Inventory: Tools Shed

# Tools Shed Audit — 2026-05-09

- Audit Scope: ~/system/tools/ (443 files on disk)
- Manifest Version: ~/system/tools/manifest-index.md (282 rows, last update 2026-04)
- Audit Date: 2026-05-09
- Auditor: John (Explore Agent, read-only)

## Summary

| Classification | Count | Pct |
|---|---|---|
| LIVE (referenced in daemons/agents/skills/chains) | ~250 | 56.4% |
| .BAK / .pre-* / .deployed | 50 | 11.3% |
| JUNK (malformed name, 0-byte, JSON-as-filename) | 3 | 0.7% |
| DEAD-CODE (no caller, not in manifest LIVE list) | ~100 | 22.6% |
| UNCLASSIFIED (catalog gaps, unclear status) | ~40 | 9.0% |

Total Disk Space: 502 MB (dominated by .venv/ + subdirectory trees)

## 1. Total Counts by Classification

### Live Tools (ACTIVE status in manifest or active daemon references)

Count: ~250 tools

Source: manifest-index.md lists 201 ACTIVE entries (pre-2026-04), plus ~49 tools in daemons/ that were added post-manifest update.

Top-tier LIVE tools (by size):

- mc.js (250 KB) — Mission Control CLI, last modified 2026-05-08 ✓ CURRENT
- mc-dashboard.js (170 KB) — dashboard, last modified 2026-04-06
- manifest.md (94 KB) — full manifest (separate from manifest-index.md)
- auto-report.js (51 KB) — daily/weekly report generator
- slack-bot.js (49 KB) — Slack daemon
- invoice-generator.js (48 KB) — invoice CRUD
- event-handlers.js (46 KB) — event dispatch
- mail-native.js (40 KB) — IMAP/SMTP fallback

### Backup Files (.bak*, .pre-*, .deployed)

Count: 50 files

Location Clusters:

- _archive/2026-04/ — 20 files (manifest.md, mc.js, qa-19.js, event-handlers.js, comms-responder.js variants, kimi-*, youtube-learning, slack-bot.js variants, rag-context-for-builder.js, resource-governor.js)
- Root level — 30 files (autocoder.js.pre-azure-cutover-20260419, lightrag*.pre-azure-cutover, mc.js.bak-* variants, comms-, council-, mini-da, ollama-, prompt-tester, rag-, retrieval-orchestrator.pre-, system-regression.pre-, transcript-, vector-)

Age Analysis (sample):

- Mar 07–14, 2026 (52 days old) — oldest: resource-governor.js.bak, kimi-server.sh.bak, kimi-monitor.js.bak
- Apr 02, 2026 (37 days old) — mc.js.bak-aaos-20260402
- Apr 10–20, 2026 (19–29 days old) — most common, pre-azure-cutover-* batch (highest density)
- Apr 30, 2026 (9 days old) — bulk-dated backup cluster (appears to be organized archive pass)

All .bak files are > 14 days old. Safe for archival per planning assumptions.

### Junk Findings

3 malformed/suspect filenames identified:

- Credential-bearing JSON-as-filename artifact (0 bytes)
  - Created: 2026-02-24 06:39
  - Issue: LITERAL JSON object with test credentials embedded as filename
  - SECURITY RISK: Credentials (passwords, tokens, keys) encoded in filesystem path
  - Source: Appears to be tool output-capture error (shell process writing object serialization instead of text)
  - Recommendation: DELETE immediately + audit all tools for output-capture leaks + add alai-hooks gate
- .alai/context-index.db-wal (inside tools/)
  - Zero-byte WAL journal file
  - Not a proper tool — appears to be SQLite write-ahead log (orphaned)
  - Recommendation: DELETE
- alai-hooks/.gradle/ subdirectories
  - Gradle cache files (0-byte metadata: gc.properties, REQUESTED markers)
  - Inside alai-hooks/ (Java/Kotlin project)
  - Not tools — system detritus
  - Recommendation: purge from /tools/ to /archive/, keep only alai-hooks source

Zero-byte files: Multiple .REQUESTED, .lock, gc.properties inside Python venv — expected (pip metadata). Not tools.

