@askexenow/exe-os 0.9.87 → 0.9.88

package/dist/lib/exe-daemon.js

@@ -2112,6 +2112,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config2) {
   if (_walCheckpointTimer) {
@@ -2153,6 +2154,16 @@ async function initDatabase(config2) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config2.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config2.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -4135,6 +4146,21 @@ var init_agentic_ontology = __esm({
   }
 });
 
+// src/lib/pg-ssl.ts
+var pg_ssl_exports = {};
+__export(pg_ssl_exports, {
+  pgSslConfig: () => pgSslConfig
+});
+function pgSslConfig() {
+  if (process.env.EXE_DB_SSL_DISABLED === "true") return {};
+  return { ssl: { rejectUnauthorized: process.env.EXE_DB_SSL_ALLOW_SELFSIGNED !== "true" } };
+}
+var init_pg_ssl = __esm({
+  "src/lib/pg-ssl.ts"() {
+    "use strict";
+  }
+});
+
 // src/lib/projection-worker.ts
 var projection_worker_exports = {};
 __export(projection_worker_exports, {
@@ -4173,7 +4199,8 @@ function loadPrisma() {
         return new Ctor();
       }
       const { Pool } = await import("pg");
-      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL, ...pgSslConfig2() });
       return {
         async $queryRawUnsafe(query, ...values) {
           const result3 = await pool.query(query, values);
@@ -11631,7 +11658,7 @@ function readQueue() {
 function writeQueue(queue) {
   ensureDir();
   const tmp = `${QUEUE_PATH2}.tmp`;
-  writeFileSync11(tmp, JSON.stringify(queue, null, 2));
+  writeFileSync11(tmp, JSON.stringify(queue, null, 2), { mode: 384 });
   renameSync5(tmp, QUEUE_PATH2);
 }
 function queueIntercom(targetSession, reason) {
@@ -20832,6 +20859,166 @@ var init_get_daemon_health = __esm({
   }
 });
 
+// src/mcp/license-gate.ts
+var license_gate_exports = {};
+__export(license_gate_exports, {
+  NO_LICENSE_MESSAGE: () => NO_LICENSE_MESSAGE,
+  getCachedLicenseGate: () => getCachedLicenseGate,
+  initLicenseGate: () => initLicenseGate
+});
+async function initLicenseGate() {
+  const key = loadLicense();
+  _hasLicenseKey = key !== null && key.length > 0;
+  if (_hasLicenseKey) {
+    try {
+      _cachedLicense = await checkLicense();
+    } catch {
+      _cachedLicense = null;
+    }
+    return { license: _cachedLicense, hasKey: true };
+  }
+  return { license: null, hasKey: false };
+}
+function getCachedLicenseGate() {
+  return {
+    license: _cachedLicense,
+    hasKey: _hasLicenseKey
+  };
+}
+var _cachedLicense, _hasLicenseKey, NO_LICENSE_MESSAGE;
+var init_license_gate = __esm({
+  "src/mcp/license-gate.ts"() {
+    "use strict";
+    init_license();
+    _cachedLicense = null;
+    _hasLicenseKey = false;
+    NO_LICENSE_MESSAGE = "License key required. Get your key from the Exe OS team, then:\n\n  echo 'exe_sk_YOUR_KEY' > ~/.exe-os/license.key\n\nThen run /mcp to reconnect, or restart your session.";
+  }
+});
+
+// src/mcp/tool-telemetry.ts
+var tool_telemetry_exports = {};
+__export(tool_telemetry_exports, {
+  getToolUsageStats: () => getToolUsageStats,
+  resetToolUsageStats: () => resetToolUsageStats,
+  startToolTelemetryFlush: () => startToolTelemetryFlush,
+  stopToolTelemetryFlush: () => stopToolTelemetryFlush,
+  wrapServerWithTelemetry: () => wrapServerWithTelemetry
+});
+function recordCall(toolName, action, isError) {
+  let record = _toolCalls.get(toolName);
+  if (!record) {
+    record = { count: 0, actions: /* @__PURE__ */ new Map(), lastCalledAt: 0, errors: 0 };
+    _toolCalls.set(toolName, record);
+  }
+  record.count++;
+  record.lastCalledAt = Date.now();
+  if (isError) record.errors++;
+  if (action) {
+    record.actions.set(action, (record.actions.get(action) ?? 0) + 1);
+  }
+}
+function wrapServerWithTelemetry(server) {
+  const originalRegisterTool = server.registerTool.bind(server);
+  server.registerTool = (name, config2, handler) => {
+    const wrappedHandler = async (input, extra) => {
+      const action = input.action;
+      try {
+        const result3 = await handler(input, extra);
+        const isError = result3?.isError === true;
+        recordCall(name, action, isError);
+        return result3;
+      } catch (err) {
+        recordCall(name, action, true);
+        throw err;
+      }
+    };
+    return originalRegisterTool(name, config2, wrappedHandler);
