@askexenow/exe-os 0.9.87 → 0.9.89

package/dist/mcp/server.js

@@ -2180,6 +2180,7 @@ __export(database_exports, {
   isInitialized: () => isInitialized,
   setExternalClient: () => setExternalClient
 });
+import { chmodSync as chmodSync2 } from "fs";
 import { createClient } from "@libsql/client";
 async function initDatabase(config2) {
   if (_walCheckpointTimer) {
@@ -2221,6 +2222,16 @@ async function initDatabase(config2) {
   if (process.env.DATABASE_URL && process.env.EXE_USE_POSTGRES === "1") {
     _adapterClient = await createPrismaDbAdapter(_resilientClient);
   }
+  try {
+    chmodSync2(config2.dbPath, 384);
+    for (const suffix of ["-wal", "-shm"]) {
+      try {
+        chmodSync2(config2.dbPath + suffix, 384);
+      } catch {
+      }
+    }
+  } catch {
+  }
 }
 function isInitialized() {
   return _adapterClient !== null || _client !== null;
@@ -9426,7 +9437,7 @@ function readQueue() {
 function writeQueue(queue) {
   ensureDir();
   const tmp = `${QUEUE_PATH}.tmp`;
-  writeFileSync9(tmp, JSON.stringify(queue, null, 2));
+  writeFileSync9(tmp, JSON.stringify(queue, null, 2), { mode: 384 });
   renameSync4(tmp, QUEUE_PATH);
 }
 function queueIntercom(targetSession, reason) {
@@ -13996,6 +14007,21 @@ var init_crdt_sync = __esm({
   }
 });
 
+// src/lib/pg-ssl.ts
+var pg_ssl_exports = {};
+__export(pg_ssl_exports, {
+  pgSslConfig: () => pgSslConfig
+});
+function pgSslConfig() {
+  if (process.env.EXE_DB_SSL_DISABLED === "true") return {};
+  return { ssl: { rejectUnauthorized: process.env.EXE_DB_SSL_ALLOW_SELFSIGNED !== "true" } };
+}
+var init_pg_ssl = __esm({
+  "src/lib/pg-ssl.ts"() {
+    "use strict";
+  }
+});
+
 // src/lib/tmux-status.ts
 import { execSync as execSync13 } from "child_process";
 function inTmux() {
@@ -19940,6 +19966,130 @@ import { existsSync as existsSync24, readFileSync as readFileSync20 } from "fs";
 import path30 from "path";
 import { homedir as homedir4 } from "os";
 import { z as z54 } from "zod";
+
+// src/mcp/license-gate.ts
+init_license();
+var _cachedLicense = null;
+var _hasLicenseKey = false;
+async function initLicenseGate() {
+  const key = loadLicense();
+  _hasLicenseKey = key !== null && key.length > 0;
+  if (_hasLicenseKey) {
+    try {
+      _cachedLicense = await checkLicense();
+    } catch {
+      _cachedLicense = null;
+    }
+    return { license: _cachedLicense, hasKey: true };
+  }
+  return { license: null, hasKey: false };
+}
+function getCachedLicenseGate() {
+  return {
+    license: _cachedLicense,
+    hasKey: _hasLicenseKey
+  };
+}
+
+// src/mcp/tool-telemetry.ts
+var _toolCalls = /* @__PURE__ */ new Map();
+var _sessionStartedAt = Date.now();
+var _flushTimer2 = null;
+function recordCall(toolName, action, isError) {
+  let record = _toolCalls.get(toolName);
+  if (!record) {
+    record = { count: 0, actions: /* @__PURE__ */ new Map(), lastCalledAt: 0, errors: 0 };
+    _toolCalls.set(toolName, record);
+  }
+  record.count++;
+  record.lastCalledAt = Date.now();
+  if (isError) record.errors++;
+  if (action) {
+    record.actions.set(action, (record.actions.get(action) ?? 0) + 1);
+  }
+}
+function wrapServerWithTelemetry(server2) {
+  const originalRegisterTool = server2.registerTool.bind(server2);
+  server2.registerTool = (name, config2, handler) => {
+    const wrappedHandler = async (input, extra) => {
+      const action = input.action;
+      try {
+        const result3 = await handler(input, extra);
+        const isError = result3?.isError === true;
+        recordCall(name, action, isError);
+        return result3;
+      } catch (err) {
