@askexenow/exe-os 0.9.86 → 0.9.88

package/dist/bin/cli.js

@@ -1229,6 +1229,15 @@ async function registerMcpServer(packageRoot, homeDir = os6.homedir()) {
     delete claudeJson.mcpServers[MCP_LEGACY_KEY];
     process.stderr.write("exe-os: migrated MCP server key exe-mem \u2192 exe-os\n");
   }
+  if (claudeJson.projects) {
+    for (const [projectPath, projectConfig] of Object.entries(claudeJson.projects)) {
+      if (projectConfig.mcpServers?.[MCP_LEGACY_KEY]) {
+        delete projectConfig.mcpServers[MCP_LEGACY_KEY];
+        process.stderr.write(`exe-os: removed stale project-level exe-mem from ${projectPath}
+`);
+      }
+    }
+  }
   const currentOs = claudeJson.mcpServers[MCP_PRIMARY_KEY];
   const osMatches = currentOs && JSON.stringify(currentOs) === JSON.stringify(newEntry);
   if (osMatches) {
@@ -4340,6 +4349,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync3 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config) {
   if (_walCheckpointTimer) {
@@ -4381,6 +4391,16 @@ async function initDatabase(config) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync3(config.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync3(config.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -5743,6 +5763,7 @@ import { fileURLToPath as fileURLToPath3 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath3(importMetaUrl));
@@ -6556,6 +6577,21 @@ var init_crdt_sync = __esm({
   }
 });
 
+// src/lib/pg-ssl.ts
+var pg_ssl_exports = {};
+__export(pg_ssl_exports, {
+  pgSslConfig: () => pgSslConfig
+});
+function pgSslConfig() {
+  if (process.env.EXE_DB_SSL_DISABLED === "true") return {};
+  return { ssl: { rejectUnauthorized: process.env.EXE_DB_SSL_ALLOW_SELFSIGNED !== "true" } };
+}
+var init_pg_ssl = __esm({
+  "src/lib/pg-ssl.ts"() {
+    "use strict";
+  }
+});
+
 // src/lib/db-backup.ts
 var db_backup_exports = {};
 __export(db_backup_exports, {
@@ -6669,6 +6705,7 @@ __export(cloud_sync_exports, {
   cloudPull: () => cloudPull,
   cloudPullBehaviors: () => cloudPullBehaviors,
   cloudPullBlob: () => cloudPullBlob,
+  cloudPullCodeContext: () => cloudPullCodeContext,
   cloudPullConversations: () => cloudPullConversations,
   cloudPullDocuments: () => cloudPullDocuments,
   cloudPullGlobalProcedures: () => cloudPullGlobalProcedures,
@@ -6678,6 +6715,7 @@ __export(cloud_sync_exports, {
   cloudPush: () => cloudPush,
   cloudPushBehaviors: () => cloudPushBehaviors,
   cloudPushBlob: () => cloudPushBlob,
+  cloudPushCodeContext: () => cloudPushCodeContext,
   cloudPushConversations: () => cloudPushConversations,
   cloudPushDocuments: () => cloudPushDocuments,
   cloudPushGlobalProcedures: () => cloudPushGlobalProcedures,
@@ -6756,7 +6794,8 @@ function loadPgClient() {
         return new Ctor();
       }
       const { Pool } = await import("pg");
-      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL, ...pgSslConfig2() });
       return {
         async $queryRawUnsafe(query, ...values) {
           const result = await pool.query(query, values);
@@ -7301,6 +7340,17 @@ async function cloudSync(config) {
   } catch (err) {
     logError(`[cloud-sync] DB backup upload error: ${err instanceof Error ? err.message : String(err)}`);
   }
+  let codeContextResult = { pushed: 0, pulled: 0 };
+  try {
+    codeContextResult.pushed = await cloudPushCodeContext(config);
+  } catch (err) {
+    logError(`[cloud-sync] Code context push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    codeContextResult.pulled = await cloudPullCodeContext(config);
+  } catch (err) {
+    logError(`[cloud-sync] Code context pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
   return {
     pushed,
     pulled,
@@ -7310,7 +7360,8 @@ async function cloudSync(config) {
     tasks: tasksResult,
     conversations: conversationsResult,
     documents: documentsResult,
-    roster: rosterResult
+    roster: rosterResult,
+    codeContext: codeContextResult
   };
 }
 function recordRosterDeletion(name) {
@@ -7948,7 +7999,99 @@ async function cloudPullDocuments(config) {
   }
   return { pulled };
 }
-var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, CLOUD_REUPLOAD_REQUIRED_MESSAGE, ROSTER_DELETIONS_PATH;
+async function cloudPushCodeContext(config) {
+  assertSecureEndpoint(config.endpoint);
+  if (!existsSync16(CODE_CONTEXT_DIR)) return 0;
+  const files = readdirSync2(CODE_CONTEXT_DIR).filter(
+    (f) => f.endsWith(".json") && !f.endsWith(".vectors.json") && !f.startsWith(".")
