@askexenow/exe-os 0.9.92 → 0.9.94

package/dist/hooks/post-tool-combined.js

@@ -3018,6 +3018,20 @@ async function ensureSchema() {
     });
   } catch {
   }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN spawn_runtime TEXT`,
+      args: []
+    });
+  } catch {
+  }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE tasks ADD COLUMN spawn_model TEXT`,
+      args: []
+    });
+  } catch {
+  }
   await client.executeMultiple(`
     CREATE VIRTUAL TABLE IF NOT EXISTS conversations_fts USING fts5(
       content_text,
@@ -3269,6 +3283,22 @@ async function ensureSchema() {
     );
   } catch {
   }
+  for (const col of [
+    "ALTER TABLE memories ADD COLUMN valid_from TEXT",
+    "ALTER TABLE memories ADD COLUMN invalid_at TEXT"
+  ]) {
+    try {
+      await client.execute(col);
+    } catch {
+    }
+  }
+  try {
+    await client.execute({
+      sql: `UPDATE memories SET valid_from = timestamp WHERE valid_from IS NULL`,
+      args: []
+    });
+  } catch {
+  }
   try {
     await client.execute({
       sql: `ALTER TABLE memories ADD COLUMN memory_type TEXT DEFAULT 'raw'`,
@@ -3311,6 +3341,13 @@ async function ensureSchema() {
     } catch {
     }
   }
+  try {
+    await client.execute({
+      sql: `ALTER TABLE memories ADD COLUMN procedure_for TEXT`,
+      args: []
+    });
+  } catch {
+  }
   try {
     await client.execute({
       sql: `UPDATE tasks SET status = 'closed' WHERE status = 'done' AND result IS NOT NULL`,
@@ -4449,6 +4486,20 @@ var init_platform_procedures = __esm({
         priority: "p1",
         content: "Once per session (COO boot only, never repeat), call list_my_feature_requests to check if any previously filed feature requests have been shipped by AskExe. If any request has status 'shipped' with a shipped_version, surface it to the founder immediately: '\u{1F680} N feature(s) shipped \u2014 run exe-os update to get version X.Y.Z'. This is a one-time check at boot, not a recurring poll. If no requests exist or none are shipped, skip silently. If the MCP tool is unavailable or the network call fails, skip silently \u2014 this is informational, not blocking."
       },
+      // --- Tool guidance ---
+      {
+        title: "How to use company_actions \u2014 execute business actions through gateway connectors",
+        domain: "tools",
+        priority: "p2",
+        content: "The company_actions tool executes business actions through gateway connectors (e.g. send WhatsApp, trigger workflows, update CRM). It routes through the exe-gateway on the VPS. Actions are defined by the customer's gateway configuration \u2014 each connector (WhatsApp, Shopify, email, etc.) exposes specific actions. Use query_company_brain to find available data first, then company_actions to act on it. Requires gateway auth token. Read-only founders should NOT use this \u2014 it mutates external state."
+      },
+      // --- Release awareness ---
+      {
+        title: "What's New check \u2014 surface new features after update",
+        domain: "support",
+        priority: "p1",
+        content: "Once per session (COO boot only, never repeat), check if the installed exe-os version is newer than the last session. If it is, read the bundled release-notes.json (at the package root) and surface a brief summary to the founder: 'Updated to exe-os vX.Y.Z \u2014 N new features, M fixes.' List the top 3 features by name. This helps the founder know what they got from the update. If release-notes.json doesn't exist or the version hasn't changed, skip silently. Never repeat this check in the same session."
