@rubytech/create-maxy-code 0.1.196 → 0.1.197

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (83) hide show
  1. package/package.json +1 -1
  2. package/payload/platform/config/brand.json +3 -1
  3. package/payload/platform/plugins/admin/PLUGIN.md +3 -0
  4. package/payload/platform/plugins/admin/skills/investigate/SKILL.md +286 -0
  5. package/payload/platform/plugins/admin/skills/superpowers-sprint/SKILL.md +361 -0
  6. package/payload/platform/plugins/admin/skills/task/SKILL.md +283 -0
  7. package/payload/platform/plugins/docs/references/admin-ui.md +2 -1
  8. package/payload/platform/plugins/docs/references/internals.md +0 -2
  9. package/payload/platform/plugins/docs/references/investigate-and-task-skills.md +9 -0
  10. package/payload/platform/plugins/docs/references/platform.md +1 -1
  11. package/payload/platform/plugins/docs/references/plugins-guide.md +1 -1
  12. package/payload/server/public/assets/AdminShell-DPk5UgEJ.js +1 -0
  13. package/payload/server/public/assets/{Checkbox-DTxJvyG7.js → Checkbox-Bh3kwzxP.js} +1 -1
  14. package/payload/server/public/assets/{admin-tKgLki8m.js → admin-BWzKAudL.js} +1 -1
  15. package/payload/server/public/assets/{architectureDiagram-Q4EWVU46-CrQJbK3h.js → architectureDiagram-Q4EWVU46-Boys2mT1.js} +1 -1
  16. package/payload/server/public/assets/{blockDiagram-DXYQGD6D-BLCbhL8K.js → blockDiagram-DXYQGD6D-CvHqp46r.js} +1 -1
  17. package/payload/server/public/assets/{brand-lZz3OVIE.css → brand-VQtREmts.css} +1 -1
  18. package/payload/server/public/assets/{c4Diagram-AHTNJAMY-X34EilDe.js → c4Diagram-AHTNJAMY-DiNQ95F6.js} +1 -1
  19. package/payload/server/public/assets/channel-BgwH_qhE.js +1 -0
  20. package/payload/server/public/assets/{chunk-336JU56O-CeRuGBQ2.js → chunk-336JU56O-9nS9-05M.js} +2 -2
  21. package/payload/server/public/assets/{chunk-426QAEUC-CUZOrcMu.js → chunk-426QAEUC-B2__9lRY.js} +1 -1
  22. package/payload/server/public/assets/{chunk-4TB4RGXK-CdrIHRcy.js → chunk-4TB4RGXK-R5F8rS0Z.js} +1 -1
  23. package/payload/server/public/assets/{chunk-5FUZZQ4R-CenIbTIp.js → chunk-5FUZZQ4R-B8HhJce-.js} +1 -1
  24. package/payload/server/public/assets/{chunk-5PVQY5BW-DGfzIUel.js → chunk-5PVQY5BW-Bjb08lbL.js} +1 -1
  25. package/payload/server/public/assets/{chunk-EDXVE4YY-DSft5oIH.js → chunk-EDXVE4YY-he0qCF3s.js} +1 -1
  26. package/payload/server/public/assets/{chunk-ENJZ2VHE-Dn8FFfaI.js → chunk-ENJZ2VHE-BTArFW5l.js} +1 -1
  27. package/payload/server/public/assets/{chunk-ICPOFSXX-JrwcKV7r.js → chunk-ICPOFSXX-CoyIL4q_.js} +1 -1
  28. package/payload/server/public/assets/{chunk-OYMX7WX6-C0X2fcAm.js → chunk-OYMX7WX6-DjLEhNFe.js} +1 -1
  29. package/payload/server/public/assets/{chunk-U2HBQHQK-DPdLe-f5.js → chunk-U2HBQHQK-tac2uvW1.js} +1 -1
  30. package/payload/server/public/assets/{chunk-X2U36JSP-Bw8pKkFu.js → chunk-X2U36JSP-DIWD9i88.js} +1 -1
  31. package/payload/server/public/assets/{chunk-YZCP3GAM-DcAJR-EA.js → chunk-YZCP3GAM-Ac7ogADz.js} +1 -1
  32. package/payload/server/public/assets/{chunk-ZZ45TVLE-DU374ZbR.js → chunk-ZZ45TVLE-QgqDaY9-.js} +1 -1
  33. package/payload/server/public/assets/classDiagram-6PBFFD2Q-CwdV1-c8.js +1 -0
  34. package/payload/server/public/assets/classDiagram-v2-HSJHXN6E-CS_jtevB.js +1 -0
  35. package/payload/server/public/assets/clone-BTishuSs.js +1 -0
  36. package/payload/server/public/assets/{dagre-DisbqNSB.js → dagre-D6qN4nkK.js} +1 -1
  37. package/payload/server/public/assets/{dagre-KV5264BT-D_n7R7V9.js → dagre-KV5264BT-C6TRKOg0.js} +1 -1
  38. package/payload/server/public/assets/data-CaZbNF-j.js +1 -0
  39. package/payload/server/public/assets/{diagram-5BDNPKRD-CJID_5OR.js → diagram-5BDNPKRD-BVk_J8Pt.js} +1 -1
  40. package/payload/server/public/assets/{diagram-G4DWMVQ6-ByepjvdE.js → diagram-G4DWMVQ6-BdV1IgwS.js} +1 -1
  41. package/payload/server/public/assets/{diagram-MMDJMWI5-DTkAHPHE.js → diagram-MMDJMWI5-OsvBkN6u.js} +1 -1
  42. package/payload/server/public/assets/{diagram-TYMM5635-CnVRa9NJ.js → diagram-TYMM5635-BQmKPyrb.js} +1 -1
  43. package/payload/server/public/assets/{erDiagram-SMLLAGMA-CRAGu7nV.js → erDiagram-SMLLAGMA-ChEx5_3C.js} +1 -1
  44. package/payload/server/public/assets/{flowDiagram-DWJPFMVM-BJusdlRz.js → flowDiagram-DWJPFMVM-B7sf6AG3.js} +1 -1
  45. package/payload/server/public/assets/{ganttDiagram-T4ZO3ILL-BFMOBBnF.js → ganttDiagram-T4ZO3ILL-DbpSraax.js} +1 -1
  46. package/payload/server/public/assets/{gitGraphDiagram-UUTBAWPF-CGWEzh7u.js → gitGraphDiagram-UUTBAWPF-BnxDElDh.js} +1 -1
  47. package/payload/server/public/assets/{graph-D-iQdRDk.js → graph-CBP5yppq.js} +2 -2
  48. package/payload/server/public/assets/{graph-labels-u2_3Eyfh.js → graph-labels-BsZNScfa.js} +1 -1
  49. package/payload/server/public/assets/{graphlib-DNUvypOi.js → graphlib-Dux06enE.js} +1 -1
  50. package/payload/server/public/assets/{infoDiagram-42DDH7IO-CBDrnRTc.js → infoDiagram-42DDH7IO-BLWb6oKx.js} +1 -1
  51. package/payload/server/public/assets/{ishikawaDiagram-UXIWVN3A-C7NwSQo_.js → ishikawaDiagram-UXIWVN3A-AFiRuE6G.js} +1 -1
  52. package/payload/server/public/assets/{journeyDiagram-VCZTEJTY-DSaP7A3F.js → journeyDiagram-VCZTEJTY-CxHBRGGu.js} +1 -1
  53. package/payload/server/public/assets/{kanban-definition-6JOO6SKY-DmixHCD4.js → kanban-definition-6JOO6SKY-CGugF0N8.js} +1 -1
  54. package/payload/server/public/assets/{line-CGGoTheL.js → line-COFloj-X.js} +1 -1
  55. package/payload/server/public/assets/{mermaid-parser.core-BudFADW7.js → mermaid-parser.core-CxXuCDQf.js} +1 -1
  56. package/payload/server/public/assets/{mermaid.core-BBbdJxXY.js → mermaid.core-BRBNvNup.js} +3 -3
  57. package/payload/server/public/assets/{mindmap-definition-QFDTVHPH-CUiD9km1.js → mindmap-definition-QFDTVHPH-DarW5Wwq.js} +1 -1
  58. package/payload/server/public/assets/{pieDiagram-DEJITSTG-BlAWpMr8.js → pieDiagram-DEJITSTG-CTokFAkN.js} +1 -1
  59. package/payload/server/public/assets/{public-CjeEF2vf.js → public-Bq-eOUu9.js} +3 -3
  60. package/payload/server/public/assets/{quadrantDiagram-34T5L4WZ-CXmIwc4W.js → quadrantDiagram-34T5L4WZ-BNawkg3I.js} +1 -1
  61. package/payload/server/public/assets/{requirementDiagram-MS252O5E-D_7_OeMC.js → requirementDiagram-MS252O5E-CWnO56oR.js} +1 -1
  62. package/payload/server/public/assets/{sankeyDiagram-XADWPNL6-BKm_PqzT.js → sankeyDiagram-XADWPNL6-D9c-EZfV.js} +1 -1
  63. package/payload/server/public/assets/{sequenceDiagram-FGHM5R23-CBSR0Zst.js → sequenceDiagram-FGHM5R23-In5lxCT5.js} +1 -1
  64. package/payload/server/public/assets/{stateDiagram-FHFEXIEX-CHNpT69M.js → stateDiagram-FHFEXIEX-CYb5js-u.js} +1 -1
  65. package/payload/server/public/assets/stateDiagram-v2-QKLJ7IA2-z-TVJfRt.js +1 -0
  66. package/payload/server/public/assets/{timeline-definition-GMOUNBTQ-CxZoew5-.js → timeline-definition-GMOUNBTQ-Cje-BY9v.js} +1 -1
  67. package/payload/server/public/assets/{useSelectionMode-CwxXQzEI.js → useSelectionMode-B_2EQ2CC.js} +1 -1
  68. package/payload/server/public/assets/{vennDiagram-DHZGUBPP-CKJdFDcG.js → vennDiagram-DHZGUBPP-BqeuoPr1.js} +1 -1
  69. package/payload/server/public/assets/{wardleyDiagram-NUSXRM2D-C-XBcm-g.js → wardleyDiagram-NUSXRM2D-DE7xAnoq.js} +1 -1
  70. package/payload/server/public/assets/{xychartDiagram-5P7HB3ND-Crb-ZtaP.js → xychartDiagram-5P7HB3ND-JE4x8YEZ.js} +1 -1
  71. package/payload/server/public/data.html +5 -5
  72. package/payload/server/public/graph.html +6 -6
  73. package/payload/server/public/index.html +6 -6
  74. package/payload/server/public/public.html +5 -5
  75. package/payload/server/server.js +221 -296
  76. package/payload/server/public/assets/AdminShell-DtABh34v.js +0 -1
  77. package/payload/server/public/assets/channel-ChZECiuj.js +0 -1
  78. package/payload/server/public/assets/classDiagram-6PBFFD2Q-BpMBCYn6.js +0 -1
  79. package/payload/server/public/assets/classDiagram-v2-HSJHXN6E-BU3HoIr1.js +0 -1
  80. package/payload/server/public/assets/clone-C3j5j6ku.js +0 -1
  81. package/payload/server/public/assets/data-DwY26t_T.js +0 -1
  82. package/payload/server/public/assets/stateDiagram-v2-QKLJ7IA2-Kc8XO6yH.js +0 -1
  83. /package/payload/server/public/assets/{brand-CpGp9OyK.js → brand-CzeO4m4J.js} +0 -0
@@ -817,7 +817,7 @@ var serveStatic = (options = { root: "" }) => {
817
817
 