+  );
+  if (files.length === 0) return 0;
+  const metaPath = path16.join(CODE_CONTEXT_DIR, ".sync-meta.json");
+  let syncMeta = {};
+  if (existsSync16(metaPath)) {
+    try {
+      syncMeta = JSON.parse(readFileSync12(metaPath, "utf-8"));
+    } catch {
+    }
+  }
+  let pushed = 0;
+  for (const file of files) {
+    const filePath = path16.join(CODE_CONTEXT_DIR, file);
+    try {
+      const stat2 = statSync4(filePath);
+      const lastPushed = syncMeta[file] ?? 0;
+      if (stat2.mtimeMs <= lastPushed) continue;
+      const content = readFileSync12(filePath, "utf-8");
+      const header = content.substring(0, 300);
+      if (header.includes("/tmp") || header.includes("/var/folders") || header.includes(".worktrees/")) continue;
+      const compressed = compress(Buffer.from(content, "utf8"));
+      const encrypted = encryptSyncBlob(compressed);
+      const resp = await fetchWithRetry(`${config.endpoint}/sync/push-code-context`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${config.apiKey}`,
+          "Content-Type": "application/json",
+          "X-Device-Id": loadDeviceId()
+        },
+        body: JSON.stringify({ key: file, blob: encrypted })
+      });
+      if (resp.ok) {
+        syncMeta[file] = stat2.mtimeMs;
+        pushed++;
+      }
+    } catch {
+    }
+  }
+  if (pushed > 0) {
+    try {
+      writeFileSync10(metaPath, JSON.stringify(syncMeta));
+    } catch {
+    }
+  }
+  return pushed;
+}
+async function cloudPullCodeContext(config) {
+  assertSecureEndpoint(config.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config.endpoint}/sync/pull-code-context`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return 0;
+    const data = await resp.json();
+    if (!data.indexes || data.indexes.length === 0) return 0;
+    mkdirSync9(CODE_CONTEXT_DIR, { recursive: true });
+    let pulled = 0;
+    for (const { key, blob } of data.indexes) {
+      try {
+        if (key.endsWith(".vectors.json")) continue;
+        const localPath = path16.join(CODE_CONTEXT_DIR, key);
+        const compressed = decryptSyncBlob(blob);
+        const content = decompress(compressed).toString("utf8");
+        if (!existsSync16(localPath)) {
+          writeFileSync10(localPath, content, "utf-8");
+          pulled++;
+        } else {
+          const localContent = readFileSync12(localPath, "utf-8");
+          if (localContent.length !== content.length) {
+            writeFileSync10(localPath, content, "utf-8");
+            pulled++;
+          }
+        }
+      } catch {
+      }
+    }
+    return pulled;
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] Code context pull failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return 0;
+  }
+}
+var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, CLOUD_REUPLOAD_REQUIRED_MESSAGE, ROSTER_DELETIONS_PATH, CODE_CONTEXT_DIR;
 var init_cloud_sync = __esm({
   "src/lib/cloud-sync.ts"() {
     "use strict";
@@ -7969,6 +8112,7 @@ var init_cloud_sync = __esm({
     _pgFailed = false;
     CLOUD_REUPLOAD_REQUIRED_MESSAGE = "Cloud sync is blocked because this device rotated its memory encryption key. Run `exe-os cloud reupload` first to re-upload the cloud backup with the new key.";
     ROSTER_DELETIONS_PATH = path16.join(EXE_AI_DIR, "roster-deletions.json");
+    CODE_CONTEXT_DIR = path16.join(EXE_AI_DIR, "code-context");
   }
 });
 
@@ -8719,6 +8863,24 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "When an agent encounters a suspected Exe OS bug, update breakage, MCP/tool failure, installer issue, memory/orchestration defect, or customer-local patch need, it MUST use create_bug_report. Do this before or alongside any local workaround so the report reaches AskExe support directly via the customer's license. Do NOT ask the founder for permission to file a required bug report. If create_bug_report is deferred/lazy-loaded, load it and call it. If it is unavailable in the live MCP surface, report 'create_bug_report unavailable in this session' and save a local