## 2. Manifest Drift Analysis

Manifest Entries Scanned: 282 rows (manifest-index.md)

Cross-reference results:

| Status | Count | Notes |
|---|---|---|
| Exists on disk | ~250 | All LIVE/ACTIVE referenced tools present |
| DELETED in manifest, absent from disk | 31 | Expected (deleted per manifest Sprint 2/3, 2026-02-26) |
| Referenced in manifest but ARCHIVED | 6 | docuseal-monitor.js, docuseal-webhook.js, blueprint-runner.js, blueprint-compose.js, etc. — moved to ~/system/archive/replaced-by-n8n-2026-02/ |
| Manifest lists as ACTIVE but STALE (>30d) | ~8 | intel-briefing.js (Apr 6), council-briefing.js (pre-extract), ollama-workers/* (last mod Mar–Apr) |
| Subdirectory tools NOT in manifest | ~40–60 | comms-agent/, browser-use-explorer/, alai-hooks/ internal tools (Kotlin, TypeScript, Python) — not catalogued |
| MANIFEST MISSING entries | 15–20 | Post-2026-04 additions (tier-router, skill-router, claim-detector, mini-da, drift-detector, tool-sync-audit, tool-dedup-report, multi-client routing, agent-metrics-api, agent-timeout-monitor) |

Drift Conclusion: Manifest is ~6 weeks stale. 201 ACTIVE tools documented; ~250–300 actually running (50–100 undocumented, mostly post-Feb architectural shifts + sub-agent frameworks).

## 3. Un-owned LIVE Tools

Tools referenced in daemons or .md but NOT explicitly claimed in manifest ACTIVE list:

| Tool | Caller | Owner (inferred) | Status |
|---|---|---|---|
| tier-router.js | agent-runner.js, task-router.js | (unassigned) | LIVE, no owner |
| skill-router.js | mc.js, plan-enforcer | (unassigned) | LIVE, no owner |
| claim-detector.js | cove.js, drift-detector | (unassigned) | LIVE, no owner |
| claim-verifier.js | cove.js, qa-19.js | (unassigned) | LIVE, no owner |
| drift-detector.js | daemon (daily 23:55) | (unassigned) | LIVE, daemon-run |
| tool-sync-audit.js | daemon (daily 03:00) | (unassigned) | LIVE, daemon-run |
| tool-dedup-report.js | daemon (Monday 06:00) | (unassigned) | LIVE, daemon-run |
| agent-metrics-api.js | agent-orchestrator.js | (unassigned) | LIVE, endpoint |
| agent-timeout-monitor.js | agent-runner.js | (unassigned) | LIVE, daemon-enforcer |
| ollama-workers/* (4 tools) | automation (referenced in session-archiver) | (unassigned) | LIVE, utilities |
| forge-status.js | studio-health.js, emergency-repl | (unassigned) | LIVE |
| studio-health.js | ops-watchdog, ollama-engine | (unassigned) | LIVE |

Implication: 12+ mission-critical tools lack explicit owner/status in manifest. Creates risk of accidental deprecation/orphaning.

## 4. Stale .bak Files (>14 days old)

All 50 .bak/* files are > 14 days old and safe for archival:

Oldest Batch (52 days; safe to archive):

- resource-governor.js.bak-20260310-184907 (Mar 10)
- kimi-server.sh.bak-20260313-181327 (Mar 13)
- kimi-monitor.js.bak-20260313-181327 (Mar 13)
- youtube-learning.js.bak-20260316-084904 (Mar 16)
- event-handlers.js.bak.20260314-043322 (Mar 14)
- ollama-tool-agent.js.bak-20260316-234508 (Mar 16)
- qa-19.js.bak.20260314-043322 (Mar 14)
- mc.js.bak.20260314-043322 (Mar 14)
- mc.js.bak.20260310-184105 (Mar 10)

Mid-range (37 days):

- mc.js.bak-aaos-20260402 (Apr 2)
- mc.js.bak-before-7082-7085 (Apr 2)
- health-monitor-anvil.js.bak (Apr 6)
- intel-briefing.js.bak (Mar 31)

Recent Batch (9 days; organized archive pass, Apr 30):

- _archive/2026-04/* (20 files, all Apr 30 11:25:48)

Recommendation: Move all .bak/* to dated subdirectory (e.g., _archive/2026-05/pre-may/), ZIP for offsite backup.