+  };
+  return server;
+}
+function getToolUsageStats() {
+  let totalCalls = 0;
+  let totalErrors = 0;
+  const tools = {};
+  for (const [name, record] of _toolCalls) {
+    totalCalls += record.count;
+    totalErrors += record.errors;
+    const entry = {
+      calls: record.count,
+      errors: record.errors,
+      lastCalledAt: new Date(record.lastCalledAt).toISOString()
+    };
+    if (record.actions.size > 0) {
+      entry.actions = Object.fromEntries(record.actions);
+    }
+    tools[name] = entry;
+  }
+  return {
+    sessionStartedAt: new Date(_sessionStartedAt).toISOString(),
+    uptimeMs: Date.now() - _sessionStartedAt,
+    totalCalls,
+    totalErrors,
+    tools
+  };
+}
+function resetToolUsageStats() {
+  _toolCalls.clear();
+  _sessionStartedAt = Date.now();
+}
+async function flushToMemory() {
+  const stats = getToolUsageStats();
+  if (stats.totalCalls === 0) return;
+  if (stats.totalCalls === _lastFlushedAt) return;
+  try {
+    const { getClient: getClient2, isInitialized: isInitialized2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+    if (!isInitialized2()) return;
+    const client = getClient2();
+    const toolSummary = Object.entries(stats.tools).sort((a, b) => b[1].calls - a[1].calls).map(([name, t]) => {
+      const actionStr = t.actions ? ` (${Object.entries(t.actions).sort((a, b) => b[1] - a[1]).map(([a, c]) => `${a}:${c}`).join(", ")})` : "";
+      return `${name}: ${t.calls} calls${t.errors > 0 ? ` (${t.errors} errors)` : ""}${actionStr}`;
+    }).join("\n");
+    const raw_text = `Tool usage since ${stats.sessionStartedAt} (${Math.round(stats.uptimeMs / 6e4)}min):
+Total: ${stats.totalCalls} calls, ${stats.totalErrors} errors
+
+${toolSummary}`;
+    await client.execute({
+      sql: `INSERT INTO memories (id, agent_id, raw_text, memory_type, project_name, importance, created_at, updated_at)
+            VALUES (?, 'system', ?, 'telemetry', 'exe-os', 2, datetime('now'), datetime('now'))`,
+      args: [
+        `telemetry-tools-${Date.now()}`,
+        raw_text
+      ]
+    });
+    _lastFlushedAt = stats.totalCalls;
+  } catch {
+  }
+}
+function startToolTelemetryFlush() {
+  if (_flushTimer3) return;
+  _sessionStartedAt = Date.now();
+  _flushTimer3 = setInterval(() => void flushToMemory(), FLUSH_INTERVAL_MS2);
+  _flushTimer3.unref();
+}
+async function stopToolTelemetryFlush() {
+  if (_flushTimer3) {
+    clearInterval(_flushTimer3);
+    _flushTimer3 = null;
+  }
+  await flushToMemory();
+}
+var _toolCalls, _sessionStartedAt, _flushTimer3, FLUSH_INTERVAL_MS2, _lastFlushedAt;
+var init_tool_telemetry = __esm({
+  "src/mcp/tool-telemetry.ts"() {
+    "use strict";
+    _toolCalls = /* @__PURE__ */ new Map();
+    _sessionStartedAt = Date.now();
+    _flushTimer3 = null;
+    FLUSH_INTERVAL_MS2 = 5 * 60 * 1e3;
+    _lastFlushedAt = 0;
+  }
+});
+
 // src/mcp/tools/mcp-ping.ts
 import { existsSync as existsSync27, readFileSync as readFileSync22 } from "fs";
 import path33 from "path";
@@ -20862,6 +21049,7 @@ function registerMcpPing(server) {
       const daemon = isDaemonAlive2();
       const summary = summarizeMcpTransport();
       writeMcpTransportSummary();
+      const gate = getCachedLicenseGate();
       const status2 = daemon.alive ? "ok" : "degraded";
       return {
         content: [
@@ -20870,8 +21058,14 @@ function registerMcpPing(server) {
             text: JSON.stringify({
               status: status2,
               daemon,
+              licenseGate: {
+                hasKey: gate.hasKey,
+                plan: gate.license?.plan ?? "none",
+                valid: gate.license?.valid ?? false
+              },
+              toolUsage: getToolUsageStats(),
               mcpTransport: summary,
-              remediation: daemon.alive ? "MCP transport probe reached the server. If tools still fail, reconnect the MCP client." : "Daemon is offline. Restart exe-os/exed; do not bypass MCP or access the DB directly."
+              remediation: daemon.alive ? gate.hasKey ? "MCP transport probe reached the server. If tools still fail, reconnect the MCP client." : "No license key found. Run: echo 'exe_sk_YOUR_KEY' > ~/.exe-os/license.key then reconnect MCP." : "Daemon is offline. Restart exe-os/exed; do not bypass MCP or access the DB directly."