report in exe/output \u2014 never claim the tool does not exist unless the live MCP surface was checked. If upstream delivery fails, call support_test (MCP) and include its result in the local report so AskExe can distinguish customer setup, license provisioning, and server intake issues; only ask the founder to run `exe-os support test` if MCP is disconnected/unavailable. Classify first: upstream_bug = reproducible exe-os/platform defect; customer_customization = identity, behavior, procedure, config, branding, workflow preference that belongs in customer-owned layers; emergency_hotfix = temporary local patch. For upstream bugs/emergency hotfixes include version, repro steps, expected/actual, files changed, workaround, and local diff summary. Avoid permanent platform-code patches unless founder approves; if a hotfix is unavoidable, document it in the bug report and re-check after npm update."
       },
+      {
+        title: "Bug report status check \u2014 surface available fixes on boot",
+        domain: "support",
+        priority: "p1",
+        content: "Once per session (COO boot only, never repeat), call list_my_bug_reports to check if any previously filed bug reports have been fixed by AskExe. If any report has status 'fixed' with a fixed_version, surface it to the founder immediately: '\u{1F527} N bug fix(es) available \u2014 run exe-os update to get version X.Y.Z'. This is a one-time check at boot, not a recurring poll. If no reports exist or none are fixed, skip silently. If the MCP tool is unavailable or the network call fails, skip silently \u2014 this is informational, not blocking."
+      },
+      {
+        title: "Feature request triage \u2014 upstream feature vs local customization",
+        domain: "support",
+        priority: "p0",
+        content: "When an agent or founder identifies a desired capability that exe-os does not yet provide, the COO (or equivalent coordinator) must decide: is this a local customization (identity, behavior, procedure, config, branding, workflow preference that can be configured in customer-owned layers) or an upstream feature request (a platform capability that requires changes to exe-os code, shipped via npm update)? Local customizations: implement immediately using store_behavior, update_identity, company_procedure, or config changes. Upstream features: use create_feature_request to submit to AskExe. Include use case, business impact, and current workaround. Do NOT ask the founder for permission to file a feature request \u2014 file it proactively when the need is clear."
+      },
+      {
+        title: "Feature request status check \u2014 surface shipped features on boot",
+        domain: "support",
+        priority: "p1",
+        content: "Once per session (COO boot only, never repeat), call list_my_feature_requests to check if any previously filed feature requests have been shipped by AskExe. If any request has status 'shipped' with a shipped_version, surface it to the founder immediately: '\u{1F680} N feature(s) shipped \u2014 run exe-os update to get version X.Y.Z'. This is a one-time check at boot, not a recurring poll. If no requests exist or none are shipped, skip silently. If the MCP tool is unavailable or the network call fails, skip silently \u2014 this is informational, not blocking."
+      },
       // --- Operations ---
       {
         title: "Managers must supervise deployed workers",
@@ -13300,7 +13462,7 @@ function readQueue() {
 function writeQueue(queue) {
   ensureDir2();
   const tmp = `${QUEUE_PATH}.tmp`;
-  writeFileSync18(tmp, JSON.stringify(queue, null, 2));
+  writeFileSync18(tmp, JSON.stringify(queue, null, 2), { mode: 384 });
   renameSync5(tmp, QUEUE_PATH);
 }
 function queueIntercom(targetSession, reason) {
@@ -18017,12 +18179,14 @@ On EVERY new conversation, before doing anything else:
 1. **Memory scan**: Run recall_my_memory with broad queries \u2014 "project", "client", "pipeline", "campaign", "deal", "decision", "blocker". Summarize what you find.