+      },
       // --- Platform vs Customer ownership ---
       {
         title: "What the platform provides vs what you customize",
@@ -4537,13 +4588,13 @@ var init_platform_procedures = __esm({
         title: "MCP tools \u2014 memory, decision, and search",
         domain: "tool-use",
         priority: "p1",
-        content: `memory(action="recall") / recall_my_memory: search your own memories (semantic + FTS). memory(action="ask_team") / ask_team_memory: search a colleague's memories by agent name. memory(action="store") / store_memory: persist a memory. memory(action="commit") / commit_memory: high-importance memory that survives consolidation. Requires summary. memory(action="search") / search_everything: unified search across memories, tasks, entities, conversations. memory(action="session_context") / get_session_context: temporal memory window. Requires session_id + target_timestamp. memory(action="consolidate") / consolidate_memories: merge duplicate/related memories. memory(action="cardinality") / get_memory_cardinality: count memories per agent. decision(action="store") / store_decision: record an architectural decision (domain, decision, rationale). decision(action="get") / get_decision: retrieve a past decision by domain or query.`
+        content: `memory(action="recall") / recall_my_memory: search your own memories (semantic + FTS). Supports as_of param for bi-temporal queries (what did I know at time X?), kind param to filter by memory type (decision, procedure, observation, raw, conversation, behavior). memory(action="ask_team") / ask_team_memory: search a colleague's memories by agent name. memory(action="store") / store_memory: persist a memory. Supports kind param and procedure_for domain tag for procedure-type memories. memory(action="commit") / commit_memory: high-importance memory that survives consolidation. Requires summary. memory(action="search") / search_everything: unified search across memories, tasks, entities, conversations. memory(action="session_context") / get_session_context: temporal memory window. Requires session_id + target_timestamp. memory(action="consolidate") / consolidate_memories: merge duplicate/related memories. memory(action="cardinality") / get_memory_cardinality: count memories per agent. memory(action="supersede") / supersede: replace an old memory with a new version (old_id + new text). decision(action="store") / store_decision: record an architectural decision (domain, decision, rationale). decision(action="get") / get_decision: retrieve a past decision by domain or query.`
       },
       {
         title: "MCP tools \u2014 task orchestration",
         domain: "tool-use",
         priority: "p1",
-        content: 'task(action="create") / create_task: dispatch work (title, assigned_to, context). The ONLY dispatch path. Auto-spawns session. task(action="list") / list_tasks: query tasks by status, assignee, project. task(action="get") / get_task: fetch full task details by task_id. task(action="update") / update_task: change status (in_progress, done, blocked, cancelled) + result summary. task(action="close") / close_task: finalize a reviewed task (COO only). task(action="checkpoint") / checkpoint_task: save progress state for crash recovery. task(action="resume") / resume_employee: re-spawn an employee session for an existing task.'
+        content: `task(action="create") / create_task: dispatch work (title, assigned_to, context). The ONLY dispatch path. Auto-spawns session. Supports spawn_runtime and spawn_model params to override the agent's default runtime/model for a specific task. task(action="list") / list_tasks: query tasks by status, assignee, project. task(action="get") / get_task: fetch full task details by task_id. task(action="update") / update_task: change status (in_progress, done, blocked, cancelled) + result summary. task(action="close") / close_task: finalize a reviewed task (COO only). task(action="checkpoint") / checkpoint_task: save progress state for crash recovery. task(action="resume") / resume_employee: re-spawn an employee session for an existing task.`
       },
       {
         title: "MCP tools \u2014 knowledge graph (GraphRAG)",
@@ -4573,7 +4624,7 @@ var init_platform_procedures = __esm({
         title: "MCP tools \u2014 admin, config, and operations",
         domain: "tool-use",
         priority: "p1",
-        content: 'config(action="list_employees"): view roster. config(action="agent_spend"): token usage per agent. config(action="daemon_health"): check exed status. config(action="license_status"): check license. config(action="cloud_sync"): force sync. config(action="memory_audit"): health check (dupes, null vectors). config(action="run_consolidation"): trigger memory consolidation. config(action="company_procedure", subaction="store|list|deactivate"): manage company procedures. config(action="global_procedure"): list all procedures (platform + company). config(action="create_trigger|list_triggers"): scheduled agent jobs. config(action="export_orchestration|import_orchestration"): portable org state. diagnostics(action="healthcheck|doctor|status_brief|check_update|cloud_status"): system diagnostics. mcp_ping(): daemon health + license status + tool usage stats.'