+        recordCall(name, action, true);
+        throw err;
+      }
+    };
+    return originalRegisterTool(name, config2, wrappedHandler);
+  };
+  return server2;
+}
+function getToolUsageStats() {
+  let totalCalls = 0;
+  let totalErrors = 0;
+  const tools = {};
+  for (const [name, record] of _toolCalls) {
+    totalCalls += record.count;
+    totalErrors += record.errors;
+    const entry = {
+      calls: record.count,
+      errors: record.errors,
+      lastCalledAt: new Date(record.lastCalledAt).toISOString()
+    };
+    if (record.actions.size > 0) {
+      entry.actions = Object.fromEntries(record.actions);
+    }
+    tools[name] = entry;
+  }
+  return {
+    sessionStartedAt: new Date(_sessionStartedAt).toISOString(),
+    uptimeMs: Date.now() - _sessionStartedAt,
+    totalCalls,
+    totalErrors,
+    tools
+  };
+}
+var FLUSH_INTERVAL_MS = 5 * 60 * 1e3;
+var _lastFlushedAt = 0;
+async function flushToMemory() {
+  const stats = getToolUsageStats();
+  if (stats.totalCalls === 0) return;
+  if (stats.totalCalls === _lastFlushedAt) return;
+  try {
+    const { getClient: getClient2, isInitialized: isInitialized2 } = await Promise.resolve().then(() => (init_database(), database_exports));
+    if (!isInitialized2()) return;
+    const client = getClient2();
+    const toolSummary = Object.entries(stats.tools).sort((a, b) => b[1].calls - a[1].calls).map(([name, t]) => {
+      const actionStr = t.actions ? ` (${Object.entries(t.actions).sort((a, b) => b[1] - a[1]).map(([a, c]) => `${a}:${c}`).join(", ")})` : "";
+      return `${name}: ${t.calls} calls${t.errors > 0 ? ` (${t.errors} errors)` : ""}${actionStr}`;
+    }).join("\n");
+    const raw_text = `Tool usage since ${stats.sessionStartedAt} (${Math.round(stats.uptimeMs / 6e4)}min):
+Total: ${stats.totalCalls} calls, ${stats.totalErrors} errors
+
+${toolSummary}`;
+    await client.execute({
+      sql: `INSERT INTO memories (id, agent_id, raw_text, memory_type, project_name, importance, created_at, updated_at)
+            VALUES (?, 'system', ?, 'telemetry', 'exe-os', 2, datetime('now'), datetime('now'))`,
+      args: [
+        `telemetry-tools-${Date.now()}`,
+        raw_text
+      ]
+    });
+    _lastFlushedAt = stats.totalCalls;
+  } catch {
+  }
+}
+function startToolTelemetryFlush() {
+  if (_flushTimer2) return;
+  _sessionStartedAt = Date.now();
+  _flushTimer2 = setInterval(() => void flushToMemory(), FLUSH_INTERVAL_MS);
+  _flushTimer2.unref();
+}
+
+// src/mcp/tools/mcp-ping.ts
 var PID_PATH3 = path30.join(homedir4(), ".exe-os", "exed.pid");
 function isDaemonAlive2() {
   try {
@@ -19966,6 +20116,7 @@ function registerMcpPing(server2) {
       const daemon = isDaemonAlive2();
       const summary = summarizeMcpTransport();
       writeMcpTransportSummary();
+      const gate = getCachedLicenseGate();
       const status2 = daemon.alive ? "ok" : "degraded";
       return {
         content: [
@@ -19974,8 +20125,14 @@ function registerMcpPing(server2) {
             text: JSON.stringify({
               status: status2,
               daemon,
+              licenseGate: {
+                hasKey: gate.hasKey,
+                plan: gate.license?.plan ?? "none",
+                valid: gate.license?.valid ?? false
+              },
+              toolUsage: getToolUsageStats(),
               mcpTransport: summary,
-              remediation: daemon.alive ? "MCP transport probe reached the server. If tools still fail, reconnect the MCP client." : "Daemon is offline. Restart exe-os/exed; do not bypass MCP or access the DB directly."