             }, null, 2)
           }
         ]
@@ -20884,6 +21078,8 @@ var init_mcp_ping = __esm({
   "src/mcp/tools/mcp-ping.ts"() {
     "use strict";
     init_mcp_transport_health();
+    init_license_gate();
+    init_tool_telemetry();
     PID_PATH3 = path33.join(homedir4(), ".exe-os", "exed.pid");
   }
 });
@@ -22171,6 +22367,7 @@ import { fileURLToPath as fileURLToPath4 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath4(importMetaUrl));
@@ -24005,6 +24202,7 @@ __export(cloud_sync_exports, {
   cloudPull: () => cloudPull,
   cloudPullBehaviors: () => cloudPullBehaviors,
   cloudPullBlob: () => cloudPullBlob,
+  cloudPullCodeContext: () => cloudPullCodeContext,
   cloudPullConversations: () => cloudPullConversations,
   cloudPullDocuments: () => cloudPullDocuments,
   cloudPullGlobalProcedures: () => cloudPullGlobalProcedures,
@@ -24014,6 +24212,7 @@ __export(cloud_sync_exports, {
   cloudPush: () => cloudPush,
   cloudPushBehaviors: () => cloudPushBehaviors,
   cloudPushBlob: () => cloudPushBlob,
+  cloudPushCodeContext: () => cloudPushCodeContext,
   cloudPushConversations: () => cloudPushConversations,
   cloudPushDocuments: () => cloudPushDocuments,
   cloudPushGlobalProcedures: () => cloudPushGlobalProcedures,
@@ -24092,7 +24291,8 @@ function loadPgClient() {
         return new Ctor();
       }
       const { Pool } = await import("pg");
-      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL, ...pgSslConfig2() });
       return {
         async $queryRawUnsafe(query, ...values) {
           const result3 = await pool.query(query, values);
@@ -24637,6 +24837,17 @@ async function cloudSync(config2) {
   } catch (err) {
     logError(`[cloud-sync] DB backup upload error: ${err instanceof Error ? err.message : String(err)}`);
   }
+  let codeContextResult = { pushed: 0, pulled: 0 };
+  try {
+    codeContextResult.pushed = await cloudPushCodeContext(config2);
+  } catch (err) {
+    logError(`[cloud-sync] Code context push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    codeContextResult.pulled = await cloudPullCodeContext(config2);
+  } catch (err) {
+    logError(`[cloud-sync] Code context pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
   return {
     pushed,
     pulled,
@@ -24646,7 +24857,8 @@ async function cloudSync(config2) {
     tasks: tasksResult,
     conversations: conversationsResult,
     documents: documentsResult,
-    roster: rosterResult
+    roster: rosterResult,
+    codeContext: codeContextResult
   };
 }
 function recordRosterDeletion(name) {
@@ -25284,7 +25496,99 @@ async function cloudPullDocuments(config2) {
   }
   return { pulled };
 }
-var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS2, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, CLOUD_REUPLOAD_REQUIRED_MESSAGE, ROSTER_DELETIONS_PATH;
+async function cloudPushCodeContext(config2) {
+  assertSecureEndpoint(config2.endpoint);
+  if (!existsSync36(CODE_CONTEXT_DIR)) return 0;
+  const files = readdirSync11(CODE_CONTEXT_DIR).filter(
+    (f) => f.endsWith(".json") && !f.endsWith(".vectors.json") && !f.startsWith(".")
+  );
+  if (files.length === 0) return 0;
+  const metaPath = path41.join(CODE_CONTEXT_DIR, ".sync-meta.json");
+  let syncMeta = {};
+  if (existsSync36(metaPath)) {
+    try {
+      syncMeta = JSON.parse(readFileSync28(metaPath, "utf-8"));
+    } catch {
+    }
+  }
+  let pushed = 0;
+  for (const file of files) {
+    const filePath = path41.join(CODE_CONTEXT_DIR, file);
+    try {
+      const stat = statSync8(filePath);
+      const lastPushed = syncMeta[file] ?? 0;
+      if (stat.mtimeMs <= lastPushed) continue;
+      const content = readFileSync28(filePath, "utf-8");
+      const header = content.substring(0, 300);
+      if (header.includes("/tmp") || header.includes("/var/folders") || header.includes(".worktrees/")) continue;
+      const compressed = compress(Buffer.from(content, "utf8"));
+      const encrypted = encryptSyncBlob(compressed);
+      const resp = await fetchWithRetry(`${config2.endpoint}/sync/push-code-context`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${config2.apiKey}`,
+          "Content-Type": "application/json",
+          "X-Device-Id": loadDeviceId()
+        },
+        body: JSON.stringify({ key: file, blob: encrypted })
+      });
+      if (resp.ok) {
+        syncMeta[file] = stat.mtimeMs;
+        pushed++;
+      }
+    } catch {
+    }
+  }
+  if (pushed > 0) {
+    try {
+      writeFileSync19(metaPath, JSON.stringify(syncMeta));
+    } catch {
+    }
+  }
+  return pushed;
+}
+async function cloudPullCodeContext(config2) {
+  assertSecureEndpoint(config2.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config2.endpoint}/sync/pull-code-context`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config2.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return 0;
+    const data = await resp.json();
+    if (!data.indexes || data.indexes.length === 0) return 0;
+    mkdirSync16(CODE_CONTEXT_DIR, { recursive: true });
+    let pulled = 0;
+    for (const { key, blob } of data.indexes) {
+      try {
+        if (key.endsWith(".vectors.json")) continue;
+        const localPath = path41.join(CODE_CONTEXT_DIR, key);
+        const compressed = decryptSyncBlob(blob);
+        const content = decompress(compressed).toString("utf8");
+        if (!existsSync36(localPath)) {
+          writeFileSync19(localPath, content, "utf-8");
+          pulled++;
+        } else {
+          const localContent = readFileSync28(localPath, "utf-8");
+          if (localContent.length !== content.length) {
+            writeFileSync19(localPath, content, "utf-8");
+            pulled++;
+          }
+        }
+      } catch {
+      }
+    }
