@askexenow/exe-os 0.9.97 → 0.9.99

package/dist/bin/agentic-ontology-backfill.js

@@ -1055,40 +1055,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync4 } = __require("child_process");
-      const vmstat = execSync4("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os4.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os4.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -3545,6 +3516,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",

package/dist/bin/agentic-reflection-backfill.js

@@ -1055,40 +1055,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync4 } = __require("child_process");
-      const vmstat = execSync4("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os4.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os4.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -3545,6 +3516,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",

package/dist/bin/agentic-semantic-label.js

@@ -1055,40 +1055,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync4 } = __require("child_process");
-      const vmstat = execSync4("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os4.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os4.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -3545,6 +3516,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",

package/dist/bin/backfill-conversations.js

@@ -1059,40 +1059,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync4 } = __require("child_process");
-      const vmstat = execSync4("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os4.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os4.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -3685,6 +3656,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",

package/dist/bin/backfill-responses.js

@@ -1059,40 +1059,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync4 } = __require("child_process");
-      const vmstat = execSync4("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os4.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os4.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -3685,6 +3656,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",

package/dist/bin/backfill-vectors.js

@@ -1055,40 +1055,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync4 } = __require("child_process");
-      const vmstat = execSync4("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os4.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os4.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -3681,6 +3652,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",

package/dist/bin/bulk-sync-postgres.js

@@ -1055,40 +1055,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync4 } = __require("child_process");
-      const vmstat = execSync4("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os4.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os4.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -3853,6 +3824,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",

package/dist/bin/cleanup-stale-review-tasks.js

@@ -1077,40 +1077,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync6 } = __require("child_process");
-      const vmstat = execSync6("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os4.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os4.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os4.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -4328,6 +4299,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",

package/dist/bin/cli.js

@@ -3748,40 +3748,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync20 } = __require("child_process");
-      const vmstat = execSync20("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os10.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os10.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os10.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -9015,6 +8986,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",
@@ -19950,7 +19928,7 @@ function ask3(rl, prompt) {
     doAsk();
   });
 }
-function getAvailableMemoryGB2() {
+function getAvailableMemoryGB() {
   if (process.platform === "darwin") {
     try {
       const { execSync: execSync20 } = __require("child_process");
@@ -19974,11 +19952,11 @@ function getTotalMemoryGB() {
   return os19.totalmem() / (1024 * 1024 * 1024);
 }
 function isLowMemory() {
-  return getAvailableMemoryGB2() < 2;
+  return getAvailableMemoryGB() < 2;
 }
 async function validateModel(log) {
   const totalGB = getTotalMemoryGB();
-  const freeGB = getAvailableMemoryGB2();
+  const freeGB = getAvailableMemoryGB();
   if (totalGB <= 8 || isLowMemory()) {
     log(`System memory: ${totalGB.toFixed(0)}GB total, ${freeGB.toFixed(1)}GB free`);
     log("Skipping in-memory model validation (low memory \u2014 will validate on first use).");
@@ -20223,7 +20201,7 @@ async function runSetupWizard(opts = {}) {
         skipModel = true;
       }
       if (!skipModel) {
-        const freeGB = getAvailableMemoryGB2();
+        const freeGB = getAvailableMemoryGB();
         if (freeGB < 2) {
           log(`\u26A0 Low memory detected: ${freeGB.toFixed(1)}GB free of ${totalGB.toFixed(0)}GB total`);
           log("  Close other applications (browser, Slack, etc.) before continuing.");

package/dist/bin/exe-agent.js

@@ -1493,6 +1493,13 @@ var PLATFORM_PROCEDURES = [
     priority: "p0",
     content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
   },
+  // --- Encryption key + cloud sync ---
+  {
+    title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+    domain: "security",
+    priority: "p0",
+    content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+  },
   // --- MCP is the ONLY data interface ---
   {
     title: "MCP disconnect \u2014 ask the user, never work around it",

package/dist/bin/exe-assign.js

@@ -430,40 +430,11 @@ function findPackageRoot() {
   }
   return null;
 }
-function getAvailableMemoryGB() {
-  if (process.platform === "darwin") {
-    try {
-      const { execSync: execSync4 } = __require("child_process");
-      const vmstat = execSync4("vm_stat", { encoding: "utf8" });
-      const pageSize = 16384;
-      const pageSizeMatch = vmstat.match(/page size of (\d+) bytes/);
-      const actualPageSize = pageSizeMatch ? parseInt(pageSizeMatch[1], 10) : pageSize;
-      const free = vmstat.match(/Pages free:\s+(\d+)/);
-      const inactive = vmstat.match(/Pages inactive:\s+(\d+)/);
-      const speculative = vmstat.match(/Pages speculative:\s+(\d+)/);
-      const freePages = free ? parseInt(free[1], 10) : 0;
-      const inactivePages = inactive ? parseInt(inactive[1], 10) : 0;
-      const speculativePages = speculative ? parseInt(speculative[1], 10) : 0;
-      return (freePages + inactivePages + speculativePages) * actualPageSize / (1024 * 1024 * 1024);
-    } catch {
-      return os3.freemem() / (1024 * 1024 * 1024);
-    }
-  }
-  return os3.freemem() / (1024 * 1024 * 1024);
-}
 function spawnDaemon() {
-  const freeGB = getAvailableMemoryGB();
   const totalGB = os3.totalmem() / (1024 * 1024 * 1024);
   if (totalGB <= 8) {
     process.stderr.write(
       `[exed-client] SKIP: ${totalGB.toFixed(0)}GB system \u2014 embedding daemon disabled. Using keyword search only. Minimum 16GB recommended for vector search.
-`
-    );
-    return;
-  }
-  if (totalGB <= 16 && freeGB < 2) {
-    process.stderr.write(
-      `[exed-client] SKIP: low memory (${freeGB.toFixed(1)}GB available / ${totalGB.toFixed(0)}GB total). Embedding daemon not started \u2014 using keyword search only.
 `
     );
     return;
@@ -3695,6 +3666,13 @@ var init_platform_procedures = __esm({
         priority: "p0",
         content: "Tasks live in the DB. Intercom (tmux send-keys) is fire-and-forget \u2014 it may fail, get garbled, or arrive mid-work. Never rely on intercom for task delivery. The UserPromptSubmit hook checks the DB for new tasks on every prompt. Your operating procedures step 7 says check for next work. The daemon nudges idle agents as a speedup. If you have no tasks, you found them all."
       },
+      // --- Encryption key + cloud sync ---
+      {
+        title: "Encryption key lives in Keychain, not on disk \u2014 never expose the recovery phrase",
+        domain: "security",
+        priority: "p0",
+        content: "The master encryption key is stored in macOS Keychain (Secure Enclave) or Linux secret-tool \u2014 NOT as a file. There is no ~/.exe-os/master.key on modern installs. If an older install had one, it was auto-migrated to Keychain and the file deleted. Device linking uses a 24-word BIP39 recovery phrase: Device 1 runs `exe-os cloud link --show-full` in their local Terminal to reveal it, Device 2 runs `exe-os cloud` and pastes the phrase to import the key into its own Keychain, then cloud sync pulls encrypted memories. NEVER display, log, or return the recovery phrase in agent output. MCP tools are hardened \u2014 they cannot reveal it. If the user needs the phrase, tell them: 'Run exe-os cloud link --show-full in your Terminal.' If searching for master.key returns nothing, that is CORRECT \u2014 the key is in Keychain."
+      },
       // --- MCP is the ONLY data interface ---
       {
         title: "MCP disconnect \u2014 ask the user, never work around it",