = isDaemonAlive2();
       const summary = summarizeMcpTransport();
       writeMcpTransportSummary();
+      const gate = getCachedLicenseGate();
       const status2 = daemon.alive ? "ok" : "degraded";
       return {
         content: [
@@ -19952,8 +20125,14 @@ function registerMcpPing(server2) {
             text: JSON.stringify({
               status: status2,
               daemon,
+              licenseGate: {
+                hasKey: gate.hasKey,
+                plan: gate.license?.plan ?? "none",
+                valid: gate.license?.valid ?? false
+              },
+              toolUsage: getToolUsageStats(),
               mcpTransport: summary,
-              remediation: daemon.alive ? "MCP transport probe reached the server. If tools still fail, reconnect the MCP client." : "Daemon is offline. Restart exe-os/exed; do not bypass MCP or access the DB directly."
+              remediation: daemon.alive ? gate.hasKey ? "MCP transport probe reached the server. If tools still fail, reconnect the MCP client." : "No license key found. Run: echo 'exe_sk_YOUR_KEY' > ~/.exe-os/license.key then reconnect MCP." : "Daemon is offline. Restart exe-os/exed; do not bypass MCP or access the DB directly."
             }, null, 2)
           }
         ]
@@ -20159,6 +20338,7 @@ import { fileURLToPath as fileURLToPath4 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath4(importMetaUrl));
@@ -21575,7 +21755,8 @@ function loadPgClient() {
         return new Ctor();
       }
       const { Pool } = await import("pg");
-      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL, ...pgSslConfig2() });
       return {
         async $queryRawUnsafe(query, ...values) {
           const result3 = await pool.query(query, values);
@@ -22104,6 +22285,17 @@ async function cloudSync(config2) {
   } catch (err) {
     logError(`[cloud-sync] DB backup upload error: ${err instanceof Error ? err.message : String(err)}`);
   }
+  let codeContextResult = { pushed: 0, pulled: 0 };
+  try {
+    codeContextResult.pushed = await cloudPushCodeContext(config2);
+  } catch (err) {
+    logError(`[cloud-sync] Code context push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    codeContextResult.pulled = await cloudPullCodeContext(config2);
+  } catch (err) {
+    logError(`[cloud-sync] Code context pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
   return {
     pushed,
     pulled,
@@ -22113,7 +22305,8 @@ async function cloudSync(config2) {
     tasks: tasksResult,
     conversations: conversationsResult,
     documents: documentsResult,
-    roster: rosterResult
+    roster: rosterResult,
+    codeContext: codeContextResult
   };
 }
 var ROSTER_DELETIONS_PATH = path37.join(EXE_AI_DIR, "roster-deletions.json");
@@ -22741,6 +22934,99 @@ async function cloudPullDocuments(config2) {
   }
   return { pulled };
 }
+var CODE_CONTEXT_DIR = path37.join(EXE_AI_DIR, "code-context");
+async function cloudPushCodeContext(config2) {
+  assertSecureEndpoint(config2.endpoint);
+  if (!existsSync32(CODE_CONTEXT_DIR)) return 0;
+  const files = readdirSync11(CODE_CONTEXT_DIR).filter(
+    (f) => f.endsWith(".json") && !f.endsWith(".vectors.json") && !f.startsWith(".")
+  );
+  if (files.length === 0) return 0;
+  const metaPath = path37.join(CODE_CONTEXT_DIR, ".sync-meta.json");
+  let syncMeta = {};
+  if (existsSync32(metaPath)) {
+    try {
+      syncMeta = JSON.parse(readFileSync25(metaPath, "utf-8"));
+    } catch {
+    }
+  }
+  let pushed = 0;
+  for (const file of files) {
+    const filePath = path37.join(CODE_CONTEXT_DIR, file);
+    try {
+      const stat = statSync7(filePath);
+      const lastPushed = syncMeta[file] ?? 0;
+      if (stat.mtimeMs <= lastPushed) continue;
+      const content = readFileSync25(filePath, "utf-8");
+      const header = content.substring(0, 300);
+      if (header.includes("/tmp") || header.includes("/var/folders") || header.includes(".worktrees/")) continue;
+      const compressed = compress(Buffer.from(content, "utf8"));
+      const encrypted = encryptSyncBlob(compressed);
+      const resp = await fetchWithRetry(`${config2.endpoint}/sync/push-code-context`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${config2.apiKey}`,
+          "Content-Type": "application/json",
+          "X-Device-Id": loadDeviceId()
+        },
+        body: JSON.stringify({ key: file, blob: encrypted })
+      });
+      if (resp.ok) {
+        syncMeta[file] = stat.mtimeMs;
+        pushed++;
+      }
+    } catch {
+    }
+  }
+  if (pushed > 0) {
+    try {
+      writeFileSync18(metaPath, JSON.stringify(syncMeta));
+    } catch {
+    }
+  }
+  return pushed;
+}
+async function cloudPullCodeContext(config2) {
+  assertSecureEndpoint(config2.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config2.endpoint}/sync/pull-code-context`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config2.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return 0;
+    const data = await resp.json();
+    if (!data.indexes || data.indexes.length === 0) return 0;
+    mkdirSync16(CODE_CONTEXT_DIR, { recursive: true });
+    let pulled = 0;
+    for (const { key, blob } of data.indexes) {
+      try {
+        if (key.endsWith(".vectors.json")) continue;
+        const localPath = path37.join(CODE_CONTEXT_DIR, key);
+        const compressed = decryptSyncBlob(blob);
+        const content = decompress(compressed).toString("utf8");
+        if (!existsSync32(localPath)) {
+          writeFileSync18(localPath, content, "utf-8");
+          pulled++;
+        } else {
+          const localContent = readFileSync25(localPath, "utf-8");
+          if (localContent.length !== content.length) {
+            writeFileSync18(localPath, content, "utf-8");
+            pulled++;
+          }
+        }
+      } catch {
+      }
+    }
+    return pulled;
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] Code context pull failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return 0;
+  }
+}
 
 // src/mcp/tools/cloud-sync.ts
 init_config();
@@ -23580,9 +23866,9 @@ var HostingerApiClient = class {
     }
     this.lastRequestTime = Date.now();
   }
-  async request(method, path55, body) {
+  async request(method, path56, body) {
     await this.rateLimit();
-    const url = `${this.baseUrl}${path55}`;
+    const url = `${this.baseUrl}${path56}`;
     const headers = {
       Authorization: `Bearer ${this.apiKey}`,
       "Content-Type": "application/json",
@@ -23655,8 +23941,8 @@ async function requestCloudflare(cfApiToken, zoneId, options) {
   }
   return envelope.result;
 }
-function buildUrl(zoneId, path55 = "/dns_records", query) {
-  const normalizedPath = path55.startsWith("/") ? path55 : `/${path55}`;
+function buildUrl(zoneId, path56 = "/dns_records", query) {
+  const normalizedPath = path56.startsWith("/") ? path56 : `/${path56}`;
   const url = new URL(
     `${CLOUDFLARE_API_BASE_URL}/zones/${zoneId}${normalizedPath}`
   );
@@ -26899,6 +27185,22 @@ async function getExeDbReadClient() {
   }
   if (!prismaPromise3) {
     prismaPromise3 = (async () => {
+      const readonlyUrl = process.env.MCP_READONLY_DATABASE_URL;
+      if (readonlyUrl) {
+        const { Pool } = await import("pg");
+        const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+        const pool = new Pool({ connectionString: readonlyUrl, ...pgSslConfig2() });
+        return {
+          async $queryRawUnsafe(query, ...values) {
+            const result3 = await pool.query(query, values);
+            return result3.rows;
+          },
+          async $disconnect() {
+            await pool.end();
+          }
+        };
+      }
+      console.warn("[exe-db-read] WARNING: MCP_READONLY_DATABASE_URL not set \u2014 falling back to admin role");
       const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
       if (explicitPath) {
         const mod2 = await import(pathToFileURL5(explicitPath).href);
@@ -27367,14 +27669,206 @@ Upstream status: ${upstreamStatus}`
   );
 }
 
-// src/mcp/tools/support.ts
+// src/mcp/tools/create-feature-request.ts
+init_embedder();
+init_active_agent();
+init_config();
+init_license();
+init_store();
 import { z as z89 } from "zod";
+import crypto19 from "crypto";
+import { mkdir as mkdir7, writeFile as writeFile8 } from "fs/promises";
+import path50 from "path";
+var CATEGORY = z89.enum([
+  "upstream_feature",
+  "local_customization",
+  "integration",
+  "unclear"
+]);
+var PRIORITY = z89.enum(["p0", "p1", "p2", "p3"]);
+function slugify3(input) {
+  return input.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 80) || "feature-request";
+}
+function section2(title, body) {
+  return `## ${title}
+
+${body?.trim() || "Not provided"}`;
+}
+function buildMarkdown2(input) {
+  return [
+    `# Feature Request \u2014 ${input.title}`,
+    "",
+    `id: ${input.id}`,
+    `category: ${input.category}`,
+    `priority: ${input.priority}`,
+    `filed_by: ${input.agentId} (${input.agentRole})`,
+    `package_version: ${input.packageVersion}`,
+    `project: ${input.projectName ?? "unknown"}`,
+    `created_at: ${(/* @__PURE__ */ new Date()).toISOString()}`,
+    "",
+    section2("Description", input.description),
+    section2("Use Case", input.useCase),