+    return pulled;
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] Code context pull failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return 0;
+  }
+}
+var LOCALHOST_PATTERNS, FETCH_TIMEOUT_MS2, PUSH_BATCH_SIZE, ROSTER_LOCK_PATH, LOCK_STALE_MS, _pgPromise, _pgFailed, CLOUD_REUPLOAD_REQUIRED_MESSAGE, ROSTER_DELETIONS_PATH, CODE_CONTEXT_DIR;
 var init_cloud_sync = __esm({
   "src/lib/cloud-sync.ts"() {
     "use strict";
@@ -25305,6 +25609,7 @@ var init_cloud_sync = __esm({
     _pgFailed = false;
     CLOUD_REUPLOAD_REQUIRED_MESSAGE = "Cloud sync is blocked because this device rotated its memory encryption key. Run `exe-os cloud reupload` first to re-upload the cloud backup with the new key.";
     ROSTER_DELETIONS_PATH = path41.join(EXE_AI_DIR, "roster-deletions.json");
+    CODE_CONTEXT_DIR = path41.join(EXE_AI_DIR, "code-context");
   }
 });
 
@@ -29700,6 +30005,22 @@ async function getExeDbReadClient() {
   }
   if (!prismaPromise4) {
     prismaPromise4 = (async () => {
+      const readonlyUrl = process.env.MCP_READONLY_DATABASE_URL;
+      if (readonlyUrl) {
+        const { Pool } = await import("pg");
+        const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+        const pool = new Pool({ connectionString: readonlyUrl, ...pgSslConfig2() });
+        return {
+          async $queryRawUnsafe(query, ...values) {
+            const result3 = await pool.query(query, values);
+            return result3.rows;
+          },
+          async $disconnect() {
+            await pool.end();
+          }
+        };
+      }
+      console.warn("[exe-db-read] WARNING: MCP_READONLY_DATABASE_URL not set \u2014 falling back to admin role");
       const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
       if (explicitPath) {
         const mod2 = await import(pathToFileURL6(explicitPath).href);
@@ -30702,7 +31023,10 @@ function registerSupportTools(server) {
       endpoint2.searchParams.set("status", status2);
       endpoint2.searchParams.set("limit", String(limit));
       const headers = { "content-type": "application/json" };
-      if (licenseKey) headers["x-exe-license-key"] = licenseKey;
+      if (licenseKey) {
+        headers["authorization"] = `Bearer ${licenseKey}`;
+        headers["x-exe-license-key"] = licenseKey;
+      }
       if (licenseToken) headers["x-exe-license-token"] = licenseToken;
       try {
         const res = await fetch(endpoint2.toString(), { method: "GET", headers, signal: AbortSignal.timeout(15e3) });
@@ -30765,7 +31089,10 @@ function registerSupportTools(server) {
       endpoint2.searchParams.set("status", status2);
       endpoint2.searchParams.set("limit", String(limit));
       const headers = { "content-type": "application/json" };
-      if (licenseKey) headers["x-exe-license-key"] = licenseKey;
+      if (licenseKey) {
+        headers["authorization"] = `Bearer ${licenseKey}`;
+        headers["x-exe-license-key"] = licenseKey;
+      }
       if (licenseToken) headers["x-exe-license-token"] = licenseToken;
       try {
         const res = await fetch(endpoint2.toString(), { method: "GET", headers, signal: AbortSignal.timeout(15e3) });
@@ -31243,7 +31570,7 @@ var init_exe_healthcheck = __esm({
     init_is_main();
     init_config();
     init_mcp_transport_health();
-    if (isMainModule(import.meta.url)) {
+    if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("exe-healthcheck")) {
       const { results, passed, failed } = runHealthCheck();
       console.log("\n  exe-os Health Check\n");
       for (const r of results) {
@@ -32496,7 +32823,269 @@ var init_support_inbox = __esm({
   }
 });
 
+// src/mcp/tools/decision.ts
+import { z as z95 } from "zod";
+function buildHandlers6() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerStoreDecision(fake);
+  registerGetDecision(fake);
+  return tools;
+}
+function registerDecision(server) {
+  const handlers = buildHandlers6();
+  server.registerTool(
+    "decision",
+    {
+      title: "Decision",
+      description: "Store or retrieve authoritative decisions. Actions: store (persist a decision by domain), get (look up a decision by domain/query).",
+      inputSchema: {
+        action: z95.enum(["store", "get"]).describe("Decision operation"),
+        domain: z95.string().optional().describe("Decision domain (e.g. 'architecture', 'hiring')"),
+        decision: z95.string().optional().describe("Decision text for action=store"),
+        rationale: z95.string().optional().describe("Why this decision was made (action=store)"),
+        query: z95.string().optional().describe("Search query for action=get"),
+        limit: z95.coerce.number().optional().describe("Max results for action=get")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const toolName = ACTION_TO_TOOL3[action];
+      if (!toolName) return { content: [{ type: "text", text: `Unknown decision action: ${action}` }], isError: true };
+      const handler = handlers.get(toolName);
+      if (!handler) return { content: [{ type: "text", text: `Handler not found: ${toolName}` }], isError: true };
+      const { action: _, ...args } = input;
+      return handler(args, extra);
+    }
+  );
+}
+var ACTION_TO_TOOL3;
+var init_decision = __esm({
+  "src/mcp/tools/decision.ts"() {
+    "use strict";
+    init_store_decision();
+    init_get_decision();
+    ACTION_TO_TOOL3 = {
+      store: "store_decision",
+      get: "get_decision"
+    };
+  }
+});
+
+// src/mcp/tools/session.ts
+import { z as z96 } from "zod";
+function buildHandlers7() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerGetSessionEvents(fake);
+  registerGetLastAssistantResponse(fake);
+  return tools;
+}
+function registerSession2(server) {
+  const handlers = buildHandlers7();