818
818
  // server/index.ts
819
819
  import { readFileSync as readFileSync21, existsSync as existsSync21, watchFile } from "fs";
820
- import { resolve as resolve23, join as join16, basename as basename6 } from "path";
820
+ import { resolve as resolve22, join as join16, basename as basename6 } from "path";
821
821
  import { homedir as homedir2 } from "os";
822
822
  import { monitorEventLoopDelay } from "perf_hooks";
823
823
 
@@ -1275,7 +1275,7 @@ var credsSaveQueue = Promise.resolve();
1275
1275
  async function drainCredsSaveQueue(timeoutMs = 5e3) {
1276
1276
  console.error(`${TAG2} draining credential save queue\u2026`);
1277
1277
  const timer2 = new Promise(
1278
- (resolve24) => setTimeout(() => resolve24("timeout"), timeoutMs)
1278
+ (resolve23) => setTimeout(() => resolve23("timeout"), timeoutMs)
1279
1279
  );
1280
1280
  const result = await Promise.race([
1281
1281
  credsSaveQueue.then(() => "drained"),
@@ -1403,11 +1403,11 @@ async function createWaSocket(opts) {
1403
1403
  return sock;
1404
1404
  }
1405
1405
  async function waitForConnection(sock) {
1406
- return new Promise((resolve24, reject) => {
1406
+ return new Promise((resolve23, reject) => {
1407
1407
  const handler = (update) => {
1408
1408
  if (update.connection === "open") {
1409
1409
  sock.ev.off("connection.update", handler);
1410
- resolve24();
1410
+ resolve23();
1411
1411
  }
1412
1412
  if (update.connection === "close") {
1413
1413
  sock.ev.off("connection.update", handler);
@@ -1521,14 +1521,14 @@ ${inspected}`;
1521
1521
  return inspect2(err, INSPECT_OPTS2);
1522
1522
  }
1523
1523
  function withTimeout(label, promise, timeoutMs) {
1524
- return new Promise((resolve24, reject) => {
1524
+ return new Promise((resolve23, reject) => {
1525
1525
  const timer2 = setTimeout(() => {
1526
1526
  reject(new Error(`${label} timed out after ${timeoutMs}ms`));
1527
1527
  }, timeoutMs);
1528
1528
  promise.then(
1529
1529
  (value) => {
1530
1530
  clearTimeout(timer2);
1531
- resolve24(value);
1531
+ resolve23(value);
1532
1532
  },
1533
1533
  (err) => {
1534
1534
  clearTimeout(timer2);
@@ -2063,8 +2063,8 @@ async function persistWhatsAppMessage(input) {
2063
2063
  const { givenName, familyName } = splitName(input.pushName);
2064
2064
  const prev = sessionWriteLocks.get(input.cacheKey);
2065
2065
  let release;
2066
- const mine = new Promise((resolve24) => {
2067
- release = resolve24;
2066
+ const mine = new Promise((resolve23) => {
2067
+ release = resolve23;
2068
2068
  });
2069
2069
  const chained = (prev ?? Promise.resolve()).then(() => mine);
2070
2070
  sessionWriteLocks.set(input.cacheKey, chained);
@@ -3100,11 +3100,11 @@ async function connectWithReconnect(conn) {
3100
3100
  console.error(
3101
3101
  `${TAG12} reconnecting account=${conn.accountId} in ${delay}ms (attempt ${decision.nextAttempts}/${maxAttempts})`
3102
3102
  );
3103
- await new Promise((resolve24) => {
3104
- const timer2 = setTimeout(resolve24, delay);
3103
+ await new Promise((resolve23) => {
3104
+ const timer2 = setTimeout(resolve23, delay);
3105
3105
  conn.abortController.signal.addEventListener("abort", () => {
3106
3106
  clearTimeout(timer2);
3107
- resolve24();
3107
+ resolve23();
3108
3108
  }, { once: true });
3109
3109
  });
3110
3110
  }
@@ -3112,16 +3112,16 @@ async function connectWithReconnect(conn) {
3112
3112
  }
3113
3113
  }
3114
3114
  function waitForDisconnectEvent(conn) {
3115
- return new Promise((resolve24) => {
3115
+ return new Promise((resolve23) => {
3116
3116
  if (!conn.sock) {
3117
- resolve24();
3117
+ resolve23();
3118
3118
  return;
3119
3119
  }
3120
3120
  const sock = conn.sock;
3121
3121
  const handler = (update) => {
3122
3122
  if (update.connection === "close") {
3123
3123
  sock.ev.off("connection.update", handler);
3124
- resolve24();
3124
+ resolve23();
3125
3125
  }
3126
3126
  };
3127
3127
  sock.ev.on("connection.update", handler);
@@ -3383,8 +3383,8 @@ async function handleInboundMessage(conn, msg) {
3383
3383
  const conversationKey = isGroup ? remoteJid : senderPhone;
3384
3384
  const debounceKey = `${conn.accountId}:${conversationKey}:${senderPhone}`;
3385
3385
  let resolvePending;
3386
- const sttPending = new Promise((resolve24) => {
3387
- resolvePending = resolve24;
3386
+ const sttPending = new Promise((resolve23) => {
3387
+ resolvePending = resolve23;
3388
3388
  });
3389
3389
  if (conn.debouncer) conn.debouncer.registerPending(debounceKey, sttPending);
3390
3390
  try {
@@ -3788,20 +3788,20 @@ function buildX11Env(chromiumWrapperPath, transport = "vnc") {
3788
3788
 
3789
3789
  // server/routes/health.ts
3790
3790
  function checkPort(port2, timeoutMs = 500) {
3791
- return new Promise((resolve24) => {
3791
+ return new Promise((resolve23) => {
3792
3792
  const socket = createConnection2(port2, "127.0.0.1");
3793
3793
  socket.setTimeout(timeoutMs);
3794
3794
  socket.once("connect", () => {
3795
3795
  socket.destroy();
3796
- resolve24(true);
3796
+ resolve23(true);
3797
3797
  });
3798
3798
  socket.once("error", () => {
3799
3799
  socket.destroy();
3800
- resolve24(false);
3800
+ resolve23(false);
3801
3801
  });
3802
3802
  socket.once("timeout", () => {
3803
3803
  socket.destroy();
3804
- resolve24(false);
3804
+ resolve23(false);
3805
3805
  });
3806
3806
  });
3807
3807
  }
@@ -4537,12 +4537,12 @@ async function dispatchOnce(input) {
4537
4537
  });
4538
4538
  if (!entry) return { error: "spawn-failed" };
4539
4539
  entry.lastInboundAt = Date.now();
4540
- let resolve24;
4540
+ let resolve23;
4541
4541
  const turnPromise = new Promise((r) => {
4542
- resolve24 = r;
4542
+ resolve23 = r;
4543
4543
  });
4544
4544
  const listener = (text) => {
4545
- resolve24(text);
4545
+ resolve23(text);
4546
4546
  };
4547
4547
  entry.subscribers.add(listener);
4548
4548
  const writeOk = await writeInput(entry, input.text);
@@ -4984,8 +4984,8 @@ async function startLogin(opts) {
4984
4984
  resetActiveLogin(accountId);
4985
4985
  let resolveQr = null;
4986
4986
  let rejectQr = null;
4987
- const qrPromise = new Promise((resolve24, reject) => {
4988
- resolveQr = resolve24;
4987
+ const qrPromise = new Promise((resolve23, reject) => {
4988
+ resolveQr = resolve23;
4989
4989
  rejectQr = reject;
4990
4990
  });
4991
4991
  const qrTimer = setTimeout(
@@ -7966,13 +7966,13 @@ ${fm}
7966
7966
  }
7967
7967
  const skillPaths = parseSkillPathsFromFrontmatter(fm);
7968
7968
  const skills = [];
7969
- for (const relPath2 of skillPaths) {
7970
- const skillPath = join10(dir, relPath2);
7969
+ for (const relPath of skillPaths) {
7970
+ const skillPath = join10(dir, relPath);
7971
7971
  const skillFm = readFrontmatter(skillPath);
7972
7972
  if (!skillFm) continue;
7973
7973
  const skillName = frontmatterField(`---
7974
7974
  ${skillFm}
7975
- ---`, "name") ?? relPath2;
7975
+ ---`, "name") ?? relPath;
7976
7976
  const skillDesc = frontmatterField(`---
7977
7977
  ${skillFm}
7978
7978
  ---`, "description");
@@ -8391,8 +8391,8 @@ var DATA_ROOT = resolve12(PLATFORM_ROOT5, "..", "data");
8391
8391
  var CLAUDE_UPLOADS_ROOT = process.env.CLAUDE_CONFIG_DIR ? resolve12(process.env.CLAUDE_CONFIG_DIR, "uploads") : null;
8392
8392
  var ACCOUNT_PARTITION_DIRS = /* @__PURE__ */ new Set(["uploads", "accounts"]);
8393
8393
  var ACCOUNT_UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
8394
- function crossesForeignAccountPartition(relPath2, accountId) {
8395
- const segs = relPath2.split("/").filter(Boolean);
8394
+ function crossesForeignAccountPartition(relPath, accountId) {
8395
+ const segs = relPath.split("/").filter(Boolean);
8396
8396
  if (segs.length < 2) return false;
8397
8397
  if (!ACCOUNT_PARTITION_DIRS.has(segs[0])) return false;
8398
8398
  const owner = segs[1];
@@ -8432,8 +8432,8 @@ function resolveUnderRoot(raw, rootAbs, rootLabel) {
8432
8432
  if (resolvedReal !== rootReal && !resolvedReal.startsWith(rootReal + sep2)) {
8433
8433
  return { ok: false, status: 403, error: `Path escapes ${rootLabel}`, resolved: resolvedReal };
8434
8434
  }
8435
- const relPath2 = relative(rootReal, resolvedReal) || ".";
8436
- return { ok: true, absolute: resolvedReal, dataRootReal: rootReal, relative: relPath2 };
8435
+ const relPath = relative(rootReal, resolvedReal) || ".";
8436
+ return { ok: true, absolute: resolvedReal, dataRootReal: rootReal, relative: relPath };
8437
8437
  }
8438
8438
  function resolveDataPath(raw) {
8439
8439
  return resolveUnderRoot(raw, DATA_ROOT, "DATA_ROOT");
@@ -8680,8 +8680,8 @@ async function restoreNode(params) {
8680
8680
 
