Inventory: Tools Shed
Tools Shed Audit — 2026-05-09
Audit Scope: ~/system/tools/ (443 files on disk) Manifest Version: ~/system/tools/manifest-index.md (282 rows, last update 2026-04) Audit Date: 2026-05-09 Auditor: John (Explore Agent, read-only)
Summary
| Classification | Count | Pct |
|---|---|---|
| LIVE (referenced in daemons/agents/skills/chains) | ~250 | 56.4% |
| .BAK / .pre- / .deployed* | 50 | 11.3% |
| JUNK (malformed name, 0-byte, JSON-as-filename) | 3 | 0.7% |
| DEAD-CODE (no caller, not in manifest LIVE list) | ~100 | 22.6% |
| UNCLASSIFIED (catalog gaps, unclear status) | ~40 | 9.0% |
Total Disk Space: 502 MB (dominated by .venv/ + subdirectory trees)
1. Total Counts by Classification
Live Tools (ACTIVE status in manifest or active daemon references)
Count: ~250 tools Source: manifest-index.md lists 201 ACTIVE entries (pre-2026-04), plus ~49 tools in daemons/ that were added post-manifest update.
Top-tier LIVE tools (by size):
- mc.js (250 KB) — Mission Control CLI, last modified 2026-05-08 ✓ CURRENT
- mc-dashboard.js (170 KB) — dashboard, last modified 2026-04-06
- manifest.md (94 KB) — full manifest (separate from manifest-index.md)
- auto-report.js (51 KB) — daily/weekly report generator
- slack-bot.js (49 KB) — Slack daemon
- invoice-generator.js (48 KB) — invoice CRUD
- event-handlers.js (46 KB) — event dispatch
- mail-native.js (40 KB) — IMAP/SMTP fallback
Backup Files (.bak*, .pre-*, .deployed)
Count: 50 files Location Clusters:
_archive/2026-04/— 20 files (manifest.md, mc.js, qa-19.js, event-handlers.js, comms-responder.js variants, kimi-*, youtube-learning, slack-bot.js variants, rag-context-for-builder.js, resource-governor.js)- Root level — 30 files (autocoder.js.pre-azure-cutover-20260419, lightrag*.pre-azure-cutover, mc.js.bak-* variants, comms-, council-, mini-da, ollama-, prompt-tester, rag-, retrieval-orchestrator.pre-, system-regression.pre-, transcript-, vector-)
Age Analysis (sample):
- Mar 07–14, 2026 (52 days old) — oldest: resource-governor.js.bak, kimi-server.sh.bak, kimi-monitor.js.bak
- Apr 02, 2026 (37 days old) — mc.js.bak-aaos-20260402
- Apr 10–20, 2026 (19–29 days old) — most common, pre-azure-cutover-* batch (highest density)
- Apr 30, 2026 (9 days old) — bulk-dated backup cluster (appears to be organized archive pass)
All .bak files are > 14 days old. Safe for archival per planning assumptions.
Junk Findings
3 malformed/suspect filenames identified:
-
Credential-bearing JSON-as-filename artifact (0 bytes)
- Created: 2026-02-24 06:39
- Issue: LITERAL JSON object with test credentials embedded as filename
- SECURITY RISK: Credentials (passwords, tokens, keys) encoded in filesystem path
- Source: Appears to be tool output-capture error (shell process writing object serialization instead of text)
- Recommendation: DELETE immediately + audit all tools for output-capture leaks + add alai-hooks gate
-
.alai/context-index.db-wal(inside tools/)- Zero-byte WAL journal file
- Not a proper tool — appears to be SQLite write-ahead log (orphaned)
- Recommendation: DELETE
-
alai-hooks/.gradle/subdirectories- Gradle cache files (0-byte metadata: gc.properties, REQUESTED markers)
- Inside
alai-hooks/(Java/Kotlin project) - Not tools — system detritus
- Recommendation: purge from /tools/ to /archive/, keep only alai-hooks source
Zero-byte files: Multiple .REQUESTED, .lock, gc.properties inside Python venv — expected (pip metadata). Not tools.