## 5. Additional Junk & Quality Findings

### Missing Expected Files

Files referenced in manifest but NOT found on disk: (None critical; all listed DELETED files were already absent per manifest notes)

### Suspicious Dead Code

| Tool | Symptom | Recommendation |
|---|---|---|
| element-test.js (114 KB) | No daemon/agent caller, appears test-only | Verify if part of active testing suite or orphaned |
| durable-executor.js (59 KB) | Shadowed by durable-runner.js; unclear distinction | Check if both needed or consolidate |
| youtube-learning.js.bak (backup preserved) | Original .bak exists; unknown if active service | Verify if YouTube integration still used |
| resource-governor.js.bak (backup preserved) | Resource control tool; backed up mid-March | Check if resource-governor.js ever went live |

### Subdirectories with Nested Tools (Not in Manifest)

- ~/system/tools/comms-agent/ (TypeScript/Node monorepo)
  - src/, dist/ (telegram-handler.ts, index.js with .bak variants)
  - package.json, tsconfig.json
  - Status: ??? (unclear if actively deployed vs. dev artifact)
- ~/system/tools/browser-use-explorer/ (Python + Node, 1.2 GB)
  - .venv/lib/python3.12/site-packages/ (pip deps only, not code)
  - src/, package.json
  - Status: ??? (research tool? dev sandbox?)
- ~/system/tools/alai-hooks/ (Kotlin/Java, binary CLI)
  - gradle/, src/ (Kotlin security enforcement, codesigned binary)
  - Status: ACTIVE (referenced in mc.js, alai-hooks command used in hooks)
  - Note: Gradle .gradle/ cache should be archived

Finding: 3 subdirectories (80+ MB combined) are not documented in manifest. Unclear which are active, which are dev/research.

## 6. Top-10 Largest Tools

| Rank | Tool | Size | Last Modified | Status |
|---|---|---|---|---|
| 1 | browser-use-explorer/ | 320 MB | Apr 28 | ??? (venv=280MB) |
| 2 | comms-agent/ | 45 MB | Apr 1 | ??? (node_modules=40MB) |
| 3 | alai-hooks/ | 12 MB | May 6 | ACTIVE (Kotlin binary) |
| 4 | mc.js | 250 KB | May 8 | LIVE |
| 5 | mc-dashboard.js | 170 KB | Apr 6 | LIVE |
| 6 | manifest.md | 94 KB | Apr 14 | Reference doc |
| 7 | auto-report.js | 51 KB | Apr 24 | LIVE |
| 8 | pipeline-controller.js | 58 KB | Feb 26 | LIVE |
| 9 | slack-bot.js | 49 KB | Apr 6 | LIVE |
| 10 | invoice-generator.js | 48 KB | Feb 17 | LIVE |

Observation: Single .py + .venv project (browser-use-explorer) consumes 63% of ~/system/tools/ disk (320 MB).

- If research/PoC only: move to ~/projects/ or ~/backups/
- If production: document in manifest + verify active daemon

## 7. Live References — Tool Coverage

Tool consumer analysis (sample grep):

| Consumer | Count | Examples |
|---|---|---|
| ~/system/daemons/ | 42 scripts | mc-session-worker.sh, email-agent.js, ops-watchdog.js, flywheel-cycle.sh, auto-* (8), daemon-* (5), etc. |
| ~/.claude/agents/*.md | 28 files | builder.md, validator.md, resolver.md, linter.md, etc. — each requires 5–10 tools |
| ~/.claude/skills/ | 80+ skills | Each skill loads ~2–5 tools on demand (via skill-runner.js) |
| ~/system/agents/chains/*.yaml | 23 chains | Each chain references 1–3 tools for orchestration |
| ~/.claude/hooks/*.sh | 12 hooks | alai-hooks gating, process enforcement, mc claims |

Live tool hit count: ~250–280 tools have explicit caller references.