8681
8681
  // app/lib/file-delete-cascade.ts
8682
8682
  var UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
8683
- function parseAttachmentPath(relPath2) {
8684
- const segments = relPath2.split("/").filter(Boolean);
8683
+ function parseAttachmentPath(relPath) {
8684
+ const segments = relPath.split("/").filter(Boolean);
8685
8685
  if (segments.length !== 4) return null;
8686
8686
  if (segments[0] !== "uploads") return null;
8687
8687
  const accountId = segments[1];
@@ -9246,9 +9246,9 @@ async function enrich(absolute, entry, accountNames) {
9246
9246
  }
9247
9247
  }
9248
9248
  }
9249
- function buildDisplayPath(relPath2, accountNames) {
9250
- if (relPath2 === "." || relPath2 === "") return [];
9251
- return relPath2.split("/").filter(Boolean).map((seg) => {
9249
+ function buildDisplayPath(relPath, accountNames) {
9250
+ if (relPath === "." || relPath === "") return [];
9251
+ return relPath.split("/").filter(Boolean).map((seg) => {
9252
9252
  const dn = UUID_RE3.test(seg) ? accountNames.get(seg) : void 0;
9253
9253
  return dn ? { name: seg, displayName: dn } : { name: seg };
9254
9254
  });
@@ -9286,9 +9286,9 @@ app15.get("/", requireAdminSession, async (c) => {
9286
9286
  }
9287
9287
  return c.json({ error: resolution.error }, resolution.status);
9288
9288
  }
9289
- const { absolute, relative: relPath2 } = resolution;
9290
- if (crossesForeignAccountPartition(relPath2, accountId)) {
9291
- console.error(`[data] account-scope-blocked endpoint="/api/admin/files" path="${relPath2}" account=${accountId.slice(0, 8)}\u2026`);
9289
+ const { absolute, relative: relPath } = resolution;
9290
+ if (crossesForeignAccountPartition(relPath, accountId)) {
9291
+ console.error(`[data] account-scope-blocked endpoint="/api/admin/files" path="${relPath}" account=${accountId.slice(0, 8)}\u2026`);
9292
9292
  return c.json({ error: "Not found" }, 404);
9293
9293
  }
9294
9294
  try {
@@ -9297,7 +9297,7 @@ app15.get("/", requireAdminSession, async (c) => {
9297
9297
  return c.json({ error: "Path is not a directory \u2014 use /api/admin/files/download for files" }, 400);
9298
9298
  }
9299
9299
  const names = await readdir3(absolute);
9300
- const segs = relPath2.split("/").filter(Boolean);
9300
+ const segs = relPath.split("/").filter(Boolean);
9301
9301
  const isAccountParent = segs.length === 1 && (segs[0] === "accounts" || segs[0] === "uploads");
9302
9302
  const entries = [];
9303
9303
  for (const name of names) {
@@ -9328,17 +9328,17 @@ app15.get("/", requireAdminSession, async (c) => {
9328
9328
  const bKey = b.displayName ?? b.name;
9329
9329
  return aKey.localeCompare(bKey);
9330
9330
  });
9331
- const displayPath = buildDisplayPath(relPath2, accountNames);
9332
- console.error(`[data] file-list path="${relPath2}" entries=${entries.length}`);
9333
- return c.json({ path: relPath2, displayPath, entries });
9331
+ const displayPath = buildDisplayPath(relPath, accountNames);
9332
+ console.error(`[data] file-list path="${relPath}" entries=${entries.length}`);
9333
+ return c.json({ path: relPath, displayPath, entries });
9334
9334
  } catch (err) {
9335
9335
  const code = err.code;
9336
9336
  if (code === "ENOENT") {
9337
- console.error(`[data] file-list not-found path="${relPath2}"`);
9337
+ console.error(`[data] file-list not-found path="${relPath}"`);
9338
9338
  return c.json({ error: "Not found" }, 404);
9339
9339
  }
9340
9340
  const message = err instanceof Error ? err.message : String(err);
9341
- console.error(`[data] file-list error path="${relPath2}" err="${message}"`);
9341
+ console.error(`[data] file-list error path="${relPath}" err="${message}"`);
9342
9342
  return c.json({ error: message }, 500);
9343
9343
  }
9344
9344
  });
@@ -9362,16 +9362,16 @@ app15.get("/download", requireAdminSession, async (c) => {
9362
9362
  }
9363
9363
  return c.json({ error: resolution.error }, resolution.status);
9364
9364
  }
9365
- const { absolute, relative: relPath2 } = resolution;
9365
+ const { absolute, relative: relPath } = resolution;
9366
9366
  if (root === "claude-uploads") {
9367
- const attachmentId = relPath2.split("/").filter(Boolean)[0] ?? "";
9367
+ const attachmentId = relPath.split("/").filter(Boolean)[0] ?? "";
9368
9368
  const owned = await knowledgeDocOwnedByAccount(accountId, attachmentId);
9369
9369
  if (!owned) {
9370
9370
  console.error(`[data] account-scope-blocked root="claude-uploads" attachmentId="${attachmentId.slice(0, 8)}\u2026" account=${accountId.slice(0, 8)}\u2026`);
9371
9371
  return c.json({ error: "Not found" }, 404);
9372
9372
  }
9373
- } else if (crossesForeignAccountPartition(relPath2, accountId)) {
9374
- console.error(`[data] account-scope-blocked endpoint="/api/admin/files/download" path="${relPath2}" account=${accountId.slice(0, 8)}\u2026`);
9373
+ } else if (crossesForeignAccountPartition(relPath, accountId)) {
9374
+ console.error(`[data] account-scope-blocked endpoint="/api/admin/files/download" path="${relPath}" account=${accountId.slice(0, 8)}\u2026`);
9375
9375
  return c.json({ error: "Not found" }, 404);
9376
9376
  }
9377
9377
  try {
@@ -9383,7 +9383,7 @@ app15.get("/download", requireAdminSession, async (c) => {
9383
9383
  const mimeType = detectMimeType(absolute);
9384
9384
  const nodeStream = createReadStream2(absolute);
9385
9385
  const webStream = Readable2.toWeb(nodeStream);
9386
- console.error(`[data] file-download root="${root}" path="${relPath2}" size=${info.size}`);
9386
+ console.error(`[data] file-download root="${root}" path="${relPath}" size=${info.size}`);
9387
9387
  const safeQuotedName = filename.replace(/[\r\n"\\]/g, "_");
9388
9388
  const encodedName = encodeURIComponent(filename);
9389
9389
  return new Response(webStream, {
@@ -9398,11 +9398,11 @@ app15.get("/download", requireAdminSession, async (c) => {
9398
9398
  } catch (err) {
9399
9399
  const code = err.code;
9400
9400
  if (code === "ENOENT") {
9401
- console.error(`[data] file-download not-found path="${relPath2}"`);
9401
+ console.error(`[data] file-download not-found path="${relPath}"`);
9402
9402
  return c.json({ error: "Not found" }, 404);
9403
9403
  }
9404
9404
  const message = err instanceof Error ? err.message : String(err);
9405
- console.error(`[data] file-download error path="${relPath2}" err="${message}"`);
9405
+ console.error(`[data] file-download error path="${relPath}" err="${message}"`);
9406
9406
  return c.json({ error: message }, 500);
9407
9407
  }
9408
9408
  });
@@ -9483,15 +9483,15 @@ app15.delete("/", requireAdminSession, async (c) => {
9483
9483
  }
9484
9484
  return c.json({ error: resolution.error }, resolution.status);
9485
9485
  }
9486
- const { absolute, relative: relPath2 } = resolution;
9487
- if (crossesForeignAccountPartition(relPath2, accountId)) {
9488
- console.error(`[data] account-scope-blocked endpoint="DELETE /api/admin/files" path="${relPath2}" account=${accountId.slice(0, 8)}\u2026`);
9486
+ const { absolute, relative: relPath } = resolution;
9487
+ if (crossesForeignAccountPartition(relPath, accountId)) {
9488
+ console.error(`[data] account-scope-blocked endpoint="DELETE /api/admin/files" path="${relPath}" account=${accountId.slice(0, 8)}\u2026`);
9489
9489
  return c.json({ error: "Not found" }, 404);
9490
9490
  }
9491
9491
  const base = basename4(absolute);
9492
- const segments = relPath2.split("/").filter(Boolean);
9492
+ const segments = relPath.split("/").filter(Boolean);
9493
9493
  if (base === "account.json" || segments.includes(".git")) {
9494
- console.error(`[data] file-delete blocked path="${relPath2}" reason="protected"`);
9494
+ console.error(`[data] file-delete blocked path="${relPath}" reason="protected"`);
9495
9495
  return c.json({ error: "Protected file \u2014 refusing to delete" }, 403);
9496
9496
  }
9497
9497
  try {
@@ -9512,34 +9512,34 @@ app15.delete("/", requireAdminSession, async (c) => {
9512
9512
  } catch {
9513
9513
  }
9514
9514
  }
9515
- console.error(`[data] file-delete path="${relPath2}" bytes=${info.size}`);
9515
+ console.error(`[data] file-delete path="${relPath}" bytes=${info.size}`);
9516
9516
  try {
9517
- await dropFileIndex(accountId, relPath2);
9517
+ await dropFileIndex(accountId, relPath);
9518
9518
  } catch (err) {
9519
- console.error(`[data] file-delete index-drop-failed path="${relPath2}" err="${err instanceof Error ? err.message : String(err)}"`);
9519
+ console.error(`[data] file-delete index-drop-failed path="${relPath}" err="${err instanceof Error ? err.message : String(err)}"`);
9520
9520
  }
9521
- const parsed = parseAttachmentPath(relPath2);
9521
+ const parsed = parseAttachmentPath(relPath);
9522
9522
  if (parsed) {
9523
9523
  try {
9524
9524
  const { nodes } = await cascadeDeleteDocument({
9525
9525
  accountId,
9526
9526
  attachmentId: parsed.attachmentId
9527
9527
  });
9528
- console.error(`[data] file-delete graph-cascade path="${relPath2}" nodes=${nodes}`);
9528
+ console.error(`[data] file-delete graph-cascade path="${relPath}" nodes=${nodes}`);
9529
9529
  } catch (err) {
9530
9530
  const message = err instanceof Error ? err.message : String(err);
9531
- console.error(`[data] file-delete graph-cascade-failed path="${relPath2}" err="${message}"`);
9531
+ console.error(`[data] file-delete graph-cascade-failed path="${relPath}" err="${message}"`);
9532
9532
  }
9533
9533
  }
9534
9534
  return c.json({ ok: true });
9535
9535
  } catch (err) {
9536
9536
  const code = err.code;
9537
9537
  if (code === "ENOENT") {
9538
- console.error(`[data] file-delete not-found path="${relPath2}"`);
9538
+ console.error(`[data] file-delete not-found path="${relPath}"`);
9539
9539
  return c.json({ error: "Not found" }, 404);
9540
9540
  }
9541
9541
  const message = err instanceof Error ? err.message : String(err);
9542
- console.error(`[data] file-delete error path="${relPath2}" err="${message}"`);
9542
+ console.error(`[data] file-delete error path="${relPath}" err="${message}"`);
9543
9543
  return c.json({ error: message }, 500);
9544
9544
  }
9545
9545
  });
@@ -11601,7 +11601,6 @@ async function fetchOutputArtefacts(accountId) {
11601
11601
  name: displayName ?? basename5(relativePath),
11602
11602
  kind: "output-file",
11603
11603
  updatedAt: modifiedAt,
11604
- editable: false,
11605
11604
  mimeType,
11606
11605
  downloadPath: relativePath,
11607
11606
  downloadRoot: "data"
@@ -11628,8 +11627,7 @@ async function fetchAgentTemplateRows(accountDir) {
11628
11627
  overridePath,
11629
11628
  overrideRoot: accountDir,
11630
11629
  bundledPath,
11631
- bundledRoot: PLATFORM_ROOT,
11632
- editable: true
11630
+ bundledRoot: PLATFORM_ROOT
11633
11631
  });
11634
11632
  if (row) rows.push(row);
11635
11633
  }
@@ -11646,8 +11644,7 @@ async function fetchAgentTemplateRows(accountDir) {
11646
11644
  overridePath,
11647
11645
  overrideRoot: accountDir,
11648
11646
  bundledPath,
11649
- bundledRoot: PLATFORM_ROOT,
11650
- editable: false
11647
+ bundledRoot: PLATFORM_ROOT
11651
11648
  });
11652
11649
  if (row) rows.push(row);
11653
11650
  }
@@ -11700,7 +11697,6 @@ async function readAgentTemplateRow(inp) {
11700
11697
  name: inp.displayName,
11701
11698
  kind: "agent-template",
11702
11699
  updatedAt: st.mtime.toISOString(),
11703
- editable: inp.editable,
11704
11700
  mimeType: "text/markdown",
11705
11701
  // Override paths live under <accountDir> (inside DATA_ROOT) and are
11706
11702
  // downloadable; bundled-fallback templates live under PLATFORM_ROOT
@@ -11724,83 +11720,13 @@ function isWithin(target, root) {
11724
11720
  }
11725
11721
  var sidebar_artefacts_default = app22;
11726
11722
 