+        content: 'config(action="list_employees"): view roster. config(action="agent_spend"): token usage per agent. config(action="daemon_health"): check exed status. config(action="license_status"): check license. config(action="cloud_sync"): force sync. config(action="memory_audit"): health check (dupes, null vectors). config(action="run_consolidation"): trigger memory consolidation. config(action="company_procedure", subaction="store|list|deactivate"): manage company procedures. config(action="global_procedure"): list all procedures (platform + company). config(action="create_trigger|list_triggers"): scheduled agent jobs. config(action="export_orchestration|import_orchestration"): portable org state. diagnostics(action="healthcheck|doctor|status_brief|check_update|cloud_status"): system diagnostics. diagnostics(action="tool_search"): semantic tool discovery \u2014 find relevant MCP tools by natural language query. Returns top-K tools ranked by relevance. diagnostics(action="drift"): identity drift detection \u2014 score how far an agent has drifted from its role identity. Returns drift score + recommendations. mcp_ping(): daemon health + license status + tool usage stats.'
       }
     ];
     PLATFORM_PROCEDURE_TITLES = new Set(
@@ -5257,6 +5308,8 @@ async function writeMemory(record) {
     source_type: record.source_type ?? null,
     tier: record.tier ?? classifyTier(record),
     supersedes_id: record.supersedes_id ?? null,
+    valid_from: record.valid_from ?? record.timestamp,
+    invalid_at: record.invalid_at ?? null,
     draft: record.draft ? 1 : 0,
     memory_type: memoryType,
     trajectory: record.trajectory ? JSON.stringify(record.trajectory) : null,
@@ -5275,7 +5328,8 @@ async function writeMemory(record) {
     token_cost: record.token_cost ?? null,
     audience: record.audience ?? null,
     language_type: record.language_type ?? inferLanguageType(record),
-    parent_memory_id: record.parent_memory_id ?? null
+    parent_memory_id: record.parent_memory_id ?? null,
+    procedure_for: record.procedure_for ?? null
   };
   _pendingRecords.push(dbRow);
   orgBus.emit({
@@ -5330,6 +5384,8 @@ async function flushBatch() {
       const sourceType = row.source_type ?? null;
       const tier = row.tier ?? 3;
       const supersedesId = row.supersedes_id ?? null;
+      const validFrom = row.valid_from ?? row.timestamp;
+      const invalidAt = row.invalid_at ?? null;
       const draft = row.draft ? 1 : 0;
       const memoryType = row.memory_type ?? "raw";
       const trajectory = row.trajectory ?? null;
@@ -5349,15 +5405,16 @@ async function flushBatch() {
       const audience = row.audience ?? null;
       const languageType = row.language_type ?? null;
       const parentMemoryId = row.parent_memory_id ?? null;
+      const procedureFor = row.procedure_for ?? null;
       const cols = `id, agent_id, agent_role, session_id, timestamp,
                tool_name, project_name,
                has_error, raw_text, vector, version, task_id, importance, status,
                confidence, last_accessed,
                workspace_id, document_id, user_id, char_offset, page_number,
-               source_path, source_type, tier, supersedes_id, draft, memory_type, trajectory, content_hash,
+               source_path, source_type, tier, supersedes_id, valid_from, invalid_at, draft, memory_type, trajectory, content_hash,
                intent, outcome, domain, referenced_entities, retrieval_count,
                chain_position, review_status, context_window_pct, file_paths, commit_hash,
-               duration_ms, token_cost, audience, language_type, parent_memory_id`;
+               duration_ms, token_cost, audience, language_type, parent_memory_id, procedure_for`;
       const metaArgs = [
         intent,
         outcome,
@@ -5373,7 +5430,8 @@ async function flushBatch() {
         tokenCost,
         audience,
         languageType,
-        parentMemoryId