+  server.registerTool(
+    "session",
+    {
+      title: "Session",
+      description: "Session inspection tools. Actions: events (get session event log), last_response (get the most recent assistant response text).",
+      inputSchema: {
+        action: z96.enum(["events", "last_response"]).describe("Session operation"),
+        session_id: z96.string().optional().describe("Session ID for action=events"),
+        limit: z96.coerce.number().optional().describe("Max events for action=events")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const toolName = ACTION_TO_TOOL4[action];
+      if (!toolName) return { content: [{ type: "text", text: `Unknown session action: ${action}` }], isError: true };
+      const handler = handlers.get(toolName);
+      if (!handler) return { content: [{ type: "text", text: `Handler not found: ${toolName}` }], isError: true };
+      const { action: _, ...args } = input;
+      return handler(args, extra);
+    }
+  );
+}
+var ACTION_TO_TOOL4;
+var init_session = __esm({
+  "src/mcp/tools/session.ts"() {
+    "use strict";
+    init_get_session_events();
+    ACTION_TO_TOOL4 = {
+      events: "get_session_events",
+      last_response: "get_last_assistant_response"
+    };
+  }
+});
+
+// src/mcp/tools/support-consolidated.ts
+import { z as z97 } from "zod";
+function buildHandlers8() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerCreateBugReport(fake);
+  registerCreateFeatureRequest(fake);
+  registerSupportTools(fake);
+  registerListBugReports(fake);
+  registerGetBugReport(fake);
+  registerTriageBugReport(fake);
+  registerListFeatureRequests(fake);
+  registerGetFeatureRequest(fake);
+  registerTriageFeatureRequest(fake);
+  return tools;
+}
+function registerSupportConsolidated(server) {
+  const handlers = buildHandlers8();
+  server.registerTool(
+    "support",
+    {
+      title: "Support",
+      description: "Bug reports, feature requests, and support system. Actions: create_bug, create_feature, list_my_bugs, list_my_features, list_bugs, get_bug, triage_bug, list_features, get_feature, triage_feature, health, test.",
+      inputSchema: {
+        action: z97.enum([
+          "create_bug",
+          "create_feature",
+          "list_my_bugs",
+          "list_my_features",
+          "list_bugs",
+          "get_bug",
+          "triage_bug",
+          "list_features",
+          "get_feature",
+          "triage_feature",
+          "health",
+          "test"
+        ]).describe("Support operation"),
+        title: z97.string().optional().describe("Bug/feature title"),
+        description: z97.string().optional().describe("Bug/feature description"),
+        steps_to_reproduce: z97.string().optional().describe("Steps to reproduce (bugs)"),
+        expected_behavior: z97.string().optional().describe("Expected behavior (bugs)"),
+        actual_behavior: z97.string().optional().describe("Actual behavior (bugs)"),
+        severity: z97.string().optional().describe("Severity: p0/p1/p2/p3"),
+        use_case: z97.string().optional().describe("Use case (features)"),
+        proposed_solution: z97.string().optional().describe("Proposed solution (features)"),
+        priority: z97.string().optional().describe("Priority (features)"),
+        id: z97.string().optional().describe("Bug/feature ID for get/triage"),
+        status: z97.string().optional().describe("Filter by status"),
+        classification: z97.string().optional().describe("Triage classification"),
+        resolution: z97.string().optional().describe("Triage resolution"),
+        notes: z97.string().optional().describe("Triage notes (mapped to triage_notes for bug/feature triage)"),
+        triage_notes: z97.string().optional().describe("Triage notes (legacy field name)"),
+        linked_task_id: z97.string().optional().describe("Linked task ID for triage"),
+        linked_commit: z97.string().optional().describe("Linked commit hash for triage"),
+        fixed_version: z97.string().optional().describe("Version that fixes this bug"),
+        limit: z97.coerce.number().optional().describe("Max results")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const toolName = ACTION_TO_TOOL5[action];
+      if (!toolName) return { content: [{ type: "text", text: `Unknown support action: ${action}` }], isError: true };
+      const handler = handlers.get(toolName);
+      if (!handler) return { content: [{ type: "text", text: `Handler not found: ${toolName}` }], isError: true };
+      const { action: _, ...args } = input;
+      if ((action === "triage_bug" || action === "triage_feature") && args.notes && !args.triage_notes) {
+        args.triage_notes = args.notes;
+        delete args.notes;
+      }
+      return handler(args, extra);
+    }
+  );
+}
+var ACTION_TO_TOOL5;
+var init_support_consolidated = __esm({
+  "src/mcp/tools/support-consolidated.ts"() {
+    "use strict";
+    init_create_bug_report();
+    init_create_feature_request();
+    init_support();
+    init_support_inbox();
+    ACTION_TO_TOOL5 = {
+      create_bug: "create_bug_report",
+      create_feature: "create_feature_request",
+      list_my_bugs: "list_my_bug_reports",
+      list_my_features: "list_my_feature_requests",
+      list_bugs: "list_bug_reports",
+      get_bug: "get_bug_report",
+      triage_bug: "triage_bug_report",
+      list_features: "list_feature_requests",
+      get_feature: "get_feature_request",
+      triage_feature: "triage_feature_request",
+      health: "support_health",
+      test: "support_test"
+    };
+  }
+});
+
+// src/mcp/tools/diagnostics.ts
+import { z as z98 } from "zod";
+function buildHandlers9() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerCliParityTools(fake);