 2. **Task scan**: Run list_tasks to see what's open, in progress, blocked, or needs review across all employees.
 3. **Team check**: Run ask_team_memory for recent activity from CTO/CMO/engineers.
-4. **Present the brief**: Give the founder a concise status report:
+4. **Bug fix check** (one-time, never repeat): Call list_my_bug_reports to see if AskExe has fixed any previously filed bugs. If any have status "fixed" with a fixed_version, tell the founder: "\u{1F527} N bug fix(es) available \u2014 run \`exe-os update\` to get version X.Y.Z." Skip silently if none or if the call fails.
+5. **Present the brief**: Give the founder a concise status report:
    - What's active and progressing
    - What's blocked and needs attention
    - What decisions are pending
+   - Available bug fixes (from step 4, if any)
    - What you recommend doing next
-5. Then ask: "What's the priority?"
+6. Then ask: "What's the priority?"
 
 If this is your FIRST ever conversation (few or no prior memories):
 - Search more broadly: "product", "SEO", "meeting", "strategy", "revenue"
@@ -18042,6 +18206,8 @@ Never say "I have no memories" without first searching broadly. Your memory may
 - **get_identity** \u2014 read any agent's identity for coordination
 - **set_agent_config** \u2014 view or change which tool (Claude Code, Codex, OpenCode) and model each agent uses. Call with no args to show all agents' current settings. Call with agent_id + runtime + model to change.
 - **send_message** \u2014 direct intercom to employees
+- **create_bug_report** \u2014 file a bug when you encounter an Exe OS platform issue
+- **list_my_bug_reports** \u2014 check status of filed bugs (boot check: surface available fixes to founder)
 ${PLAN_MODE_COMPAT}
 ## Completion Workflow
 
@@ -18467,7 +18633,7 @@ import {
   readFileSync as readFileSync26,
   writeFileSync as writeFileSync23,
   mkdirSync as mkdirSync22,
-  chmodSync as chmodSync3,
+  chmodSync as chmodSync4,
   readdirSync as readdirSync9,
   unlinkSync as unlinkSync15
 } from "fs";
@@ -18488,7 +18654,7 @@ function generateSessionWrappers(packageRoot, homeDir) {
   for (const src of candidates) {
     if (existsSync31(src)) {
       writeFileSync23(exeStartDst, readFileSync26(src));
-      chmodSync3(exeStartDst, 493);
+      chmodSync4(exeStartDst, 493);
       break;
     }
   }
@@ -18552,7 +18718,7 @@ exec "${exeStartDst}" "$0" "$@"
 exec node "${codexLauncher}" --agent ${emp.name} "$@"
 `;
       writeFileSync23(wrapperPath, content);
-      chmodSync3(wrapperPath, 493);
+      chmodSync4(wrapperPath, 493);
       created++;
     }
   }
@@ -18562,7 +18728,7 @@ exec node "${codexLauncher}" --agent ${emp.name} "$@"
 function writeWrapper(wrapperPath, content) {
   try {
     writeFileSync23(wrapperPath, content);
-    chmodSync3(wrapperPath, 493);
+    chmodSync4(wrapperPath, 493);
   } catch {
   }
 }
@@ -19656,6 +19822,10 @@ async function runUpdate(cliArgs) {
 \u{1F4E6} Update available: v${result.localVersion} \u2192 v${result.remoteVersion}
 `);
   let proceed = autoMode;
+  if (!proceed && !process.stdin.isTTY) {
+    console.log("Non-interactive mode detected (no TTY). Use --yes to auto-confirm, or run interactively.");
+    process.exit(1);
+  }
   if (!proceed) {
     const rl = createInterface5({ input: process.stdin, output: process.stdout });
     const answer = await new Promise((resolve) => {
@@ -20107,8 +20277,9 @@ function hydrateEnv(raw, opts) {
     else if (key === "MONITOR_AGENT_KEY") continue;
     else if (key === "EXE_GATEWAY_WS_RELAY_AUTH_TOKEN") replacements[key] = randomHexSecret(24);
     else if (key.endsWith("_PASSWORD")) replacements[key] = randomSecret(24);
-    else if (key.endsWith("_SECRET") || key.endsWith("_TOKEN") || key.endsWith("_KEY") || key.endsWith("_SALT")) replacements[key] = value.replace(/CHANGEME[A-Z0-9_]*/g, randomSecret(32));
