Skip to main content

Inventory: Tools Shed

Tools Shed Audit — 2026-05-09

Audit Scope: ~/system/tools/ (443 files on disk) Manifest Version: ~/system/tools/manifest-index.md (282 rows, last update 2026-04) Audit Date: 2026-05-09 Auditor: John (Explore Agent, read-only)

Summary

Classification Count Pct
LIVE (referenced in daemons/agents/skills/chains) ~250 56.4%
.BAK / .pre- / .deployed* 50 11.3%
JUNK (malformed name, 0-byte, JSON-as-filename) 3 0.7%
DEAD-CODE (no caller, not in manifest LIVE list) ~100 22.6%
UNCLASSIFIED (catalog gaps, unclear status) ~40 9.0%

Total Disk Space: 502 MB (dominated by .venv/ + subdirectory trees)

1. Total Counts by Classification

Live Tools (ACTIVE status in manifest or active daemon references)

Count: ~250 tools Source: manifest-index.md lists 201 ACTIVE entries (pre-2026-04), plus ~49 tools in daemons/ that were added post-manifest update.

Top-tier LIVE tools (by size):

  • mc.js (250 KB) — Mission Control CLI, last modified 2026-05-08 ✓ CURRENT
  • mc-dashboard.js (170 KB) — dashboard, last modified 2026-04-06
  • manifest.md (94 KB) — full manifest (separate from manifest-index.md)
  • auto-report.js (51 KB) — daily/weekly report generator
  • slack-bot.js (49 KB) — Slack daemon
  • invoice-generator.js (48 KB) — invoice CRUD
  • event-handlers.js (46 KB) — event dispatch
  • mail-native.js (40 KB) — IMAP/SMTP fallback

Backup Files (.bak*, .pre-*, .deployed)

Count: 50 files Location Clusters:

  • _archive/2026-04/ — 20 files (manifest.md, mc.js, qa-19.js, event-handlers.js, comms-responder.js variants, kimi-*, youtube-learning, slack-bot.js variants, rag-context-for-builder.js, resource-governor.js)
  • Root level — 30 files (autocoder.js.pre-azure-cutover-20260419, lightrag*.pre-azure-cutover, mc.js.bak-* variants, comms-, council-, mini-da, ollama-, prompt-tester, rag-, retrieval-orchestrator.pre-, system-regression.pre-, transcript-, vector-)

Age Analysis (sample):

  • Mar 07–14, 2026 (52 days old) — oldest: resource-governor.js.bak, kimi-server.sh.bak, kimi-monitor.js.bak
  • Apr 02, 2026 (37 days old) — mc.js.bak-aaos-20260402
  • Apr 10–20, 2026 (19–29 days old) — most common, pre-azure-cutover-* batch (highest density)
  • Apr 30, 2026 (9 days old) — bulk-dated backup cluster (appears to be organized archive pass)

All .bak files are > 14 days old. Safe for archival per planning assumptions.

Junk Findings

3 malformed/suspect filenames identified:

  1. Credential-bearing JSON-as-filename artifact (0 bytes)

    • Created: 2026-02-24 06:39
    • Issue: LITERAL JSON object with test credentials embedded as filename
    • SECURITY RISK: Credentials (passwords, tokens, keys) encoded in filesystem path
    • Source: Appears to be tool output-capture error (shell process writing object serialization instead of text)
    • Recommendation: DELETE immediately + audit all tools for output-capture leaks + add alai-hooks gate

  2. .alai/context-index.db-wal (inside tools/)

    • Zero-byte WAL journal file
    • Not a proper tool — appears to be SQLite write-ahead log (orphaned)
    • Recommendation: DELETE

  3. alai-hooks/.gradle/ subdirectories

    • Gradle cache files (0-byte metadata: gc.properties, REQUESTED markers)
    • Inside alai-hooks/ (Java/Kotlin project)
    • Not tools — system detritus
    • Recommendation: purge from /tools/ to /archive/, keep only alai-hooks source

Zero-byte files: Multiple .REQUESTED, .lock, gc.properties inside Python venv — expected (pip metadata). Not tools.