+        parentMemoryId,
+        procedureFor
       ];
       const baseArgs = [
         row.id,
@@ -5402,6 +5460,8 @@ async function flushBatch() {
         sourceType,
         tier,
         supersedesId,
+        validFrom,
+        invalidAt,
         draft,
         memoryType,
         trajectory,
@@ -5409,8 +5469,8 @@ async function flushBatch() {
       ];
       return {
         sql: hasVector ? `INSERT OR IGNORE INTO memories (${cols})
-              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, vector32(?), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)` : `INSERT OR IGNORE INTO memories (${cols})
-              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, vector32(?), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)` : `INSERT OR IGNORE INTO memories (${cols})
+              VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, NULL, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
         args: hasVector ? [...baseArgs, vectorToBlob(row.vector), ...sharedArgs, ...metaArgs] : [...baseArgs, ...sharedArgs, ...metaArgs]
       };
     };
@@ -5526,6 +5586,12 @@ async function searchMemories(queryVector, agentId, options) {
                AND vector IS NOT NULL${statusFilter}${draftFilter}
                AND COALESCE(confidence, 0.7) >= 0.3`;
   const args = [agentId];
+  if (options?.asOf) {
+    sql += ` AND (valid_from IS NULL OR valid_from <= ?) AND (invalid_at IS NULL OR invalid_at > ?)`;
+    args.push(options.asOf, options.asOf);
+  } else {
+    sql += ` AND invalid_at IS NULL`;
+  }
   const scope = buildWikiScopeFilter(options, "");
   sql += scope.clause;
   args.push(...scope.args);
@@ -6850,6 +6916,19 @@ __export(hybrid_search_exports, {
   rrfMerge: () => rrfMerge,
   rrfMergeMulti: () => rrfMergeMulti
 });
+function buildTemporalFilter(options, columnPrefix) {
+  const asOf = options?.asOf;
+  if (asOf) {
+    return {
+      clause: ` AND (${columnPrefix}valid_from IS NULL OR ${columnPrefix}valid_from <= ?) AND (${columnPrefix}invalid_at IS NULL OR ${columnPrefix}invalid_at > ?)`,
+      args: [asOf, asOf]
+    };
+  }
+  return {
+    clause: ` AND ${columnPrefix}invalid_at IS NULL`,
+    args: []
+  };
+}
 function appendMemoryTypeFilter(sql, args, column, options) {
   if (options?.memoryTypes && options.memoryTypes.length > 0) {
     const uniqueTypes = [...new Set(options.memoryTypes)];
@@ -7082,6 +7161,9 @@ async function estimateCardinality(agentId, options) {
                AND COALESCE(status, 'active') = 'active'
                AND COALESCE(confidence, 0.7) >= 0.3`;
   const args = [agentId];
+  const temporal = buildTemporalFilter(options, "");
+  sql += temporal.clause;
+  args.push(...temporal.args);
   const rawVisibility = buildRawVisibilityFilter(options, "");
   sql += rawVisibility.clause;
   args.push(...rawVisibility.args);
@@ -7210,6 +7292,9 @@ async function ftsQuery(client, matchExpr, agentId, options, limit) {
                AND m.agent_id = ?${statusFilter}${draftFilter}
                AND COALESCE(m.confidence, 0.7) >= 0.3`;
   const args = [matchExpr, agentId];
+  const temporal = buildTemporalFilter(options, "m.");
+  sql += temporal.clause;
+  args.push(...temporal.args);
   const scope = buildWikiScopeFilter(options, "m.");
   sql += scope.clause;
   args.push(...scope.args);
@@ -7322,6 +7407,9 @@ async function recentRecords(agentId, options, limit, textFilter) {
              WHERE agent_id = ?${statusFilter}${draftFilter}
                AND COALESCE(confidence, 0.7) >= 0.3`;
   const args = [agentId];
+  const temporal = buildTemporalFilter(options, "");
+  sql += temporal.clause;
+  args.push(...temporal.args);
   const scope = buildWikiScopeFilter(options, "");
   sql += scope.clause;
   args.push(...scope.args);
@@ -7422,6 +7510,9 @@ async function trajectoryBypass(queryText, agentId, options, limit) {
                  AND json_extract(trajectory, '$.tool') = ?