-    else if (key === "EXED_MCP_TOKEN") replacements[key] = randomSecret(32);
+    else if (key.endsWith("_TOKEN")) replacements[key] = randomHexSecret(32);
+    else if (key.endsWith("_SECRET") || key.endsWith("_SALT")) replacements[key] = randomSecret(32);
+    else if (key.endsWith("_KEY") && key !== "EXE_LICENSE_KEY") continue;
   }
   if (domain) next = next.replaceAll("CHANGEME_DOMAIN", domain);
   next = patchEnv(next, replacements);
@@ -20505,8 +20676,8 @@ Options:
 }
 function printChanges(changes, composeFile, envFile) {
   if (changes.length === 0) {
-    const running = areCliContainersRunning(composeFile, envFile);
-    if (running) {
+    const running2 = areCliContainersRunning(composeFile, envFile);
+    if (running2) {
       console.log("Stack .env matches target manifest. Checking container health...\n");
       const unhealthy = printContainerHealth(composeFile, envFile);
       if (unhealthy > 0) {
@@ -20515,16 +20686,28 @@ function printChanges(changes, composeFile, envFile) {
       } else {
         console.log("\n\u2705 Stack already matches target manifest. All services healthy.");
       }
+      return unhealthy;
     } else {
       console.log("\u26A0\uFE0F  Stack .env matches target manifest but containers are not running. Will start them.");
+      return 1;
     }
-    return;
   }
   console.log("Planned image tag changes:");
   for (const c of changes) {
     console.log(`  - ${c.service}: ${c.key}`);
     console.log(`      ${c.before ?? "<unset>"} \u2192 ${c.after}`);
   }
+  const running = areCliContainersRunning(composeFile, envFile);
+  if (running) {
+    console.log("\nCurrent container health:");
+    const unhealthy = printContainerHealth(composeFile, envFile);
+    if (unhealthy > 0) {
+      console.log(`
+\u{1F534} ${unhealthy} service(s) currently unhealthy or crashlooping.`);
+    }
+    return unhealthy;
+  }
+  return 0;
 }
 function areCliContainersRunning(composeFile, envFile) {
   try {
@@ -20634,9 +20817,12 @@ async function main7(args2 = process.argv.slice(2)) {
   console.log(`Compose:  ${opts.composeFile}`);
   console.log(`Env:      ${opts.envFile}
 `);
-  printChanges(plan.changes, opts.composeFile, opts.envFile);
+  const unhealthyCount = printChanges(plan.changes, opts.composeFile, opts.envFile);
   printBreaking(plan.breakingChanges);
-  if (opts.check || opts.dryRun) return;
+  if (opts.check || opts.dryRun) {
+    if (unhealthyCount > 0) process.exitCode = 1;
+    return;
+  }
   if (!opts.yes) {
     console.error("\nRefusing to update without --yes. Re-run with --yes after reviewing the plan.");
     process.exit(2);
@@ -35190,16 +35376,89 @@ var code_context_index_exports = {};
 __export(code_context_index_exports, {
   analyzeBlastRadius: () => analyzeBlastRadius,
   buildCodeContextIndex: () => buildCodeContextIndex,
+  buildCodeContextIndexWithEmbeddings: () => buildCodeContextIndexWithEmbeddings,
   getCodeContextIndexPath: () => getCodeContextIndexPath,
   getCodeContextStats: () => getCodeContextStats,
   loadOrBuildCodeContextIndex: () => loadOrBuildCodeContextIndex,
   searchCodeContext: () => searchCodeContext,
+  searchCodeContextSemantic: () => searchCodeContextSemantic,
   traceCodeSymbol: () => traceCodeSymbol
 });
 import crypto14 from "crypto";
 import path51 from "path";
 import { existsSync as existsSync36, mkdirSync as mkdirSync25, readFileSync as readFileSync32, readdirSync as readdirSync11, statSync as statSync7, writeFileSync as writeFileSync26 } from "fs";
 import { spawnSync as spawnSync3 } from "child_process";
+function vectorStorePath(projectRoot) {
+  const rootHash = hashText(projectRoot).slice(0, 16);
+  return path51.join(indexDir(), `${rootHash}.vectors.json`);
+}
+function loadVectorStore(projectRoot) {