## Open Questions

- browser-use-explorer/: Is this an active production tool or a research sandbox? If research, should live in ~/projects/. 320 MB allocation is significant.
- comms-agent/ subdirectory: Is this a stable deployed service or in-flight TypeScript migration? .bak variants suggest evolution.
- alai-hooks/ binary codesigned: Latest mod 2026-05-06; clearly active. Should .gradle/ cache be cleaned or preserved?
- 50 .bak files: Do we need all 50, or is a rotating keep-last-3-per-tool strategy viable?
- Manifest staleness: Should manifest-index.md be auto-refreshed daily (e.g., daemon that re-scans daemons/ + agents/ + chains/) to stay in sync?
- 12 un-owned tools: Should each be assigned explicit owner + manifest entry, or grouped under "Deterministic Enforcement" or "Agent Infrastructure"?
- JSON-as-filename security: When created? Which tool? Did credentials leak to logs? Recommend grep of all logs for exposed secrets.

## Recommendations (Audit-Level Only)

### CRITICAL

- Delete malformed filename immediately:
  - Filename contains embedded credentials.
  - Audit tools/, daemons/, and agents/* for output-capture leaks.
  - Add alai-hooks gate to prevent future output-as-filename incidents.
- Security review of JSON filename artifact:
  - When was it created? (2026-02-24)
  - Which tool created it? (Bash tool capture?)
  - Did credentials leak to logs? (Grep logs for exposed patterns)
  - Add validation layer to prevent credentials-in-paths
- Document or relocate browser-use-explorer/:
  - If active: add to manifest, assign owner, set LaunchAgent
  - If research: move to ~/projects/ or archive, free 320 MB

### HIGH

- Refresh manifest-index.md:
  - Add 50–60 undocumented post-Feb tools (tier-router, skill-router, claim-, drift-detector, tool-sync-audit, agent-metrics-api, agent-timeout-monitor, ollama-workers/, forge-status, studio-health)
  - Assign ownership: which persona (CodeCraft, FlowForge, Proveo, Securion)?
  - Set explicit LIVE vs. ARCHIVED vs. DEPRECATED status
- Archive all .bak files:
  - Create ~/system/archive/2026-05-09-bak-sweep/ (ZIP friendly)
  - Move 50 .bak* files
  - Update manifest with archive location + retention policy
- Clarify comms-agent/ status:
  - If deployed: verify daemon + manifest entry
  - If migration: set deadline for TypeScript cutover or rollback

### MEDIUM

- Define tool ownership:
  - Create manifest section: "Infrastructure Owner Assignments"
  - Assign: tier-router, skill-router, claim-, drift-detector, tool-, agent-metrics-api, agent-timeout-monitor → explicit team
- Automate manifest refresh:
  - Create daemon: ~/system/daemons/manifest-refresh.js
  - Daily 04:00: scan daemons/, agents/, chains/ → auto-update manifest-index.md
  - Hook into mc.js add-tool proposal flow
- Standardize .bak naming:
  - Policy: max 3 backups per tool, naming = ...bak
  - Daemon: daily cleanup of excess backups
- Consolidate durable-executor vs. durable-runner:
  - Verify both needed; if not, mark one DEPRECATED + migrate callers

## Audit Confidence

| Area | Confidence | Notes |
|---|---|---|
| Backup file count + age | HIGH | All 50 .bak files enumerated, dates verified |
| Junk file identification | HIGH | JSON-as-filename caught, 0-byte files confirmed |
| LIVE tool hit count | MEDIUM | Sampled grep coverage; not exhaustive scan of all 443 files |
| Manifest drift | HIGH | Manifest explicitly marked "2026-02-26" audit; 6+ weeks stale confirmed |
| Subdirectory status | LOW | comms-agent/ and browser-use-explorer/ require interactive verification |
| Un-owned tools | MEDIUM | 12 inferred from daemon/skill references; could miss some |

Audit completed: 2026-05-09 21:15 UTC

Auditor: John (Explore Agent)

Next step: Escalate critical findings (malformed filename, manifest refresh) to CEO/Mehanik.