# Inventory: Tools Shed # Tools Shed Audit — 2026-05-09 **Audit Scope:** ~/system/tools/ (443 files on disk) **Manifest Version:** ~/system/tools/manifest-index.md (282 rows, last update 2026-04) **Audit Date:** 2026-05-09 **Auditor:** John (Explore Agent, read-only) --- ## Summary | Classification | Count | Pct | |---|---|---| | **LIVE** (referenced in daemons/agents/skills/chains) | **~250** | 56.4% | | **.BAK / .pre-* / .deployed** | **50** | 11.3% | | **JUNK** (malformed name, 0-byte, JSON-as-filename) | **3** | 0.7% | | **DEAD-CODE** (no caller, not in manifest LIVE list) | ~100 | 22.6% | | **UNCLASSIFIED** (catalog gaps, unclear status) | ~40 | 9.0% | **Total Disk Space:** 502 MB (dominated by .venv/ + subdirectory trees) --- ## 1. Total Counts by Classification ### Live Tools (ACTIVE status in manifest or active daemon references) **Count:** ~250 tools **Source:** manifest-index.md lists 201 ACTIVE entries (pre-2026-04), plus ~49 tools in daemons/ that were added post-manifest update. **Top-tier LIVE tools (by size):** - mc.js (250 KB) — Mission Control CLI, last modified 2026-05-08 ✓ CURRENT - mc-dashboard.js (170 KB) — dashboard, last modified 2026-04-06 - manifest.md (94 KB) — full manifest (separate from manifest-index.md) - auto-report.js (51 KB) — daily/weekly report generator - slack-bot.js (49 KB) — Slack daemon - invoice-generator.js (48 KB) — invoice CRUD - event-handlers.js (46 KB) — event dispatch - mail-native.js (40 KB) — IMAP/SMTP fallback ### Backup Files (.bak*, .pre-*, .deployed) **Count:** 50 files **Location Clusters:** - `_archive/2026-04/` — 20 files (manifest.md, mc.js, qa-19.js, event-handlers.js, comms-responder.js variants, kimi-*, youtube-learning, slack-bot.js variants, rag-context-for-builder.js, resource-governor.js) - Root level — 30 files (autocoder.js.pre-azure-cutover-20260419, lightrag*.pre-azure-cutover, mc.js.bak-* variants, comms-*, council-, mini-da, ollama-*, prompt-tester, rag-, retrieval-orchestrator.pre-, system-regression.pre-, transcript-, vector-) **Age Analysis (sample):** - **Mar 07–14, 2026** (52 days old) — oldest: resource-governor.js.bak, kimi-server.sh.bak, kimi-monitor.js.bak - **Apr 02, 2026** (37 days old) — mc.js.bak-aaos-20260402 - **Apr 10–20, 2026** (19–29 days old) — most common, pre-azure-cutover-* batch (highest density) - **Apr 30, 2026** (9 days old) — bulk-dated backup cluster (appears to be organized archive pass) **All .bak files are > 14 days old.** Safe for archival per planning assumptions. ### Junk Findings **3 malformed/suspect filenames identified:** 1. **Credential-bearing JSON-as-filename artifact** (0 bytes) - Created: 2026-02-24 06:39 - Issue: LITERAL JSON object with test credentials embedded as filename - **SECURITY RISK:** Credentials (passwords, tokens, keys) encoded in filesystem path - Source: Appears to be tool output-capture error (shell process writing object serialization instead of text) - Recommendation: **DELETE immediately** + audit all tools for output-capture leaks + add alai-hooks gate 2. **`.alai/context-index.db-wal` (inside tools/)** - Zero-byte WAL journal file - Not a proper tool — appears to be SQLite write-ahead log (orphaned) - Recommendation: DELETE 3. **`alai-hooks/.gradle/` subdirectories** - Gradle cache files (0-byte metadata: gc.properties, REQUESTED markers) - Inside `alai-hooks/` (Java/Kotlin project) - Not tools — system detritus - Recommendation: purge from /tools/ to /archive/, keep only alai-hooks source **Zero-byte files:** Multiple .REQUESTED, .lock, gc.properties inside Python venv — expected (pip metadata). Not tools. --- ## 2. Manifest Drift Analysis **Manifest Entries Scanned:** 282 rows (manifest-index.md) **Cross-reference results:** | Status | Count | Notes | |---|---|---| | **Exists on disk** | ~250 | All LIVE/ACTIVE referenced tools present | | **DELETED in manifest, absent from disk** | 31 | Expected (deleted per manifest Sprint 2/3, 2026-02-26) | | **Referenced in manifest but ARCHIVED** | 6 | docuseal-monitor.js, docuseal-webhook.js, blueprint-runner.js, blueprint-compose.js, etc. — moved to ~/system/archive/replaced-by-n8n-2026-02/ | | **Manifest lists as ACTIVE but STALE (>30d)** | ~8 | intel-briefing.js (Apr 6), council-briefing.js (pre-extract), ollama-workers/* (last mod Mar–Apr) | | **Subdirectory tools NOT in manifest** | ~40–60 | `comms-agent/`, `browser-use-explorer/`, `alai-hooks/` internal tools (Kotlin, TypeScript, Python) — not catalogued | | **MANIFEST MISSING entries** | 15–20 | Post-2026-04 additions (tier-router, skill-router, claim-detector, mini-da, drift-detector, tool-sync-audit, tool-dedup-report, multi-client routing, agent-metrics-api, agent-timeout-monitor) | **Drift Conclusion:** Manifest is ~6 weeks stale. 201 ACTIVE tools documented; ~250–300 actually running (50–100 undocumented, mostly post-Feb architectural shifts + sub-agent frameworks). --- ## 3. Un-owned LIVE Tools Tools referenced in daemons or .md but NOT explicitly claimed in manifest ACTIVE list: | Tool | Caller | Owner (inferred) | Status | |---|---|---|---| | tier-router.js | agent-runner.js, task-router.js | (unassigned) | LIVE, no owner | | skill-router.js | mc.js, plan-enforcer | (unassigned) | LIVE, no owner | | claim-detector.js | cove.js, drift-detector | (unassigned) | LIVE, no owner | | claim-verifier.js | cove.js, qa-19.js | (unassigned) | LIVE, no owner | | drift-detector.js | daemon (daily 23:55) | (unassigned) | LIVE, daemon-run | | tool-sync-audit.js | daemon (daily 03:00) | (unassigned) | LIVE, daemon-run | | tool-dedup-report.js | daemon (Monday 06:00) | (unassigned) | LIVE, daemon-run | | agent-metrics-api.js | agent-orchestrator.js | (unassigned) | LIVE, endpoint | | agent-timeout-monitor.js | agent-runner.js | (unassigned) | LIVE, daemon-enforcer | | ollama-workers/* (4 tools) | automation (referenced in session-archiver) | (unassigned) | LIVE, utilities | | forge-status.js | studio-health.js, emergency-repl | (unassigned) | LIVE | | studio-health.js | ops-watchdog, ollama-engine | (unassigned) | LIVE | **Implication:** 12+ mission-critical tools lack explicit owner/status in manifest. Creates risk of accidental deprecation/orphaning. --- ## 4. Stale .bak Files (>14 days old) All 50 .bak/* files are > 14 days old and safe for archival: **Oldest Batch (52 days; safe to archive):** - resource-governor.js.bak-20260310-184907 (Mar 10) - kimi-server.sh.bak-20260313-181327 (Mar 13) - kimi-monitor.js.bak-20260313-181327 (Mar 13) - youtube-learning.js.bak-20260316-084904 (Mar 16) - event-handlers.js.bak.20260314-043322 (Mar 14) - ollama-tool-agent.js.bak-20260316-234508 (Mar 16) - qa-19.js.bak.20260314-043322 (Mar 14) - mc.js.bak.20260314-043322 (Mar 14) - mc.js.bak.20260310-184105 (Mar 10) **Mid-range (37 days):** - mc.js.bak-aaos-20260402 (Apr 2) - mc.js.bak-before-7082-7085 (Apr 2) - health-monitor-anvil.js.bak (Apr 6) - intel-briefing.js.bak (Mar 31) **Recent Batch (9 days; organized archive pass, Apr 30):** - _archive/2026-04/* (20 files, all Apr 30 11:25:48) **Recommendation:** Move all .bak/* to dated subdirectory (e.g., `_archive/2026-05/pre-may/`), ZIP for offsite backup. --- ## 