+  const file = vectorStorePath(projectRoot);
+  if (!existsSync36(file)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync32(file, "utf8"));
+    if (parsed.version !== VECTOR_STORE_VERSION) return null;
+    return parsed;
+  } catch {
+    return null;
+  }
+}
+function saveVectorStore(projectRoot, store) {
+  writeFileSync26(vectorStorePath(projectRoot), JSON.stringify(store));
+}
+function cosineSimilarity(a, b) {
+  let dot = 0, normA = 0, normB = 0;
+  for (let i = 0; i < a.length; i++) {
+    dot += a[i] * b[i];
+    normA += a[i] * a[i];
+    normB += b[i] * b[i];
+  }
+  const denom = Math.sqrt(normA) * Math.sqrt(normB);
+  return denom === 0 ? 0 : dot / denom;
+}
+async function embedSymbols(index) {
+  const rootHash = hashText(index.projectRoot).slice(0, 16);
+  const existing = loadVectorStore(index.projectRoot);
+  const store = {
+    version: VECTOR_STORE_VERSION,
+    projectRootHash: rootHash,
+    vectors: {}
+  };
+  const allSymbols = [];
+  for (const file of Object.values(index.files)) {
+    for (const symbol of file.symbols) {
+      if (existing?.vectors[symbol.id]) {
+        store.vectors[symbol.id] = existing.vectors[symbol.id];
+      } else {
+        allSymbols.push({ id: symbol.id, text: symbol.summary || `${symbol.kind} ${symbol.name} in ${symbol.filePath}` });
+      }
+    }
+  }
+  if (allSymbols.length === 0) {
+    saveVectorStore(index.projectRoot, store);
+    return store;
+  }
+  const connected = await connectEmbedDaemon().catch(() => false);
+  if (!connected) {
+    saveVectorStore(index.projectRoot, store);
+    return store;
+  }
+  for (let i = 0; i < allSymbols.length; i += EMBED_BATCH_SIZE) {
+    const batch = allSymbols.slice(i, i + EMBED_BATCH_SIZE);
+    const texts = batch.map((s) => s.text);
+    try {
+      const vectors = await embedBatchViaClient(texts, "low");
+      if (vectors && vectors.length === batch.length) {
+        for (let j = 0; j < batch.length; j++) {
+          store.vectors[batch[j].id] = vectors[j];
+        }
+      }
+    } catch {
+    }
+  }
+  saveVectorStore(index.projectRoot, store);
+  return store;
+}
 function normalizeProjectRoot(projectRoot) {
   return path51.resolve(projectRoot || process.cwd());
 }
@@ -35475,7 +35734,7 @@ function filteredFiles(index, options = {}) {
     return matchesPath(file.path, options.paths);
   });
 }
-function searchCodeContext(query, options = {}) {
+function lexicalSearch(query, options = {}) {
   const terms = tokenize2(query);
   if (terms.length === 0) return [];
   const index = loadOrBuildCodeContextIndex({ projectRoot: options.projectRoot, force: options.force || options.refreshIndex, maxFiles: options.maxFiles });
@@ -35501,6 +35760,81 @@ function searchCodeContext(query, options = {}) {
   const limit = options.limit ?? 20;
   return results.sort((a, b) => b.score - a.score || a.filePath.localeCompare(b.filePath)).slice(offset, offset + limit);
 }
+function searchCodeContext(query, options = {}) {
+  return lexicalSearch(query, options);
+}
+async function searchCodeContextSemantic(query, options = {}) {
+  const terms = tokenize2(query);
+  if (terms.length === 0) return [];
+  const index = loadOrBuildCodeContextIndex({ projectRoot: options.projectRoot, force: options.force || options.refreshIndex, maxFiles: options.maxFiles });
+  const projectRoot = normalizeProjectRoot(options.projectRoot);
+  const vectorStore = loadVectorStore(projectRoot);
+  if (!vectorStore || Object.keys(vectorStore.vectors).length === 0) {
+    return lexicalSearch(query, options);
+  }
+  let queryVector = null;
+  try {
+    const connected = await connectEmbedDaemon().catch(() => false);
+    if (connected) {
+      const result = await embedBatchViaClient([query], "high");
+      if (result && result.length === 1) queryVector = result[0];