+  return tools;
+}
+function registerDiagnostics(server) {
+  const handlers = buildHandlers9();
+  const toolNames = Array.from(handlers.keys());
+  void (toolNames.length > 0 ? toolNames : ["healthcheck"]);
+  server.registerTool(
+    "diagnostics",
+    {
+      title: "Diagnostics",
+      description: `System diagnostics and admin operations. Actions: ${toolNames.join(", ")}. Covers health checks, update status, cloud status, key management, and employee rename.`,
+      inputSchema: {
+        action: z98.string().describe(`Diagnostic operation: ${toolNames.join(", ")}`),
+        // Pass-through params used by various sub-tools
+        name: z98.string().optional().describe("Employee name (rename_employee)"),
+        new_name: z98.string().optional().describe("New employee name (rename_employee)"),
+        query: z98.string().optional().describe("Search/filter query"),
+        format: z98.string().optional().describe("Output format")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const handler = handlers.get(action);
+      if (!handler) {
+        return {
+          content: [{ type: "text", text: `Unknown diagnostics action: ${action}. Available: ${toolNames.join(", ")}` }],
+          isError: true
+        };
+      }
+      const { action: _, ...args } = input;
+      return handler(args, extra);
+    }
+  );
+}
+var init_diagnostics = __esm({
+  "src/mcp/tools/diagnostics.ts"() {
+    "use strict";
+    init_cli_parity();
+  }
+});
+
 // src/mcp/tool-gates.ts
+function isToolAllowedForPlan(registerFnName, plan) {
+  const category = TOOL_CATEGORIES[registerFnName];
+  if (!category) return true;
+  const requiredPlan = PLAN_GATES[category] ?? "free";
+  return PLAN_TIERS[plan] >= PLAN_TIERS[requiredPlan];
+}
 function isChiefOfStaffRole(role) {
   const normalized = (role ?? "").trim().toLowerCase();
   return normalized === "chief of staff" || normalized === "executive assistant";
@@ -32513,7 +33102,7 @@ function isToolAllowed(registerFnName) {
   if (!allowedRoles || allowedRoles.length === 0) return true;
   return allowedRoles.includes(role);
 }
-var TOOL_GATES, TOOL_CATEGORIES, CHIEF_OF_STAFF_READ_TOOLS;
+var TOOL_GATES, TOOL_CATEGORIES, PLAN_TIERS, PLAN_GATES, CHIEF_OF_STAFF_READ_TOOLS;
 var init_tool_gates = __esm({
   "src/mcp/tool-gates.ts"() {
     "use strict";
@@ -32571,6 +33160,11 @@ var init_tool_gates = __esm({
       registerGetSessionEvents: "core",
       registerGetLastAssistantResponse: "core",
       registerCodeContext: "graph-read",
+      // consolidated tools
+      registerDecision: "core",
+      registerSession: "core",
+      registerSupportConsolidated: "core",
+      registerDiagnostics: "admin",
       registerListBugReports: "admin",
       registerGetBugReport: "admin",
       registerTriageBugReport: "admin",
@@ -32664,6 +33258,30 @@ var init_tool_gates = __esm({
       registerListGlobalProcedures: "orchestration",
       registerDeactivateGlobalProcedure: "orchestration"
     };
+    PLAN_TIERS = {
+      free: 0,
+      pro: 1,
+      team: 2,
+      agency: 3,
+      enterprise: 4
+    };
+    PLAN_GATES = {
+      core: "free",
+      tasks: "free",
+      comms: "free",
+      reminders: "free",
+      "graph-read": "free",
+      licensing: "free",
+      // always allow checking/managing own license
+      "graph-write": "pro",
+      wiki: "pro",
+      crm: "pro",
+      "raw-data": "pro",
+      documents: "pro",
+      gateway: "pro",
+      admin: "pro",
+      orchestration: "pro"
+    };
     CHIEF_OF_STAFF_READ_TOOLS = /* @__PURE__ */ new Set([
       "registerRecallMyMemory",
       "registerAskTeamMemory",
@@ -32689,9 +33307,12 @@ var register_tools_exports = {};
 __export(register_tools_exports, {
   registerAllTools: () => registerAllTools
 });
-function registerAllTools(server) {
+function registerAllTools(server, license, hasKey) {
   const gate = (name, fn) => {
-    if (isToolAllowed(name)) fn(server);
+    if (!isToolAllowed(name)) return;
+    if (hasKey === false && !ALWAYS_ALLOWED.has(name)) return;
+    if (license && !isToolAllowedForPlan(name, license.plan)) return;
+    fn(server);
   };
   const mcpToolSurface = process.env.EXE_MCP_TOOL_SURFACE ?? "legacy";
   const exposeConsolidatedTasks = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
@@ -32712,6 +33333,14 @@ function registerAllTools(server) {
   const exposeLegacyGraph = mcpToolSurface !== "consolidated";
   const exposeConsolidatedConfig = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
   const exposeLegacyConfig = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedDecisions = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacyDecisions = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedSession = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacySession = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedSupport = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacySupport = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedDiagnostics = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacyDiagnostics = mcpToolSurface !== "consolidated";
   if (exposeConsolidatedMemory) {
     gate("registerMemory", registerMemory);
   }
@@ -32825,23 +33454,43 @@ function registerAllTools(server) {
   if (exposeLegacyMemory) {
     gate("registerSearchEverything", registerSearchEverything);
   }
-  gate("registerStoreDecision", registerStoreDecision);
-  gate("registerGetDecision", registerGetDecision);
-  gate("registerCreateBugReport", registerCreateBugReport);
-  gate("registerCreateFeatureRequest", registerCreateFeatureRequest);
-  gate("registerSupportTools", registerSupportTools);
-  gate("registerCliParityTools", registerCliParityTools);