+              remediation: daemon.alive ? gate.hasKey ? "MCP transport probe reached the server. If tools still fail, reconnect the MCP client." : "No license key found. Run: echo 'exe_sk_YOUR_KEY' > ~/.exe-os/license.key then reconnect MCP." : "Daemon is offline. Restart exe-os/exed; do not bypass MCP or access the DB directly."
             }, null, 2)
           }
         ]
@@ -20181,6 +20338,7 @@ import { fileURLToPath as fileURLToPath4 } from "url";
 function isMainModule(importMetaUrl) {
   if (process.argv[1] == null) return false;
   if (process.argv[1].includes("mcp/server")) return false;
+  if (process.argv[1].includes("exe-daemon")) return false;
   try {
     const scriptPath = realpathSync(process.argv[1]);
     const modulePath = realpathSync(fileURLToPath4(importMetaUrl));
@@ -21597,7 +21755,8 @@ function loadPgClient() {
         return new Ctor();
       }
       const { Pool } = await import("pg");
-      const pool = new Pool({ connectionString: process.env.DATABASE_URL });
+      const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+      const pool = new Pool({ connectionString: process.env.DATABASE_URL, ...pgSslConfig2() });
       return {
         async $queryRawUnsafe(query, ...values) {
           const result3 = await pool.query(query, values);
@@ -22126,6 +22285,17 @@ async function cloudSync(config2) {
   } catch (err) {
     logError(`[cloud-sync] DB backup upload error: ${err instanceof Error ? err.message : String(err)}`);
   }
+  let codeContextResult = { pushed: 0, pulled: 0 };
+  try {
+    codeContextResult.pushed = await cloudPushCodeContext(config2);
+  } catch (err) {
+    logError(`[cloud-sync] Code context push: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  try {
+    codeContextResult.pulled = await cloudPullCodeContext(config2);
+  } catch (err) {
+    logError(`[cloud-sync] Code context pull: ${err instanceof Error ? err.message : String(err)}`);
+  }
   return {
     pushed,
     pulled,
@@ -22135,7 +22305,8 @@ async function cloudSync(config2) {
     tasks: tasksResult,
     conversations: conversationsResult,
     documents: documentsResult,
-    roster: rosterResult
+    roster: rosterResult,
+    codeContext: codeContextResult
   };
 }
 var ROSTER_DELETIONS_PATH = path37.join(EXE_AI_DIR, "roster-deletions.json");
@@ -22763,6 +22934,99 @@ async function cloudPullDocuments(config2) {
   }
   return { pulled };
 }
+var CODE_CONTEXT_DIR = path37.join(EXE_AI_DIR, "code-context");
+async function cloudPushCodeContext(config2) {
+  assertSecureEndpoint(config2.endpoint);
+  if (!existsSync32(CODE_CONTEXT_DIR)) return 0;
+  const files = readdirSync11(CODE_CONTEXT_DIR).filter(
+    (f) => f.endsWith(".json") && !f.endsWith(".vectors.json") && !f.startsWith(".")