11727
- // server/routes/admin/sidebar-artefact-save.ts
11728
- import { mkdir as mkdir4, stat as stat6, writeFile as writeFile5 } from "fs/promises";
11729
- import { resolve as resolve16 } from "path";
11730
- var ADMIN_AGENT_FILES2 = /* @__PURE__ */ new Set(["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"]);
11731
- var app23 = new Hono();
11732
- app23.post("/", requireAdminSession, async (c) => {
11733
- const cacheKey = c.var.cacheKey;
11734
- const accountId = getAccountIdForSession(cacheKey);
11735
- if (!accountId) return c.json({ error: "Account not found for session" }, 401);
11736
- const body = await safeJson(c);
11737
- if (!body || typeof body.id !== "string" || typeof body.content !== "string") {
11738
- return c.json({ error: "id and content required" }, 400);
11739
- }
11740
- const accountDir = resolve16(ACCOUNTS_DIR, accountId);
11741
- const resolved = await resolveSavePath(body.id, accountDir);
11742
- if (resolved.kind === "reject") {
11743
- console.error(
11744
- `[admin/sidebar-artefact-save] auth-rejected reason=${resolved.reason} path=${body.id}`
11745
- );
11746
- return c.json({ error: resolved.reason }, resolved.status);
11747
- }
11748
- const start = Date.now();
11749
- try {
11750
- await writeFile5(resolved.path, body.content, "utf-8");
11751
- } catch (err) {
11752
- const message = err instanceof Error ? err.message : String(err);
11753
- console.error(
11754
- `[admin/sidebar-artefact-save] write-failed path=${relPath(resolved.path, accountDir)} error="${message}"`
11755
- );
11756
- return c.json({ error: "Write failed" }, 500);
11757
- }
11758
- let updatedAt = (/* @__PURE__ */ new Date()).toISOString();
11759
- try {
11760
- const st = await stat6(resolved.path);
11761
- updatedAt = st.mtime.toISOString();
11762
- } catch {
11763
- }
11764
- const ms = Date.now() - start;
11765
- console.log(
11766
- `[admin/sidebar-artefact-save] account=${accountId} path=${relPath(resolved.path, accountDir)} bytes=${body.content.length} ms=${ms}`
11767
- );
11768
- return c.json({ updatedAt });
11769
- });
11770
- async function resolveSavePath(id, accountDir) {
11771
- if (!id.startsWith("agent-template:")) {
11772
- return { kind: "reject", status: 400, reason: "invalid-id" };
11773
- }
11774
- const parts = id.split(":");
11775
- if (parts.length !== 3) return { kind: "reject", status: 400, reason: "invalid-id" };
11776
- const [, role, filename] = parts;
11777
- if (role === "specialist") {
11778
- return { kind: "reject", status: 403, reason: "specialist-write-blocked" };
11779
- }
11780
- if (role !== "admin" || !ADMIN_AGENT_FILES2.has(filename)) {
11781
- return { kind: "reject", status: 400, reason: "invalid-id" };
11782
- }
11783
- const parent = resolve16(accountDir, "agents", "admin");
11784
- await mkdir4(parent, { recursive: true });
11785
- try {
11786
- validateFilePathInAccount(parent, accountDir);
11787
- } catch {
11788
- return { kind: "reject", status: 400, reason: "containment-rejected" };
11789
- }
11790
- return { kind: "admin-template", path: resolve16(parent, filename) };
11791
- }
11792
- function relPath(absPath, root) {
11793
- return absPath.startsWith(root) ? absPath.slice(root.length + 1) : absPath;
11794
- }
11795
- var sidebar_artefact_save_default = app23;
11796
-
11797
11723
  // server/routes/admin/sidebar-sessions.ts
11798
11724
  import { readdirSync as readdirSync8, readFileSync as readFileSync14, statSync as statSync7 } from "fs";
11799
11725
  import { join as join13 } from "path";
11800
11726
  var RC_URL_RE = /https:\/\/claude\.ai\/code\/session_[A-Za-z0-9_-]+/;
11801
11727
  var SESSION_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.jsonl$/i;
11802
11728
  var TITLE_MAX = 80;
11803
- var app24 = new Hono();
11729
+ var app23 = new Hono();
11804
11730
  function claudeConfigDir() {
11805
11731
  return process.env.CLAUDE_CONFIG_DIR ?? null;
11806
11732
  }
@@ -11895,7 +11821,7 @@ function firstUserMessage(body) {
11895
11821
  }
11896
11822
  return null;
11897
11823
  }
11898
- app24.get("/", requireAdminSession, async (c) => {
11824
+ app23.get("/", requireAdminSession, async (c) => {
11899
11825
  const configDir2 = claudeConfigDir();
11900
11826
  if (!configDir2) {
11901
11827
  console.error("[admin-sessions-list] CLAUDE_CONFIG_DIR not set; returning empty list");
@@ -11947,7 +11873,7 @@ app24.get("/", requireAdminSession, async (c) => {
11947
11873
  );
11948
11874
  return c.json({ sessions: rows });
11949
11875
  });
11950
- var sidebar_sessions_default = app24;
11876
+ var sidebar_sessions_default = app23;
11951
11877
 
11952
11878
  // server/routes/admin/system-stats.ts
11953
11879
  import { readFile as readFile5 } from "fs/promises";
@@ -12044,8 +11970,8 @@ async function sample() {
12044
11970
  if (process.platform === "linux") return sampleLinux();
12045
11971
  return sampleOsFallback();
12046
11972
  }
12047
- var app25 = new Hono();
12048
- app25.get("/", async (c) => {
11973
+ var app24 = new Hono();
11974
+ app24.get("/", async (c) => {
12049
11975
  const started = Date.now();
12050
11976
  if (!inflight) {
12051
11977
  inflight = sample().finally(() => {
@@ -12068,12 +11994,12 @@ app25.get("/", async (c) => {
12068
11994
  return c.json({ degraded: true, reason, sampledAtMs: Date.now() });
12069
11995
  }
12070
11996
  });
12071
- var system_stats_default = app25;
11997
+ var system_stats_default = app24;
12072
11998
 
12073
11999
  // server/routes/admin/health.ts
12074
12000
  import { existsSync as existsSync17, readFileSync as readFileSync15 } from "fs";
12075
- import { resolve as resolve17, join as join14 } from "path";
12076
- var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT ?? resolve17(process.cwd(), "..");
12001
+ import { resolve as resolve16, join as join14 } from "path";
12002
+ var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT ?? resolve16(process.cwd(), "..");
12077
12003
  var brandHostname = "maxy";
12078
12004
  var brandJsonPath = join14(PLATFORM_ROOT6, "config", "brand.json");
12079
12005
  if (existsSync17(brandJsonPath)) {
@@ -12083,7 +12009,7 @@ if (existsSync17(brandJsonPath)) {
12083
12009
  } catch {
12084
12010
  }
12085
12011
  }
12086
- var VERSION_FILE = resolve17(PLATFORM_ROOT6, `config/.${brandHostname}-version`);
12012
+ var VERSION_FILE = resolve16(PLATFORM_ROOT6, `config/.${brandHostname}-version`);
12087
12013
  var PROCESS_STARTED_AT = (/* @__PURE__ */ new Date()).toISOString();
12088
12014
  var PROBE_TIMEOUT_MS = 1e3;
12089
12015
  function readVersion() {
@@ -12113,8 +12039,8 @@ async function probeConversationDb() {
12113
12039
  });
12114
12040
  }
12115
12041
  }
12116
- var app26 = new Hono();
12117
- app26.get("/", async (c) => {
12042
+ var app25 = new Hono();
12043
+ app25.get("/", async (c) => {
12118
12044
  const version = readVersion();
12119
12045
  const probe = await probeConversationDb();
12120
12046
  const uptimeMs = Date.now() - new Date(PROCESS_STARTED_AT).getTime();
@@ -12136,7 +12062,7 @@ app26.get("/", async (c) => {
12136
12062
  uptimeMs
12137
12063
  });
12138
12064
  });
12139
- var health_default2 = app26;
12065
+ var health_default2 = app25;
12140
12066
 
