@cgh567/agent 2.4.3 → 2.4.4

package/daemon/lib/session-log-reader.js

@@ -0,0 +1,93 @@
+'use strict';
+
+const path = require('path');
+const os = require('os');
+
+/**
+ * SessionLogReader — reads OpenCode session logs from opencode.db
+ * to reconstruct agent decision traces for HED audit.
+ * Uses better-sqlite3 (already a dependency via daemon) for read-only access.
+ */
+
+// OpenCode stores sessions at platform-specific paths:
+//   Linux/WSL: ~/.local/share/opencode/opencode.db
+//   macOS:     ~/Library/Application Support/opencode/opencode.db
+//   Windows:   %APPDATA%\opencode\opencode.db
+function getOpenCodeDbPath() {
+  if (process.platform === 'linux') {
+    return path.join(os.homedir(), '.local', 'share', 'opencode', 'opencode.db');
+  }
+  if (process.platform === 'darwin') {
+    return path.join(os.homedir(), 'Library', 'Application Support', 'opencode', 'opencode.db');
+  }
+  return path.join(os.homedir(), 'AppData', 'Local', 'opencode', 'opencode.db');
+}
+
+async function readSessionLog(sessionKey) {
+  if (!sessionKey) return [];
+  let Database;
+  try {
+    Database = require('better-sqlite3');
+  } catch {
+    console.warn('[session-log-reader] better-sqlite3 not available — cannot read session log');
+    return [];
+  }
+  const dbPath = getOpenCodeDbPath();
+  let db;
+  try {
+    db = new Database(dbPath, { readonly: true, fileMustExist: true });
+  } catch (err) {
+    console.warn('[session-log-reader] cannot open opencode.db:', err.message);
+    return [];
+  }
+  try {
+    const messages = db.prepare(
+      `SELECT role, content, created_at FROM messages WHERE session_id = ? ORDER BY created_at ASC`
+    ).all(sessionKey);
+    return messages.map((m, i) => ({
+      index: i,
+      role: m.role,
+      content: typeof m.content === 'string' ? m.content : JSON.stringify(m.content),
+      createdAt: m.created_at
+    }));
+  } catch (err) {
+    console.warn('[session-log-reader] query failed:', err.message);
+    return [];
+  } finally {
+    db.close();
+  }
+}
+
+// Classify messages into XEPV sequence: eXplore, Execute, Plan, Verify
+function classifyXEPV(messages) {
+  return messages.map(m => {
+    const content = m.content || '';
+    // Tool calls in content indicate action type
+    if (content.includes('"edit"') || content.includes('"write"')) return { ...m, xepv: 'X_Execute' };
+    if (content.includes('"read"') || content.includes('"grep"') || content.includes('"search_codebase"') || content.includes('"glob"')) return { ...m, xepv: 'X_Explore' };
+    if (content.includes('"bash"') && (content.includes('test') || content.includes('vitest') || content.includes('grep -n'))) return { ...m, xepv: 'X_Verify' };
+    if (m.role === 'assistant' && (content.includes('plan') || content.includes('approach') || content.includes('strategy') || content.includes('first'))) return { ...m, xepv: 'X_Plan' };
+    return { ...m, xepv: 'X_Unknown' };
+  });
+}
+
+// Find the branch point where the agent deviated from the declared target
+function findBranchPoint(xepvMessages, opTarget) {
+  const exploreBeforeExecute = xepvMessages.filter(m => m.xepv === 'X_Explore');
+  for (const msg of exploreBeforeExecute) {
+    // If the agent explored files NOT in the declared target, that's the branch point
+    if (opTarget && !msg.content.includes(opTarget)) {
+      return { message: msg, reason: `Agent explored ${msg.content.slice(0, 200)} instead of declared target ${opTarget}` };
+    }
+  }
+  return null;
+}
+
+// Compute P-ratio: plan steps vs execution steps
+function computePRatio(xepvMessages) {
+  const plan = xepvMessages.filter(m => m.xepv === 'X_Plan').length;
+  const execute = xepvMessages.filter(m => m.xepv === 'X_Execute').length;
+  return { planSteps: plan, executeSteps: execute, ratio: execute > 0 ? plan / execute : plan };
+}
+
+module.exports = { readSessionLog, classifyXEPV, findBranchPoint, computePRatio };