-  gate("registerGetSessionEvents", registerGetSessionEvents);
-  gate("registerGetLastAssistantResponse", registerGetLastAssistantResponse);
-  gate("registerCodeContext", registerCodeContext);
-  if (process.env.ASKEXE_SUPPORT_ADMIN_TOKEN || process.env.EXE_SUPPORT_ADMIN_TOKEN) {
-    gate("registerListBugReports", registerListBugReports);
-    gate("registerGetBugReport", registerGetBugReport);
-    gate("registerTriageBugReport", registerTriageBugReport);
-    gate("registerListFeatureRequests", registerListFeatureRequests);
-    gate("registerGetFeatureRequest", registerGetFeatureRequest);
-    gate("registerTriageFeatureRequest", registerTriageFeatureRequest);
+  if (exposeConsolidatedDecisions) {
+    gate("registerDecision", registerDecision);
+  }
+  if (exposeLegacyDecisions) {
+    gate("registerStoreDecision", registerStoreDecision);
+    gate("registerGetDecision", registerGetDecision);
+  }
+  if (exposeConsolidatedSupport) {
+    gate("registerSupportConsolidated", registerSupportConsolidated);
+  }
+  if (exposeLegacySupport) {
+    gate("registerCreateBugReport", registerCreateBugReport);
+    gate("registerCreateFeatureRequest", registerCreateFeatureRequest);
+    gate("registerSupportTools", registerSupportTools);
+    if (process.env.ASKEXE_SUPPORT_ADMIN_TOKEN || process.env.EXE_SUPPORT_ADMIN_TOKEN) {
+      gate("registerListBugReports", registerListBugReports);
+      gate("registerGetBugReport", registerGetBugReport);
+      gate("registerTriageBugReport", registerTriageBugReport);
+      gate("registerListFeatureRequests", registerListFeatureRequests);
+      gate("registerGetFeatureRequest", registerGetFeatureRequest);
+      gate("registerTriageFeatureRequest", registerTriageFeatureRequest);
+    }
+  }
+  if (exposeConsolidatedDiagnostics) {
+    gate("registerDiagnostics", registerDiagnostics);
+  }
+  if (exposeLegacyDiagnostics) {
+    gate("registerCliParityTools", registerCliParityTools);
+  }
+  if (exposeConsolidatedSession) {
+    gate("registerSession", registerSession2);
+  }
+  if (exposeLegacySession) {
+    gate("registerGetSessionEvents", registerGetSessionEvents);
+    gate("registerGetLastAssistantResponse", registerGetLastAssistantResponse);
   }
+  gate("registerCodeContext", registerCodeContext);
   if (exposeLegacyConfig) {
     gate("registerGetAgentSpend", registerGetAgentSpend);
   }
@@ -32890,6 +33539,7 @@ function registerAllTools(server) {
     gate("registerCompanyActions", registerCompanyActions);
   }
 }
+var ALWAYS_ALLOWED;
 var init_register_tools = __esm({
   "src/mcp/register-tools.ts"() {
     "use strict";
@@ -32989,7 +33639,16 @@ var init_register_tools = __esm({
     init_get_session_events();
     init_code_context();
     init_support_inbox();
+    init_decision();
+    init_session();
+    init_support_consolidated();
+    init_diagnostics();
     init_tool_gates();
+    ALWAYS_ALLOWED = /* @__PURE__ */ new Set([
+      "registerMcpPing",
+      "registerGetLicenseStatus",
+      "registerActivateLicense"
+    ]);
   }
 });
 
@@ -34007,7 +34666,7 @@ import os24 from "os";
 import net2 from "net";
 import { createServer as createHttpServer } from "http";
 import { randomUUID as randomUUID11 } from "crypto";
-import { writeFileSync as writeFileSync29, unlinkSync as unlinkSync15, mkdirSync as mkdirSync25, existsSync as existsSync47, readFileSync as readFileSync41, chmodSync as chmodSync2 } from "fs";
+import { writeFileSync as writeFileSync29, unlinkSync as unlinkSync15, mkdirSync as mkdirSync25, existsSync as existsSync47, readFileSync as readFileSync41, chmodSync as chmodSync3 } from "fs";
 import path62 from "path";
 
 // src/lib/orchestration-metrics.ts
@@ -34091,6 +34750,7 @@ var _context = null;
 var _model = null;
 var _llama = null;
 var _shuttingDown = false;
+var _mcpHttpReady = Promise.resolve();
 var _daemonToken = "";
 var MAX_QUEUE_SIZE = 1e3;
 var highQueue = [];
@@ -34140,6 +34800,13 @@ async function processQueue() {
       if (entry.socket.destroyed) continue;
       try {
         const vectors = [];
+        if (!_context) {
+          sendResponse(entry.socket, {
+            id: entry.request.id,
+            error: "Model not loaded yet \u2014 embeddings unavailable"
+          });
+          continue;
+        }
         for (const text3 of entry.request.texts) {
           const embedding = await _context.getEmbeddingFor(text3);
           const vector = Array.from(embedding.vector);
@@ -34555,7 +35222,7 @@ function startMemoryQueueDrain() {
 function startServer() {
   mkdirSync25(path62.dirname(SOCKET_PATH2), { recursive: true });
   try {
-    chmodSync2(path62.dirname(SOCKET_PATH2), 448);
+    chmodSync3(path62.dirname(SOCKET_PATH2), 448);
   } catch {
   }
   _daemonToken = ensureDaemonToken(process.env[DAEMON_TOKEN_ENV2] ?? null);
@@ -34677,12 +35344,12 @@ function startServer() {
     process.stderr.write(`[exed] Listening on ${SOCKET_PATH2}
 `);
     try {
-      chmodSync2(SOCKET_PATH2, 384);
+      chmodSync3(SOCKET_PATH2, 384);
     } catch {
     }
     checkIdle();
   });
-  void startMcpHttpServer();
+  _mcpHttpReady = startMcpHttpServer();
 }
 async function startMcpHttpServer() {
   process.stderr.write("[exed] MCP HTTP: starting setup...\n");
@@ -34735,11 +35402,13 @@ async function startMcpHttpServer() {
       recordMcpHttpEvent({ level: "warn", message, status: status2, ...extra });
     };
     var parseDurationMs = parseDurationMs2, closeMcpSession = closeMcpSession2, sweepStaleMcpSessions = sweepStaleMcpSessions2, getJsonRpcId = getJsonRpcId2, sendJsonRpcError = sendJsonRpcError2;
+    process.stderr.write("[exed] MCP HTTP: importing SDK modules...\n");
     const { McpServer } = await import("@modelcontextprotocol/sdk/server/mcp.js");