+    }
+  } catch {
+  }
+  if (!queryVector) return lexicalSearch(query, options);
+  const files = filteredFiles(index, options);
+  const candidates = [];
+  for (const file of files) {
+    for (const symbol of file.symbols) {
+      const lexical = scoreSymbol(symbol, terms);
+      const vec = vectorStore.vectors[symbol.id];
+      const vectorScore = vec ? cosineSimilarity(queryVector, vec) : 0;
+      if (lexical.score > 0 || vectorScore > 0.3) {
+        candidates.push({
+          symbol,
+          lexicalScore: lexical.score,
+          vectorScore,
+          matches: lexical.matches
+        });
+      }
+    }
+  }
+  const byLexical = [...candidates].sort((a, b) => b.lexicalScore - a.lexicalScore);
+  const byVector = [...candidates].sort((a, b) => b.vectorScore - a.vectorScore);
+  const lexicalRank = /* @__PURE__ */ new Map();
+  const vectorRank = /* @__PURE__ */ new Map();
+  byLexical.forEach((c, i) => lexicalRank.set(c.symbol.id, i + 1));
+  byVector.forEach((c, i) => vectorRank.set(c.symbol.id, i + 1));
+  const VECTOR_WEIGHT = 0.6;
+  const LEXICAL_WEIGHT = 0.4;
+  const fused = candidates.map((c) => {
+    const lRank = lexicalRank.get(c.symbol.id) ?? candidates.length + 1;
+    const vRank = vectorRank.get(c.symbol.id) ?? candidates.length + 1;
+    const rrfScore = VECTOR_WEIGHT * (1 / (RRF_K + vRank)) + LEXICAL_WEIGHT * (1 / (RRF_K + lRank));
+    return {
+      symbol: c.symbol,
+      score: rrfScore,
+      matches: c.vectorScore > 0.3 ? [...c.matches, `semantic=${c.vectorScore.toFixed(3)}`] : c.matches,
+      filePath: c.symbol.filePath,
+      language: c.symbol.language,
+      content: c.symbol.text,
+      startLine: c.symbol.startLine,
+      endLine: c.symbol.endLine
+    };
+  });
+  const offset = Math.max(0, options.offset ?? 0);
+  const limit = options.limit ?? 20;
+  return fused.sort((a, b) => b.score - a.score || a.filePath.localeCompare(b.filePath)).slice(offset, offset + limit);
+}
+async function buildCodeContextIndexWithEmbeddings(options = {}) {
+  const index = buildCodeContextIndex(options);
+  const existingStore = loadVectorStore(index.projectRoot);
+  const existingCount = existingStore ? Object.keys(existingStore.vectors).length : 0;
+  const store = await embedSymbols(index);
+  const vectorCount = Object.keys(store.vectors).length;
+  const newEmbeddings = vectorCount - Math.min(existingCount, vectorCount);
+  return { index, vectorCount, newEmbeddings };
+}
 function dependentsMap(index) {
   const map = /* @__PURE__ */ new Map();
   for (const file of Object.values(index.files)) {
@@ -35592,15 +35926,19 @@ function getCodeContextStats(options = {}) {
     indexPath: getCodeContextIndexPath(index.projectRoot)
   };
 }
-var INDEX_VERSION, DEFAULT_MAX_FILES, IGNORE_SEGMENTS;
+var VECTOR_STORE_VERSION, EMBED_BATCH_SIZE, INDEX_VERSION, DEFAULT_MAX_FILES, IGNORE_SEGMENTS, RRF_K;
 var init_code_context_index = __esm({
   "src/lib/code-context-index.ts"() {
     "use strict";
     init_config();
     init_code_chunker();
+    init_exe_daemon_client();
+    VECTOR_STORE_VERSION = 1;
+    EMBED_BATCH_SIZE = 64;
     INDEX_VERSION = 2;
     DEFAULT_MAX_FILES = 5e3;
     IGNORE_SEGMENTS = /* @__PURE__ */ new Set(["node_modules", "dist", ".git", "coverage", ".worktrees", ".next", "build", "target", "vendor"]);
+    RRF_K = 60;
   }
 });
 

package/dist/bin/exe-agent.js

@@ -1271,6 +1271,7 @@ var OllamaProvider = class {
 import { randomUUID as randomUUID3 } from "crypto";
 
 // src/lib/database.ts
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 
 // src/lib/employees.ts
@@ -1377,6 +1378,24 @@ var PLATFORM_PROCEDURES = [
     priority: "p0",