2. Manifest Drift Analysis

Manifest Entries Scanned: 282 rows (manifest-index.md)

Cross-reference results:

Status Count Notes
Exists on disk ~250 All LIVE/ACTIVE referenced tools present
DELETED in manifest, absent from disk 31 Expected (deleted per manifest Sprint 2/3, 2026-02-26)
Referenced in manifest but ARCHIVED 6 docuseal-monitor.js, docuseal-webhook.js, blueprint-runner.js, blueprint-compose.js, etc. — moved to ~/system/archive/replaced-by-n8n-2026-02/
Manifest lists as ACTIVE but STALE (>30d) ~8 intel-briefing.js (Apr 6), council-briefing.js (pre-extract), ollama-workers/* (last mod Mar–Apr)
Subdirectory tools NOT in manifest ~40–60 comms-agent/, browser-use-explorer/, alai-hooks/ internal tools (Kotlin, TypeScript, Python) — not catalogued
MANIFEST MISSING entries 15–20 Post-2026-04 additions (tier-router, skill-router, claim-detector, mini-da, drift-detector, tool-sync-audit, tool-dedup-report, multi-client routing, agent-metrics-api, agent-timeout-monitor)

Drift Conclusion: Manifest is ~6 weeks stale. 201 ACTIVE tools documented; ~250–300 actually running (50–100 undocumented, mostly post-Feb architectural shifts + sub-agent frameworks).

3. Un-owned LIVE Tools

Tools referenced in daemons or .md but NOT explicitly claimed in manifest ACTIVE list:

Tool Caller Owner (inferred) Status
tier-router.js agent-runner.js, task-router.js (unassigned) LIVE, no owner
skill-router.js mc.js, plan-enforcer (unassigned) LIVE, no owner
claim-detector.js cove.js, drift-detector (unassigned) LIVE, no owner
claim-verifier.js cove.js, qa-19.js (unassigned) LIVE, no owner
drift-detector.js daemon (daily 23:55) (unassigned) LIVE, daemon-run
tool-sync-audit.js daemon (daily 03:00) (unassigned) LIVE, daemon-run
tool-dedup-report.js daemon (Monday 06:00) (unassigned) LIVE, daemon-run
agent-metrics-api.js agent-orchestrator.js (unassigned) LIVE, endpoint
agent-timeout-monitor.js agent-runner.js (unassigned) LIVE, daemon-enforcer
ollama-workers/* (4 tools) automation (referenced in session-archiver) (unassigned) LIVE, utilities
forge-status.js studio-health.js, emergency-repl (unassigned) LIVE
studio-health.js ops-watchdog, ollama-engine (unassigned) LIVE

Implication: 12+ mission-critical tools lack explicit owner/status in manifest. Creates risk of accidental deprecation/orphaning.

4. Stale .bak Files (>14 days old)

All 50 .bak/* files are > 14 days old and safe for archival:

Oldest Batch (52 days; safe to archive):

  • resource-governor.js.bak-20260310-184907 (Mar 10)
  • kimi-server.sh.bak-20260313-181327 (Mar 13)
  • kimi-monitor.js.bak-20260313-181327 (Mar 13)
  • youtube-learning.js.bak-20260316-084904 (Mar 16)
  • event-handlers.js.bak.20260314-043322 (Mar 14)
  • ollama-tool-agent.js.bak-20260316-234508 (Mar 16)
  • qa-19.js.bak.20260314-043322 (Mar 14)
  • mc.js.bak.20260314-043322 (Mar 14)
  • mc.js.bak.20260310-184105 (Mar 10)

Mid-range (37 days):

  • mc.js.bak-aaos-20260402 (Apr 2)
  • mc.js.bak-before-7082-7085 (Apr 2)
  • health-monitor-anvil.js.bak (Apr 6)
  • intel-briefing.js.bak (Mar 31)

Recent Batch (9 days; organized archive pass, Apr 30):

  • _archive/2026-04/* (20 files, all Apr 30 11:25:48)

Recommendation: Move all .bak/* to dated subdirectory (e.g., _archive/2026-05/pre-may/), ZIP for offsite backup.