+  );
+  if (files.length === 0) return 0;
+  const metaPath = path37.join(CODE_CONTEXT_DIR, ".sync-meta.json");
+  let syncMeta = {};
+  if (existsSync32(metaPath)) {
+    try {
+      syncMeta = JSON.parse(readFileSync25(metaPath, "utf-8"));
+    } catch {
+    }
+  }
+  let pushed = 0;
+  for (const file of files) {
+    const filePath = path37.join(CODE_CONTEXT_DIR, file);
+    try {
+      const stat = statSync7(filePath);
+      const lastPushed = syncMeta[file] ?? 0;
+      if (stat.mtimeMs <= lastPushed) continue;
+      const content = readFileSync25(filePath, "utf-8");
+      const header = content.substring(0, 300);
+      if (header.includes("/tmp") || header.includes("/var/folders") || header.includes(".worktrees/")) continue;
+      const compressed = compress(Buffer.from(content, "utf8"));
+      const encrypted = encryptSyncBlob(compressed);
+      const resp = await fetchWithRetry(`${config2.endpoint}/sync/push-code-context`, {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${config2.apiKey}`,
+          "Content-Type": "application/json",
+          "X-Device-Id": loadDeviceId()
+        },
+        body: JSON.stringify({ key: file, blob: encrypted })
+      });
+      if (resp.ok) {
+        syncMeta[file] = stat.mtimeMs;
+        pushed++;
+      }
+    } catch {
+    }
+  }
+  if (pushed > 0) {
+    try {
+      writeFileSync18(metaPath, JSON.stringify(syncMeta));
+    } catch {
+    }
+  }
+  return pushed;
+}
+async function cloudPullCodeContext(config2) {
+  assertSecureEndpoint(config2.endpoint);
+  try {
+    const resp = await fetchWithRetry(`${config2.endpoint}/sync/pull-code-context`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${config2.apiKey}`,
+        "X-Device-Id": loadDeviceId()
+      }
+    });
+    if (!resp.ok) return 0;
+    const data = await resp.json();
+    if (!data.indexes || data.indexes.length === 0) return 0;
+    mkdirSync16(CODE_CONTEXT_DIR, { recursive: true });
+    let pulled = 0;
+    for (const { key, blob } of data.indexes) {
+      try {
+        if (key.endsWith(".vectors.json")) continue;
+        const localPath = path37.join(CODE_CONTEXT_DIR, key);
+        const compressed = decryptSyncBlob(blob);
+        const content = decompress(compressed).toString("utf8");
+        if (!existsSync32(localPath)) {
+          writeFileSync18(localPath, content, "utf-8");
+          pulled++;
+        } else {
+          const localContent = readFileSync25(localPath, "utf-8");
+          if (localContent.length !== content.length) {
+            writeFileSync18(localPath, content, "utf-8");
+            pulled++;
+          }
+        }
+      } catch {
+      }
+    }
+    return pulled;
+  } catch (err) {
+    process.stderr.write(`[cloud-sync] Code context pull failed: ${err instanceof Error ? err.message : String(err)}
+`);
+    return 0;
+  }
+}
 
 // src/mcp/tools/cloud-sync.ts
 init_config();
@@ -26921,6 +27185,22 @@ async function getExeDbReadClient() {
   }
   if (!prismaPromise3) {
     prismaPromise3 = (async () => {
+      const readonlyUrl = process.env.MCP_READONLY_DATABASE_URL;
+      if (readonlyUrl) {
+        const { Pool } = await import("pg");
+        const { pgSslConfig: pgSslConfig2 } = await Promise.resolve().then(() => (init_pg_ssl(), pg_ssl_exports));
+        const pool = new Pool({ connectionString: readonlyUrl, ...pgSslConfig2() });
+        return {
+          async $queryRawUnsafe(query, ...values) {
+            const result3 = await pool.query(query, values);
+            return result3.rows;
+          },
+          async $disconnect() {
+            await pool.end();
+          }
+        };
+      }
+      console.warn("[exe-db-read] WARNING: MCP_READONLY_DATABASE_URL not set \u2014 falling back to admin role");
       const explicitPath = process.env.EXE_OS_PRISMA_CLIENT_PATH;
       if (explicitPath) {
         const mod2 = await import(pathToFileURL5(explicitPath).href);
@@ -27881,7 +28161,10 @@ function registerSupportTools(server2) {
       endpoint2.searchParams.set("status", status2);
       endpoint2.searchParams.set("limit", String(limit));
       const headers = { "content-type": "application/json" };
-      if (licenseKey) headers["x-exe-license-key"] = licenseKey;