+    section2("Current Workaround", input.currentWorkaround),
+    section2("Proposed Solution", input.proposedSolution),
+    section2("Business Impact", input.businessImpact)
+  ].join("\n");
+}
+async function maybeSendUpstream2(payload) {
+  const config2 = await loadConfig();
+  const routerUrl = process.env.API_ROUTER_URL?.replace(/\/+$/, "");
+  const endpoint2 = config2.support?.featureRequestEndpoint || process.env.EXE_FEATURE_REQUEST_ENDPOINT || (routerUrl ? `${routerUrl}/v1/support/feature-requests` : "https://askexe.com/v1/support/feature-requests");
+  const token = config2.support?.featureRequestToken || process.env.EXE_FEATURE_REQUEST_TOKEN;
+  const licenseKey = loadLicense() || process.env.EXE_LICENSE_KEY || config2.cloud?.apiKey;
+  const licenseToken = readCachedLicenseToken();
+  if (!endpoint2) {
+    return "not_configured";
+  }
+  try {
+    const parsed = new URL(endpoint2);
+    if (parsed.protocol !== "https:" && !["localhost", "127.0.0.1", "::1"].includes(parsed.hostname)) {
+      return "failed: insecure endpoint rejected";
+    }
+    const response = await fetch(parsed, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...token ? { authorization: `Bearer ${token}` } : {},
+        ...licenseKey ? { "x-exe-license-key": licenseKey } : {},
+        ...licenseToken ? { "x-exe-license-token": licenseToken } : {}
+      },
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!response.ok) return `failed: HTTP ${response.status}`;
+    return "sent";
+  } catch (err) {
+    return `failed: ${err instanceof Error ? err.message : String(err)}`;
+  }
+}
+function registerCreateFeatureRequest(server2) {
+  server2.registerTool(
+    "create_feature_request",
+    {
+      title: "Create Feature Request",
+      description: "File a feature request for exe-os: upstream_feature (requires platform changes), local_customization (configurable in customer layers), integration (third-party), or unclear. Writes a local report, stores memory, and optionally sends to AskExe.",
+      inputSchema: {
+        title: z89.string().min(3).describe("Short descriptive title"),
+        category: CATEGORY.describe(
+          "upstream_feature = platform capability change; local_customization = configurable in customer layers; integration = third-party connector; unclear = needs product triage"
+        ),
+        priority: PRIORITY.default("p2").describe("p0 critical \u2192 p3 low"),
+        description: z89.string().min(10).describe("What capability is needed and why"),
+        use_case: z89.string().optional().describe("Concrete scenario where this feature would be used"),
+        current_workaround: z89.string().optional().describe("How the need is currently addressed, if at all"),
+        proposed_solution: z89.string().optional().describe("Suggested implementation approach"),
+        business_impact: z89.string().optional().describe("Impact on business/workflow if this ships"),
+        package_version: z89.string().optional().describe("Installed @askexenow/exe-os version"),
+        project_name: z89.string().optional().describe("Project/customer context"),
+        send_upstream: z89.boolean().default(true).describe("Attempt to POST to configured AskExe support endpoint")
+      }
+    },
+    async ({
+      title,
+      category,
+      priority,
+      description,
+      use_case,
+      current_workaround,
+      proposed_solution,
+      business_impact,
+      package_version,
+      project_name,
+      send_upstream
+    }) => {
+      const { agentId, agentRole } = getActiveAgent();
+      const id = crypto19.randomUUID();
+      const version = package_version ?? "unknown";
+      const markdown = buildMarkdown2({
+        id,
+        title,
+        category,
+        priority,
+        agentId,
+        agentRole,
+        packageVersion: version,
+        description,
+        useCase: use_case,
+        currentWorkaround: current_workaround,
+        proposedSolution: proposed_solution,
+        businessImpact: business_impact,
+        projectName: project_name
+      });
+      const outDir = path50.join(EXE_AI_DIR, "feature-requests");
+      await mkdir7(outDir, { recursive: true });
+      const reportPath = path50.join(outDir, `${(/* @__PURE__ */ new Date()).toISOString().slice(0, 10)}-${slugify3(title)}-${id.slice(0, 8)}.md`);
+      await writeFile8(reportPath, markdown, "utf-8");
+      let vector = null;
+      try {
+        vector = await embed(markdown);
+      } catch {
+        vector = null;
+      }
+      await writeMemory({
+        id,
+        agent_id: agentId,
+        agent_role: agentRole,
+        session_id: process.env.SESSION_ID ?? "manual",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        tool_name: "create_feature_request",
+        project_name: project_name ?? "support",
+        has_error: false,
+        raw_text: markdown,
+        vector,
+        source_path: reportPath,
+        source_type: "feature_request",
+        memory_type: "feature_request",
+        tier: 1,
+        importance: priority === "p0" ? 10 : priority === "p1" ? 9 : priority === "p2" ? 7 : 5,
+        intent: "request",
+        domain: "support",
+        file_paths: null
+      });
+      await flushBatch();
+      const upstreamStatus = send_upstream ? await maybeSendUpstream2({
+        id,
+        title,
+        category,
+        priority,
+        description,
+        use_case,
+        current_workaround,
+        proposed_solution,
+        business_impact,
+        package_version: version,
+        project_name,
+        agent_id: agentId,
+        agent_role: agentRole
+      }) : "skipped";
+      return {
+        content: [
+          {
+            type: "text",
+            text: `Feature request created.
+ID: ${id}
+Category: ${category}
+Local report: ${reportPath}
+Memory stored: ${id}
+Upstream status: ${upstreamStatus}`
+          }
+        ]
+      };
+    }
+  );
+}
+
+// src/mcp/tools/support.ts
+import { z as z90 } from "zod";
 
 // src/bin/exe-support.ts
 init_config();
 init_license();
 import { mkdirSync as mkdirSync21, readFileSync as readFileSync32, unlinkSync as unlinkSync12, writeFileSync as writeFileSync23 } from "fs";
-import path50 from "path";
+import path51 from "path";
 import { randomUUID as randomUUID9 } from "crypto";
 var DEFAULT_BUG_ENDPOINT = "https://askexe.com/v1/support/bug-reports";
 var DEFAULT_ADMIN_ENDPOINT = "https://askexe.com/admin/support/bug-reports";
@@ -27495,8 +27989,8 @@ async function resolveEndpoints() {
   return { bugEndpoint, healthEndpoint, adminEndpoint };
 }
 function checkLocalWrite() {
-  const dir = path50.join(EXE_AI_DIR, "bug-reports");
-  const testPath = path50.join(dir, ".support-write-test");
+  const dir = path51.join(EXE_AI_DIR, "bug-reports");
+  const testPath = path51.join(dir, ".support-write-test");
   try {
     mkdirSync21(dir, { recursive: true, mode: 448 });
     writeFileSync23(testPath, "ok\n", { mode: 384 });
@@ -27512,10 +28006,10 @@ function checkLocalWrite() {
   }
 }
 function writeLocalTestReport(id, project, version) {
-  const dir = path50.join(EXE_AI_DIR, "bug-reports");
+  const dir = path51.join(EXE_AI_DIR, "bug-reports");
   mkdirSync21(dir, { recursive: true, mode: 448 });
   const date = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
-  const filePath = path50.join(dir, `${date}-support-intake-test-${id.slice(0, 8)}.md`);
+  const filePath = path51.join(dir, `${date}-support-intake-test-${id.slice(0, 8)}.md`);
   writeFileSync23(filePath, `# TEST \u2014 ${project} support intake
 
 Report ID: ${id}
@@ -27557,15 +28051,15 @@ async function maybeCloseAdmin(id, adminEndpoint, version) {
   }
 }
 function readPackageVersion2() {
-  let dir = path50.dirname(new URL(import.meta.url).pathname);
+  let dir = path51.dirname(new URL(import.meta.url).pathname);
   for (let i = 0; i < 6; i++) {
-    const pkg = path50.join(dir, "package.json");
+    const pkg = path51.join(dir, "package.json");
     try {
       const parsed = JSON.parse(readFileSync32(pkg, "utf8"));
       if (parsed.version) return parsed.version;
     } catch {
     }
-    dir = path50.dirname(dir);
+    dir = path51.dirname(dir);
   }
   return "unknown";
 }
@@ -27632,7 +28126,7 @@ function registerSupportTools(server2) {
       title: "Support Test",
       description: "End-to-end support intake smoke test. Files a clearly marked test report upstream and auto-closes it on AskExe machines with admin credentials.",
       inputSchema: {
-        project: z89.string().default("support-smoke").describe("Customer/project name, e.g. hygo")
+        project: z90.string().default("support-smoke").describe("Customer/project name, e.g. hygo")
       }
     },
     async ({ project }) => {
@@ -27650,8 +28144,8 @@ function registerSupportTools(server2) {
       title: "My Bug Reports",
       description: "List bug reports you've filed, scoped to your license. Shows status (open/triaged/fixed/closed), severity, and fixed_version so you know when to update.",
       inputSchema: {
-        status: z89.enum(["all", "open", "triaged", "fixed", "closed", "wontfix"]).default("all").describe("Filter by status. Default: all"),
-        limit: z89.number().min(1).max(50).default(25).describe("Max results")