package/daemon/lib/standard-work-bootstrap.js

@@ -106,7 +106,93 @@ const PROVISIONAL_WORK = [
     ],
     qualityCriteria: ['Body updated with completion summary.'],
     escalationTriggers: ['Task request is ambiguous — set andoning=true, andonCategory=ambiguous_instruction.']
-  }
+  },
+  {
+    taskOriginKind: 'harada_l2_research',
+    agentId: 'any',
+    estimatedDurationMs: 600_000,
+    p90DurationMs: 1_200_000,
+    steps: [
+      '1. Read your task body carefully — it contains the GoalResearchBrief, pillar domain, and CEO critique from the previous round (if any).',
+      '2. Read the full GoalPillar node for your assigned pillar using GET /api/hbo/mandala?companyId=<cid>.',
+      '3. Perform a SearXNG web search: "<pillar.name> <company domain> strategy best practices 2024 2025".',
+      '4. Query Memgraph for existing memory on this pillar: MATCH (p:GoalPillar {id: $pillarId})-[:HAS_FACT]->(f:KeyFact) RETURN f.text LIMIT 10.',
+      '5. Cross-reference the GoalResearchBrief tournament winner with your search results.',
+      '6. Synthesise a 50-word purpose statement for this pillar anchored to the company goal.',
+      '7. Choose a strategy direction in ≤20 chars (e.g., "Land & Expand", "Cost Leadership").',
+      '8. Define 3 key actions the company must execute over the next 90 days for this pillar.',
+      '9. If a CEO critique was provided in the task body, explicitly address each point.',
+      '10. Submit: POST /api/hbo/pillar/{pillarId}/l2content with { l2Strategy, l2Content, l2ReviewStatus: "pending_review" }.',
+      '11. Write a one-sentence completion summary in your task result.',
+    ],
+    qualityCriteria: [
+      'l2Strategy is ≤20 characters and is a recognisable strategic archetype.',
+      'l2Content directly references the GoalResearchBrief tournament winner.',
+      'All three 90-day actions are specific and measurable.',
+      'CEO critique (if present) is explicitly addressed point-by-point.',
+    ],
+  },
+  {
+    taskOriginKind: 'harada_l2_review',
+    agentId: 'any_ceo',
+    estimatedDurationMs: 120_000,
+    p90DurationMs: 300_000,
+    steps: [
+      '1. Read the GoalPillar l2Content and l2Strategy for the pillar under review.',
+      '2. Read the GoalResearchBrief tournament winner for context.',
+      '3. Evaluate against three criteria: (a) Does the strategy align with the company goal? (b) Does l2Content reference the tournament winner? (c) Are the 90-day actions specific and measurable?',
+      '4. If l2ReviewCycles >= 2: escalate with AnomalySignal (harada_cascade_blocked) instead of requesting another revision.',
+      '5. Verdict PASS: POST /api/hbo/pillar/{pillarId}/l2review with { verdict: "pass", reviewCritique: "<one sentence summary>" }.',
+      '6. Verdict FAIL: POST /api/hbo/pillar/{pillarId}/l2review with { verdict: "fail", reviewCritique: "<specific actionable critique>" }. This re-dispatches harada_l2_research with your critique in the task body.',
+    ],
+    qualityCriteria: [
+      'Verdict is exactly "pass" or "fail" — no other values.',
+      'reviewCritique is ≤100 words and is specific enough for the researcher to act on.',
+      'harada_cascade_blocked is raised when l2ReviewCycles >= 2 — never a third research pass.',
+    ],
+  },
+  {
+    taskOriginKind: 'harada_l3_research',
+    agentId: 'any',
+    estimatedDurationMs: 480_000,
+    p90DurationMs: 900_000,
+    steps: [
+      '1. Read your task body — it contains the pillar l2Content, l2Strategy, action cell description, and dept head critique (if any).',
+      '2. Read the ActionCell node for context using GET /api/hbo/actioncell/{cellId}.',
+      '3. Perform a SearXNG web search: "<cell.description> <pillar.name> execution tactics implementation".',
+      '4. Focus on concrete execution tactics, not high-level strategy.',
+      '5. Query Memgraph for relevant prior work: MATCH (ac:ActionCell {id: $cellId})-[:HAS_FACT]->(f:KeyFact) RETURN f.text LIMIT 5.',
+      '6. Synthesise a ≤100-word execution plan for this action cell.',
+      '7. Ensure your plan references the pillar l2Strategy for coherence.',
+      '8. If a dept head critique was in the task body, address it explicitly.',
+      '9. Submit: POST /api/hbo/actioncell/{cellId}/l3content with { l3Content, l3ReviewStatus: "pending_review" }.',
+      '10. Write a one-sentence completion summary.',
+    ],
+    qualityCriteria: [
+      'l3Content is ≤100 words and is an execution plan, not a strategy statement.',
+      'l3Content explicitly references the pillar l2Strategy.',
+      'Dept head critique (if present) is addressed point-by-point.',
+    ],
+  },
+  {
+    taskOriginKind: 'harada_l3_review',
+    agentId: 'any',
+    estimatedDurationMs: 120_000,
+    p90DurationMs: 300_000,
+    steps: [
+      '1. Read the ActionCell l3Content for the cell under review.',
+      '2. Read the parent GoalPillar l2Strategy for alignment context.',
+      '3. Evaluate against two criteria: (a) Does l3Content align with the pillar l2Strategy? (b) Is the execution plan specific enough to guide agent task dispatch?',
+      '4. If l3ReviewCycles >= 2: escalate with harada_cascade_blocked AnomalySignal.',
+      '5. Verdict PASS: POST /api/hbo/actioncell/{cellId}/l3review with { verdict: "pass", reviewCritique: "<one sentence>" }.',
+      '6. Verdict FAIL: POST /api/hbo/actioncell/{cellId}/l3review with { verdict: "fail", reviewCritique: "<specific critique>" }.',
+    ],
+    qualityCriteria: [
+      'Verdict is exactly "pass" or "fail".',
+      'reviewCritique is ≤80 words.',
+      'harada_cascade_blocked is raised when l3ReviewCycles >= 2.',
+    ],
+  },
 ];
 