                  AND agent_id = ?${statusFilter}${draftFilter}`;
     const args = [toolName, agentId];
+    const temporal = buildTemporalFilter(options, "");
+    sql += temporal.clause;
+    args.push(...temporal.args);
     const rawVisibility = buildRawVisibilityFilter(options, "");
     sql += rawVisibility.clause;
     args.push(...rawVisibility.args);
@@ -7754,6 +7845,236 @@ var init_active_agent2 = __esm({
   }
 });
 
+// src/mcp/tool-gates.ts
+var tool_gates_exports = {};
+__export(tool_gates_exports, {
+  TOOL_CATEGORIES: () => TOOL_CATEGORIES,
+  TOOL_GATES: () => TOOL_GATES,
+  isToolAllowed: () => isToolAllowed,
+  isToolAllowedForPlan: () => isToolAllowedForPlan
+});
+function isToolAllowedForPlan(registerFnName, plan) {
+  const category = TOOL_CATEGORIES[registerFnName];
+  if (!category) return true;
+  const requiredPlan = PLAN_GATES[category] ?? "free";
+  return PLAN_TIERS[plan] >= PLAN_TIERS[requiredPlan];
+}
+function isChiefOfStaffRole(role) {
+  const normalized = (role ?? "").trim().toLowerCase();
+  return normalized === "chief of staff" || normalized === "executive assistant";
+}
+function isToolAllowed(registerFnName) {
+  const role = process.env.AGENT_ROLE;
+  if (!role) return true;
+  if (isChiefOfStaffRole(role)) {
+    return CHIEF_OF_STAFF_READ_TOOLS.has(registerFnName);
+  }
+  const category = TOOL_CATEGORIES[registerFnName];
+  if (!category) return true;
+  const allowedRoles = TOOL_GATES[category];
+  if (!allowedRoles || allowedRoles.length === 0) return true;
+  return allowedRoles.includes(role);
+}
+var TOOL_GATES, TOOL_CATEGORIES, PLAN_TIERS, PLAN_GATES, CHIEF_OF_STAFF_READ_TOOLS;
+var init_tool_gates = __esm({
+  "src/mcp/tool-gates.ts"() {
+    "use strict";
+    TOOL_GATES = {
+      core: [],
+      // all agents — recall, store, ask_team, commit, search, session, consolidate, cardinality, behavior, identity, decisions
+      tasks: [],
+      // all agents — create, list, get, update, close, checkpoint, resume
+      comms: [],
+      // all agents — send_message, acknowledge
+      reminders: [],
+      // all agents — create, list, complete, reminder
+      "graph-read": [],
+      // all agents — query_relationships, get_entity_neighbors, get_hot_entities, get_graph_stats, find_similar_trajectories, code_context
+      "graph-write": ["COO", "CTO"],
+      // merge_entities, export_graph
+      wiki: ["COO", "Wiki Agent"],
+      // read/list curated wiki pages
+      crm: ["COO", "CRM Agent"],
+      // CRM read/list/get and legacy add/list/get person
+      "raw-data": ["COO", "CTO", "Gateway Agent", "CRM Agent", "Wiki Agent"],
+      // capped read-only raw landing-pad access
+      documents: ["COO", "CTO", "Wiki Agent"],
+      // ingest, list, purge, set_importance, rerank
+      gateway: ["COO", "Gateway Agent"],
+      // send_whatsapp, query_conversations, query_company_brain, company_actions
+      admin: ["COO"],
+      // deploy, backup, daemon health, auto-wake, worker gate, memory audit, consolidation, cloud sync, agent config, list employees, agent spend, sessions, session kills
+      licensing: ["COO"],
+      // get/create/list/activate license
+      orchestration: ["COO"]
+      // triggers, load_skill, starter_pack, export/import orchestration, global procedures
+    };
+    TOOL_CATEGORIES = {
+      // core
+      registerMemory: "core",
+      registerRecallMyMemory: "core",
+      registerAskTeamMemory: "core",
+      registerGetSessionContext: "core",
+      registerGetMemoryById: "core",
+      registerStoreMemory: "core",
+      registerCommitMemory: "core",
+      registerSearchEverything: "core",
+      registerConsolidateMemories: "core",
+      registerGetMemoryCardinality: "core",
+      registerStoreBehavior: "core",
+      registerListBehaviors: "core",
+      registerDeactivateBehavior: "core",
+      registerBehavior: "core",
+      registerStoreDecision: "core",