+      if (licenseKey) {
+        headers["authorization"] = `Bearer ${licenseKey}`;
+        headers["x-exe-license-key"] = licenseKey;
+      }
       if (licenseToken) headers["x-exe-license-token"] = licenseToken;
       try {
         const res = await fetch(endpoint2.toString(), { method: "GET", headers, signal: AbortSignal.timeout(15e3) });
@@ -27944,7 +28227,10 @@ function registerSupportTools(server2) {
       endpoint2.searchParams.set("status", status2);
       endpoint2.searchParams.set("limit", String(limit));
       const headers = { "content-type": "application/json" };
-      if (licenseKey) headers["x-exe-license-key"] = licenseKey;
+      if (licenseKey) {
+        headers["authorization"] = `Bearer ${licenseKey}`;
+        headers["x-exe-license-key"] = licenseKey;
+      }
       if (licenseToken) headers["x-exe-license-token"] = licenseToken;
       try {
         const res = await fetch(endpoint2.toString(), { method: "GET", headers, signal: AbortSignal.timeout(15e3) });
@@ -28409,7 +28695,7 @@ function runHealthCheck() {
   const failed = results.filter((r) => !r.pass).length;
   return { results, passed, failed };
 }
-if (isMainModule(import.meta.url)) {
+if (isMainModule(import.meta.url) && (process.argv[1] ?? "").includes("exe-healthcheck")) {
   const { results, passed, failed } = runHealthCheck();
   console.log("\n  exe-os Health Check\n");
   for (const r of results) {
@@ -29610,6 +29896,231 @@ function registerTriageFeatureRequest(server2) {
   );
 }
 
+// src/mcp/tools/decision.ts
+import { z as z95 } from "zod";
+function buildHandlers6() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerStoreDecision(fake);
+  registerGetDecision(fake);
+  return tools;
+}
+var ACTION_TO_TOOL3 = {
+  store: "store_decision",
+  get: "get_decision"
+};
+function registerDecision(server2) {
+  const handlers = buildHandlers6();
+  server2.registerTool(
+    "decision",
+    {
+      title: "Decision",
+      description: "Store or retrieve authoritative decisions. Actions: store (persist a decision by domain), get (look up a decision by domain/query).",
+      inputSchema: {
+        action: z95.enum(["store", "get"]).describe("Decision operation"),
+        domain: z95.string().optional().describe("Decision domain (e.g. 'architecture', 'hiring')"),
+        decision: z95.string().optional().describe("Decision text for action=store"),
+        rationale: z95.string().optional().describe("Why this decision was made (action=store)"),
+        query: z95.string().optional().describe("Search query for action=get"),
+        limit: z95.coerce.number().optional().describe("Max results for action=get")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const toolName = ACTION_TO_TOOL3[action];
+      if (!toolName) return { content: [{ type: "text", text: `Unknown decision action: ${action}` }], isError: true };
+      const handler = handlers.get(toolName);
+      if (!handler) return { content: [{ type: "text", text: `Handler not found: ${toolName}` }], isError: true };
+      const { action: _, ...args } = input;
+      return handler(args, extra);
+    }
+  );
+}
+
+// src/mcp/tools/session.ts
+import { z as z96 } from "zod";
+function buildHandlers7() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerGetSessionEvents(fake);
+  registerGetLastAssistantResponse(fake);
+  return tools;
+}
+var ACTION_TO_TOOL4 = {
+  events: "get_session_events",
+  last_response: "get_last_assistant_response"
+};
+function registerSession2(server2) {
+  const handlers = buildHandlers7();
+  server2.registerTool(
+    "session",
+    {
+      title: "Session",
+      description: "Session inspection tools. Actions: events (get session event log), last_response (get the most recent assistant response text).",
+      inputSchema: {
+        action: z96.enum(["events", "last_response"]).describe("Session operation"),
+        session_id: z96.string().optional().describe("Session ID for action=events"),
+        limit: z96.coerce.number().optional().describe("Max events for action=events")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const toolName = ACTION_TO_TOOL4[action];
+      if (!toolName) return { content: [{ type: "text", text: `Unknown session action: ${action}` }], isError: true };