+        status: z90.enum(["all", "open", "triaged", "fixed", "closed", "wontfix"]).default("all").describe("Filter by status. Default: all"),
+        limit: z90.number().min(1).max(50).default(25).describe("Max results")
       }
     },
     async ({ status: status2, limit }) => {
@@ -27667,7 +28161,10 @@ function registerSupportTools(server2) {
       endpoint2.searchParams.set("status", status2);
       endpoint2.searchParams.set("limit", String(limit));
       const headers = { "content-type": "application/json" };
-      if (licenseKey) headers["x-exe-license-key"] = licenseKey;
+      if (licenseKey) {
+        headers["authorization"] = `Bearer ${licenseKey}`;
+        headers["x-exe-license-key"] = licenseKey;
+      }
       if (licenseToken) headers["x-exe-license-token"] = licenseToken;
       try {
         const res = await fetch(endpoint2.toString(), { method: "GET", headers, signal: AbortSignal.timeout(15e3) });
@@ -27707,12 +28204,79 @@ function registerSupportTools(server2) {
       }
     }
   );
+  server2.registerTool(
+    "list_my_feature_requests",
+    {
+      title: "My Feature Requests",
+      description: "List feature requests you've filed, scoped to your license. Shows status (open/planned/in_progress/shipped/closed), priority, and shipped_version so you know when to update.",
+      inputSchema: {
+        status: z90.enum(["all", "open", "planned", "in_progress", "shipped", "closed", "wontdo"]).default("all").describe("Filter by status. Default: all"),
+        limit: z90.number().min(1).max(50).default(25).describe("Max results")
+      }
+    },
+    async ({ status: status2, limit }) => {
+      const licenseKey = loadLicense();
+      const licenseToken = readCachedLicenseToken();
+      if (!licenseKey && !licenseToken) {
+        return {
+          content: [{ type: "text", text: "No license key found. Run `exe-os setup` or `exe-os cloud setup` first." }],
+          isError: true
+        };
+      }
+      const endpoint2 = new URL("https://askexe.com/v1/support/my-feature-requests");
+      endpoint2.searchParams.set("status", status2);
+      endpoint2.searchParams.set("limit", String(limit));
+      const headers = { "content-type": "application/json" };
+      if (licenseKey) {
+        headers["authorization"] = `Bearer ${licenseKey}`;
+        headers["x-exe-license-key"] = licenseKey;
+      }
+      if (licenseToken) headers["x-exe-license-token"] = licenseToken;
+      try {
+        const res = await fetch(endpoint2.toString(), { method: "GET", headers, signal: AbortSignal.timeout(15e3) });
+        if (!res.ok) {
+          const body = await res.text().catch(() => "");
+          return {
+            content: [{ type: "text", text: `Failed to fetch feature requests: HTTP ${res.status}${body ? ` \u2014 ${body}` : ""}` }],
+            isError: true
+          };
+        }
+        const data = await res.json();
+        if (data.count === 0) {
+          return {
+            content: [{ type: "text", text: `No feature requests found${status2 !== "all" ? ` with status '${status2}'` : ""}.` }],
+            structuredContent: { items: [], count: 0 }
+          };
+        }
+        const lines = [`Feature requests (${data.count}):`, ""];
+        for (const r of data.items) {
+          const priIcon = r.priority === "p0" ? "\u{1F534}" : r.priority === "p1" ? "\u{1F534}" : r.priority === "p2" ? "\u{1F7E0}" : "\u{1F7E2}";
+          const statusIcon = r.status === "shipped" ? "\u2705" : r.status === "closed" ? "\u2611\uFE0F" : r.status === "planned" ? "\u{1F4CB}" : r.status === "in_progress" ? "\u{1F528}" : r.status === "wontdo" ? "\u26D4" : "\u{1F535}";
+          lines.push(`${priIcon} ${r.priority.toUpperCase()} ${statusIcon} ${r.status} \u2014 ${r.title}`);
+          lines.push(`   ID: ${r.id} | Filed: ${r.created_at?.slice(0, 10) ?? "?"}`);
+          if (r.shipped_version) lines.push(`   \u{1F680} Shipped in: ${r.shipped_version} \u2014 run \`exe-os update\` to get this feature`);
+          if (r.target_version) lines.push(`   \u{1F3AF} Target: ${r.target_version}`);
+          if (r.response_notes) lines.push(`   \u{1F4DD} AskExe: ${r.response_notes}`);
+          lines.push("");
+        }
+        return {
+          content: [{ type: "text", text: lines.join("\n") }],
+          structuredContent: data
+        };
+      } catch (err) {
+        return {
+          content: [{ type: "text", text: `Error fetching feature requests: ${err instanceof Error ? err.message : String(err)}` }],
+          isError: true
+        };
+      }
+    }
+  );
 }
 
 // src/mcp/tools/cli-parity.ts
 import { execFile as execFile2 } from "child_process";
 import { promisify as promisify2 } from "util";
-import { z as z90 } from "zod";
+import { z as z91 } from "zod";
 
 // src/bin/exe-status.ts
 init_employees();
@@ -27773,22 +28337,22 @@ if (isMainModule(import.meta.url)) {
 
 // src/bin/exe-healthcheck.ts
 import { existsSync as existsSync39, readFileSync as readFileSync33, readdirSync as readdirSync14 } from "fs";
-import path51 from "path";
+import path52 from "path";
 import { execSync as execSync14 } from "child_process";
 import { fileURLToPath as fileURLToPath6 } from "url";
 init_config();
 function findPackageRoot2() {
-  let dir = path51.dirname(fileURLToPath6(import.meta.url));
-  const { root } = path51.parse(dir);
+  let dir = path52.dirname(fileURLToPath6(import.meta.url));
+  const { root } = path52.parse(dir);
   while (dir !== root) {
-    if (existsSync39(path51.join(dir, "package.json"))) return dir;
-    dir = path51.dirname(dir);
+    if (existsSync39(path52.join(dir, "package.json"))) return dir;
+    dir = path52.dirname(dir);
   }
   throw new Error("Cannot find package root");
 }
 function checkBuildIntegrity(pkgRoot) {
   const results = [];
-  const tsupConfig = path51.join(pkgRoot, "tsup.config.ts");
+  const tsupConfig = path52.join(pkgRoot, "tsup.config.ts");
   if (!existsSync39(tsupConfig)) {
     return [{ name: "build/tsup-config", pass: false, detail: "tsup.config.ts not found" }];
   }
@@ -27798,7 +28362,7 @@ function checkBuildIntegrity(pkgRoot) {
   let total = 0;
   for (const match of entryMatches) {
     const outputKey = match[1];
-    const expectedPath = path51.join(pkgRoot, "dist", `${outputKey}.js`);
+    const expectedPath = path52.join(pkgRoot, "dist", `${outputKey}.js`);
     total++;
     if (!existsSync39(expectedPath)) {
       missing.push(`dist/${outputKey}.js`);
@@ -27822,7 +28386,7 @@ function checkBuildIntegrity(pkgRoot) {
 }
 function checkEmbedPipeline(pkgRoot) {
   const results = [];
-  const daemonPath = path51.join(pkgRoot, "dist", "lib", "exe-daemon.js");
+  const daemonPath = path52.join(pkgRoot, "dist", "lib", "exe-daemon.js");
   if (!existsSync39(daemonPath)) {
     results.push({
       name: "exed/daemon-exists",
@@ -27834,17 +28398,17 @@ function checkEmbedPipeline(pkgRoot) {
   results.push({ name: "exed/daemon-exists", pass: true, detail: "dist/lib/exe-daemon.js exists" });
   const entryDirs = ["dist/hooks", "dist/bin", "dist/mcp"];
   for (const dir of entryDirs) {
-    const fullDir = path51.join(pkgRoot, dir);
+    const fullDir = path52.join(pkgRoot, dir);
     if (!existsSync39(fullDir)) continue;
     let walkDir = fullDir;
-    const { root } = path51.parse(walkDir);
+    const { root } = path52.parse(walkDir);
     let foundRoot = null;
     while (walkDir !== root) {
-      if (existsSync39(path51.join(walkDir, "package.json"))) {
+      if (existsSync39(path52.join(walkDir, "package.json"))) {
         foundRoot = walkDir;
         break;
       }
-      walkDir = path51.dirname(walkDir);
+      walkDir = path52.dirname(walkDir);
     }
     if (!foundRoot) {
       results.push({
@@ -27854,7 +28418,7 @@ function checkEmbedPipeline(pkgRoot) {
       });
       continue;
     }
-    const resolvedDaemon = path51.join(foundRoot, "dist", "lib", "exe-daemon.js");
+    const resolvedDaemon = path52.join(foundRoot, "dist", "lib", "exe-daemon.js");
     const reachable = existsSync39(resolvedDaemon);
     results.push({
       name: `exed/reachable-from-${dir}`,
@@ -27866,7 +28430,7 @@ function checkEmbedPipeline(pkgRoot) {
 }
 function checkTaskSystem(pkgRoot) {
   const results = [];
-  const scannerPath = path51.join(pkgRoot, "dist", "bin", "scan-tasks.js");
+  const scannerPath = path52.join(pkgRoot, "dist", "bin", "scan-tasks.js");
   if (!existsSync39(scannerPath)) {
     results.push({ name: "tasks/scanner", pass: false, detail: "scan-tasks.js not found" });
     return results;
@@ -27889,7 +28453,7 @@ function checkTaskSystem(pkgRoot) {
 }
 function checkWorkerSpawning(pkgRoot) {
   const results = [];
-  const workerPath = path51.join(pkgRoot, "dist", "hooks", "ingest-worker.js");
+  const workerPath = path52.join(pkgRoot, "dist", "hooks", "ingest-worker.js");
   if (!existsSync39(workerPath)) {
     results.push({ name: "workers/ingest-worker", pass: false, detail: "ingest-worker.js not found" });
     return results;
@@ -27904,14 +28468,14 @@ function checkWorkerSpawning(pkgRoot) {
       detail: `Parse error: ${err instanceof Error ? err.message.slice(0, 200) : String(err)}`
     });
   }
-  const hooksDir = path51.join(pkgRoot, "dist", "hooks");