 /**

package/daemon/lib/task-completion-processor.js

@@ -36,9 +36,11 @@ class TaskCompletionProcessor {
   /**
    * @param {object} opts
    * @param {Function} opts.mgQuery - Memgraph query function from daemon
+   * @param {object} [opts.activityLogger] - Optional ActivityLogger for recording task.complete events
    */
   constructor(opts = {}) {
     this._mg = opts.mgQuery;
+    this.activityLogger = opts.activityLogger ?? null;
   }
 
   /**
@@ -208,6 +210,16 @@ class TaskCompletionProcessor {
           process.stderr.write('[task-completion] routineDisciplineScore increment warn: ' + (e?.message || e) + '\n');
         }
       }
+
+      // ── H-01: Record task.complete in ActivityLogger ─────────────────────────
+      this.activityLogger?.record({
+        action: 'task.complete',
+        actor: agentId,
+        entityId: taskId,
+        companyId: companyId,
+        outcome: exitCode === 0 ? 'success' : 'error',
+        meta: { exitCode, originKind },
+      });
     } catch (err) {
       // Non-fatal — log but don't fail the task completion
       process.stdout.write(JSON.stringify({

package/daemon/package.json

@@ -22,7 +22,8 @@
   "dependencies": {
     "better-sqlite3": "^12.10.0",
     "croner": "^9.0.0",
-    "neo4j-driver": "^6.0.1"
+    "neo4j-driver": "^6.0.1",
+    "sqlite-vec": "0.1.9"
   },
   "devDependencies": {
     "tsx": "^4.22.4",