+      const handler = handlers.get(toolName);
+      if (!handler) return { content: [{ type: "text", text: `Handler not found: ${toolName}` }], isError: true };
+      const { action: _, ...args } = input;
+      return handler(args, extra);
+    }
+  );
+}
+
+// src/mcp/tools/support-consolidated.ts
+import { z as z97 } from "zod";
+function buildHandlers8() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerCreateBugReport(fake);
+  registerCreateFeatureRequest(fake);
+  registerSupportTools(fake);
+  registerListBugReports(fake);
+  registerGetBugReport(fake);
+  registerTriageBugReport(fake);
+  registerListFeatureRequests(fake);
+  registerGetFeatureRequest(fake);
+  registerTriageFeatureRequest(fake);
+  return tools;
+}
+var ACTION_TO_TOOL5 = {
+  create_bug: "create_bug_report",
+  create_feature: "create_feature_request",
+  list_my_bugs: "list_my_bug_reports",
+  list_my_features: "list_my_feature_requests",
+  list_bugs: "list_bug_reports",
+  get_bug: "get_bug_report",
+  triage_bug: "triage_bug_report",
+  list_features: "list_feature_requests",
+  get_feature: "get_feature_request",
+  triage_feature: "triage_feature_request",
+  health: "support_health",
+  test: "support_test"
+};
+function registerSupportConsolidated(server2) {
+  const handlers = buildHandlers8();
+  server2.registerTool(
+    "support",
+    {
+      title: "Support",
+      description: "Bug reports, feature requests, and support system. Actions: create_bug, create_feature, list_my_bugs, list_my_features, list_bugs, get_bug, triage_bug, list_features, get_feature, triage_feature, health, test.",
+      inputSchema: {
+        action: z97.enum([
+          "create_bug",
+          "create_feature",
+          "list_my_bugs",
+          "list_my_features",
+          "list_bugs",
+          "get_bug",
+          "triage_bug",
+          "list_features",
+          "get_feature",
+          "triage_feature",
+          "health",
+          "test"
+        ]).describe("Support operation"),
+        title: z97.string().optional().describe("Bug/feature title"),
+        description: z97.string().optional().describe("Bug/feature description"),
+        steps_to_reproduce: z97.string().optional().describe("Steps to reproduce (bugs)"),
+        expected_behavior: z97.string().optional().describe("Expected behavior (bugs)"),
+        actual_behavior: z97.string().optional().describe("Actual behavior (bugs)"),
+        severity: z97.string().optional().describe("Severity: p0/p1/p2/p3"),
+        use_case: z97.string().optional().describe("Use case (features)"),
+        proposed_solution: z97.string().optional().describe("Proposed solution (features)"),
+        priority: z97.string().optional().describe("Priority (features)"),
+        id: z97.string().optional().describe("Bug/feature ID for get/triage"),
+        status: z97.string().optional().describe("Filter by status"),
+        classification: z97.string().optional().describe("Triage classification"),
+        resolution: z97.string().optional().describe("Triage resolution"),
+        notes: z97.string().optional().describe("Triage notes (mapped to triage_notes for bug/feature triage)"),
+        triage_notes: z97.string().optional().describe("Triage notes (legacy field name)"),
+        linked_task_id: z97.string().optional().describe("Linked task ID for triage"),
+        linked_commit: z97.string().optional().describe("Linked commit hash for triage"),
+        fixed_version: z97.string().optional().describe("Version that fixes this bug"),
+        limit: z97.coerce.number().optional().describe("Max results")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const toolName = ACTION_TO_TOOL5[action];
+      if (!toolName) return { content: [{ type: "text", text: `Unknown support action: ${action}` }], isError: true };
+      const handler = handlers.get(toolName);
+      if (!handler) return { content: [{ type: "text", text: `Handler not found: ${toolName}` }], isError: true };
+      const { action: _, ...args } = input;
+      if ((action === "triage_bug" || action === "triage_feature") && args.notes && !args.triage_notes) {
+        args.triage_notes = args.notes;
+        delete args.notes;