+  const hooksDir = path52.join(pkgRoot, "dist", "hooks");
   if (existsSync39(hooksDir)) {
     const hookFiles = readdirSync14(hooksDir).filter((f) => f.endsWith(".js") && !f.endsWith(".js.map"));
     let hooksPassed = 0;
     const hooksFailed = [];
     for (const hook of hookFiles) {
       try {
-        execSync14(`node --check "${path51.join(hooksDir, hook)}" 2>&1`, { timeout: 1e4, encoding: "utf-8" });
+        execSync14(`node --check "${path52.join(hooksDir, hook)}" 2>&1`, { timeout: 1e4, encoding: "utf-8" });
         hooksPassed++;
       } catch {
         hooksFailed.push(hook);
@@ -27935,8 +28499,8 @@ function checkWorkerSpawning(pkgRoot) {
 }
 function checkMcpTransport() {
   const results = [];
-  const pidPath = path51.join(EXE_AI_DIR, "exed.pid");
-  const tokenPath = path51.join(EXE_AI_DIR, "exed.token");
+  const pidPath = path52.join(EXE_AI_DIR, "exed.pid");
+  const tokenPath = path52.join(EXE_AI_DIR, "exed.token");
   let daemonAlive = false;
   if (existsSync39(pidPath)) {
     try {
@@ -27983,7 +28547,7 @@ function checkMcpTransport() {
   results.push({
     name: "mcp/monitor-summary",
     pass: true,
-    detail: `Privacy-safe local monitor summary: ${path51.join(EXE_AI_DIR, "monitor", "mcp-transport-summary.json")}`
+    detail: `Privacy-safe local monitor summary: ${path52.join(EXE_AI_DIR, "monitor", "mcp-transport-summary.json")}`
   });
   return results;
 }
@@ -28041,7 +28605,7 @@ function checkClaudeCodeInstall() {
       detail: "Failed to check claude binary path"
     });
   }
-  const versionsDir = path51.join(
+  const versionsDir = path52.join(
     process.env.HOME ?? process.env.USERPROFILE ?? "",
     ".local",
     "share",
@@ -28131,7 +28695,7 @@ function runHealthCheck() {
   const failed = results.filter((r) => !r.pass).length;
   return { results, passed, failed };
 }
-if (isMainModule(import.meta.url)) {
+if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("exe-healthcheck")) {
   const { results, passed, failed } = runHealthCheck();
   console.log("\n  exe-os Health Check\n");
   for (const r of results) {
@@ -28148,9 +28712,9 @@ if (isMainModule(import.meta.url)) {
 // src/lib/update-check.ts
 import { execSync as execSync15 } from "child_process";
 import { readFileSync as readFileSync34 } from "fs";
-import path52 from "path";
+import path53 from "path";
 function getLocalVersion(packageRoot) {
-  const pkgPath = path52.join(packageRoot, "package.json");
+  const pkgPath = path53.join(packageRoot, "package.json");
   const pkg = JSON.parse(readFileSync34(pkgPath, "utf-8"));
   return pkg.version;
 }
@@ -28218,12 +28782,12 @@ function registerCliParityTools(server2) {
     title: "Doctor",
     description: "Run exe-os doctor audit. Defaults to read-only diagnostics; optional dry-run/fix flags mirror CLI.",
     inputSchema: {
-      agent: z90.string().optional(),
-      project: z90.string().optional(),
-      verbose: z90.boolean().default(false),
-      conflicts: z90.boolean().default(false),
-      dry_run: z90.boolean().default(false),
-      fix: z90.boolean().default(false)
+      agent: z91.string().optional(),
+      project: z91.string().optional(),
+      verbose: z91.boolean().default(false),
+      conflicts: z91.boolean().default(false),
+      dry_run: z91.boolean().default(false),
+      fix: z91.boolean().default(false)
     }
   }, async ({ agent, project, verbose, conflicts, dry_run, fix }) => {
     const args = [];
@@ -28240,9 +28804,9 @@ function registerCliParityTools(server2) {
     title: "Rename Employee",
     description: "Rename an employee using the same path as `exe-os rename <old> <new>`. Use for customer roster/identity renames.",
     inputSchema: {
-      old_name: z90.string().min(1),
-      new_name: z90.string().min(1),
-      dry_run: z90.boolean().default(false)
+      old_name: z91.string().min(1),
+      new_name: z91.string().min(1),
+      dry_run: z91.boolean().default(false)
     }
   }, async ({ old_name, new_name, dry_run }) => {
     if (dry_run) {
@@ -28255,7 +28819,7 @@ function registerCliParityTools(server2) {
   server2.registerTool("status_brief", {
     title: "Status Brief",
     description: "Return current employee/tmux status. Mirrors `exe-status` and supports optional deep view for one employee.",
-    inputSchema: { employee: z90.string().optional() }
+    inputSchema: { employee: z91.string().optional() }
   }, async ({ employee }) => {
     const text3 = await status(employee);
     return result2(text3, { ok: true, employee: employee ?? null });
@@ -28263,7 +28827,7 @@ function registerCliParityTools(server2) {
   server2.registerTool("pending_work_summary", {
     title: "Pending Work Summary",
     description: "Return pending reviews, messages, and notifications using the same summaries as the CLI tools.",
-    inputSchema: { agent: z90.string().optional() }
+    inputSchema: { agent: z91.string().optional() }
   }, async ({ agent }) => {
     const parts = await Promise.all([
       runCommand("exe-pending-reviews", [], 3e4),
@@ -28284,7 +28848,7 @@ function registerCliParityTools(server2) {
   server2.registerTool("key_rotation_preflight", {
     title: "Key Rotation Preflight",
     description: "Dry-run key rotation/update preflight. No destructive changes.",
-    inputSchema: { mode: z90.enum(["rotate", "update"]).default("rotate") }
+    inputSchema: { mode: z91.enum(["rotate", "update"]).default("rotate") }
   }, async ({ mode }) => {
     const out = await runCommand("exe-os", ["key", mode, "--dry-run"], 6e4);
     return result2(out.text, { ok: out.ok, command: out.command, mode }, !out.ok);
@@ -28303,11 +28867,11 @@ function registerCliParityTools(server2) {
     title: "Stack Update Check",
     description: "Plan/check a customer stack update without applying Docker changes. Mirrors `exe-os stack-update --check`.",
     inputSchema: {
-      target: z90.string().optional(),
-      manifest: z90.string().optional(),
-      compose_file: z90.string().optional(),
-      env_file: z90.string().optional(),
-      deployment_persona: z90.enum(["customer", "askexe-control-plane"]).default("customer")
+      target: z91.string().optional(),
+      manifest: z91.string().optional(),
+      compose_file: z91.string().optional(),
+      env_file: z91.string().optional(),
+      deployment_persona: z91.enum(["customer", "askexe-control-plane"]).default("customer")
     }
   }, async ({ target, manifest, compose_file, env_file, deployment_persona }) => {
     const args = ["stack-update", "--check", "--deployment-persona", deployment_persona];
@@ -28331,7 +28895,7 @@ function registerCliParityTools(server2) {
 // src/mcp/tools/get-session-events.ts
 init_active_agent();
 init_fast_db_init();
-import { z as z91 } from "zod";
+import { z as z92 } from "zod";
 
 // src/lib/session-events.ts
 init_task_scope();
@@ -28418,7 +28982,7 @@ async function listRecentSessionEvents(client, options) {
 }
 
 // src/mcp/tools/get-session-events.ts
-var EVENT_TYPE = z91.enum([
+var EVENT_TYPE = z92.enum([
   "user_prompt",
   "assistant_response",
   "tool_call",
@@ -28448,11 +29012,11 @@ function registerGetSessionEvents(server2) {
       title: "Get Session Events",
       description: "Return exact recent chronological user prompts, assistant responses, and tool calls from the append-only session journal. Use this when asked what happened last, not semantic memory search.",
       inputSchema: {
-        agent_id: z91.string().optional().describe("Agent to inspect. Defaults to active agent. COO/CTO may inspect others."),
-        session_id: z91.string().optional().describe("Optional exact runtime session id."),
+        agent_id: z92.string().optional().describe("Agent to inspect. Defaults to active agent. COO/CTO may inspect others."),
+        session_id: z92.string().optional().describe("Optional exact runtime session id."),
         event_type: EVENT_TYPE.optional().describe("Filter to one event type."),
-        project_name: z91.string().optional().describe("Optional project filter. Pass 'all' for all projects."),
-        limit: z91.number().int().min(1).max(100).default(20).describe("Number of events to return.")
+        project_name: z92.string().optional().describe("Optional project filter. Pass 'all' for all projects."),
+        limit: z92.number().int().min(1).max(100).default(20).describe("Number of events to return.")
       }
     },
     async ({ agent_id, session_id, event_type, project_name, limit }) => {
@@ -28488,8 +29052,8 @@ function registerGetLastAssistantResponse(server2) {
       title: "Get Last Assistant Response",
       description: "Return the exact last assistant response for an agent from the session event journal. Use for 'what was the last thing you said?'",
       inputSchema: {
-        agent_id: z91.string().optional().describe("Agent to inspect. Defaults to active agent. COO/CTO may inspect others."),
-        project_name: z91.string().optional().describe("Optional project filter. Pass 'all' for all projects.")
+        agent_id: z92.string().optional().describe("Agent to inspect. Defaults to active agent. COO/CTO may inspect others."),
+        project_name: z92.string().optional().describe("Optional project filter. Pass 'all' for all projects.")