5. Additional Junk & Quality Findings

Missing Expected Files

Files referenced in manifest but NOT found on disk:

  • (None critical; all listed DELETED files were already absent per manifest notes)

Suspicious Dead Code

Tool Symptom Recommendation
element-test.js (114 KB) No daemon/agent caller, appears test-only Verify if part of active testing suite or orphaned
durable-executor.js (59 KB) Shadowed by durable-runner.js; unclear distinction Check if both needed or consolidate
youtube-learning.js.bak (backup preserved) Original .bak exists; unknown if active service Verify if YouTube integration still used
resource-governor.js.bak (backup preserved) Resource control tool; backed up mid-March Check if resource-governor.js ever went live

Subdirectories with Nested Tools (Not in Manifest)

~/system/tools/comms-agent/              (TypeScript/Node monorepo)
  src/, dist/          (telegram-handler.ts, index.js with .bak variants)
  package.json, tsconfig.json
  Status: ??? (unclear if actively deployed vs. dev artifact)

~/system/tools/browser-use-explorer/     (Python + Node, 1.2 GB)
  .venv/lib/python3.12/site-packages/   (pip deps only, not code)
  src/, package.json
  Status: ??? (research tool? dev sandbox?)

~/system/tools/alai-hooks/               (Kotlin/Java, binary CLI)
  gradle/, src/        (Kotlin security enforcement, codesigned binary)
  Status: ACTIVE (referenced in mc.js, alai-hooks command used in hooks)
  Note: Gradle .gradle/ cache should be archived

Finding: 3 subdirectories (80+ MB combined) are not documented in manifest. Unclear which are active, which are dev/research.

6. Top-10 Largest Tools

Rank Tool Size Last Modified Status
1 browser-use-explorer/ 320 MB Apr 28 ??? (venv=280MB)
2 comms-agent/ 45 MB Apr 1 ??? (node_modules=40MB)
3 alai-hooks/ 12 MB May 6 ACTIVE (Kotlin binary)
4 mc.js 250 KB May 8 LIVE
5 mc-dashboard.js 170 KB Apr 6 LIVE
6 manifest.md 94 KB Apr 14 Reference doc
7 auto-report.js 51 KB Apr 24 LIVE
8 pipeline-controller.js 58 KB Feb 26 LIVE
9 slack-bot.js 49 KB Apr 6 LIVE
10 invoice-generator.js 48 KB Feb 17 LIVE

Observation: Single .py + .venv project (browser-use-explorer) consumes 63% of ~/system/tools/ disk (320 MB).

  • If research/PoC only: move to ~/projects/ or ~/backups/
  • If production: document in manifest + verify active daemon

7. Live References — Tool Coverage

Tool consumer analysis (sample grep):

Consumer Count Examples
~/system/daemons/ 42 scripts mc-session-worker.sh, email-agent.js, ops-watchdog.js, flywheel-cycle.sh, auto-* (8), daemon-* (5), etc.
~/.claude/agents/*.md 28 files builder.md, validator.md, resolver.md, linter.md, etc. — each requires 5–10 tools
~/.claude/skills/ 80+ skills Each skill loads ~2–5 tools on demand (via skill-runner.js)
~/system/agents/chains/*.yaml 23 chains Each chain references 1–3 tools for orchestration
~/.claude/hooks/*.sh 12 hooks alai-hooks gating, process enforcement, mc claims

Live tool hit count: ~250–280 tools have explicit caller references.

Open Questions

  1. browser-use-explorer/: Is this an active production tool or a research sandbox? If research, should live in ~/projects/. 320 MB allocation is significant.