     const { StreamableHTTPServerTransport } = await import("@modelcontextprotocol/sdk/server/streamableHttp.js");
     const { isInitializeRequest } = await import("@modelcontextprotocol/sdk/types.js");
     const { registerAllTools: registerAllTools2 } = await Promise.resolve().then(() => (init_register_tools(), register_tools_exports));
     const { runWithAgent: runWithAgent2 } = await Promise.resolve().then(() => (init_agent_context(), agent_context_exports));
+    process.stderr.write("[exed] MCP HTTP: SDK imports done, initializing DB...\n");
     const dbReady = await ensureStoreForPolling();
     if (!dbReady) {
       process.stderr.write(
@@ -34748,6 +35417,18 @@ async function startMcpHttpServer() {
       return;
     }
     process.stderr.write("[exed] MCP HTTP: DB ready\n");
+    const { initLicenseGate: initLicenseGate2, getCachedLicenseGate: getCachedLicenseGate2 } = await Promise.resolve().then(() => (init_license_gate(), license_gate_exports));
+    const gateResult = await initLicenseGate2();
+    if (!gateResult.hasKey) {
+      process.stderr.write(
+        "[exed] MCP HTTP: No license key found \u2014 tools restricted to diagnostics only.\n"
+      );
+    } else if (gateResult.license) {
+      process.stderr.write(
+        `[exed] MCP HTTP: License validated \u2014 plan=${gateResult.license.plan}
+`
+      );
+    }
     const transports = /* @__PURE__ */ new Map();
     const MCP_HTTP_PORT = parseInt(process.env.EXE_MCP_PORT || "48739", 10);
     const MCP_SESSION_TTL_MS = parseDurationMs2(process.env.EXE_MCP_SESSION_TTL_MS, 4 * 60 * 60 * 1e3, { allowZero: true });
@@ -34767,16 +35448,14 @@ async function startMcpHttpServer() {
         return;
       }
       const url = new URL(req.url || "/", `http://127.0.0.1:${MCP_HTTP_PORT}`);
-      const authHeader = req.headers.authorization;
-      if (!authHeader || authHeader !== `Bearer ${_daemonToken}`) {
-        sendJsonRpcError2(res, 401, "Unauthorized: invalid or missing daemon token", "unknown", {
-          method: req.method,
-          path: url.pathname
-        });
+      if (url.pathname !== "/mcp") {
+        res.writeHead(404, { "Content-Type": "text/plain" });
+        res.end("Not Found");
         return;
       }
-      if (url.pathname !== "/mcp") {
-        sendJsonRpcError2(res, 404, "Not Found: MCP endpoint is /mcp", "unknown", {
+      const authHeader = req.headers.authorization;
+      if (authHeader && authHeader !== `Bearer ${_daemonToken}`) {
+        sendJsonRpcError2(res, 401, "Unauthorized: invalid daemon token", "unknown", {
           method: req.method,
           path: url.pathname
         });
@@ -34837,7 +35516,10 @@ async function startMcpHttpServer() {
           if (sid) closeMcpSession2(sid, "session_closed");
         };
         const sessionMcp = new McpServer({ name: "exe-os", version: "1.3.0" });
-        registerAllTools2(sessionMcp);
+        const gateState = getCachedLicenseGate2();
+        const { wrapServerWithTelemetry: wrapServerWithTelemetry2 } = await Promise.resolve().then(() => (init_tool_telemetry(), tool_telemetry_exports));
+        const wrappedMcp = wrapServerWithTelemetry2(sessionMcp);
+        registerAllTools2(wrappedMcp, gateState.license, gateState.hasKey);
         await sessionMcp.connect(transport);
       } else {
         const message = sessionId ? "Bad Request: MCP session is stale or unknown; reconnect MCP client" : "Bad Request: missing MCP session; initialize before tool calls";
@@ -34910,8 +35592,9 @@ async function startMcpHttpServer() {
         }
       }
     });
-    httpServer.listen(MCP_HTTP_PORT, "127.0.0.1", () => {
-      process.stderr.write(`[exed] MCP HTTP listening on 127.0.0.1:${MCP_HTTP_PORT}
+    const MCP_HTTP_HOST = process.env.EXE_MCP_HOST || process.env.EXED_HOST || "127.0.0.1";
+    httpServer.listen(MCP_HTTP_PORT, MCP_HTTP_HOST, () => {
+      process.stderr.write(`[exed] MCP HTTP listening on ${MCP_HTTP_HOST}:${MCP_HTTP_PORT}
 `);
       recordMcpHttpEvent({
         level: "info",
@@ -35595,6 +36278,18 @@ function handleSignalShutdown() {
 }
 process.on("SIGINT", handleSignalShutdown);
 process.on("SIGTERM", handleSignalShutdown);
+process.on("unhandledRejection", (reason) => {
+  process.stderr.write(
+    `[exed] Unhandled rejection (caught): ${reason instanceof Error ? reason.stack ?? reason.message : String(reason)}
+`
+  );
+});
+process.on("uncaughtException", (err) => {
+  process.stderr.write(
+    `[exed] Uncaught exception (caught): ${err.stack ?? err.message}
+`
+  );
+});
 function checkExistingDaemon() {
   try {
     if (!existsSync47(PID_PATH4)) return false;
@@ -35694,14 +36389,20 @@ if (checkExistingDaemon()) {
 }
 writeFileSync29(PID_PATH4, String(process.pid));
 try {
-  chmodSync2(PID_PATH4, 384);
+  chmodSync3(PID_PATH4, 384);
 } catch {
 }
 process.env.EXE_IS_DAEMON = "1";
 try {
   initMetrics();
-  await loadModel();
   startServer();
+  await _mcpHttpReady;
+  loadModel().catch((err) => {
+    process.stderr.write(
+      `[exed] Background model load failed: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+  });
   startReviewPolling();
   startSessionTTL();
   startIdleKill();
@@ -35721,6 +36422,9 @@ try {
   startRssWatchdog();
   startBackgroundJobGuardrails();
   startTaskEnforcementScanner();
+  const { startToolTelemetryFlush: startToolTelemetryFlush2 } = await Promise.resolve().then(() => (init_tool_telemetry(), tool_telemetry_exports));
+  startToolTelemetryFlush2();
+  process.stderr.write("[exed] Tool telemetry started (flush every 5m)\n");
   const { startProjectionWorker: startProjectionWorker2 } = await Promise.resolve().then(() => (init_projection_worker(), projection_worker_exports));
   startProjectionWorker2();
   try {