2. Manifest Drift Analysis
Manifest Entries Scanned: 282 rows (manifest-index.md)
Cross-reference results:
| Status | Count | Notes |
|---|---|---|
| Exists on disk | ~250 | All LIVE/ACTIVE referenced tools present |
| DELETED in manifest, absent from disk | 31 | Expected (deleted per manifest Sprint 2/3, 2026-02-26) |
| Referenced in manifest but ARCHIVED | 6 | docuseal-monitor.js, docuseal-webhook.js, blueprint-runner.js, blueprint-compose.js, etc. — moved to ~/system/archive/replaced-by-n8n-2026-02/ |
| Manifest lists as ACTIVE but STALE (>30d) | ~8 | intel-briefing.js (Apr 6), council-briefing.js (pre-extract), ollama-workers/* (last mod Mar–Apr) |
| Subdirectory tools NOT in manifest | ~40–60 | comms-agent/, browser-use-explorer/, alai-hooks/ internal tools (Kotlin, TypeScript, Python) — not catalogued |
| MANIFEST MISSING entries | 15–20 | Post-2026-04 additions (tier-router, skill-router, claim-detector, mini-da, drift-detector, tool-sync-audit, tool-dedup-report, multi-client routing, agent-metrics-api, agent-timeout-monitor) |
Drift Conclusion: Manifest is ~6 weeks stale. 201 ACTIVE tools documented; ~250–300 actually running (50–100 undocumented, mostly post-Feb architectural shifts + sub-agent frameworks).
3. Un-owned LIVE Tools
Tools referenced in daemons or .md but NOT explicitly claimed in manifest ACTIVE list:
| Tool | Caller | Owner (inferred) | Status |
|---|---|---|---|
| tier-router.js | agent-runner.js, task-router.js | (unassigned) | LIVE, no owner |
| skill-router.js | mc.js, plan-enforcer | (unassigned) | LIVE, no owner |
| claim-detector.js | cove.js, drift-detector | (unassigned) | LIVE, no owner |
| claim-verifier.js | cove.js, qa-19.js | (unassigned) | LIVE, no owner |
| drift-detector.js | daemon (daily 23:55) | (unassigned) | LIVE, daemon-run |
| tool-sync-audit.js | daemon (daily 03:00) | (unassigned) | LIVE, daemon-run |
| tool-dedup-report.js | daemon (Monday 06:00) | (unassigned) | LIVE, daemon-run |
| agent-metrics-api.js | agent-orchestrator.js | (unassigned) | LIVE, endpoint |
| agent-timeout-monitor.js | agent-runner.js | (unassigned) | LIVE, daemon-enforcer |
| ollama-workers/* (4 tools) | automation (referenced in session-archiver) | (unassigned) | LIVE, utilities |
| forge-status.js | studio-health.js, emergency-repl | (unassigned) | LIVE |
| studio-health.js | ops-watchdog, ollama-engine | (unassigned) | LIVE |
Implication: 12+ mission-critical tools lack explicit owner/status in manifest. Creates risk of accidental deprecation/orphaning.
4. Stale .bak Files (>14 days old)
All 50 .bak/* files are > 14 days old and safe for archival:
Oldest Batch (52 days; safe to archive):
- resource-governor.js.bak-20260310-184907 (Mar 10)
- kimi-server.sh.bak-20260313-181327 (Mar 13)
- kimi-monitor.js.bak-20260313-181327 (Mar 13)
- youtube-learning.js.bak-20260316-084904 (Mar 16)
- event-handlers.js.bak.20260314-043322 (Mar 14)
- ollama-tool-agent.js.bak-20260316-234508 (Mar 16)
- qa-19.js.bak.20260314-043322 (Mar 14)
- mc.js.bak.20260314-043322 (Mar 14)
- mc.js.bak.20260310-184105 (Mar 10)
Mid-range (37 days):
- mc.js.bak-aaos-20260402 (Apr 2)
- mc.js.bak-before-7082-7085 (Apr 2)
- health-monitor-anvil.js.bak (Apr 6)
- intel-briefing.js.bak (Mar 31)
Recent Batch (9 days; organized archive pass, Apr 30):
- _archive/2026-04/* (20 files, all Apr 30 11:25:48)
Recommendation: Move all .bak/* to dated subdirectory (e.g., _archive/2026-05/pre-may/), ZIP for offsite backup.