package/daemon/routes/agents.js

@@ -4,8 +4,10 @@
  * routes/agents.js — Agent-related route dispatch
  *
  * Routes handled:
- *   GET  /api/agents
- *   POST /api/agents/pause-all
+ *   GET  /api/agents                       — list all agents for a company
+ *   GET  /api/agents/:id                   — single agent detail (P7-A1)
+ *   GET  /api/agents/:id/runs              — HeartbeatRun history (P7-A2)
+ *   POST /api/agents/pause-all             — pause all agents (handled by hbo.js; stubbed here)
  *   POST /api/agents/:id/sync-skills
  *   POST /api/agents/:id/approve
  *   POST /api/agents/:id/terminate
@@ -14,7 +16,8 @@
  */
 
 module.exports = function createAgentsRouter(handlers) {
-  const { handleGetAgents, handleSyncSkills, handleApproveAgent, handleTerminateAgent,
+  const { handleGetAgents, handleGetAgent, handleGetAgentRuns,
+          handleSyncSkills, handleApproveAgent, handleTerminateAgent,
           handlePauseAgent, handleResumeAgent, handlePauseAll } = handlers;
 
   return async function agentsRoute(req, res, ctx, pathname, method) {
@@ -24,7 +27,25 @@ module.exports = function createAgentsRouter(handlers) {
     }
 
     if (method === 'POST' && pathname === '/api/agents/pause-all') {
-      await handlePauseAll(req, res, ctx);
+      // pause-all is also handled by hbo.js; guard against null stub
+      if (handlePauseAll) {
+        await handlePauseAll(req, res, ctx);
+      } else {
+        // delegated to hbo.js — return false so hboRoute can handle it
+        return false;
+      }
+      return true;
+    }
+
+    // P7-A2: GET /api/agents/:id/runs — must be matched BEFORE /:id to avoid conflict
+    const runsMatch = pathname.match(/^\/api\/agents\/([^/]+)\/runs$/);
+    if (method === 'GET' && runsMatch) {
+      if (handleGetAgentRuns) {
+        await handleGetAgentRuns(req, res, ctx, decodeURIComponent(runsMatch[1]));
+      } else {
+        res.writeHead(501, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Agent runs endpoint not configured' }));
+      }
       return true;
     }
 
@@ -48,13 +69,37 @@ module.exports = function createAgentsRouter(handlers) {
 
     const pauseMatch = pathname.match(/^\/api\/agents\/([^/]+)\/pause$/);
     if (method === 'POST' && pauseMatch) {
-      await handlePauseAgent(req, res, ctx, decodeURIComponent(pauseMatch[1]));
+      if (handlePauseAgent) {
+        await handlePauseAgent(req, res, ctx, decodeURIComponent(pauseMatch[1]));
+      } else {
+        // H-4 fix: explicit error response instead of silent hang
+        res.writeHead(501, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Agent pause handler not configured' }));
+      }
       return true;
     }
 
     const resumeMatch = pathname.match(/^\/api\/agents\/([^/]+)\/resume$/);
     if (method === 'POST' && resumeMatch) {
-      await handleResumeAgent(req, res, ctx, decodeURIComponent(resumeMatch[1]));
+      if (handleResumeAgent) {
+        await handleResumeAgent(req, res, ctx, decodeURIComponent(resumeMatch[1]));
+      } else {
+        // H-4 fix: explicit error response instead of silent hang
+        res.writeHead(501, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Agent resume handler not configured' }));
+      }
+      return true;
+    }
+
+    // P7-A1: GET /api/agents/:id — must be LAST to avoid matching sub-routes above
+    const agentDetailMatch = pathname.match(/^\/api\/agents\/([^/]+)$/);
+    if (method === 'GET' && agentDetailMatch) {
+      if (handleGetAgent) {
+        await handleGetAgent(req, res, ctx, decodeURIComponent(agentDetailMatch[1]));
+      } else {
+        res.writeHead(501, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Agent detail endpoint not configured' }));
+      }
       return true;
     }
 

package/daemon/routes/channels.js

@@ -34,7 +34,7 @@ const ACCOUNTS_FILE = path.join(ACCOUNTS_DIR, 'accounts.json');
 // Serialise all accounts.json mutations to prevent concurrent-write corruption
 let _accountsWriteLock = Promise.resolve();
 function withAccountsLock(fn) {
-  _accountsWriteLock = _accountsWriteLock.then(fn).catch(fn);
+  _accountsWriteLock = _accountsWriteLock.then(fn).catch(err => { console.error('[channels] accounts lock error:', err); });
   return _accountsWriteLock;
 }
 