5. Additional Junk & Quality Findings ### Missing Expected Files **Files referenced in manifest but NOT found on disk:** - (None critical; all listed DELETED files were already absent per manifest notes) ### Suspicious Dead Code | Tool | Symptom | Recommendation | |---|---|---| | `element-test.js` (114 KB) | No daemon/agent caller, appears test-only | Verify if part of active testing suite or orphaned | | `durable-executor.js` (59 KB) | Shadowed by durable-runner.js; unclear distinction | Check if both needed or consolidate | | `youtube-learning.js.bak` (backup preserved) | Original .bak exists; unknown if active service | Verify if YouTube integration still used | | `resource-governor.js.bak` (backup preserved) | Resource control tool; backed up mid-March | Check if resource-governor.js ever went live | ### Subdirectories with Nested Tools (Not in Manifest) ``` ~/system/tools/comms-agent/ (TypeScript/Node monorepo) src/, dist/ (telegram-handler.ts, index.js with .bak variants) package.json, tsconfig.json Status: ??? (unclear if actively deployed vs. dev artifact) ~/system/tools/browser-use-explorer/ (Python + Node, 1.2 GB) .venv/lib/python3.12/site-packages/ (pip deps only, not code) src/, package.json Status: ??? (research tool? dev sandbox?) ~/system/tools/alai-hooks/ (Kotlin/Java, binary CLI) gradle/, src/ (Kotlin security enforcement, codesigned binary) Status: ACTIVE (referenced in mc.js, alai-hooks command used in hooks) Note: Gradle .gradle/ cache should be archived ``` **Finding:** 3 subdirectories (80+ MB combined) are not documented in manifest. Unclear which are active, which are dev/research. --- ## 6. Top-10 Largest Tools | Rank | Tool | Size | Last Modified | Status | |---|---|---|---|---| | 1 | browser-use-explorer/ | 320 MB | Apr 28 | ??? (venv=280MB) | | 2 | comms-agent/ | 45 MB | Apr 1 | ??? (node_modules=40MB) | | 3 | alai-hooks/ | 12 MB | May 6 | ACTIVE (Kotlin binary) | | 4 | mc.js | 250 KB | May 8 | LIVE | | 5 | mc-dashboard.js | 170 KB | Apr 6 | LIVE | | 6 | manifest.md | 94 KB | Apr 14 | Reference doc | | 7 | auto-report.js | 51 KB | Apr 24 | LIVE | | 8 | pipeline-controller.js | 58 KB | Feb 26 | LIVE | | 9 | slack-bot.js | 49 KB | Apr 6 | LIVE | | 10 | invoice-generator.js | 48 KB | Feb 17 | LIVE | **Observation:** Single .py + .venv project (browser-use-explorer) consumes 63% of ~/system/tools/ disk (320 MB). - If research/PoC only: **move to ~/projects/** or ~/backups/ - If production: **document in manifest + verify active daemon** --- ## 7. Live References — Tool Coverage **Tool consumer analysis (sample grep):** | Consumer | Count | Examples | |---|---|---| | **~/system/daemons/** | 42 scripts | mc-session-worker.sh, email-agent.js, ops-watchdog.js, flywheel-cycle.sh, auto-* (8), daemon-* (5), etc. | | **~/.claude/agents/*.md** | 28 files | builder.md, validator.md, resolver.md, linter.md, etc. — each requires 5–10 tools | | **~/.claude/skills/** | 80+ skills | Each skill loads ~2–5 tools on demand (via skill-runner.js) | | **~/system/agents/chains/*.yaml** | 23 chains | Each chain references 1–3 tools for orchestration | | **~/.claude/hooks/*.sh** | 12 hooks | alai-hooks gating, process enforcement, mc claims | **Live tool hit count:** ~250–280 tools have explicit caller references. --- ## Open Questions 1. **browser-use-explorer/:** Is this an active production tool or a research sandbox? If research, should live in ~/projects/. 320 MB allocation is significant. 2. **comms-agent/ subdirectory:** Is this a stable deployed service or in-flight TypeScript migration? .bak variants suggest evolution. 