       }
     },
     async ({ agent_id, project_name }) => {
@@ -28519,32 +29083,106 @@ function registerGetLastAssistantResponse(server2) {
 }
 
 // src/mcp/tools/code-context.ts
-import { z as z92 } from "zod";
+import { z as z93 } from "zod";
 
 // src/lib/code-context-index.ts
 init_config();
-import crypto19 from "crypto";
-import path53 from "path";
+import crypto20 from "crypto";
+import path54 from "path";
 import { existsSync as existsSync40, mkdirSync as mkdirSync22, readFileSync as readFileSync35, readdirSync as readdirSync15, statSync as statSync9, writeFileSync as writeFileSync24 } from "fs";
 import { spawnSync } from "child_process";
+init_exe_daemon_client();
+var VECTOR_STORE_VERSION = 1;
+var EMBED_BATCH_SIZE = 64;
+function vectorStorePath(projectRoot) {
+  const rootHash = hashText(projectRoot).slice(0, 16);
+  return path54.join(indexDir(), `${rootHash}.vectors.json`);
+}
+function loadVectorStore(projectRoot) {
+  const file = vectorStorePath(projectRoot);
+  if (!existsSync40(file)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync35(file, "utf8"));
+    if (parsed.version !== VECTOR_STORE_VERSION) return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function saveVectorStore(projectRoot, store) {
+  writeFileSync24(vectorStorePath(projectRoot), JSON.stringify(store));
+}
+function cosineSimilarity3(a, b) {
+  let dot = 0, normA = 0, normB = 0;
+  for (let i = 0; i < a.length; i++) {
+    dot += a[i] * b[i];
+    normA += a[i] * a[i];
+    normB += b[i] * b[i];
+  }
+  const denom = Math.sqrt(normA) * Math.sqrt(normB);
+  return denom === 0 ? 0 : dot / denom;
+}
+async function embedSymbols(index) {
+  const rootHash = hashText(index.projectRoot).slice(0, 16);
+  const existing = loadVectorStore(index.projectRoot);
+  const store = {
+    version: VECTOR_STORE_VERSION,
+    projectRootHash: rootHash,
+    vectors: {}
+  };
+  const allSymbols = [];
+  for (const file of Object.values(index.files)) {
+    for (const symbol of file.symbols) {
+      if (existing?.vectors[symbol.id]) {
+        store.vectors[symbol.id] = existing.vectors[symbol.id];
+      } else {
+        allSymbols.push({ id: symbol.id, text: symbol.summary || `${symbol.kind} ${symbol.name} in ${symbol.filePath}` });
+      }
+    }
+  }
+  if (allSymbols.length === 0) {
+    saveVectorStore(index.projectRoot, store);
+    return store;
+  }
+  const connected = await connectEmbedDaemon().catch(() => false);
+  if (!connected) {
+    saveVectorStore(index.projectRoot, store);
+    return store;
+  }
+  for (let i = 0; i < allSymbols.length; i += EMBED_BATCH_SIZE) {
+    const batch = allSymbols.slice(i, i + EMBED_BATCH_SIZE);
+    const texts = batch.map((s) => s.text);
+    try {
+      const vectors = await embedBatchViaClient(texts, "low");
+      if (vectors && vectors.length === batch.length) {
+        for (let j = 0; j < batch.length; j++) {
+          store.vectors[batch[j].id] = vectors[j];
+        }
+      }
+    } catch {
+    }
+  }
+  saveVectorStore(index.projectRoot, store);
+  return store;
+}
 var INDEX_VERSION = 2;
 var DEFAULT_MAX_FILES = 5e3;
 var IGNORE_SEGMENTS = /* @__PURE__ */ new Set(["node_modules", "dist", ".git", "coverage", ".worktrees", ".next", "build", "target", "vendor"]);
 function normalizeProjectRoot(projectRoot) {
-  return path53.resolve(projectRoot || process.cwd());
+  return path54.resolve(projectRoot || process.cwd());
 }
 function hashText(text3) {
-  return crypto19.createHash("sha256").update(text3).digest("hex");
+  return crypto20.createHash("sha256").update(text3).digest("hex");
 }
 function indexDir() {
-  const dir = path53.join(EXE_AI_DIR, "code-context");
+  const dir = path54.join(EXE_AI_DIR, "code-context");
   mkdirSync22(dir, { recursive: true });
   return dir;
 }
 function getCodeContextIndexPath(projectRoot) {
   const root = normalizeProjectRoot(projectRoot);
   const rootHash = hashText(root).slice(0, 16);
-  return path53.join(indexDir(), `${rootHash}.json`);
+  return path54.join(indexDir(), `${rootHash}.json`);
 }
 function currentBranch(projectRoot) {
   const result3 = spawnSync("git", ["branch", "--show-current"], { cwd: projectRoot, encoding: "utf8", timeout: 2e3 });
@@ -28557,8 +29195,8 @@ function shouldIgnore(relPath) {
 }
 function listRecursive(projectRoot, dir = projectRoot, out = []) {
   for (const entry of readdirSync15(dir, { withFileTypes: true })) {
-    const abs = path53.join(dir, entry.name);
-    const rel = path53.relative(projectRoot, abs).replaceAll(path53.sep, "/");
+    const abs = path54.join(dir, entry.name);
+    const rel = path54.relative(projectRoot, abs).replaceAll(path54.sep, "/");
     if (shouldIgnore(rel)) continue;
     if (entry.isDirectory()) listRecursive(projectRoot, abs, out);
     else if (entry.isFile()) out.push(rel);
@@ -28574,7 +29212,7 @@ function listCodeFiles(projectRoot, maxFiles) {
     const rg = spawnSync("rg", ["--files"], { cwd: projectRoot, encoding: "utf8", timeout: 5e3, maxBuffer: 1024 * 1024 * 16 });
     files = rg.status === 0 && rg.stdout.trim() ? rg.stdout.split("\n").map((s) => s.trim()).filter(Boolean) : listRecursive(projectRoot);
   }
-  return files.map((file) => file.replaceAll(path53.sep, "/")).filter((file) => isChunkable(file) && !shouldIgnore(file)).slice(0, maxFiles).sort();
+  return files.map((file) => file.replaceAll(path54.sep, "/")).filter((file) => isChunkable(file) && !shouldIgnore(file)).slice(0, maxFiles).sort();
 }
 function parseImportPaths(importText) {
   const paths = [];
@@ -28587,13 +29225,13 @@ function parseImportPaths(importText) {
 }
 function resolveImport(fromFile, importPath, allFiles) {
   if (!importPath.startsWith(".")) return null;
-  const base = path53.posix.normalize(path53.posix.join(path53.posix.dirname(fromFile.replaceAll(path53.sep, "/")), importPath));
+  const base = path54.posix.normalize(path54.posix.join(path54.posix.dirname(fromFile.replaceAll(path54.sep, "/")), importPath));
   const withoutKnownExt = base.replace(/\.(?:[a-z0-9]+)$/i, "");
   const candidates = [base];
   for (const ext of ["ts", "tsx", "js", "jsx", "py", "rs", "go", "java", "cs", "cpp", "c", "rb", "php", "swift", "kt", "scala", "sql", "md", "json", "yaml", "yml"]) {
     candidates.push(`${withoutKnownExt}.${ext}`, `${base}.${ext}`);
   }
-  for (const indexName of ["index.ts", "index.tsx", "index.js", "mod.rs", "__init__.py"]) candidates.push(path53.posix.join(base, indexName));
+  for (const indexName of ["index.ts", "index.tsx", "index.js", "mod.rs", "__init__.py"]) candidates.push(path54.posix.join(base, indexName));
   return candidates.find((candidate) => allFiles.has(candidate)) ?? null;
 }
 function symbolId(filePath, chunk) {
@@ -28614,7 +29252,7 @@ function saveIndex(index) {
   writeFileSync24(getCodeContextIndexPath(index.projectRoot), JSON.stringify(index, null, 2));
 }
 function buildFileRecord(projectRoot, relPath, allFiles, previous) {
-  const absPath = path53.join(projectRoot, relPath);
+  const absPath = path54.join(projectRoot, relPath);
   let stat;
   try {
     stat = statSync9(absPath);
@@ -28652,13 +29290,13 @@ function buildCodeContextIndex(options = {}) {
   const branch = currentBranch(projectRoot);
   const previous = options.force ? null : loadIndex(projectRoot);
   const files = listCodeFiles(projectRoot, maxFiles);
-  const allFiles = new Set(files.map((file) => file.replaceAll(path53.sep, "/")));
+  const allFiles = new Set(files.map((file) => file.replaceAll(path54.sep, "/")));
   const fileRecords = {};
   let rebuiltFiles = 0;
   let reusedFiles = 0;
   let skippedFiles = 0;
   for (const rel of files) {
-    const normalized = rel.replaceAll(path53.sep, "/");
+    const normalized = rel.replaceAll(path54.sep, "/");
     const { record, reused } = buildFileRecord(projectRoot, normalized, allFiles, previous?.files[normalized]);
     if (record) {
       fileRecords[normalized] = record;
@@ -28687,11 +29325,11 @@ function loadOrBuildCodeContextIndex(options = {}) {
     if (loaded) {
       const currentFiles = listCodeFiles(projectRoot, options.maxFiles ?? DEFAULT_MAX_FILES);
       const unchanged = currentFiles.every((rel) => {
-        const normalized = rel.replaceAll(path53.sep, "/");
+        const normalized = rel.replaceAll(path54.sep, "/");
         const existing = loaded.files[normalized];
         if (!existing) return false;
         try {
-          const stat = statSync9(path53.join(projectRoot, normalized));
+          const stat = statSync9(path54.join(projectRoot, normalized));
           return stat.mtimeMs === existing.mtimeMs && stat.size === existing.size;
         } catch {
           return false;
@@ -28744,9 +29382,9 @@ function globToRegex(pattern) {
 }
 function matchesPath(filePath, patterns) {
   if (!patterns || patterns.length === 0) return true;
-  const normalized = filePath.replaceAll(path53.sep, "/");
+  const normalized = filePath.replaceAll(path54.sep, "/");
   return patterns.some((pattern) => {
-    const p = pattern.replaceAll(path53.sep, "/").replace(/^\.\//, "");
+    const p = pattern.replaceAll(path54.sep, "/").replace(/^\.\//, "");
     return normalized === p || normalized.startsWith(`${p}/`) || normalized.endsWith(p) || globToRegex(p).test(normalized);
   });
 }
@@ -28805,7 +29443,7 @@ function filteredFiles(index, options = {}) {
     return matchesPath(file.path, options.paths);
   });
 }
-function searchCodeContext(query, options = {}) {
+function lexicalSearch(query, options = {}) {
   const terms = tokenize(query);
   if (terms.length === 0) return [];
   const index = loadOrBuildCodeContextIndex({ projectRoot: options.projectRoot, force: options.force || options.refreshIndex, maxFiles: options.maxFiles });
@@ -28831,6 +29469,82 @@ function searchCodeContext(query, options = {}) {
   const limit = options.limit ?? 20;
   return results.sort((a, b) => b.score - a.score || a.filePath.localeCompare(b.filePath)).slice(offset, offset + limit);
 }
+function searchCodeContext(query, options = {}) {