@@ -348,6 +348,108 @@ async function handleSaveSlackChannel(req, res, companyId, body, mgQuery) {
 
 // ── Route dispatcher ───────────────────────────────────────────────────────
 
+// ── iMessage channel handlers ──────────────────────────────────────────────
+
+/**
+ * POST /api/companies/:id/channels/imessage/setup
+ *
+ * Verifies that the daemon can read the macOS iMessage database (chat.db).
+ * Requirements: macOS, Messages.app installed, Full Disk Access granted to this process.
+ * Returns: { connected: true, messageCount: N } on success,
+ *          { error: 'fda_denied', message: '...' } if FDA is not granted,
+ *          { error: 'not_macos' } on non-macOS platforms.
+ */
+async function handleImessageSetup(req, res) {
+  // iMessage is macOS-only — chat.db only exists on macOS
+  if (process.platform !== 'darwin') {
+    jsonErr(res, 400, 'not_macos', req);
+    return;
+  }
+
+  const chatDbPath = path.join(os.homedir(), 'Library', 'Messages', 'chat.db');
+
+  let db;
+  try {
+    // Dynamically require better-sqlite3 so non-macOS builds don't fail at import time.
+    // If it's not available, fall back to graceful error.
+    let Database;
+    try {
+      Database = require('better-sqlite3');
+    } catch (_) {
+      // Try bun:sqlite as fallback (daemon may run under Bun)
+      try {
+        const bun = require('bun:sqlite');
+        Database = bun.Database;
+      } catch (__) {
+        jsonErr(res, 500, 'sqlite_unavailable', req);
+        return;
+      }
+    }
+
+    db = new Database(chatDbPath, { readonly: true });
+    // Quick sanity query — counts messages to verify FDA access
+    const row = db.prepare('SELECT COUNT(*) as count FROM message').get();
+    const messageCount = row ? row.count : 0;
+
+    jsonOk(res, { connected: true, messageCount }, req);
+  } catch (err) {
+    const code = err && (err.code || err.message || '');
+    // SQLITE_CANTOPEN is thrown when FDA is not granted (chat.db unreadable)
+    if (
+      typeof code === 'string' &&
+      (code.includes('SQLITE_CANTOPEN') || code.includes('EPERM') || code.includes('EACCES') || code.includes('authorization denied'))
+    ) {
+      res.writeHead(403, getCorsHeaders(req));
+      res.end(JSON.stringify({
+        error: 'fda_denied',
+        message: 'Helios needs Full Disk Access to read iMessages. Open System Settings → Privacy & Security → Full Disk Access and add Helios.',
+      }));
+    } else {
+      jsonErr(res, 500, err.message || 'Unknown error reading chat.db', req);
+    }
+  } finally {
+    if (db) {
+      try { db.close(); } catch (_) {}
+    }
+  }
+}
+
+/**
+ * GET /api/companies/:id/channels/imessage/status
+ *
+ * Returns imessage connection status without writing anything.
+ */
+async function handleImessageStatus(req, res) {
+  if (process.platform !== 'darwin') {
+    jsonOk(res, { connected: false, available: false }, req);
+    return;
+  }
+
+  const chatDbPath = path.join(os.homedir(), 'Library', 'Messages', 'chat.db');
+
+  let db;
+  let connected = false;
+  try {
+    let Database;
+    try { Database = require('better-sqlite3'); } catch (_) {
+      try { Database = require('bun:sqlite').Database; } catch (__) {}
+    }
+    if (Database) {
+      db = new Database(chatDbPath, { readonly: true });
+      db.prepare('SELECT 1 FROM message LIMIT 1').get();
+      connected = true;
+    }
+  } catch (_) {
+    connected = false;
+  } finally {
+    if (db) { try { db.close(); } catch (_) {} }
+  }
+
+  jsonOk(res, { connected, available: true }, req);
+}
+
+// ── Route dispatcher ───────────────────────────────────────────────────────
+
 /**
  * channelsRoute(req, res, ctx, pathname, method)
  * Returns true if this route handled the request, false otherwise.
@@ -362,8 +464,10 @@ function channelsRoute(req, res, ctx, pathname, method) {
 