+      }
+      return handler(args, extra);
+    }
+  );
+}
+
+// src/mcp/tools/diagnostics.ts
+import { z as z98 } from "zod";
+function buildHandlers9() {
+  const tools = /* @__PURE__ */ new Map();
+  const fake = {
+    registerTool(name, _config, handler) {
+      tools.set(name, handler);
+    }
+  };
+  registerCliParityTools(fake);
+  return tools;
+}
+function registerDiagnostics(server2) {
+  const handlers = buildHandlers9();
+  const toolNames = Array.from(handlers.keys());
+  void (toolNames.length > 0 ? toolNames : ["healthcheck"]);
+  server2.registerTool(
+    "diagnostics",
+    {
+      title: "Diagnostics",
+      description: `System diagnostics and admin operations. Actions: ${toolNames.join(", ")}. Covers health checks, update status, cloud status, key management, and employee rename.`,
+      inputSchema: {
+        action: z98.string().describe(`Diagnostic operation: ${toolNames.join(", ")}`),
+        // Pass-through params used by various sub-tools
+        name: z98.string().optional().describe("Employee name (rename_employee)"),
+        new_name: z98.string().optional().describe("New employee name (rename_employee)"),
+        query: z98.string().optional().describe("Search/filter query"),
+        format: z98.string().optional().describe("Output format")
+      }
+    },
+    async (input, extra) => {
+      const action = input.action;
+      const handler = handlers.get(action);
+      if (!handler) {
+        return {
+          content: [{ type: "text", text: `Unknown diagnostics action: ${action}. Available: ${toolNames.join(", ")}` }],
+          isError: true
+        };
+      }
+      const { action: _, ...args } = input;
+      return handler(args, extra);
+    }
+  );
+}
+
 // src/mcp/tool-gates.ts
 var TOOL_GATES = {
   core: [],
@@ -29665,6 +30176,11 @@ var TOOL_CATEGORIES = {
   registerGetSessionEvents: "core",
   registerGetLastAssistantResponse: "core",
   registerCodeContext: "graph-read",
+  // consolidated tools
+  registerDecision: "core",
+  registerSession: "core",
+  registerSupportConsolidated: "core",
+  registerDiagnostics: "admin",
   registerListBugReports: "admin",
   registerGetBugReport: "admin",
   registerTriageBugReport: "admin",
@@ -29758,6 +30274,36 @@ var TOOL_CATEGORIES = {
   registerListGlobalProcedures: "orchestration",
   registerDeactivateGlobalProcedure: "orchestration"
 };
+var PLAN_TIERS = {
+  free: 0,
+  pro: 1,
+  team: 2,
+  agency: 3,
+  enterprise: 4
+};
+var PLAN_GATES = {
+  core: "free",
+  tasks: "free",
+  comms: "free",
+  reminders: "free",
+  "graph-read": "free",
+  licensing: "free",
+  // always allow checking/managing own license
+  "graph-write": "pro",
+  wiki: "pro",
+  crm: "pro",
+  "raw-data": "pro",
+  documents: "pro",
+  gateway: "pro",
+  admin: "pro",
+  orchestration: "pro"
+};
+function isToolAllowedForPlan(registerFnName, plan) {
+  const category = TOOL_CATEGORIES[registerFnName];
+  if (!category) return true;
+  const requiredPlan = PLAN_GATES[category] ?? "free";
+  return PLAN_TIERS[plan] >= PLAN_TIERS[requiredPlan];
+}
 var CHIEF_OF_STAFF_READ_TOOLS = /* @__PURE__ */ new Set([
   "registerRecallMyMemory",
   "registerAskTeamMemory",
@@ -29793,9 +30339,17 @@ function isToolAllowed(registerFnName) {
 }
 
 // src/mcp/register-tools.ts
-function registerAllTools(server2) {
+var ALWAYS_ALLOWED = /* @__PURE__ */ new Set([
+  "registerMcpPing",
+  "registerGetLicenseStatus",
+  "registerActivateLicense"
+]);
+function registerAllTools(server2, license, hasKey) {
   const gate = (name, fn) => {
-    if (isToolAllowed(name)) fn(server2);
+    if (!isToolAllowed(name)) return;
+    if (hasKey === false && !ALWAYS_ALLOWED.has(name)) return;
+    if (license && !isToolAllowedForPlan(name, license.plan)) return;
+    fn(server2);
   };
   const mcpToolSurface = process.env.EXE_MCP_TOOL_SURFACE ?? "legacy";
   const exposeConsolidatedTasks = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
@@ -29816,6 +30370,14 @@ function registerAllTools(server2) {
   const exposeLegacyGraph = mcpToolSurface !== "consolidated";
   const exposeConsolidatedConfig = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