12141
12067
  // server/routes/admin/linkedin-ingest.ts
12142
12068
  var TAG20 = "[linkedin-ingest-route]";
@@ -12232,8 +12158,8 @@ function buildInitialMessage(env) {
12232
12158
  }
12233
12159
  return header;
12234
12160
  }
12235
- var app27 = new Hono();
12236
- app27.post("/", requireAdminSession, async (c) => {
12161
+ var app26 = new Hono();
12162
+ app26.post("/", requireAdminSession, async (c) => {
12237
12163
  let body;
12238
12164
  try {
12239
12165
  body = await c.req.json();
@@ -12287,7 +12213,7 @@ app27.post("/", requireAdminSession, async (c) => {
12287
12213
  );
12288
12214
  return c.json({ ok: true, dispatchId: envelope.dispatchId, taskId: claudeSessionId }, 202);
12289
12215
  });
12290
- var linkedin_ingest_default = app27;
12216
+ var linkedin_ingest_default = app26;
12291
12217
 
12292
12218
  // server/routes/admin/post-turn-context.ts
12293
12219
  import neo4j2 from "neo4j-driver";
@@ -12329,8 +12255,8 @@ function pruneProperties(raw) {
12329
12255
  }
12330
12256
  return out;
12331
12257
  }
12332
- var app28 = new Hono();
12333
- app28.get("/", async (c) => {
12258
+ var app27 = new Hono();
12259
+ app27.get("/", async (c) => {
12334
12260
  const remoteAddr = c.env?.incoming?.socket?.remoteAddress ?? "";
12335
12261
  if (!isLoopbackAddr2(remoteAddr)) {
12336
12262
  console.error(`${TAG21} reject reason=non-loopback remoteAddr=${remoteAddr}`);
@@ -12390,7 +12316,7 @@ app28.get("/", async (c) => {
12390
12316
  await session.close();
12391
12317
  }
12392
12318
  });
12393
- var post_turn_context_default = app28;
12319
+ var post_turn_context_default = app27;
12394
12320
 
12395
12321
  // server/routes/admin/public-session-context.ts
12396
12322
  import neo4j3 from "neo4j-driver";
@@ -12432,8 +12358,8 @@ function pruneProperties2(raw) {
12432
12358
  }
12433
12359
  return out;
12434
12360
  }
12435
- var app29 = new Hono();
12436
- app29.get("/", async (c) => {
12361
+ var app28 = new Hono();
12362
+ app28.get("/", async (c) => {
12437
12363
  const remoteAddr = c.env?.incoming?.socket?.remoteAddress ?? "";
12438
12364
  if (!isLoopbackAddr3(remoteAddr)) {
12439
12365
  console.error(`${TAG22} reject reason=non-loopback remoteAddr=${remoteAddr}`);
@@ -12492,15 +12418,15 @@ app29.get("/", async (c) => {
12492
12418
  await session.close();
12493
12419
  }
12494
12420
  });
12495
- var public_session_context_default = app29;
12421
+ var public_session_context_default = app28;
12496
12422
 
12497
12423
  // server/routes/admin/public-session-exit.ts
12498
12424
  var TAG23 = "[public-session-exit-route]";
12499
12425
  function isLoopbackAddr4(addr) {
12500
12426
  return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
12501
12427
  }
12502
- var app30 = new Hono();
12503
- app30.post("/", async (c) => {
12428
+ var app29 = new Hono();
12429
+ app29.post("/", async (c) => {
12504
12430
  const remoteAddr = c.env?.incoming?.socket?.remoteAddress ?? "";
12505
12431
  if (!isLoopbackAddr4(remoteAddr)) {
12506
12432
  console.error(`${TAG23} reject reason=non-loopback remoteAddr=${remoteAddr}`);
@@ -12527,15 +12453,15 @@ app30.post("/", async (c) => {
12527
12453
  handlePublicSessionExit(sessionId);
12528
12454
  return c.json({ ok: true });
12529
12455
  });
12530
- var public_session_exit_default = app30;
12456
+ var public_session_exit_default = app29;
12531
12457
 
12532
12458
  // server/routes/admin/access-session-evict.ts
12533
12459
  var TAG24 = "[access-session-evict]";
12534
12460
  function isLoopbackAddr5(addr) {
12535
12461
  return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
12536
12462
  }
12537
- var app31 = new Hono();
12538
- app31.post("/", async (c) => {
12463
+ var app30 = new Hono();
12464
+ app30.post("/", async (c) => {
12539
12465
  const remoteAddr = c.env?.incoming?.socket?.remoteAddress ?? "";
12540
12466
  if (!isLoopbackAddr5(remoteAddr)) {
12541
12467
  console.error(`${TAG24} reject reason=non-loopback remoteAddr=${remoteAddr}`);
@@ -12563,48 +12489,47 @@ app31.post("/", async (c) => {
12563
12489
  console.log(`${TAG24} grantId=${grantId} dropped=${dropped}`);
12564
12490
  return c.json({ ok: true, dropped });
12565
12491
  });
12566
- var access_session_evict_default = app31;
12492
+ var access_session_evict_default = app30;
12567
12493
 
12568
12494
  // server/routes/admin/index.ts
12569
- var app32 = new Hono();
12570
- app32.route("/session", session_default);
12571
- app32.route("/logs", logs_default);
12572
- app32.route("/claude-info", claude_info_default);
12573
- app32.route("/attachment", attachment_default);
12574
- app32.route("/agents", agents_default);
12575
- app32.route("/sessions", sessions_default);
12576
- app32.route("/claude-sessions", claude_sessions_default);
12577
- app32.route("/log-ingest", log_ingest_default);
12578
- app32.route("/events", events_default);
12579
- app32.route("/files", files_default);
12580
- app32.route("/graph-search", graph_search_default);
12581
- app32.route("/graph-subgraph", graph_subgraph_default);
12582
- app32.route("/graph-delete", graph_delete_default);
12583
- app32.route("/graph-restore", graph_restore_default);
12584
- app32.route("/graph-labels-in-graph", graph_labels_in_graph_default);
12585
- app32.route("/graph-default-view", graph_default_view_default);
12586
- app32.route("/sidebar-artefacts", sidebar_artefacts_default);
12587
- app32.route("/sidebar-artefact-save", sidebar_artefact_save_default);
12588
- app32.route("/sidebar-sessions", sidebar_sessions_default);
12589
- app32.route("/system-stats", system_stats_default);
12590
- app32.route("/health-brand", health_default2);
12591
- app32.route("/linkedin-ingest", linkedin_ingest_default);
12592
- app32.route("/post-turn-context", post_turn_context_default);
12593
- app32.route("/public-session-context", public_session_context_default);
12594
- app32.route("/public-session-exit", public_session_exit_default);
12595
- app32.route("/access-session-evict", access_session_evict_default);
12596
- var admin_default = app32;
12495
+ var app31 = new Hono();
12496
+ app31.route("/session", session_default);
12497
+ app31.route("/logs", logs_default);
12498
+ app31.route("/claude-info", claude_info_default);
12499
+ app31.route("/attachment", attachment_default);
12500
+ app31.route("/agents", agents_default);
12501
+ app31.route("/sessions", sessions_default);
12502
+ app31.route("/claude-sessions", claude_sessions_default);
12503
+ app31.route("/log-ingest", log_ingest_default);
12504
+ app31.route("/events", events_default);
12505
+ app31.route("/files", files_default);
12506
+ app31.route("/graph-search", graph_search_default);
12507
+ app31.route("/graph-subgraph", graph_subgraph_default);
12508
+ app31.route("/graph-delete", graph_delete_default);
12509
+ app31.route("/graph-restore", graph_restore_default);
12510
+ app31.route("/graph-labels-in-graph", graph_labels_in_graph_default);
12511
+ app31.route("/graph-default-view", graph_default_view_default);
12512
+ app31.route("/sidebar-artefacts", sidebar_artefacts_default);
12513
+ app31.route("/sidebar-sessions", sidebar_sessions_default);
12514
+ app31.route("/system-stats", system_stats_default);
12515
+ app31.route("/health-brand", health_default2);
12516
+ app31.route("/linkedin-ingest", linkedin_ingest_default);
12517
+ app31.route("/post-turn-context", post_turn_context_default);
12518
+ app31.route("/public-session-context", public_session_context_default);
12519
+ app31.route("/public-session-exit", public_session_exit_default);
12520
+ app31.route("/access-session-evict", access_session_evict_default);
12521
+ var admin_default = app31;
12597
12522
 
12598
12523
  // app/lib/access-gate.ts
12599
12524
  import neo4j4 from "neo4j-driver";
12600
12525
  import { readFileSync as readFileSync16 } from "fs";
12601
- import { resolve as resolve18 } from "path";
12526
+ import { resolve as resolve17 } from "path";
12602
12527
  import { randomUUID as randomUUID8 } from "crypto";
12603
- var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT ?? resolve18(process.cwd(), "..");
12528
+ var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT ?? resolve17(process.cwd(), "..");
12604
12529
  var driver = null;
12605
12530
  function readPassword() {
12606
12531
  if (process.env.NEO4J_PASSWORD) return process.env.NEO4J_PASSWORD;
12607
- const passwordFile = resolve18(PLATFORM_ROOT7, "config/.neo4j-password");
12532
+ const passwordFile = resolve17(PLATFORM_ROOT7, "config/.neo4j-password");
12608
12533
  try {
12609
12534
  return readFileSync16(passwordFile, "utf-8").trim();
12610
12535
  } catch {
@@ -12807,8 +12732,8 @@ async function generateNewMagicToken(grantId) {
12807
12732
  var TAG25 = "[access-verify]";
12808
12733
  var MINT_TAG = "[access-session-mint]";
12809
12734
  var COOKIE_NAME = "__access_session";
12810
- var app33 = new Hono();
12811
- app33.post("/", async (c) => {
12735
+ var app32 = new Hono();
12736
+ app32.post("/", async (c) => {
12812
12737
  const ip = c.var.clientIp || "unknown";
12813
12738
  let body;
12814
12739
  try {
@@ -12890,13 +12815,13 @@ app33.post("/", async (c) => {
12890
12815
  displayName: grant.displayName
12891
12816
  });
12892
12817
  });
12893
- var verify_token_default = app33;
12818
+ var verify_token_default = app32;
12894
12819
 
12895
12820
  // app/lib/access-email.ts
12896
12821
  import { spawn as spawn2 } from "child_process";
12897
- import { resolve as resolve19 } from "path";
12898
- var PLATFORM_ROOT8 = process.env.MAXY_PLATFORM_ROOT ?? resolve19(process.cwd(), "..");
12899
- var SEND_SCRIPT = resolve19(
12822
+ import { resolve as resolve18 } from "path";
12823
+ var PLATFORM_ROOT8 = process.env.MAXY_PLATFORM_ROOT ?? resolve18(process.cwd(), "..");
12824
+ var SEND_SCRIPT = resolve18(
12900
12825
  PLATFORM_ROOT8,
12901
12826
  "plugins",
12902
12827
  "email",
@@ -12953,9 +12878,9 @@ async function sendMagicLinkEmail(payload) {
12953
12878
 