     content: "When an agent encounters a suspected Exe OS bug, update breakage, MCP/tool failure, installer issue, memory/orchestration defect, or customer-local patch need, it MUST use create_bug_report. Do this before or alongside any local workaround so the report reaches AskExe support directly via the customer's license. Do NOT ask the founder for permission to file a required bug report. If create_bug_report is deferred/lazy-loaded, load it and call it. If it is unavailable in the live MCP surface, report 'create_bug_report unavailable in this session' and save a local report in exe/output \u2014 never claim the tool does not exist unless the live MCP surface was checked. If upstream delivery fails, call support_test (MCP) and include its result in the local report so AskExe can distinguish customer setup, license provisioning, and server intake issues; only ask the founder to run `exe-os support test` if MCP is disconnected/unavailable. Classify first: upstream_bug = reproducible exe-os/platform defect; customer_customization = identity, behavior, procedure, config, branding, workflow preference that belongs in customer-owned layers; emergency_hotfix = temporary local patch. For upstream bugs/emergency hotfixes include version, repro steps, expected/actual, files changed, workaround, and local diff summary. Avoid permanent platform-code patches unless founder approves; if a hotfix is unavoidable, document it in the bug report and re-check after npm update."
   },
+  {
+    title: "Bug report status check \u2014 surface available fixes on boot",
+    domain: "support",
+    priority: "p1",
+    content: "Once per session (COO boot only, never repeat), call list_my_bug_reports to check if any previously filed bug reports have been fixed by AskExe. If any report has status 'fixed' with a fixed_version, surface it to the founder immediately: '\u{1F527} N bug fix(es) available \u2014 run exe-os update to get version X.Y.Z'. This is a one-time check at boot, not a recurring poll. If no reports exist or none are fixed, skip silently. If the MCP tool is unavailable or the network call fails, skip silently \u2014 this is informational, not blocking."
+  },
+  {
+    title: "Feature request triage \u2014 upstream feature vs local customization",
+    domain: "support",
+    priority: "p0",
+    content: "When an agent or founder identifies a desired capability that exe-os does not yet provide, the COO (or equivalent coordinator) must decide: is this a local customization (identity, behavior, procedure, config, branding, workflow preference that can be configured in customer-owned layers) or an upstream feature request (a platform capability that requires changes to exe-os code, shipped via npm update)? Local customizations: implement immediately using store_behavior, update_identity, company_procedure, or config changes. Upstream features: use create_feature_request to submit to AskExe. Include use case, business impact, and current workaround. Do NOT ask the founder for permission to file a feature request \u2014 file it proactively when the need is clear."
+  },
+  {
+    title: "Feature request status check \u2014 surface shipped features on boot",
+    domain: "support",
+    priority: "p1",
+    content: "Once per session (COO boot only, never repeat), call list_my_feature_requests to check if any previously filed feature requests have been shipped by AskExe. If any request has status 'shipped' with a shipped_version, surface it to the founder immediately: '\u{1F680} N feature(s) shipped \u2014 run exe-os update to get version X.Y.Z'. This is a one-time check at boot, not a recurring poll. If no requests exist or none are shipped, skip silently. If the MCP tool is unavailable or the network call fails, skip silently \u2014 this is informational, not blocking."
+  },
   // --- Operations ---
   {
     title: "Managers must supervise deployed workers",