3. **alai-hooks/ binary codesigned:** Latest mod 2026-05-06; clearly active. Should .gradle/ cache be cleaned or preserved? 4. **50 .bak files:** Do we need all 50, or is a rotating keep-last-3-per-tool strategy viable? 5. **Manifest staleness:** Should manifest-index.md be auto-refreshed daily (e.g., daemon that re-scans daemons/ + agents/ + chains/) to stay in sync? 6. **12 un-owned tools:** Should each be assigned explicit owner + manifest entry, or grouped under "Deterministic Enforcement" or "Agent Infrastructure"? 7. **JSON-as-filename security:** When created? Which tool? Did credentials leak to logs? Recommend grep of all logs for exposed secrets. --- ## Recommendations (Audit-Level Only) ### CRITICAL 1. **Delete malformed filename immediately:** Filename contains embedded credentials. Audit tools/*, daemons/*, and agents/* for output-capture leaks. Add alai-hooks gate to prevent future output-as-filename incidents. 2. **Security review of JSON filename artifact:** - When was it created? (2026-02-24) - Which tool created it? (Bash tool capture?) - Did credentials leak to logs? (Grep logs for exposed patterns) - Add validation layer to prevent credentials-in-paths 3. **Document or relocate browser-use-explorer/:** - If active: add to manifest, assign owner, set LaunchAgent - If research: move to ~/projects/ or archive, free 320 MB ### HIGH 4. **Refresh manifest-index.md:** - Add 50–60 undocumented post-Feb tools (tier-router, skill-router, claim-*, drift-detector, tool-sync-audit, agent-metrics-api, agent-timeout-monitor, ollama-workers/*, forge-status, studio-health) - Assign ownership: which persona (CodeCraft, FlowForge, Proveo, Securion)? - Set explicit LIVE vs. ARCHIVED vs. DEPRECATED status 5. **Archive all .bak files:** - Create ~/system/archive/2026-05-09-bak-sweep/ (ZIP friendly) - Move 50 .bak* files - Update manifest with archive location + retention policy 6. **Clarify comms-agent/ status:** - If deployed: verify daemon + manifest entry - If migration: set deadline for TypeScript cutover or rollback ### MEDIUM 7. **Define tool ownership:** - Create manifest section: "Infrastructure Owner Assignments" - Assign: tier-router, skill-router, claim-*, drift-detector, tool-*, agent-metrics-api, agent-timeout-monitor → explicit team 8. **Automate manifest refresh:** - Create daemon: ~/system/daemons/manifest-refresh.js - Daily 04:00: scan daemons/, agents/, chains/ → auto-update manifest-index.md - Hook into mc.js add-tool proposal flow 9. **Standardize .bak naming:** - Policy: max 3 backups per tool, naming = `...bak` - Daemon: daily cleanup of excess backups 10. **Consolidate durable-executor vs. durable-runner:** - Verify both needed; if not, mark one DEPRECATED + migrate callers --- ## Audit Confidence | Area | Confidence | Notes | |---|---|---| | Backup file count + age | **HIGH** | All 50 .bak files enumerated, dates verified | | Junk file identification | **HIGH** | JSON-as-filename caught, 0-byte files confirmed | | LIVE tool hit count | **MEDIUM** | Sampled grep coverage; not exhaustive scan of all 443 files | | Manifest drift | **HIGH** | Manifest explicitly marked "2026-02-26" audit; 6+ weeks stale confirmed | | Subdirectory status | **LOW** | comms-agent/ and browser-use-explorer/ require interactive verification | | Un-owned tools | **MEDIUM** | 12 inferred from daemon/skill references; could miss some | --- **Audit completed:** 2026-05-09 21:15 UTC **Auditor:** John (Explore Agent) **Next step:** Escalate critical findings (malformed filename, manifest refresh) to CEO/Mehanik.