+      registerGetDecision: "core",
+      registerCreateBugReport: "core",
+      registerSupportTools: "core",
+      registerCliParityTools: "admin",
+      registerGetSessionEvents: "core",
+      registerGetLastAssistantResponse: "core",
+      registerCodeContext: "graph-read",
+      // consolidated tools
+      registerDecision: "core",
+      registerSession: "core",
+      registerSupportConsolidated: "core",
+      registerDiagnostics: "admin",
+      registerListBugReports: "admin",
+      registerGetBugReport: "admin",
+      registerTriageBugReport: "admin",
+      registerIdentity: "core",
+      registerGetIdentity: "core",
+      registerUpdateIdentity: "core",
+      // tasks
+      registerTask: "tasks",
+      registerCreateTask: "tasks",
+      registerListTasks: "tasks",
+      registerUpdateTask: "tasks",
+      registerCloseTask: "tasks",
+      registerGetTask: "tasks",
+      registerCheckpointTask: "tasks",
+      registerResumeEmployee: "tasks",
+      // comms
+      registerMessage: "comms",
+      registerSendMessage: "comms",
+      registerAcknowledgeMessages: "comms",
+      // reminders
+      registerCreateReminder: "reminders",
+      registerListReminders: "reminders",
+      registerCompleteReminder: "reminders",
+      registerReminder: "reminders",
+      // graph-read
+      registerGraph: "graph-read",
+      registerQueryRelationships: "graph-read",
+      registerGetEntityNeighbors: "graph-read",
+      registerGetHotEntities: "graph-read",
+      registerGetGraphStats: "graph-read",
+      registerFindSimilarTrajectories: "graph-read",
+      // graph-write
+      registerMergeEntities: "graph-write",
+      registerExportGraph: "graph-write",
+      // wiki
+      registerWiki: "wiki",
+      registerCreateWikiPage: "wiki",
+      registerListWikiPages: "wiki",
+      registerGetWikiPage: "wiki",
+      // crm
+      registerCrm: "crm",
+      registerRawData: "raw-data",
+      registerAddPerson: "crm",
+      registerListPeople: "crm",
+      registerGetPerson: "crm",
+      // documents
+      registerDocument: "documents",
+      registerIngestDocument: "documents",
+      registerListDocuments: "documents",
+      registerPurgeDocument: "documents",
+      registerSetDocumentImportance: "documents",
+      registerRerankDocuments: "documents",
+      // gateway
+      registerGateway: "gateway",
+      registerSendWhatsapp: "gateway",
+      registerQueryConversations: "gateway",
+      registerQueryCompanyBrain: "gateway",
+      registerCompanyActions: "gateway",
+      // admin
+      registerConfig: "admin",
+      registerDeployClient: "admin",
+      registerBackupVps: "admin",
+      registerGetDaemonHealth: "admin",
+      registerMcpPing: "core",
+      registerGetAutoWakeStatus: "admin",
+      registerGetWorkerGate: "admin",
+      registerRunMemoryAudit: "admin",
+      registerRunConsolidation: "admin",
+      registerCloudSync: "admin",
+      registerOrchestrationPhase: "admin",
+      registerSetAgentConfig: "admin",
+      registerListEmployees: "admin",
+      registerGetAgentSpend: "admin",
+      registerListAgentSessions: "admin",
+      registerGetSessionKills: "admin",
+      // licensing
+      registerGetLicenseStatus: "licensing",
+      registerCreateLicense: "licensing",
+      registerListLicenses: "licensing",
+      registerActivateLicense: "licensing",
+      // orchestration
+      registerCreateTrigger: "orchestration",
+      registerListTriggers: "orchestration",
+      registerApplyStarterPack: "orchestration",
+      registerLoadSkill: "orchestration",
+      registerExportOrchestration: "orchestration",
+      registerImportOrchestration: "orchestration",
+      registerCompanyProcedure: "orchestration",
+      registerGlobalProcedure: "orchestration",
+      registerStoreGlobalProcedure: "orchestration",
+      registerListGlobalProcedures: "orchestration",