   const emailMatch = pathname.match(/^\/api\/companies\/([^/]+)\/channels\/email(\/oauth\/(start|complete))?$/);
   const slackMatch = pathname.match(/^\/api\/companies\/([^/]+)\/channels\/slack$/);
+  const imessageSetupMatch = pathname.match(/^\/api\/companies\/([^/]+)\/channels\/imessage\/setup$/);
+  const imessageStatusMatch = pathname.match(/^\/api\/companies\/([^/]+)\/channels\/imessage\/status$/);
 
-  if (!emailMatch && !slackMatch) return Promise.resolve(false);
+  if (!emailMatch && !slackMatch && !imessageSetupMatch && !imessageStatusMatch) return Promise.resolve(false);
 
   const mgQuery = ctx && ctx.mgQuery;
 
@@ -396,6 +500,14 @@ function channelsRoute(req, res, ctx, pathname, method) {
     }
   }
 
+  if (imessageSetupMatch && method === 'POST') {
+    return handleImessageSetup(req, res).then(() => true);
+  }
+
+  if (imessageStatusMatch && method === 'GET') {
+    return handleImessageStatus(req, res).then(() => true);
+  }
+
   return Promise.resolve(false);
 }
 
@@ -431,3 +543,5 @@ module.exports.handleEmailOAuthStart = handleEmailOAuthStart;
 module.exports.handleEmailOAuthComplete = handleEmailOAuthComplete;
 module.exports.handleGetSlackChannel = handleGetSlackChannel;
 module.exports.handleSaveSlackChannel = handleSaveSlackChannel;
+module.exports.handleImessageSetup = handleImessageSetup;
+module.exports.handleImessageStatus = handleImessageStatus;