   const exposeLegacyConfig = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedDecisions = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacyDecisions = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedSession = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacySession = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedSupport = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacySupport = mcpToolSurface !== "consolidated";
+  const exposeConsolidatedDiagnostics = mcpToolSurface === "both" || mcpToolSurface === "consolidated";
+  const exposeLegacyDiagnostics = mcpToolSurface !== "consolidated";
   if (exposeConsolidatedMemory) {
     gate("registerMemory", registerMemory);
   }
@@ -29929,23 +30491,43 @@ function registerAllTools(server2) {
   if (exposeLegacyMemory) {
     gate("registerSearchEverything", registerSearchEverything);
   }
-  gate("registerStoreDecision", registerStoreDecision);
-  gate("registerGetDecision", registerGetDecision);
-  gate("registerCreateBugReport", registerCreateBugReport);
-  gate("registerCreateFeatureRequest", registerCreateFeatureRequest);
-  gate("registerSupportTools", registerSupportTools);
-  gate("registerCliParityTools", registerCliParityTools);
-  gate("registerGetSessionEvents", registerGetSessionEvents);
-  gate("registerGetLastAssistantResponse", registerGetLastAssistantResponse);
-  gate("registerCodeContext", registerCodeContext);
-  if (process.env.ASKEXE_SUPPORT_ADMIN_TOKEN || process.env.EXE_SUPPORT_ADMIN_TOKEN) {
-    gate("registerListBugReports", registerListBugReports);
-    gate("registerGetBugReport", registerGetBugReport);
-    gate("registerTriageBugReport", registerTriageBugReport);
-    gate("registerListFeatureRequests", registerListFeatureRequests);
-    gate("registerGetFeatureRequest", registerGetFeatureRequest);
-    gate("registerTriageFeatureRequest", registerTriageFeatureRequest);
+  if (exposeConsolidatedDecisions) {
+    gate("registerDecision", registerDecision);
+  }
+  if (exposeLegacyDecisions) {
+    gate("registerStoreDecision", registerStoreDecision);
+    gate("registerGetDecision", registerGetDecision);
+  }
+  if (exposeConsolidatedSupport) {
+    gate("registerSupportConsolidated", registerSupportConsolidated);
+  }
+  if (exposeLegacySupport) {
+    gate("registerCreateBugReport", registerCreateBugReport);
+    gate("registerCreateFeatureRequest", registerCreateFeatureRequest);
+    gate("registerSupportTools", registerSupportTools);
+    if (process.env.ASKEXE_SUPPORT_ADMIN_TOKEN || process.env.EXE_SUPPORT_ADMIN_TOKEN) {
+      gate("registerListBugReports", registerListBugReports);
+      gate("registerGetBugReport", registerGetBugReport);
+      gate("registerTriageBugReport", registerTriageBugReport);
+      gate("registerListFeatureRequests", registerListFeatureRequests);
+      gate("registerGetFeatureRequest", registerGetFeatureRequest);
+      gate("registerTriageFeatureRequest", registerTriageFeatureRequest);
+    }
+  }
+  if (exposeConsolidatedDiagnostics) {
+    gate("registerDiagnostics", registerDiagnostics);
+  }
+  if (exposeLegacyDiagnostics) {
+    gate("registerCliParityTools", registerCliParityTools);
   }
+  if (exposeConsolidatedSession) {
+    gate("registerSession", registerSession2);
+  }
+  if (exposeLegacySession) {
+    gate("registerGetSessionEvents", registerGetSessionEvents);
+    gate("registerGetLastAssistantResponse", registerGetLastAssistantResponse);
+  }
+  gate("registerCodeContext", registerCodeContext);
   if (exposeLegacyConfig) {
     gate("registerGetAgentSpend", registerGetAgentSpend);
   }
@@ -30060,9 +30642,13 @@ var _backfillTimer = null;
 var _ppidWatchdog = null;
 var _shuttingDown = false;
 instrumentServer(server);
-registerAllTools(server);
+var wrappedServer = wrapServerWithTelemetry(server);
+var _licenseGate = await initLicenseGate();
+registerAllTools(wrappedServer, _licenseGate.license, _licenseGate.hasKey);
+startToolTelemetryFlush();
 var _gatedRole = process.env.AGENT_ROLE ?? "standalone";
-process.stderr.write(`[exe-os] Tool gating: role=${_gatedRole}
+var _gatedPlan = _licenseGate.license?.plan ?? (_licenseGate.hasKey ? "validating" : "no-key");
+process.stderr.write(`[exe-os] Tool gating: role=${_gatedRole} plan=${_gatedPlan}
 `);
 try {
   await initStore();