+      registerDeactivateGlobalProcedure: "orchestration"
+    };
+    PLAN_TIERS = {
+      free: 0,
+      pro: 1,
+      team: 2,
+      agency: 3,
+      enterprise: 4
+    };
+    PLAN_GATES = {
+      core: "free",
+      tasks: "free",
+      comms: "free",
+      reminders: "free",
+      "graph-read": "free",
+      licensing: "free",
+      // always allow checking/managing own license
+      "graph-write": "pro",
+      wiki: "pro",
+      crm: "pro",
+      "raw-data": "pro",
+      documents: "pro",
+      gateway: "pro",
+      admin: "pro",
+      orchestration: "pro"
+    };
+    CHIEF_OF_STAFF_READ_TOOLS = /* @__PURE__ */ new Set([
+      "registerRecallMyMemory",
+      "registerAskTeamMemory",
+      "registerGetMemoryById",
+      "registerGetSessionContext",
+      "registerGetSessionEvents",
+      "registerGetLastAssistantResponse",
+      "registerSearchEverything",
+      "registerGetDecision",
+      "registerGetIdentity",
+      "registerMcpPing",
+      "registerListTasks",
+      "registerGetTask",
+      "registerListReminders",
+      "registerQueryConversations",
+      "registerQueryCompanyBrain"
+    ]);
+  }
+});
+
 // src/bin/fast-db-init.ts
 var fast_db_init_exports = {};
 __export(fast_db_init_exports, {
@@ -8036,7 +8357,7 @@ import { pathToFileURL as pathToFileURL2 } from "url";
 import os8 from "os";
 import path15 from "path";
 import { jwtVerify, importSPKI } from "jose";
-var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH;
+var LICENSE_PATH, CACHE_PATH, DEVICE_ID_PATH, API_BASE;
 var init_license = __esm({
   "src/lib/license.ts"() {
     "use strict";
@@ -8044,6 +8365,7 @@ var init_license = __esm({
     LICENSE_PATH = path15.join(EXE_AI_DIR, "license.key");
     CACHE_PATH = path15.join(EXE_AI_DIR, "license-cache.json");
     DEVICE_ID_PATH = path15.join(EXE_AI_DIR, "device-id");
+    API_BASE = process.env.EXE_CLOUD_ENDPOINT ?? "https://askexe.com/cloud";
   }
 });
 
@@ -8087,6 +8409,9 @@ import { fileURLToPath as fileURLToPath2 } from "url";
 function getMySession() {
   return getTransport().getMySession();
 }
+function isRootSession(name) {
+  return name.length > 0 && !name.includes("-");
+}
 function extractRootExe(name) {
   if (!name) return null;
   if (!name.includes("-")) return name;
@@ -8105,6 +8430,7 @@ function resolveExeSession() {
   const mySession = getMySession();
   if (!mySession) return null;
   const fromSessionName = extractRootExe(mySession);
+  let candidate = null;
   try {
     const key = getSessionKey();
     const parentExe = getParentExe(key);
@@ -8115,13 +8441,47 @@ function resolveExeSession() {
           `[tmux-routing] WARN: cache says "${fromCache}" but session name says "${fromSessionName}". Trusting session name.
 `
         );
-        return fromSessionName;
+        candidate = fromSessionName;
+      } else {
+        candidate = fromCache;
       }
-      return fromCache;
     }
   } catch {
   }
-  return fromSessionName ?? mySession;
+  if (!candidate) {
+    candidate = fromSessionName ?? mySession;
+  }
+  if (candidate && isRootSession(candidate)) {
+    try {
+      const transport = getTransport();
+      const liveSessions = transport.listSessions();
+      if (!liveSessions.includes(candidate)) {
+        const liveRoots = liveSessions.filter((s) => isRootSession(s));
+        if (liveRoots.length === 1) {
+          process.stderr.write(
+            `[tmux-routing] WARN: resolved session "${candidate}" is dead. Using live coordinator "${liveRoots[0]}".
+`
+          );
+          return liveRoots[0];
+        } else if (liveRoots.length > 1) {
+          const base = candidate.replace(/\d+$/, "");
+          const match = liveRoots.find((s) => s.startsWith(base));
+          const chosen = match ?? liveRoots[0];
+          process.stderr.write(
+            `[tmux-routing] WARN: resolved session "${candidate}" is dead. ${liveRoots.length} live roots found, using "${chosen}".