package/daemon/routes/crm.js

@@ -0,0 +1,85 @@
+'use strict';
+
+/**
+ * routes/crm.js — P5-S5c
+ * POST /api/crm/contacts — upsert a CRM contact into Memgraph.
+ * Accepts CRMSyncEntry shape from crmSyncService.ts dual-write.
+ * C7: Writes to Memgraph via mgQuery (CREATE or MERGE on email/id).
+ * C15: Non-blocking from desktop perspective — desktop SQLite is authoritative;
+ *      this route is the async Memgraph leg.
+ */
+
+module.exports = function createCrmRouter({ parseBody, jsonResponse }) {
+  return async function crmRoute(req, res, ctx, pathname, method) {
+    // POST /api/crm/contacts — upsert contact node into Memgraph
+    if (method === 'POST' && pathname === '/api/crm/contacts') {
+      try {
+        const body = await parseBody(req);
+        if (!body || !body.id || !body.name) {
+          jsonResponse(res, 400, { error: 'id and name are required' });
+          return true;
+        }
+
+        const mg = ctx.mgQuery;
+        if (!mg) {
+          // Memgraph not connected — return 503 so desktop queues for retry
+          jsonResponse(res, 503, { error: 'Memgraph not connected' });
+          return true;
+        }
+
+        const contact = {
+          id: String(body.id),
+          name: String(body.name),
+          email: body.email ? String(body.email) : null,
+          phone: body.phone ? String(body.phone) : null,
+          company: body.company ? String(body.company) : null,
+          jobTitle: body.jobTitle ? String(body.jobTitle) : null,
+          stage: body.stage ? String(body.stage) : 'lead',
+          source: body.source ? String(body.source) : 'desktop',
+          companyId: body.companyId ? String(body.companyId) : (ctx.cid || null),
+          dunbarLayer: body.dunbarLayer ? String(body.dunbarLayer) : null,
+          healthStatus: body.healthStatus ? String(body.healthStatus) : null,
+          personId: body.personId ? String(body.personId) : null,
+          syncedAt: new Date().toISOString(),
+        };
+
+        // MERGE on id to make upsert idempotent; SET all mutable fields
+        await mg(
+          `MERGE (c:CRMContact {id: $id})
+           SET c.name = $name,
+               c.email = $email,
+               c.phone = $phone,
+               c.company = $company,
+               c.jobTitle = $jobTitle,
+               c.stage = $stage,
+               c.source = $source,
+               c.companyId = $companyId,
+               c.dunbarLayer = $dunbarLayer,
+               c.healthStatus = $healthStatus,
+               c.personId = $personId,
+               c.syncedAt = $syncedAt`,
+          contact
+        );
+
+        // If personId is known, create a link to the Person node
+        if (contact.personId) {
+          await mg(
+            `MATCH (c:CRMContact {id: $crmId}), (p:Person {id: $personId})
+             MERGE (c)-[:TRACKS]->(p)`,
+            { crmId: contact.id, personId: contact.personId }
+          ).catch(() => {
+            // Non-fatal — Person node may not exist yet
+          });
+        }
+
+        jsonResponse(res, 201, { ok: true, id: contact.id });
+        return true;
+      } catch (err) {
+        jsonResponse(res, 500, { error: err.message });
+        return true;
+      }
+    }
+
+    return false;
+  };
+};

package/daemon/routes/dashboard.js

@@ -29,16 +29,28 @@ async function handleGetCosts(req, res, ctx) {
 
   const url = new URL(req.url, 'http://localhost');
   const groupBy = url.searchParams.get('groupBy');
+  // G-01: date range filtering — ?from=ISO&to=ISO
+  const fromDate = url.searchParams.get('from') || null;
+  const toDate = url.searchParams.get('to') || null;
 
    try {
     if (groupBy && ['provider', 'model', 'agent'].includes(groupBy)) {
       const field = groupBy === 'agent' ? 'agentId' : groupBy;
-      const result = await mgQuery(
-        `MATCH (c:CostEvent {companyId: $cid})
-         RETURN c.${field} AS groupKey, sum(coalesce(c.costCents, c.amount * 100, 0)) / 100.0 AS total, count(c) AS count
-         ORDER BY total DESC`,
-        { cid: ctx.cid }
-      );
+      let groupCypher = `MATCH (c:CostEvent {companyId: $cid})`;
+      const groupParams = { cid: ctx.cid };
+      if (fromDate && toDate) {
+        groupCypher += ' WHERE c.createdAt >= $from AND c.createdAt <= $to';
+        groupParams.from = fromDate;
+        groupParams.to = toDate;
+      } else if (fromDate) {
+        groupCypher += ' WHERE c.createdAt >= $from';
+        groupParams.from = fromDate;
+      } else if (toDate) {
+        groupCypher += ' WHERE c.createdAt <= $to';
+        groupParams.to = toDate;
+      }
+      groupCypher += ` RETURN c.${field} AS groupKey, sum(coalesce(c.costCents, c.amount * 100, 0)) / 100.0 AS total, count(c) AS count ORDER BY total DESC`;
+      const result = await mgQuery(groupCypher, groupParams);
       const rows = (result?.rows ?? []);
       const groups = rows.map(r => ({ [groupBy]: r[0], total: r[1], count: r[2] }));
       res.writeHead(200, { 'Content-Type': 'application/json' });
@@ -46,8 +58,20 @@ async function handleGetCosts(req, res, ctx) {
       return;
     }
 