12954
12879
  // server/routes/access/request-magic-link.ts
12955
12880
  var TAG26 = "[access-request-link]";
12956
- var app34 = new Hono();
12881
+ var app33 = new Hono();
12957
12882
  var VISITOR_MESSAGE = "If that email is on the invite list, a fresh link is on the way.";
12958
- app34.post("/", async (c) => {
12883
+ app33.post("/", async (c) => {
12959
12884
  let body;
12960
12885
  try {
12961
12886
  body = await c.req.json();
@@ -13029,17 +12954,17 @@ app34.post("/", async (c) => {
13029
12954
  );
13030
12955
  return c.json({ message: VISITOR_MESSAGE }, 200);
13031
12956
  });
13032
- var request_magic_link_default = app34;
12957
+ var request_magic_link_default = app33;
13033
12958
 
13034
12959
  // server/routes/access/index.ts
13035
- var app35 = new Hono();
13036
- app35.route("/verify-token", verify_token_default);
13037
- app35.route("/request-magic-link", request_magic_link_default);
13038
- var access_default = app35;
12960
+ var app34 = new Hono();
12961
+ app34.route("/verify-token", verify_token_default);
12962
+ app34.route("/request-magic-link", request_magic_link_default);
12963
+ var access_default = app34;
13039
12964
 
13040
12965
  // server/routes/sites.ts
13041
12966
  import { existsSync as existsSync18, readFileSync as readFileSync17, realpathSync as realpathSync5, statSync as statSync8 } from "fs";
13042
- import { resolve as resolve20 } from "path";
12967
+ import { resolve as resolve19 } from "path";
13043
12968
  var SAFE_SEG_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
13044
12969
  var MIME = {
13045
12970
  ".html": "text/html; charset=utf-8",
@@ -13070,8 +12995,8 @@ function getExt(p) {
13070
12995
  if (idx < p.lastIndexOf("/")) return "";
13071
12996
  return p.slice(idx).toLowerCase();
13072
12997
  }
13073
- var app36 = new Hono();
13074
- app36.get("/:rel{.*}", (c) => {
12998
+ var app35 = new Hono();
12999
+ app35.get("/:rel{.*}", (c) => {
13075
13000
  const reqPath = c.req.path;
13076
13001
  const rawRel = c.req.param("rel") ?? "";
13077
13002
  const trimmed = rawRel.replace(/^\/+/, "").replace(/\/+$/, "");
@@ -13096,19 +13021,19 @@ app36.get("/:rel{.*}", (c) => {
13096
13021
  }
13097
13022
  segments.push(seg);
13098
13023
  }
13099
- const rootDir = resolve20(account.accountDir, "sites");
13100
- let filePath = segments.length === 0 ? rootDir : resolve20(rootDir, ...segments);
13024
+ const rootDir = resolve19(account.accountDir, "sites");
13025
+ let filePath = segments.length === 0 ? rootDir : resolve19(rootDir, ...segments);
13101
13026
  if (filePath !== rootDir && !filePath.startsWith(rootDir + "/")) {
13102
13027
  console.error(`[sites] path-traversal-rejected path=${reqPath} reason=escape status=403`);
13103
13028
  return c.text("Forbidden", 403);
13104
13029
  }
13105
- let stat8;
13030
+ let stat7;
13106
13031
  try {
13107
- stat8 = existsSync18(filePath) ? statSync8(filePath) : null;
13032
+ stat7 = existsSync18(filePath) ? statSync8(filePath) : null;
13108
13033
  } catch {
13109
- stat8 = null;
13034
+ stat7 = null;
13110
13035
  }
13111
- if (stat8?.isDirectory() && !reqPath.endsWith("/")) {
13036
+ if (stat7?.isDirectory() && !reqPath.endsWith("/")) {
13112
13037
  const search = new URL(c.req.url).search;
13113
13038
  const target = `${reqPath}/${search}`;
13114
13039
  console.log(
@@ -13116,8 +13041,8 @@ app36.get("/:rel{.*}", (c) => {
13116
13041
  );
13117
13042
  return c.redirect(target, 301);
13118
13043
  }
13119
- if (stat8?.isDirectory()) {
13120
- filePath = resolve20(filePath, "index.html");
13044
+ if (stat7?.isDirectory()) {
13045
+ filePath = resolve19(filePath, "index.html");
13121
13046
  }
13122
13047
  if (!filePath.startsWith(rootDir + "/")) {
13123
13048
  console.error(`[sites] path-traversal-rejected path=${reqPath} reason=escape status=403`);
@@ -13174,7 +13099,7 @@ app36.get("/:rel{.*}", (c) => {
13174
13099
  "X-Content-Type-Options": "nosniff"
13175
13100
  });
13176
13101
  });
13177
- var sites_default = app36;
13102
+ var sites_default = app35;
13178
13103
 
13179
13104
  // app/lib/visitor-token.ts
13180
13105
  import { createHmac, randomBytes, timingSafeEqual } from "crypto";
@@ -13274,7 +13199,7 @@ function readBrandConfig() {
13274
13199
  }
13275
13200
 
13276
13201
  // server/routes/visitor-consent.ts
13277
- var app37 = new Hono();
13202
+ var app36 = new Hono();
13278
13203
  var CONSENT_COOKIE_NAME = "mxy_consent";
13279
13204
  var CONSENT_COOKIE_MAX_AGE_SECONDS = 60 * 60 * 24 * 365;
13280
13205
  var DEFAULT_CONSENT_COPY = {
@@ -13319,17 +13244,17 @@ function siteSlugFromReferer(referer) {
13319
13244
  return "";
13320
13245
  }
13321
13246
  }
13322
- app37.options("/consent", (c) => {
13247
+ app36.options("/consent", (c) => {
13323
13248
  const origin = getOrigin(c);
13324
13249
  setCorsHeaders(c, origin);
13325
13250
  return c.body(null, 204);
13326
13251
  });
13327
- app37.options("/brand-config", (c) => {
13252
+ app36.options("/brand-config", (c) => {
13328
13253
  const origin = getOrigin(c);
13329
13254
  setCorsHeaders(c, origin);
13330
13255
  return c.body(null, 204);
13331
13256
  });
13332
- app37.post("/consent", async (c) => {
13257
+ app36.post("/consent", async (c) => {
13333
13258
  const origin = getOrigin(c);
13334
13259
  setCorsHeaders(c, origin);
13335
13260
  let raw;
@@ -13369,7 +13294,7 @@ app37.post("/consent", async (c) => {
13369
13294
  console.log(`[consent] ${parsed.decision} site=${site} brand=${brandName} tokenBound=${tokenBound}`);
13370
13295
  return c.body(null, 204);
13371
13296
  });
13372
- app37.get("/brand-config", (c) => {
13297
+ app36.get("/brand-config", (c) => {
13373
13298
  const origin = getOrigin(c);
13374
13299
  setCorsHeaders(c, origin);
13375
13300
  const brand = readBrandConfig();
@@ -13379,7 +13304,7 @@ app37.get("/brand-config", (c) => {
13379
13304
  c.header("Cache-Control", "public, max-age=300");
13380
13305
  return c.json({ consent: { copy, palette } });
13381
13306
  });
13382
- var visitor_consent_default = app37;
13307
+ var visitor_consent_default = app36;
13383
13308
 
13384
13309
  // server/routes/listings.ts
13385
13310
  function getCookie(headerValue, name) {
@@ -13406,8 +13331,8 @@ function appendConsentParams(pageUrl, token) {
13406
13331
  }
13407
13332
  var SAFE_SLUG_RE = /^[a-z0-9](?:[a-z0-9-]{0,118}[a-z0-9])?$/;
13408
13333
  var CHAT_SESSION_KEY_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{7,127}$/;
13409
- var app38 = new Hono();
13410
- app38.get("/:slug/click", async (c) => {
13334
+ var app37 = new Hono();
13335
+ app37.get("/:slug/click", async (c) => {
13411
13336
  const slug = c.req.param("slug") ?? "";
13412
13337
  const rawSession = c.req.query("session") ?? "";
13413
13338
  const sessionKey = CHAT_SESSION_KEY_RE.test(rawSession) ? rawSession : "invalid";
@@ -13471,10 +13396,10 @@ app38.get("/:slug/click", async (c) => {
13471
13396
  console.log(`[property-card-click] sessionKey=${sessionKey} listingSlug=${slug} consent=${consentCookie ?? "absent"} ts=${(/* @__PURE__ */ new Date()).toISOString()}`);
13472
13397
  return c.redirect(redirectUrl, 302);
13473
13398
  });
13474
- var listings_default = app38;
13399
+ var listings_default = app37;
13475
13400
 
13476
13401
  // server/routes/visitor-event.ts
13477
- var app39 = new Hono();
13402
+ var app38 = new Hono();
13478
13403
  var BOT_UA_RE = /\b(bot|crawl|spider|slurp|headlesschrome|phantomjs|googlebot|bingbot|yandex|baiduspider|ahrefsbot|semrushbot|mj12bot|dotbot|petalbot)\b/i;
13479
13404
  var buckets = /* @__PURE__ */ new Map();
13480
13405
  var RATE_LIMIT = 60;
@@ -13541,12 +13466,12 @@ function originAllowed(origin, allowlist) {
13541
13466
  return false;
13542
13467
  }
13543
13468
  }
13544
- app39.options("/event", (c) => {
13469
+ app38.options("/event", (c) => {
13545
13470
  const origin = getOrigin2(c);
13546
13471
  setCorsHeaders2(c, origin);
13547
13472
  return c.body(null, 204);
13548
13473
  });
13549
- app39.post("/event", async (c) => {
13474
+ app38.post("/event", async (c) => {
13550
13475
  const origin = getOrigin2(c);
13551
13476
  setCorsHeaders2(c, origin);
13552
13477
  const ua = c.req.header("user-agent") ?? "";
@@ -13751,7 +13676,7 @@ async function writeEvent(opts) {
13751
13676
  );
13752
13677
  }
13753
13678
  }
13754
- var visitor_event_default = app39;
13679
+ var visitor_event_default = app38;
13755
13680
 
13756
13681
  // app/lib/graph-health.ts
13757
13682
  var HOUR_MS = 60 * 60 * 1e3;
@@ -13836,7 +13761,7 @@ function startGraphHealthTimer() {
13836
13761
 