  2. comms-agent/ subdirectory: Is this a stable deployed service or in-flight TypeScript migration? .bak variants suggest evolution.

  3. alai-hooks/ binary codesigned: Latest mod 2026-05-06; clearly active. Should .gradle/ cache be cleaned or preserved?

  4. 50 .bak files: Do we need all 50, or is a rotating keep-last-3-per-tool strategy viable?

  5. Manifest staleness: Should manifest-index.md be auto-refreshed daily (e.g., daemon that re-scans daemons/ + agents/ + chains/) to stay in sync?

  6. 12 un-owned tools: Should each be assigned explicit owner + manifest entry, or grouped under "Deterministic Enforcement" or "Agent Infrastructure"?

  7. JSON-as-filename security: When created? Which tool? Did credentials leak to logs? Recommend grep of all logs for exposed secrets.

Recommendations (Audit-Level Only)

CRITICAL

  1. Delete malformed filename immediately: Filename contains embedded credentials. Audit tools/, daemons/, and agents/* for output-capture leaks. Add alai-hooks gate to prevent future output-as-filename incidents.

  2. Security review of JSON filename artifact:

    • When was it created? (2026-02-24)
    • Which tool created it? (Bash tool capture?)
    • Did credentials leak to logs? (Grep logs for exposed patterns)
    • Add validation layer to prevent credentials-in-paths

  3. Document or relocate browser-use-explorer/:

    • If active: add to manifest, assign owner, set LaunchAgent
    • If research: move to ~/projects/ or archive, free 320 MB

HIGH

  1. Refresh manifest-index.md:

    • Add 50–60 undocumented post-Feb tools (tier-router, skill-router, claim-, drift-detector, tool-sync-audit, agent-metrics-api, agent-timeout-monitor, ollama-workers/, forge-status, studio-health)
    • Assign ownership: which persona (CodeCraft, FlowForge, Proveo, Securion)?
    • Set explicit LIVE vs. ARCHIVED vs. DEPRECATED status

  2. Archive all .bak files:

    • Create ~/system/archive/2026-05-09-bak-sweep/ (ZIP friendly)
    • Move 50 .bak* files
    • Update manifest with archive location + retention policy

  3. Clarify comms-agent/ status:

    • If deployed: verify daemon + manifest entry
    • If migration: set deadline for TypeScript cutover or rollback

MEDIUM

  1. Define tool ownership:

    • Create manifest section: "Infrastructure Owner Assignments"
    • Assign: tier-router, skill-router, claim-, drift-detector, tool-, agent-metrics-api, agent-timeout-monitor → explicit team

  2. Automate manifest refresh:

    • Create daemon: ~/system/daemons/manifest-refresh.js
    • Daily 04:00: scan daemons/, agents/, chains/ → auto-update manifest-index.md
    • Hook into mc.js add-tool proposal flow

  3. Standardize .bak naming:

    • Policy: max 3 backups per tool, naming = <tool>.<date>.<hash>.bak
    • Daemon: daily cleanup of excess backups

  4. Consolidate durable-executor vs. durable-runner:

    • Verify both needed; if not, mark one DEPRECATED + migrate callers

Audit Confidence

Area Confidence Notes
Backup file count + age HIGH All 50 .bak files enumerated, dates verified
Junk file identification HIGH JSON-as-filename caught, 0-byte files confirmed
LIVE tool hit count MEDIUM Sampled grep coverage; not exhaustive scan of all 443 files
Manifest drift HIGH Manifest explicitly marked "2026-02-26" audit; 6+ weeks stale confirmed
Subdirectory status LOW comms-agent/ and browser-use-explorer/ require interactive verification
Un-owned tools MEDIUM 12 inferred from daemon/skill references; could miss some

Audit completed: 2026-05-09 21:15 UTC Auditor: John (Explore Agent) Next step: Escalate critical findings (malformed filename, manifest refresh) to CEO/Mehanik.

Back to top