+  return lexicalSearch(query, options);
+}
+var RRF_K2 = 60;
+async function searchCodeContextSemantic(query, options = {}) {
+  const terms = tokenize(query);
+  if (terms.length === 0) return [];
+  const index = loadOrBuildCodeContextIndex({ projectRoot: options.projectRoot, force: options.force || options.refreshIndex, maxFiles: options.maxFiles });
+  const projectRoot = normalizeProjectRoot(options.projectRoot);
+  const vectorStore = loadVectorStore(projectRoot);
+  if (!vectorStore || Object.keys(vectorStore.vectors).length === 0) {
+    return lexicalSearch(query, options);
+  }
+  let queryVector = null;
+  try {
+    const connected = await connectEmbedDaemon().catch(() => false);
+    if (connected) {
+      const result3 = await embedBatchViaClient([query], "high");
+      if (result3 && result3.length === 1) queryVector = result3[0];
+    }
+  } catch {
+  }
+  if (!queryVector) return lexicalSearch(query, options);
+  const files = filteredFiles(index, options);
+  const candidates = [];
+  for (const file of files) {
+    for (const symbol of file.symbols) {
+      const lexical = scoreSymbol(symbol, terms);
+      const vec = vectorStore.vectors[symbol.id];
+      const vectorScore = vec ? cosineSimilarity3(queryVector, vec) : 0;
+      if (lexical.score > 0 || vectorScore > 0.3) {
+        candidates.push({
+          symbol,
+          lexicalScore: lexical.score,
+          vectorScore,
+          matches: lexical.matches
+        });
+      }
+    }
+  }
+  const byLexical = [...candidates].sort((a, b) => b.lexicalScore - a.lexicalScore);
+  const byVector = [...candidates].sort((a, b) => b.vectorScore - a.vectorScore);
+  const lexicalRank = /* @__PURE__ */ new Map();
+  const vectorRank = /* @__PURE__ */ new Map();
+  byLexical.forEach((c, i) => lexicalRank.set(c.symbol.id, i + 1));
+  byVector.forEach((c, i) => vectorRank.set(c.symbol.id, i + 1));
+  const VECTOR_WEIGHT = 0.6;
+  const LEXICAL_WEIGHT = 0.4;
+  const fused = candidates.map((c) => {
+    const lRank = lexicalRank.get(c.symbol.id) ?? candidates.length + 1;
+    const vRank = vectorRank.get(c.symbol.id) ?? candidates.length + 1;
+    const rrfScore = VECTOR_WEIGHT * (1 / (RRF_K2 + vRank)) + LEXICAL_WEIGHT * (1 / (RRF_K2 + lRank));
+    return {
+      symbol: c.symbol,
+      score: rrfScore,
+      matches: c.vectorScore > 0.3 ? [...c.matches, `semantic=${c.vectorScore.toFixed(3)}`] : c.matches,
+      filePath: c.symbol.filePath,
+      language: c.symbol.language,
+      content: c.symbol.text,
+      startLine: c.symbol.startLine,
+      endLine: c.symbol.endLine
+    };
+  });
+  const offset = Math.max(0, options.offset ?? 0);
+  const limit = options.limit ?? 20;
+  return fused.sort((a, b) => b.score - a.score || a.filePath.localeCompare(b.filePath)).slice(offset, offset + limit);
+}
+async function buildCodeContextIndexWithEmbeddings(options = {}) {
+  const index = buildCodeContextIndex(options);
+  const existingStore = loadVectorStore(index.projectRoot);
+  const existingCount = existingStore ? Object.keys(existingStore.vectors).length : 0;
+  const store = await embedSymbols(index);
+  const vectorCount = Object.keys(store.vectors).length;
+  const newEmbeddings = vectorCount - Math.min(existingCount, vectorCount);
+  return { index, vectorCount, newEmbeddings };
+}
 function dependentsMap(index) {
   const map = /* @__PURE__ */ new Map();
   for (const file of Object.values(index.files)) {
@@ -28864,7 +29578,7 @@ function traceCodeSymbol(symbolName, options = {}) {
 }
 function resolveTargetFile(index, input) {
   if (input.filePath) {
-    const normalized = input.filePath.replaceAll(path53.sep, "/").replace(/^\.\//, "");
+    const normalized = input.filePath.replaceAll(path54.sep, "/").replace(/^\.\//, "");
     if (index.files[normalized]) return { filePath: normalized, target: normalized };
     const suffix = Object.keys(index.files).find((file) => file.endsWith(normalized));
     if (suffix) return { filePath: suffix, target: input.filePath };
@@ -28894,7 +29608,7 @@ function analyzeBlastRadius(input) {
       }
     }
   }
-  const targetBase = path53.basename(target.filePath).replace(/\.[^.]+$/, "").toLowerCase();
+  const targetBase = path54.basename(target.filePath).replace(/\.[^.]+$/, "").toLowerCase();
   const symbolLower = input.symbol?.toLowerCase();
   const tests = Object.keys(index.files).filter((file) => {
     const lower = file.toLowerCase();
@@ -28933,23 +29647,24 @@ function jsonResult(value) {
 function registerCodeContext(server2) {
   server2.registerTool("code_context", {
     title: "Code Context",
-    description: "Persistent codebase context engine. One consolidated tool to avoid MCP bloat. Actions: index, search, trace, blast_radius, stats.",
+    description: "Persistent codebase context engine with semantic vector search. One consolidated tool to avoid MCP bloat. Actions: index (structural only), index_embed (structural + vector embeddings), search (semantic+lexical hybrid), trace, blast_radius, stats. Search uses RRF fusion of Jina v5 embeddings (cosine similarity) + lexical scoring. Falls back to lexical if daemon unavailable.",
     inputSchema: {
-      action: z92.enum(["index", "search", "trace", "blast_radius", "stats"]).describe("Code context operation"),
-      project_root: z92.string().optional().describe("Repository root. Defaults to current working directory."),
-      query: z92.string().optional().describe("Search query for action=search"),
-      symbol: z92.string().optional().describe("Symbol/function/class/type name for trace or blast_radius"),
-      file_path: z92.string().optional().describe("File path for blast_radius"),
-      force: z92.boolean().optional().describe("Force rebuild before answering"),
-      limit: z92.coerce.number().int().min(1).max(100).optional().describe("Max results"),
-      offset: z92.coerce.number().int().min(0).optional().describe("Search pagination offset"),
-      refresh_index: z92.boolean().optional().describe("Refresh/rebuild index before searching"),
-      languages: z92.array(z92.string()).optional().describe('Language filters, e.g. ["python", "typescript"]'),
-      paths: z92.array(z92.string()).optional().describe("Path/glob filters"),
-      depth: z92.coerce.number().int().min(1).max(5).optional().describe("Dependent traversal depth for blast_radius"),
-      max_files: z92.coerce.number().int().min(1).max(1e4).optional().describe("Max code files to index")
-    }
-  }, async ({ action, project_root, query, symbol, file_path, force, limit, offset, refresh_index, languages, paths, depth, max_files }) => {
+      action: z93.enum(["index", "index_embed", "search", "trace", "blast_radius", "stats"]).describe("Code context operation. index_embed = index + generate embeddings for semantic search."),
+      project_root: z93.string().optional().describe("Repository root. Defaults to current working directory."),
+      query: z93.string().optional().describe("Natural language search query (e.g. 'authentication logic', 'database migration'). Semantic search finds conceptual matches, not just keywords."),
+      symbol: z93.string().optional().describe("Symbol/function/class/type name for trace or blast_radius"),
+      file_path: z93.string().optional().describe("File path for blast_radius"),
+      force: z93.boolean().optional().describe("Force rebuild before answering"),
+      limit: z93.coerce.number().int().min(1).max(100).optional().describe("Max results"),
+      offset: z93.coerce.number().int().min(0).optional().describe("Search pagination offset"),
+      refresh_index: z93.boolean().optional().describe("Refresh/rebuild index before searching"),
+      languages: z93.array(z93.string()).optional().describe('Language filters, e.g. ["python", "typescript"]'),
+      paths: z93.array(z93.string()).optional().describe("Path/glob filters"),
+      depth: z93.coerce.number().int().min(1).max(5).optional().describe("Dependent traversal depth for blast_radius"),
+      max_files: z93.coerce.number().int().min(1).max(1e4).optional().describe("Max code files to index"),
+      lexical_only: z93.boolean().optional().describe("Force lexical-only search (skip vector similarity). Default: false \u2014 uses semantic hybrid search.")
+    }
+  }, async ({ action, project_root, query, symbol, file_path, force, limit, offset, refresh_index, languages, paths, depth, max_files, lexical_only }) => {
     const opts = { projectRoot: project_root, force, maxFiles: max_files };
     if (action === "index") {
       const index = buildCodeContextIndex(opts);
@@ -28959,7 +29674,24 @@ function registerCodeContext(server2) {
         indexedAt: index.indexedAt,
         files: Object.keys(index.files).length,
         symbols: Object.values(index.files).reduce((sum, file) => sum + file.symbols.length, 0),
-        imports: Object.values(index.files).reduce((sum, file) => sum + file.resolvedImports.length, 0)
+        imports: Object.values(index.files).reduce((sum, file) => sum + file.resolvedImports.length, 0),
+        note: "Structural index only. Use action=index_embed to also generate vector embeddings for semantic search."
+      });
+    }
+    if (action === "index_embed") {
+      const { index, vectorCount, newEmbeddings } = await buildCodeContextIndexWithEmbeddings(opts);
+      const totalSymbols = Object.values(index.files).reduce((sum, file) => sum + file.symbols.length, 0);
+      return jsonResult({
+        projectRoot: index.projectRoot,
+        branch: index.branch,
+        indexedAt: index.indexedAt,
+        files: Object.keys(index.files).length,
+        symbols: totalSymbols,
+        imports: Object.values(index.files).reduce((sum, file) => sum + file.resolvedImports.length, 0),
+        vectorCount,
+        newEmbeddings,
+        embeddingCoverage: totalSymbols > 0 ? `${(vectorCount / totalSymbols * 100).toFixed(1)}%` : "0%",
+        note: "Structural index + vector embeddings. Semantic search is now available."