+`
+          );
+          return chosen;
+        }
+        process.stderr.write(
+          `[tmux-routing] WARN: resolved session "${candidate}" is dead and no live coordinator found.
+`
+        );
+      }
+    } catch {
+    }
+  }
+  return candidate;
 }
 var SPAWN_LOCK_DIR, SESSION_CACHE, INTERCOM_LOG2, DEBOUNCE_FILE, DEBOUNCE_CLEANUP_AGE_MS;
 var init_tmux_routing = __esm({
@@ -8651,6 +9011,66 @@ ${context}`
     }
   } catch {
   }
+  try {
+    const payload = JSON.parse(input);
+    const toolName = String(payload.tool_name ?? "");
+    const { getActiveAgent: getActiveAgent2 } = await Promise.resolve().then(() => (init_active_agent2(), active_agent_exports));
+    const driftAgent = getActiveAgent2();
+    if (driftAgent.agentId !== "default" && toolName) {
+      const { existsSync: driftExists, readFileSync: driftRead, writeFileSync: driftWrite, mkdirSync: driftMkdir } = await import("fs");
+      const driftPath = await import("path");
+      const { TOOL_CATEGORIES: TOOL_CATEGORIES2, TOOL_GATES: TOOL_GATES2 } = await Promise.resolve().then(() => (init_tool_gates(), tool_gates_exports));
+      const normalized = toolName.replace(/[_-]/g, "").toLowerCase();
+      let toolCategory = "unknown";
+      for (const [registerFn, cat] of Object.entries(TOOL_CATEGORIES2)) {
+        const fnNormalized = registerFn.replace(/^register/, "").toLowerCase();
+        if (fnNormalized === normalized) {
+          toolCategory = cat;
+          break;
+        }
+      }
+      const gateRoles = TOOL_GATES2[toolCategory];
+      const isRestricted = gateRoles && gateRoles.length > 0;
+      const isAllowed = !isRestricted || gateRoles.includes(driftAgent.agentRole);
+      if (isRestricted && !isAllowed) {
+        const cacheDir = driftPath.join(
+          process.env.EXE_OS_DIR ?? driftPath.join(process.env.HOME ?? "", ".exe-os"),
+          "session-cache"
+        );
+        driftMkdir(cacheDir, { recursive: true });
+        const counterFile = driftPath.join(cacheDir, `drift-counter-${driftAgent.agentId}.json`);
+        let mismatches = [];
+        try {
+          if (driftExists(counterFile)) {
+            const data = JSON.parse(driftRead(counterFile, "utf8"));
+            mismatches = Array.isArray(data.mismatches) ? data.mismatches : [];
+          }
+        } catch {
+        }
+        mismatches.push(`${toolName} (${toolCategory})`);
+        driftWrite(counterFile, JSON.stringify({
+          mismatches,
+          count: mismatches.length,
+          updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+        }));
+        const MISMATCH_THRESHOLD = 3;
+        if (mismatches.length >= MISMATCH_THRESHOLD) {
+          process.stderr.write(
+            `[post-tool] ${driftAgent.agentId} has ${mismatches.length} tool-category mismatches: ${mismatches.slice(-3).join(", ")}. Injecting scope reminder.
+`
+          );
+          process.stdout.write(JSON.stringify({
+            hookSpecificOutput: {
+              hookEventName: "PostToolUse",
+              additionalContext: `## Scope Reminder
+You are **${driftAgent.agentId}** (${driftAgent.agentRole}). You've used ${mismatches.length} tools outside your expected scope: ${mismatches.slice(-3).join(", ")}. Stay within your role. If this work was delegated to you, continue \u2014 otherwise, route it to the appropriate team member.`
+            }
+          }));
+        }
+      }
+    }
+  } catch {
+  }
   try {
     const data = JSON.parse(input);
     const { getActiveAgent: getActiveAgent2 } = await Promise.resolve().then(() => (init_active_agent2(), active_agent_exports));