13837
13762
  // app/lib/file-watcher.ts
13838
13763
  import * as fsp2 from "fs/promises";
13839
- import { resolve as resolve21, sep as sep6 } from "path";
13764
+ import { resolve as resolve20, sep as sep6 } from "path";
13840
13765
  var ACCOUNT_UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
13841
13766
  var DEFAULT_COALESCE_MS = 500;
13842
13767
  var ROOTS = ["uploads", "accounts"];
@@ -13855,7 +13780,7 @@ async function startFileWatcher(opts = {}) {
13855
13780
  const dropFn = opts.drop ?? dropFileIndex;
13856
13781
  for (const r of ROOTS) {
13857
13782
  try {
13858
- await fsp2.mkdir(resolve21(dataRoot, r), { recursive: true });
13783
+ await fsp2.mkdir(resolve20(dataRoot, r), { recursive: true });
13859
13784
  } catch (err) {
13860
13785
  console.error(
13861
13786
  `[file-watcher] start-failed root="${r}" err="${err.message}" \u2014 index will be maintained by the 5-min reconcile backstop only`
@@ -13876,7 +13801,7 @@ async function startFileWatcher(opts = {}) {
13876
13801
  timers.set(relativePath, t);
13877
13802
  }
13878
13803
  async function runHook(relativePath, accountId) {
13879
- const absolute = resolve21(dataRoot, relativePath);
13804
+ const absolute = resolve20(dataRoot, relativePath);
13880
13805
  let exists = false;
13881
13806
  try {
13882
13807
  const st = await fsp2.stat(absolute);
@@ -13900,7 +13825,7 @@ async function startFileWatcher(opts = {}) {
13900
13825
  }
13901
13826
  }
13902
13827
  async function watchRoot(rootName) {
13903
- const absRoot = resolve21(dataRoot, rootName);
13828
+ const absRoot = resolve20(dataRoot, rootName);
13904
13829
  try {
13905
13830
  const iter = fsp2.watch(absRoot, { recursive: true, signal: controller.signal });
13906
13831
  for await (const event of iter) {
@@ -13999,7 +13924,7 @@ function broadcastAdminShutdown(reason) {
13999
13924
  // ../lib/entitlement/src/index.ts
14000
13925
  import { createPublicKey, createHash as createHash4, verify as cryptoVerify } from "crypto";
14001
13926
  import { existsSync as existsSync20, readFileSync as readFileSync20, statSync as statSync9 } from "fs";
14002
- import { resolve as resolve22 } from "path";
13927
+ import { resolve as resolve21 } from "path";
14003
13928
 