       });
     }
     if (action === "stats") {
@@ -28967,14 +29699,28 @@ function registerCodeContext(server2) {
     }
     if (action === "search") {
       if (!query) return errorResult10('code_context action "search" requires query');
+      const searchOpts = { ...opts, limit, offset, refreshIndex: refresh_index, languages, paths };
+      if (lexical_only) {
+        return jsonResult({
+          query,
+          mode: "lexical",
+          limit: limit ?? 20,
+          offset: offset ?? 0,
+          languages: languages ?? [],
+          paths: paths ?? [],
+          results: searchCodeContext(query, searchOpts)
+        });
+      }
+      const results = await searchCodeContextSemantic(query, searchOpts);
+      const hasSemantic = results.some((r) => r.matches.some((m) => m.startsWith("semantic=")));
       return jsonResult({
         query,
+        mode: hasSemantic ? "semantic+lexical" : "lexical-fallback",
         limit: limit ?? 20,
         offset: offset ?? 0,
-        refresh_index: refresh_index ?? false,
         languages: languages ?? [],
         paths: paths ?? [],
-        results: searchCodeContext(query, { ...opts, limit, offset, refreshIndex: refresh_index, languages, paths })
+        results
       });
     }
     if (action === "trace") {
@@ -28992,9 +29738,9 @@ function registerCodeContext(server2) {
 }
 
 // src/mcp/tools/support-inbox.ts
-import { z as z93 } from "zod";
+import { z as z94 } from "zod";
 var DEFAULT_ENDPOINT = "https://askexe.com/admin/support/bug-reports";
-var STATUS = z93.enum(["open", "triaged", "fixed", "closed", "wontfix"]);
+var STATUS = z94.enum(["open", "triaged", "fixed", "closed", "wontfix"]);
 function adminToken() {
   return process.env.ASKEXE_SUPPORT_ADMIN_TOKEN || process.env.EXE_SUPPORT_ADMIN_TOKEN;
 }
@@ -29033,9 +29779,9 @@ function registerListBugReports(server2) {
       title: "List Bug Reports",
       description: "AskExe-internal only: list incoming customer bug reports from the support inbox.",
       inputSchema: {
-        status: z93.enum(["all", "open", "triaged", "fixed", "closed", "wontfix"]).default("open"),
-        severity: z93.enum(["p0", "p1", "p2", "p3"]).optional(),
-        limit: z93.number().int().min(1).max(100).default(25)
+        status: z94.enum(["all", "open", "triaged", "fixed", "closed", "wontfix"]).default("open"),
+        severity: z94.enum(["p0", "p1", "p2", "p3"]).optional(),
+        limit: z94.number().int().min(1).max(100).default(25)
       }
     },
     async ({ status: status2, severity, limit }) => {
@@ -29054,7 +29800,7 @@ function registerGetBugReport(server2) {
     {
       title: "Get Bug Report",
       description: "AskExe-internal only: fetch one customer bug report with full markdown payload.",
-      inputSchema: { id: z93.string().min(8) }
+      inputSchema: { id: z94.string().min(8) }
     },
     async ({ id }) => {
       const data = await requestJson(`${endpoint()}/${encodeURIComponent(id)}`);
@@ -29069,12 +29815,12 @@ function registerTriageBugReport(server2) {
       title: "Triage Bug Report",
       description: "AskExe-internal only: update bug report status and link task/commit/release metadata.",
       inputSchema: {
-        id: z93.string().min(8),
+        id: z94.string().min(8),
         status: STATUS.optional(),
-        triage_notes: z93.string().optional(),
-        linked_task_id: z93.string().optional(),
-        linked_commit: z93.string().optional(),
-        fixed_version: z93.string().optional()
+        triage_notes: z94.string().optional(),
+        linked_task_id: z94.string().optional(),
+        linked_commit: z94.string().optional(),
+        fixed_version: z94.string().optional()
       }
     },
     async ({ id, status: status2, triage_notes, linked_task_id, linked_commit, fixed_version }) => {
@@ -29086,6 +29832,294 @@ function registerTriageBugReport(server2) {
     }
   );
 }
+var FEATURE_STATUS = z94.enum(["open", "planned", "in_progress", "shipped", "closed", "wontdo"]);
+function featureEndpoint() {
+  return endpoint().replace(/\/bug-reports\/?$/, "/feature-requests");
+}
+function registerListFeatureRequests(server2) {
+  server2.registerTool(
+    "list_feature_requests",
+    {
+      title: "List Feature Requests",
+      description: "AskExe-internal only: list incoming customer feature requests from the support inbox.",
+      inputSchema: {
+        status: z94.enum(["all", "open", "planned", "in_progress", "shipped", "closed", "wontdo"]).default("open"),
+        priority: z94.enum(["p0", "p1", "p2", "p3"]).optional(),
+        limit: z94.number().int().min(1).max(100).default(25)
+      }
+    },
+    async ({ status: status2, priority, limit }) => {
+      const url = new URL(featureEndpoint());
+      url.searchParams.set("status", status2);
+      url.searchParams.set("limit", String(limit));
+      if (priority) url.searchParams.set("priority", priority);
+      const data = await requestJson(url.toString());
+      return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+    }
+  );
+}
+function registerGetFeatureRequest(server2) {
+  server2.registerTool(
+    "get_feature_request",
+    {
+      title: "Get Feature Request",
+      description: "AskExe-internal only: fetch one customer feature request with full payload.",
+      inputSchema: { id: z94.string().min(8) }
+    },
+    async ({ id }) => {
+      const data = await requestJson(`${featureEndpoint()}/${encodeURIComponent(id)}`);
+      return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+    }
+  );
+}
+function registerTriageFeatureRequest(server2) {
+  server2.registerTool(
+    "triage_feature_request",
+    {
+      title: "Triage Feature Request",
+      description: "AskExe-internal only: update feature request status, response notes, and version metadata.",
+      inputSchema: {
+        id: z94.string().min(8),
+        status: FEATURE_STATUS.optional(),
+        response_notes: z94.string().optional(),
+        target_version: z94.string().optional(),
+        shipped_version: z94.string().optional()
+      }
+    },
+    async ({ id, status: status2, response_notes, target_version, shipped_version }) => {
+      const data = await requestJson(`${featureEndpoint()}/${encodeURIComponent(id)}`, {
+        method: "PATCH",
+        body: JSON.stringify({ status: status2, response_notes, target_version, shipped_version })
+      });
+      return { content: [{ type: "text", text: JSON.stringify(data, null, 2) }] };
+    }
+  );
+}
+
+// src/mcp/tools/decision.ts
+import { z as z95 } from "zod";
+function buildHandlers6() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerStoreDecision(fake);
+  registerGetDecision(fake);
+  return tools;
+}
+var ACTION_TO_TOOL3 = {
+  store: "store_decision",
+  get: "get_decision"
+};
+function registerDecision(server2) {
+  const handlers = buildHandlers6();
+  server2.registerTool(
+    "decision",
+    {
+      title: "Decision",
+      description: "Store or retrieve authoritative decisions. Actions: store (persist a decision by domain), get (look up a decision by domain/query).",
+      inputSchema: {
+        action: z95.enum(["store", "get"]).describe("Decision operation"),
+        domain: z95.string().optional().describe("Decision domain (e.g. 'architecture', 'hiring')"),
+        decision: z95.string().optional().describe("Decision text for action=store"),
+        rationale: z95.string().optional().describe("Why this decision was made (action=store)"),
+        query: z95.string().optional().describe("Search query for action=get"),
+        limit: z95.coerce.number().optional().describe("Max results for action=get")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const toolName = ACTION_TO_TOOL3[action];
+      if (!toolName) return { content: [{ type: "text", text: `Unknown decision action: ${action}` }], isError: true };
+      const handler = handlers.get(toolName);
+      if (!handler) return { content: [{ type: "text", text: `Handler not found: ${toolName}` }], isError: true };
+      const { action: _, ...args } = input;
+      return handler(args, extra);
+    }
+  );
+}
+
+// src/mcp/tools/session.ts
+import { z as z96 } from "zod";
+function buildHandlers7() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerGetSessionEvents(fake);
+  registerGetLastAssistantResponse(fake);
+  return tools;
+}
+var ACTION_TO_TOOL4 = {
+  events: "get_session_events",
+  last_response: "get_last_assistant_response"
+};
+function registerSession2(server2) {
+  const handlers = buildHandlers7();
+  server2.registerTool(
+    "session",
+    {
+      title: "Session",
+      description: "Session inspection tools. Actions: events (get session event log), last_response (get the most recent assistant response text).",
+      inputSchema: {
+        action: z96.enum(["events", "last_response"]).describe("Session operation"),
+        session_id: z96.string().optional().describe("Session ID for action=events"),
+        limit: z96.coerce.number().optional().describe("Max events for action=events")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const toolName = ACTION_TO_TOOL4[action];
+      if (!toolName) return { content: [{ type: "text", text: `Unknown session action: ${action}` }], isError: true };
+      const handler = handlers.get(toolName);
+      if (!handler) return { content: [{ type: "text", text: `Handler not found: ${toolName}` }], isError: true };
+      const { action: _, ...args } = input;
+      return handler(args, extra);
+    }
+  );
+}
+
+// src/mcp/tools/support-consolidated.ts
+import { z as z97 } from "zod";
+function buildHandlers8() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerCreateBugReport(fake);
+  registerCreateFeatureRequest(fake);
+  registerSupportTools(fake);
+  registerListBugReports(fake);
+  registerGetBugReport(fake);
+  registerTriageBugReport(fake);
+  registerListFeatureRequests(fake);
+  registerGetFeatureRequest(fake);
+  registerTriageFeatureRequest(fake);
+  return tools;
+}
+var ACTION_TO_TOOL5 = {
+  create_bug: "create_bug_report",
+  create_feature: "create_feature_request",
+  list_my_bugs: "list_my_bug_reports",
+  list_my_features: "list_my_feature_requests",
+  list_bugs: "list_bug_reports",
+  get_bug: "get_bug_report",
+  triage_bug: "triage_bug_report",
+  list_features: "list_feature_requests",
+  get_feature: "get_feature_request",
+  triage_feature: "triage_feature_request",
+  health: "support_health",
+  test: "support_test"
+};
+function registerSupportConsolidated(server2) {
+  const handlers = buildHandlers8();
+  server2.registerTool(
+    "support",
+    {
+      title: "Support",
+      description: "Bug reports, feature requests, and support system. Actions: create_bug, create_feature, list_my_bugs, list_my_features, list_bugs, get_bug, triage_bug, list_features, get_feature, triage_feature, health, test.",
+      inputSchema: {
+        action: z97.enum([
+          "create_bug",
+          "create_feature",
+          "list_my_bugs",
+          "list_my_features",
+          "list_bugs",
+          "get_bug",
+          "triage_bug",
+          "list_features",
+          "get_feature",
+          "triage_feature",
+          "health",
+          "test"
+        ]).describe("Support operation"),
+        title: z97.string().optional().describe("Bug/feature title"),