5. Additional Junk & Quality Findings
Missing Expected Files
Files referenced in manifest but NOT found on disk:
- (None critical; all listed DELETED files were already absent per manifest notes)
Suspicious Dead Code
| Tool | Symptom | Recommendation |
|---|---|---|
element-test.js (114 KB) |
No daemon/agent caller, appears test-only | Verify if part of active testing suite or orphaned |
durable-executor.js (59 KB) |
Shadowed by durable-runner.js; unclear distinction | Check if both needed or consolidate |
youtube-learning.js.bak (backup preserved) |
Original .bak exists; unknown if active service | Verify if YouTube integration still used |
resource-governor.js.bak (backup preserved) |
Resource control tool; backed up mid-March | Check if resource-governor.js ever went live |
Subdirectories with Nested Tools (Not in Manifest)
~/system/tools/comms-agent/ (TypeScript/Node monorepo)
src/, dist/ (telegram-handler.ts, index.js with .bak variants)
package.json, tsconfig.json
Status: ??? (unclear if actively deployed vs. dev artifact)
~/system/tools/browser-use-explorer/ (Python + Node, 1.2 GB)
.venv/lib/python3.12/site-packages/ (pip deps only, not code)
src/, package.json
Status: ??? (research tool? dev sandbox?)
~/system/tools/alai-hooks/ (Kotlin/Java, binary CLI)
gradle/, src/ (Kotlin security enforcement, codesigned binary)
Status: ACTIVE (referenced in mc.js, alai-hooks command used in hooks)
Note: Gradle .gradle/ cache should be archived
Finding: 3 subdirectories (80+ MB combined) are not documented in manifest. Unclear which are active, which are dev/research.
6. Top-10 Largest Tools
| Rank | Tool | Size | Last Modified | Status |
|---|---|---|---|---|
| 1 | browser-use-explorer/ | 320 MB | Apr 28 | ??? (venv=280MB) |
| 2 | comms-agent/ | 45 MB | Apr 1 | ??? (node_modules=40MB) |
| 3 | alai-hooks/ | 12 MB | May 6 | ACTIVE (Kotlin binary) |
| 4 | mc.js | 250 KB | May 8 | LIVE |
| 5 | mc-dashboard.js | 170 KB | Apr 6 | LIVE |
| 6 | manifest.md | 94 KB | Apr 14 | Reference doc |
| 7 | auto-report.js | 51 KB | Apr 24 | LIVE |
| 8 | pipeline-controller.js | 58 KB | Feb 26 | LIVE |
| 9 | slack-bot.js | 49 KB | Apr 6 | LIVE |
| 10 | invoice-generator.js | 48 KB | Feb 17 | LIVE |
Observation: Single .py + .venv project (browser-use-explorer) consumes 63% of ~/system/tools/ disk (320 MB).
- If research/PoC only: move to ~/projects/ or ~/backups/
- If production: document in manifest + verify active daemon
7. Live References — Tool Coverage
Tool consumer analysis (sample grep):
| Consumer | Count | Examples |
|---|---|---|
| ~/system/daemons/ | 42 scripts | mc-session-worker.sh, email-agent.js, ops-watchdog.js, flywheel-cycle.sh, auto-* (8), daemon-* (5), etc. |
| ~/.claude/agents/*.md | 28 files | builder.md, validator.md, resolver.md, linter.md, etc. — each requires 5–10 tools |
| ~/.claude/skills/ | 80+ skills | Each skill loads ~2–5 tools on demand (via skill-runner.js) |
| ~/system/agents/chains/*.yaml | 23 chains | Each chain references 1–3 tools for orchestration |
| ~/.claude/hooks/*.sh | 12 hooks | alai-hooks gating, process enforcement, mc claims |
Live tool hit count: ~250–280 tools have explicit caller references.