14004
13929
  // ../lib/entitlement/src/canonicalize.ts
14005
13930
  function canonicalize(value) {
@@ -14034,7 +13959,7 @@ var PUBKEY_SHA256 = "8eee6bcb33545fd13b16d3199a5735ca5db5062834c7b49dfe4f23801d9
14034
13959
  var GRACE_DAYS = 7;
14035
13960
  var GRACE_MS = GRACE_DAYS * 24 * 60 * 60 * 1e3;
14036
13961
  function pubkeyPath(brand) {
14037
- return resolve22(brand.platformRoot, "lib", "entitlement", "rubytech-pubkey.pem");
13962
+ return resolve21(brand.platformRoot, "lib", "entitlement", "rubytech-pubkey.pem");
14038
13963
  }
14039
13964
  var memo = null;
14040
13965
  function memoKey(mtimeMs, account) {
@@ -14046,12 +13971,12 @@ function resolveEntitlement(brand, account) {
14046
13971
  if (brand.commercialMode !== true) {
14047
13972
  return logResolved(implicitTrust(account), null);
14048
13973
  }
14049
- const entitlementPath = resolve22(brand.configDir, "entitlement.json");
13974
+ const entitlementPath = resolve21(brand.configDir, "entitlement.json");
14050
13975
  if (!existsSync20(entitlementPath)) {
14051
13976
  return logResolved(anonymousFallback("missing"), { reason: "missing" });
14052
13977
  }
14053
- const stat8 = statSync9(entitlementPath);
14054
- const key = memoKey(stat8.mtimeMs, account);
13978
+ const stat7 = statSync9(entitlementPath);
13979
+ const key = memoKey(stat7.mtimeMs, account);
14055
13980
  if (memo && memo.key === key) {
14056
13981
  return memo.result;
14057
13982
  }
@@ -14291,9 +14216,9 @@ watchFile(ALIAS_DOMAINS_PATH, { interval: 2e3 }, () => {
14291
14216
  function isPublicHost(host) {
14292
14217
  return host.startsWith("public.") || aliasDomains.has(host);
14293
14218
  }
14294
- var app40 = new Hono();
14295
- app40.use("*", clientIpMiddleware);
14296
- app40.use("*", async (c, next) => {
14219
+ var app39 = new Hono();
14220
+ app39.use("*", clientIpMiddleware);
14221
+ app39.use("*", async (c, next) => {
14297
14222
  await next();
14298
14223
  c.header("X-Content-Type-Options", "nosniff");
14299
14224
  c.header("Referrer-Policy", "strict-origin-when-cross-origin");
@@ -14303,7 +14228,7 @@ app40.use("*", async (c, next) => {
14303
14228
  );
14304
14229
  });
14305
14230
  var HTTP_LOG_PATHS = /* @__PURE__ */ new Set(["/vnc-viewer.html", "/vnc-popout.html"]);
14306
- app40.use("*", async (c, next) => {
14231
+ app39.use("*", async (c, next) => {
14307
14232
  if (!HTTP_LOG_PATHS.has(c.req.path)) {
14308
14233
  await next();
14309
14234
  return;
@@ -14336,7 +14261,7 @@ var PUBLIC_ALLOWED_PREFIXES = [
14336
14261
  "/sites/"
14337
14262
  ];
14338
14263
  var PUBLIC_ALLOWED_EXACT = ["/favicon.ico"];
14339
- app40.use("*", async (c, next) => {
14264
+ app39.use("*", async (c, next) => {
14340
14265
  const host = (c.req.header("host") ?? "").split(":")[0];
14341
14266
  if (!isPublicHost(host)) {
14342
14267
  await next();
@@ -14376,7 +14301,7 @@ function resolveRemoteAuthOpts() {
14376
14301
  return brandLoginOpts;
14377
14302
  }
14378
14303
  var MAX_LOGIN_BODY = 8 * 1024;
14379
- app40.post("/__remote-auth/login", async (c) => {
14304
+ app39.post("/__remote-auth/login", async (c) => {
14380
14305
  const client = clientFrom(c);
14381
14306
  const clientIp = client.ip || "unknown";
14382
14307
  if (!requestIsTlsTerminated(c)) {
@@ -14421,7 +14346,7 @@ app40.post("/__remote-auth/login", async (c) => {
14421
14346
  }
14422
14347
  });
14423
14348
  });
14424
- app40.get("/__remote-auth/logout", (c) => {
14349
+ app39.get("/__remote-auth/logout", (c) => {
14425
14350
  const client = clientFrom(c);
14426
14351
  const clientIp = client.ip || "unknown";
14427
14352
  console.error(`[remote-auth] logout ip=${clientIp}`);
@@ -14434,7 +14359,7 @@ app40.get("/__remote-auth/logout", (c) => {
14434
14359
  }
14435
14360
  });
14436
14361
  });
14437
- app40.post("/__remote-auth/change-password", async (c) => {
14362
+ app39.post("/__remote-auth/change-password", async (c) => {
14438
14363
  const client = clientFrom(c);
14439
14364
  const clientIp = client.ip || "unknown";
14440
14365
  const rateLimited = checkRateLimit(client);
@@ -14485,13 +14410,13 @@ app40.post("/__remote-auth/change-password", async (c) => {
14485
14410
  return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "change", changeError: "Failed to save password", redirect }), 200);
14486
14411
  }
14487
14412
  });
14488
- app40.get("/__remote-auth/setup", (c) => {
14413
+ app39.get("/__remote-auth/setup", (c) => {
14489
14414
  if (isRemoteAuthConfigured()) {
14490
14415
  return c.redirect("/");
14491
14416
  }
14492
14417
  return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "setup" }), 200);
14493
14418
  });
14494
- app40.post("/__remote-auth/set-initial-password", async (c) => {
14419
+ app39.post("/__remote-auth/set-initial-password", async (c) => {
14495
14420
  if (isRemoteAuthConfigured()) {
14496
14421
  return c.redirect("/");
14497
14422
  }
@@ -14529,10 +14454,10 @@ app40.post("/__remote-auth/set-initial-password", async (c) => {
14529
14454
  return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "setup", setupError: "Failed to save password. Please try again." }), 200);
14530
14455
  }
14531
14456
  });
14532
- app40.get("/api/remote-auth/status", (c) => {
14457
+ app39.get("/api/remote-auth/status", (c) => {
14533
14458
  return c.json({ configured: isRemoteAuthConfigured() });
14534
14459
  });
14535
- app40.post("/api/remote-auth/set-password", async (c) => {
14460
+ app39.post("/api/remote-auth/set-password", async (c) => {
14536
14461
  let body;
14537
14462
  try {
14538
14463
  body = await c.req.json();
@@ -14563,9 +14488,9 @@ app40.post("/api/remote-auth/set-password", async (c) => {
14563
14488
  return c.json({ error: "Failed to save password" }, 500);
14564
14489
  }
14565
14490
  });
14566
- app40.route("/api/_client-error", client_error_default);
14491
+ app39.route("/api/_client-error", client_error_default);
14567
14492
  console.log("[client-error-route] mounted");
14568
- app40.use("*", async (c, next) => {
14493
+ app39.use("*", async (c, next) => {
14569
14494
  const host = (c.req.header("host") ?? "").split(":")[0];
14570
14495
  const path2 = c.req.path;
14571
14496
  if (path2 === "/favicon.ico" || path2.startsWith("/assets/") || path2.startsWith("/brand/")) {
@@ -14598,12 +14523,12 @@ app40.use("*", async (c, next) => {
14598
14523
  console.error(`[remote-auth] login required ip=${clientIp} path=${path2} ${disambig}`);
14599
14524
  return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), redirect: path2 }), 200);
14600
14525
  });
14601
- app40.route("/api/health", health_default);
14602
- app40.route("/api/chat", chat_default);
14603
- app40.route("/api/whatsapp", whatsapp_default);
14604
- app40.route("/api/onboarding", onboarding_default);
14605
- app40.route("/api/admin", admin_default);
14606
- app40.route("/api/access", access_default);
14526
+ app39.route("/api/health", health_default);
14527
+ app39.route("/api/chat", chat_default);
14528
+ app39.route("/api/whatsapp", whatsapp_default);
14529
+ app39.route("/api/onboarding", onboarding_default);
14530
+ app39.route("/api/admin", admin_default);
14531
+ app39.route("/api/access", access_default);
14607
14532
  var SAFE_SLUG_RE2 = /^[a-z][a-z0-9-]{2,49}$/;
14608
14533
  var SAFE_FILENAME_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
14609
14534
  var IMAGE_MIME = {
@@ -14615,7 +14540,7 @@ var IMAGE_MIME = {
14615
14540
  ".svg": "image/svg+xml",
14616
14541
  ".ico": "image/x-icon"
14617
14542
  };
14618
- app40.get("/agent-assets/:slug/:filename", (c) => {
14543
+ app39.get("/agent-assets/:slug/:filename", (c) => {
14619
14544
  const slug = c.req.param("slug");
14620
14545
  const filename = c.req.param("filename");
14621
14546
  if (!SAFE_SLUG_RE2.test(slug)) {
@@ -14631,8 +14556,8 @@ app40.get("/agent-assets/:slug/:filename", (c) => {
14631
14556
  console.error(`[agent-assets] no-account slug=${slug} file=${filename}`);
14632
14557
  return c.text("Not found", 404);
14633
14558
  }
14634
- const filePath = resolve23(account.accountDir, "agents", slug, "assets", filename);
14635
- const expectedDir = resolve23(account.accountDir, "agents", slug, "assets");
14559
+ const filePath = resolve22(account.accountDir, "agents", slug, "assets", filename);
14560
+ const expectedDir = resolve22(account.accountDir, "agents", slug, "assets");
14636
14561
  if (!filePath.startsWith(expectedDir + "/")) {
14637
14562
  console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
14638
14563
  return c.text("Forbidden", 403);
@@ -14650,7 +14575,7 @@ app40.get("/agent-assets/:slug/:filename", (c) => {
14650
14575
  "Cache-Control": "public, max-age=3600"
14651
14576
  });
14652
14577
  });
14653
- app40.get("/generated/:filename", (c) => {
14578
+ app39.get("/generated/:filename", (c) => {
14654
14579
  const filename = c.req.param("filename");
14655
14580
  if (!SAFE_FILENAME_RE.test(filename) || filename.includes("..")) {
14656
14581
  console.error(`[generated] serve file=${filename} status=403`);
@@ -14661,8 +14586,8 @@ app40.get("/generated/:filename", (c) => {
14661
14586
  console.error(`[generated] serve file=${filename} status=404`);
14662
14587
  return c.text("Not found", 404);
14663
14588
  }
14664
- const filePath = resolve23(account.accountDir, "generated", filename);
14665
- const expectedDir = resolve23(account.accountDir, "generated");
14589
+ const filePath = resolve22(account.accountDir, "generated", filename);
14590
+ const expectedDir = resolve22(account.accountDir, "generated");
14666
14591
  if (!filePath.startsWith(expectedDir + "/")) {
14667
14592
  console.error(`[generated] serve file=${filename} status=403`);
14668
14593
  return c.text("Forbidden", 403);
@@ -14680,10 +14605,10 @@ app40.get("/generated/:filename", (c) => {
14680
14605
  "Cache-Control": "public, max-age=86400"
14681
14606
  });
14682
14607
  });
14683
- app40.route("/sites", sites_default);
14684
- app40.route("/listings", listings_default);
14685
- app40.route("/v", visitor_event_default);
14686
- app40.route("/v", visitor_consent_default);
14608
+ app39.route("/sites", sites_default);
14609
+ app39.route("/listings", listings_default);
14610
+ app39.route("/v", visitor_event_default);
14611
+ app39.route("/v", visitor_consent_default);
14687
14612
  var htmlCache = /* @__PURE__ */ new Map();
14688
14613
  var brandLogoPath = "/brand/maxy-monochrome.png";
14689
14614
  var brandIconPath = "/brand/maxy-monochrome.png";
@@ -14749,7 +14674,7 @@ var clientErrorReporterScript = `<script>
14749
14674
  function cachedHtml(file) {
14750
14675
  let html = htmlCache.get(file);
14751
14676
  if (!html) {
14752
- html = readFileSync21(resolve23(process.cwd(), "public", file), "utf-8");
14677
+ html = readFileSync21(resolve22(process.cwd(), "public", file), "utf-8");
14753
14678
  const productNameEsc = escapeHtml(BRAND.productName);
14754
14679
  html = html.replace(/<title>([^<]*)<\/title>/, (_match, inner) => `<title>${escapeHtml(inner).replace(/Maxy/g, productNameEsc)}</title>`);
14755
14680
  html = html.replace('href="/favicon.ico"', `href="${escapeHtml(brandFaviconPath)}"`);
@@ -14820,7 +14745,7 @@ function brandedPublicHtml(agentSlug) {
14820
14745
  function escapeHtml(s) {
14821
14746
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
14822
14747
  }
14823
- app40.get("/", (c) => {
14748
+ app39.get("/", (c) => {
14824
14749
  const host = (c.req.header("host") ?? "").split(":")[0];
14825
14750
  if (isPublicHost(host)) {
14826
14751
  const defaultSlug = resolveDefaultSlug();
@@ -14828,12 +14753,12 @@ app40.get("/", (c) => {
14828
14753
  }
14829
14754
  return c.html(cachedHtml("index.html"));
14830
14755
  });
14831
- app40.get("/public", (c) => {
14756
+ app39.get("/public", (c) => {
14832
14757
  const host = (c.req.header("host") ?? "").split(":")[0];
14833
14758
  if (isPublicHost(host)) return c.text("Not found", 404);
14834
14759
  return c.html(cachedHtml("public.html"));
14835
14760
  });
14836
- app40.get("/chat", (c) => {
14761
+ app39.get("/chat", (c) => {
14837
14762
  const host = (c.req.header("host") ?? "").split(":")[0];
14838
14763
  if (isPublicHost(host)) return c.text("Not found", 404);
14839
14764
  return c.html(cachedHtml("public.html"));
@@ -14852,12 +14777,12 @@ async function logViewerFetch(c, next) {
14852
14777
  duration_ms: Date.now() - start
14853
14778
  });
14854
14779
  }
14855
- app40.use("/vnc-viewer.html", logViewerFetch);
14856
- app40.use("/vnc-popout.html", logViewerFetch);
14857
- app40.get("/vnc-popout.html", (c) => {
14780
+ app39.use("/vnc-viewer.html", logViewerFetch);
14781
+ app39.use("/vnc-popout.html", logViewerFetch);
14782
+ app39.get("/vnc-popout.html", (c) => {
14858
14783
  let html = htmlCache.get("vnc-popout.html");
14859
14784
  if (!html) {
14860
- html = readFileSync21(resolve23(process.cwd(), "public", "vnc-popout.html"), "utf-8");
14785
+ html = readFileSync21(resolve22(process.cwd(), "public", "vnc-popout.html"), "utf-8");
14861
14786
  const name = escapeHtml(BRAND.productName);
14862
14787
  html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
14863
14788
  html = html.replace("</head>", ` ${brandScript}
@@ -14867,7 +14792,7 @@ app40.get("/vnc-popout.html", (c) => {
14867
14792
  }
14868
14793
  return c.html(html);
14869
14794
  });
14870
- app40.post("/api/vnc/client-event", async (c) => {
14795
+ app39.post("/api/vnc/client-event", async (c) => {
14871
14796
  let body;
14872
14797
  try {
14873
14798
  body = await c.req.json();
@@ -14888,25 +14813,25 @@ app40.post("/api/vnc/client-event", async (c) => {
14888
14813
  });
14889
14814
  return c.json({ ok: true });
14890
14815
  });
14891
- app40.get("/g/:slug", (c) => {
14816
+ app39.get("/g/:slug", (c) => {
14892
14817
  return c.html(brandedPublicHtml());
14893
14818
  });
14894
- app40.get("/graph", (c) => {
14819
+ app39.get("/graph", (c) => {
14895
14820
  const host = (c.req.header("host") ?? "").split(":")[0];
14896
14821
  if (isPublicHost(host)) return c.text("Not found", 404);
14897
14822
  return c.html(cachedHtml("graph.html"));
14898
14823
  });
14899
- app40.get("/sessions", (c) => {
14824
+ app39.get("/sessions", (c) => {
14900
14825
  const host = (c.req.header("host") ?? "").split(":")[0];
14901
14826
  if (isPublicHost(host)) return c.text("Not found", 404);
14902
14827
  return c.html(cachedHtml("sessions.html"));
14903
14828
  });
14904
- app40.get("/data", (c) => {
14829
+ app39.get("/data", (c) => {
14905
14830
  const host = (c.req.header("host") ?? "").split(":")[0];
14906
14831
  if (isPublicHost(host)) return c.text("Not found", 404);
14907
14832
  return c.html(cachedHtml("data.html"));
14908
14833
  });
14909
- app40.get("/:slug", async (c, next) => {
14834
+ app39.get("/:slug", async (c, next) => {
14910
14835
  const slug = c.req.param("slug");
14911
14836
  if (AGENT_SLUG_PATTERN.test(`/${slug}`)) {
14912
14837
  const branding = loadBrandingCache(slug);
@@ -14916,15 +14841,15 @@ app40.get("/:slug", async (c, next) => {
14916
14841
  await next();
14917
14842
  });
14918
14843
  if (brandFaviconPath !== "/favicon.ico") {
14919
- app40.get("/favicon.ico", (c) => {
14844
+ app39.get("/favicon.ico", (c) => {
14920
14845
  c.header("Cache-Control", "public, max-age=300");
14921
14846
  return c.redirect(brandFaviconPath, 302);
14922
14847
  });
14923
14848
  }
14924
- app40.use("/*", serveStatic({ root: "./public" }));
14849
+ app39.use("/*", serveStatic({ root: "./public" }));
14925
14850
  var port = requirePortEnv("MAXY_UI_INTERNAL_PORT", { tag: "ui-server" });
14926
14851
  var hostname = process.env.HOSTNAME ?? "127.0.0.1";
14927
- var httpServer = serve({ fetch: app40.fetch, port, hostname });
14852
+ var httpServer = serve({ fetch: app39.fetch, port, hostname });
14928
14853
  console.log(`${BRAND.productName} listening on http://${hostname}:${port}`);
14929
14854
  {
14930
14855
  const loopHist = monitorEventLoopDelay({ resolution: 50 });
@@ -14960,7 +14885,7 @@ for (const m of SUBAPP_MANIFEST) {
14960
14885
  }
14961
14886
  try {
14962
14887
  const registered = [];
14963
- for (const r of app40.routes ?? []) {
14888
+ for (const r of app39.routes ?? []) {
14964
14889
  if (typeof r.path !== "string" || r.path.includes(":") || r.path.includes("*")) continue;
14965
14890
  if (AGENT_SLUG_PATTERN.test(r.path)) {
14966
14891
  registered.push({ method: (r.method ?? "ALL").toUpperCase(), path: r.path });
@@ -15078,7 +15003,7 @@ if (bootAccountConfig?.whatsapp) {
15078
15003
  }
15079
15004
  init({
15080
15005
  configDir: configDirForWhatsApp,
15081
- platformRoot: resolve23(process.env.MAXY_PLATFORM_ROOT ?? join16(__dirname, "..")),
15006
+ platformRoot: resolve22(process.env.MAXY_PLATFORM_ROOT ?? join16(__dirname, "..")),
15082
15007
  accountConfig: bootAccountConfig,
15083
15008
  onMessage: async (msg) => {
15084
15009
  if (process.env.WHATSAPP_PTY_BRIDGE_ENABLED === "true" && msg.text && !msg.isOwnerMirror) {