+        description: z97.string().optional().describe("Bug/feature description"),
+        steps_to_reproduce: z97.string().optional().describe("Steps to reproduce (bugs)"),
+        expected_behavior: z97.string().optional().describe("Expected behavior (bugs)"),
+        actual_behavior: z97.string().optional().describe("Actual behavior (bugs)"),
+        severity: z97.string().optional().describe("Severity: p0/p1/p2/p3"),
+        use_case: z97.string().optional().describe("Use case (features)"),
+        proposed_solution: z97.string().optional().describe("Proposed solution (features)"),
+        priority: z97.string().optional().describe("Priority (features)"),
+        id: z97.string().optional().describe("Bug/feature ID for get/triage"),
+        status: z97.string().optional().describe("Filter by status"),
+        classification: z97.string().optional().describe("Triage classification"),
+        resolution: z97.string().optional().describe("Triage resolution"),
+        notes: z97.string().optional().describe("Triage notes (mapped to triage_notes for bug/feature triage)"),
+        triage_notes: z97.string().optional().describe("Triage notes (legacy field name)"),
+        linked_task_id: z97.string().optional().describe("Linked task ID for triage"),
+        linked_commit: z97.string().optional().describe("Linked commit hash for triage"),
+        fixed_version: z97.string().optional().describe("Version that fixes this bug"),
+        limit: z97.coerce.number().optional().describe("Max results")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const toolName = ACTION_TO_TOOL5[action];
+      if (!toolName) return { content: [{ type: "text", text: `Unknown support action: ${action}` }], isError: true };
+      const handler = handlers.get(toolName);
+      if (!handler) return { content: [{ type: "text", text: `Handler not found: ${toolName}` }], isError: true };
+      const { action: _, ...args } = input;
+      if ((action === "triage_bug" || action === "triage_feature") && args.notes && !args.triage_notes) {
+        args.triage_notes = args.notes;
+        delete args.notes;
+      }
+      return handler(args, extra);
+    }
+  );
+}
+
+// src/mcp/tools/diagnostics.ts
+import { z as z98 } from "zod";
+function buildHandlers9() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerCliParityTools(fake);
+  return tools;
+}
+function registerDiagnostics(server2) {
+  const handlers = buildHandlers9();
+  const toolNames = Array.from(handlers.keys());
+  void (toolNames.length > 0 ? toolNames : ["healthcheck"]);
+  server2.registerTool(
+    "diagnostics",
+    {
+      title: "Diagnostics",
+      description: `System diagnostics and admin operations. Actions: ${toolNames.join(", ")}. Covers health checks, update status, cloud status, key management, and employee rename.`,
+      inputSchema: {
+        action: z98.string().describe(`Diagnostic operation: ${toolNames.join(", ")}`),
+        // Pass-through params used by various sub-tools
+        name: z98.string().optional().describe("Employee name (rename_employee)"),
+        new_name: z98.string().optional().describe("New employee name (rename_employee)"),
+        query: z98.string().optional().describe("Search/filter query"),
+        format: z98.string().optional().describe("Output format")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const handler = handlers.get(action);
+      if (!handler) {
+        return {
+          content: [{ type: "text", text: `Unknown diagnostics action: ${action}. Available: ${toolNames.join(", ")}` }],
+          isError: true
+        };
+      }
+      const { action: _, ...args } = input;
+      return handler(args, extra);
+    }
+  );
+}
 
 // src/mcp/tool-gates.ts
 var TOOL_GATES = {
@@ -29142,6 +30176,11 @@ var TOOL_CATEGORIES = {
   registerGetSessionEvents: "core",
   registerGetLastAssistantResponse: "core",
   registerCodeContext: "graph-read",
+  // consolidated tools
+  registerDecision: "core",
+  registerSession: "core",
+  registerSupportConsolidated: "core",
+  registerDiagnostics: "admin",
   registerListBugReports: "admin",
   registerGetBugReport: "admin",
   registerTriageBugReport: "admin",
@@ -29235,6 +30274,36 @@ var TOOL_CATEGORIES = {
   registerListGlobalProcedures: "orchestration",
   registerDeactivateGlobalProcedure: "orchestration"
 };
+var PLAN_TIERS = {
+  free: 0,
+  pro: 1,
+  team: 2,
+  agency: 3,
+  enterprise: 4
+};
+var PLAN_GATES = {
+  core: "free",
+  tasks: "free",
+  comms: "free",
+  reminders: "free",
+  "graph-read": "free",
+  licensing: "free",
+  // always allow checking/managing own license
+  "graph-write": "pro",
+  wiki: "pro",
+  crm: "pro",
+  "raw-data": "pro",
+  documents: "pro",
+  gateway: "pro",
+  admin: "pro",
+  orchestration: "pro"
+};
+function isToolAllowedForPlan(registerFnName, plan) {
+  const category = TOOL_CATEGORIES[registerFnName];
+  if (!category) return true;
+  const requiredPlan = PLAN_GATES[category] ?? "free";
+  return PLAN_TIERS[plan] >= PLAN_TIERS[requiredPlan];
+}
 var CHIEF_OF_STAFF_READ_TOOLS = /* @__PURE__ */ new Set([
   "registerRecallMyMemory",
   "registerAskTeamMemory",
@@ -29270,9 +30339,17 @@ function isToolAllowed(registerFnName) {
 }
 
 // src/mcp/register-tools.ts
-function registerAllTools(server2) {
+var ALWAYS_ALLOWED = /* @__PURE__ */ new Set([
+  "registerMcpPing",
+  "registerGetLicenseStatus",
+  "registerActivateLicense"
+]);
+function registerAllTools(server2, license, hasKey) {
   const gate = (name, fn) => {
-    if (isToolAllowed(name)) fn(server2);
+    if (!isToolAllowed(name)) return;
+    if (hasKey === false && !ALWAYS_ALLOWED.has(name)) return;
+    if (license && !isToolAllowedForPlan(name, license.plan)) return;
+    fn(server2);
   };
   const mcpToolSurface = process.env.EXE_MCP_TOOL_SURFACE ?? "legacy";
   const exposeConsolidatedTasks = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
@@ -29293,6 +30370,14 @@ function registerAllTools(server2) {
   const exposeLegacyGraph = mcpToolSurface !== "consolidated";
   const exposeConsolidatedConfig = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
   const exposeLegacyConfig = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedDecisions = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacyDecisions = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedSession = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacySession = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedSupport = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacySupport = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedDiagnostics = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacyDiagnostics = mcpToolSurface !== "consolidated";
   if (exposeConsolidatedMemory) {
     gate("registerMemory", registerMemory);
   }
@@ -29406,19 +30491,43 @@ function registerAllTools(server2) {
   if (exposeLegacyMemory) {
     gate("registerSearchEverything", registerSearchEverything);
   }
-  gate("registerStoreDecision", registerStoreDecision);
-  gate("registerGetDecision", registerGetDecision);
-  gate("registerCreateBugReport", registerCreateBugReport);
-  gate("registerSupportTools", registerSupportTools);
-  gate("registerCliParityTools", registerCliParityTools);
-  gate("registerGetSessionEvents", registerGetSessionEvents);
-  gate("registerGetLastAssistantResponse", registerGetLastAssistantResponse);
-  gate("registerCodeContext", registerCodeContext);
-  if (process.env.ASKEXE_SUPPORT_ADMIN_TOKEN || process.env.EXE_SUPPORT_ADMIN_TOKEN) {
-    gate("registerListBugReports", registerListBugReports);
-    gate("registerGetBugReport", registerGetBugReport);
-    gate("registerTriageBugReport", registerTriageBugReport);
+  if (exposeConsolidatedDecisions) {
+    gate("registerDecision", registerDecision);
+  }
+  if (exposeLegacyDecisions) {
+    gate("registerStoreDecision", registerStoreDecision);
+    gate("registerGetDecision", registerGetDecision);
+  }
+  if (exposeConsolidatedSupport) {
+    gate("registerSupportConsolidated", registerSupportConsolidated);
   }
+  if (exposeLegacySupport) {
+    gate("registerCreateBugReport", registerCreateBugReport);
+    gate("registerCreateFeatureRequest", registerCreateFeatureRequest);
+    gate("registerSupportTools", registerSupportTools);
+    if (process.env.ASKEXE_SUPPORT_ADMIN_TOKEN || process.env.EXE_SUPPORT_ADMIN_TOKEN) {
+      gate("registerListBugReports", registerListBugReports);
+      gate("registerGetBugReport", registerGetBugReport);
+      gate("registerTriageBugReport", registerTriageBugReport);
+      gate("registerListFeatureRequests", registerListFeatureRequests);
+      gate("registerGetFeatureRequest", registerGetFeatureRequest);
+      gate("registerTriageFeatureRequest", registerTriageFeatureRequest);
+    }
+  }
+  if (exposeConsolidatedDiagnostics) {
+    gate("registerDiagnostics", registerDiagnostics);
+  }
+  if (exposeLegacyDiagnostics) {
+    gate("registerCliParityTools", registerCliParityTools);
+  }
+  if (exposeConsolidatedSession) {
+    gate("registerSession", registerSession2);
+  }
+  if (exposeLegacySession) {
+    gate("registerGetSessionEvents", registerGetSessionEvents);
+    gate("registerGetLastAssistantResponse", registerGetLastAssistantResponse);
+  }
+  gate("registerCodeContext", registerCodeContext);
   if (exposeLegacyConfig) {
     gate("registerGetAgentSpend", registerGetAgentSpend);
   }
@@ -29533,9 +30642,13 @@ var _backfillTimer = null;
 var _ppidWatchdog = null;
 var _shuttingDown = false;
 instrumentServer(server);
-registerAllTools(server);
+var wrappedServer = wrapServerWithTelemetry(server);
+var _licenseGate = await initLicenseGate();
+registerAllTools(wrappedServer, _licenseGate.license, _licenseGate.hasKey);
+startToolTelemetryFlush();
 var _gatedRole = process.env.AGENT_ROLE ?? "standalone";
-process.stderr.write(`[exe-os] Tool gating: role=${_gatedRole}
+var _gatedPlan = _licenseGate.license?.plan ?? (_licenseGate.hasKey ? "validating" : "no-key");
+process.stderr.write(`[exe-os] Tool gating: role=${_gatedRole} plan=${_gatedPlan}
 `);
 try {
   await initStore();
@@ -29585,7 +30698,7 @@ try {
     }
   }, 3e4);
   _ppidWatchdog.unref();
-  const MCP_VERSION_PATH = path54.join(os20.homedir(), ".exe-os", "mcp-version");
+  const MCP_VERSION_PATH = path55.join(os20.homedir(), ".exe-os", "mcp-version");
   let _currentMcpVersion = null;
   try {
     _currentMcpVersion = existsSync41(MCP_VERSION_PATH) ? readFileSync36(MCP_VERSION_PATH, "utf8").trim() : null;
@@ -29627,14 +30740,14 @@ try {
 `
       );
       const thisFile = fileURLToPath7(import.meta.url);
-      const backfillPath = path54.resolve(
-        path54.dirname(thisFile),
+      const backfillPath = path55.resolve(
+        path55.dirname(thisFile),
         "../bin/backfill-vectors.js"
       );
       if (existsSync41(backfillPath)) {
         const { EXE_AI_DIR: exeDir } = await Promise.resolve().then(() => (init_config(), config_exports));
-        const logPath = path54.join(exeDir, "workers.log");
-        mkdirSync23(path54.dirname(logPath), { recursive: true });
+        const logPath = path55.join(exeDir, "workers.log");
+        mkdirSync23(path55.dirname(logPath), { recursive: true });
         let logFd = "ignore";
         try {
           logFd = openSync4(logPath, "a");