-    const result = await mgQuery(
-      `MATCH (c:CostEvent {companyId: $cid})
+    let listCypher = `MATCH (c:CostEvent {companyId: $cid})`;
+    const listParams = { cid: ctx.cid, limit: 100 };
+    if (fromDate && toDate) {
+      listCypher += ' WHERE c.createdAt >= $from AND c.createdAt <= $to';
+      listParams.from = fromDate;
+      listParams.to = toDate;
+    } else if (fromDate) {
+      listCypher += ' WHERE c.createdAt >= $from';
+      listParams.from = fromDate;
+    } else if (toDate) {
+      listCypher += ' WHERE c.createdAt <= $to';
+      listParams.to = toDate;
+    }
+    listCypher += `
        RETURN c.id AS id, c.provider AS provider, c.model AS model,
               c.agentId AS agentId,
               coalesce(c.costCents, c.amount * 100, 0) / 100.0 AS amount,
@@ -55,9 +79,8 @@ async function handleGetCosts(req, res, ctx) {
               c.inputTokens AS inputTokens, c.outputTokens AS outputTokens,
               c.createdAt AS createdAt
        ORDER BY c.createdAt DESC
-       LIMIT toInteger($limit)`,
-      { cid: ctx.cid, limit: 100 }
-    );
+       LIMIT toInteger($limit)`;
+    const result = await mgQuery(listCypher, listParams);
     const rows = (result?.rows ?? []);
     const keys = ['id', 'provider', 'model', 'agentId', 'amount', 'biller', 'inputTokens', 'outputTokens', 'createdAt'];
     const events = rows.map(r => {
@@ -78,14 +101,31 @@ async function handleGetCosts(req, res, ctx) {
  * Returns all budget policies with current spend percentage.
  */
 async function handleGetBudgetStatus(req, res, ctx) {
+  // C-1 fix: filter by agentId when provided — prevents one agent seeing another's budget policy
+  const url = new URL(req.url, 'http://localhost');
+  const agentIdFilter = url.searchParams.get('agentId') || null;
+  // M-3 fix: guard against Memgraph unavailability
+  if (!ctx.mgQuery) {
+    res.writeHead(503, { 'Content-Type': 'application/json' });
+    res.end(JSON.stringify({ error: 'Memgraph not connected', policies: [] }));
+    return;
+  }
   try {
-    const result = await ctx.mgQuery(
-      `MATCH (bp:BudgetPolicy {companyId: $cid})
+    let cypher, params;
+    if (agentIdFilter) {
+      cypher = `MATCH (bp:BudgetPolicy {companyId: $cid, agentId: $agentId})
+       RETURN bp.id AS id, bp.scope AS scope, bp.agentId AS agentId,
+              bp.limitCents AS limitCents, bp.spentCents AS spentCents,
+              bp.warnPercent AS warnPercent`;
+      params = { cid: ctx.cid, agentId: agentIdFilter };
+    } else {
+      cypher = `MATCH (bp:BudgetPolicy {companyId: $cid})
        RETURN bp.id AS id, bp.scope AS scope, bp.agentId AS agentId,
               bp.limitCents AS limitCents, bp.spentCents AS spentCents,
-              bp.warnPercent AS warnPercent`,
-      { cid: ctx.cid }
-    );
+              bp.warnPercent AS warnPercent`;
+      params = { cid: ctx.cid };
+    }
+    const result = await ctx.mgQuery(cypher, params);
 
     const policies = (result?.rows ?? []).map(([id, scope, agentId, limitCents, spentCents, warnPercent]) => {
       const limit = limitCents ?? 0;
@@ -116,6 +156,12 @@ module.exports = function createDashboardRouter(handlers) {
   return async function dashboardRoute(req, res, ctx, pathname, method) {
     // POST /api/companies -- register a company at runtime (for tests and dynamic wizard creation)
     if (method === 'POST' && pathname === '/api/companies') {
+      // C-2 fix: guard against null handler — use /api/daemon/register-company instead
+      if (!handleRegisterCompany) {
+        res.writeHead(501, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Company registration via /api/companies is not configured. Use POST /api/daemon/register-company instead.' }));
+        return true;
+      }
       await handleRegisterCompany(req, res, ctx);
       return true;
     }