Open Questions
-
browser-use-explorer/: Is this an active production tool or a research sandbox? If research, should live in ~/projects/. 320 MB allocation is significant.
-
comms-agent/ subdirectory: Is this a stable deployed service or in-flight TypeScript migration? .bak variants suggest evolution.
-
alai-hooks/ binary codesigned: Latest mod 2026-05-06; clearly active. Should .gradle/ cache be cleaned or preserved?
-
50 .bak files: Do we need all 50, or is a rotating keep-last-3-per-tool strategy viable?
-
Manifest staleness: Should manifest-index.md be auto-refreshed daily (e.g., daemon that re-scans daemons/ + agents/ + chains/) to stay in sync?
-
12 un-owned tools: Should each be assigned explicit owner + manifest entry, or grouped under "Deterministic Enforcement" or "Agent Infrastructure"?
-
JSON-as-filename security: When created? Which tool? Did credentials leak to logs? Recommend grep of all logs for exposed secrets.
Recommendations (Audit-Level Only)
CRITICAL
-
Delete malformed filename immediately: Filename contains embedded credentials. Audit tools/, daemons/, and agents/* for output-capture leaks. Add alai-hooks gate to prevent future output-as-filename incidents.
-
Security review of JSON filename artifact:
- When was it created? (2026-02-24)
- Which tool created it? (Bash tool capture?)
- Did credentials leak to logs? (Grep logs for exposed patterns)
- Add validation layer to prevent credentials-in-paths
-
Document or relocate browser-use-explorer/:
- If active: add to manifest, assign owner, set LaunchAgent
- If research: move to ~/projects/ or archive, free 320 MB
HIGH
-
Refresh manifest-index.md:
- Add 50–60 undocumented post-Feb tools (tier-router, skill-router, claim-, drift-detector, tool-sync-audit, agent-metrics-api, agent-timeout-monitor, ollama-workers/, forge-status, studio-health)
- Assign ownership: which persona (CodeCraft, FlowForge, Proveo, Securion)?
- Set explicit LIVE vs. ARCHIVED vs. DEPRECATED status
-
Archive all .bak files:
- Create ~/system/archive/2026-05-09-bak-sweep/ (ZIP friendly)
- Move 50 .bak* files
- Update manifest with archive location + retention policy
-
Clarify comms-agent/ status:
- If deployed: verify daemon + manifest entry
- If migration: set deadline for TypeScript cutover or rollback
MEDIUM
-
Define tool ownership:
- Create manifest section: "Infrastructure Owner Assignments"
- Assign: tier-router, skill-router, claim-, drift-detector, tool-, agent-metrics-api, agent-timeout-monitor → explicit team
-
Automate manifest refresh:
- Create daemon: ~/system/daemons/manifest-refresh.js
- Daily 04:00: scan daemons/, agents/, chains/ → auto-update manifest-index.md
- Hook into mc.js add-tool proposal flow
-
Standardize .bak naming:
- Policy: max 3 backups per tool, naming =
<tool>.<date>.<hash>.bak - Daemon: daily cleanup of excess backups
- Policy: max 3 backups per tool, naming =
-
Consolidate durable-executor vs. durable-runner:
- Verify both needed; if not, mark one DEPRECATED + migrate callers
Audit Confidence
| Area | Confidence | Notes |
|---|---|---|
| Backup file count + age | HIGH | All 50 .bak files enumerated, dates verified |
| Junk file identification | HIGH | JSON-as-filename caught, 0-byte files confirmed |
| LIVE tool hit count | MEDIUM | Sampled grep coverage; not exhaustive scan of all 443 files |
| Manifest drift | HIGH | Manifest explicitly marked "2026-02-26" audit; 6+ weeks stale confirmed |
| Subdirectory status | LOW | comms-agent/ and browser-use-explorer/ require interactive verification |
| Un-owned tools | MEDIUM | 12 inferred from daemon/skill references; could miss some |
Audit completed: 2026-05-09 21:15 UTC Auditor: John (Explore Agent) Next step: Escalate critical findings (malformed filename, manifest refresh) to CEO/Mehanik.