@rubytech/create-maxy-code 0.1.228 → 0.1.230

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (27) hide show
  1. package/package.json +1 -1
  2. package/payload/platform/plugins/admin/mcp/dist/index.js +9 -20
  3. package/payload/platform/plugins/admin/mcp/dist/index.js.map +1 -1
  4. package/payload/platform/plugins/admin/skills/platform-architecture/SKILL.md +33 -1
  5. package/payload/platform/plugins/admin/skills/qr-code/SKILL.md +6 -5
  6. package/payload/platform/plugins/admin/skills/qr-code/references/data-formats.md +2 -2
  7. package/payload/platform/plugins/admin/skills/unzip-attachment/SKILL.md +1 -1
  8. package/payload/platform/plugins/cloudflare/references/dashboard-guide.md +28 -0
  9. package/payload/platform/plugins/cloudflare/references/serving-published-sites.md +73 -0
  10. package/payload/platform/plugins/cloudflare/skills/setup-tunnel/SKILL.md +1 -1
  11. package/payload/platform/plugins/docs/references/troubleshooting.md +32 -0
  12. package/payload/platform/services/claude-session-manager/dist/http-server.d.ts.map +1 -1
  13. package/payload/platform/services/claude-session-manager/dist/http-server.js +29 -4
  14. package/payload/platform/services/claude-session-manager/dist/http-server.js.map +1 -1
  15. package/payload/platform/services/claude-session-manager/dist/rc-daemon.d.ts.map +1 -1
  16. package/payload/platform/services/claude-session-manager/dist/rc-daemon.js +5 -2
  17. package/payload/platform/services/claude-session-manager/dist/rc-daemon.js.map +1 -1
  18. package/payload/server/public/assets/AdminShell-D_eg2QKE.js +1 -0
  19. package/payload/server/public/assets/{admin-CE1Dy8-O.js → admin-BKawc0eQ.js} +1 -1
  20. package/payload/server/public/assets/data-JoiWCmz6.js +1 -0
  21. package/payload/server/public/assets/graph-DmOvqjTa.js +51 -0
  22. package/payload/server/public/data.html +2 -2
  23. package/payload/server/public/graph.html +2 -2
  24. package/payload/server/public/index.html +2 -2
  25. package/payload/server/public/assets/AdminShell-BHSiRGiE.js +0 -1
  26. package/payload/server/public/assets/data-CKk52rib.js +0 -1
  27. package/payload/server/public/assets/graph-TuzretIr.js +0 -51
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  name: platform-architecture
3
3
  description: Use when grounding any documented-surface claim about what Maxy ships — plugins, skills, specialists, install/deploy flows, internals. This is the install catalogue, not evidence of what is enabled on the current account. For install state on this account, call `capabilities-here`; for documented surface, cite the `Source:` URL inline.
4
- content-hash: sha256:e41db861c3d27b7540a72b1d789ff9d6ea42625edb3e8d93a08e2baae46b27c0
4
+ content-hash: sha256:7ccf57afeb67e23745bc86265d7a65790fd4fc6cba0a659a8fb6ee3f69027e6d
5
5
  brand: maxy-code
6
6
  product-name: Maxy
7
7
  ---
@@ -3563,6 +3563,38 @@ Source: https://docs.getmaxy.com/troubleshooting.md
3563
3563
 
3564
3564
  **Diagnose if it ever recurs:** run `bash platform/scripts/__tests__/first-token-creates-stream-log.test.sh` from the install. Pass = invariant holds; any other exit = the writer-side existence contract is broken and one `[log-tee] missing-on-resolve sessionKey=<8> surface=<…>` line on `server.log` is the operator-visible signal (P0). For the duplicate-file class specifically (the 2026-05-14 recurrence trigger), `bash platform/scripts/log-adherence-check.sh` returns non-zero whenever any sessionKey has more than one `claude-agent-stream-<sk>.log` across account dirs.
3565
3565
 
3566
+ ## Retrieving evidence from an rc-spawn session
3567
+
3568
+ rc-spawn sessions (those started via the sidebar or the `claude rc --spawn` daemon) do not write a per-account stream log under `data/accounts/<id>/logs/`. Their evidence is the Claude Code JSONL transcript in the configDir:
3569
+
3570
+ ```
3571
+ <CLAUDE_CONFIG_DIR>/projects/<slug>/<uuid>.jsonl # parent session
3572
+ <…>/projects/<slug>/<uuid>.meta.json # bridgeIds persistent map
3573
+ <…>/projects/<slug>/<uuid>/subagents/agent-<hex>.jsonl # each subagent
3574
+ <…>/projects/<slug>/<uuid>/subagents/agent-<hex>.meta.json # {"agentType",…}
3575
+ ```
3576
+
3577
+ **Retrieve a session's merged timeline:** `logs-read.sh <key>` with a bare key (no second argument) maps the key to the local `<uuid>` and prints one timestamp-ordered timeline merging the parent transcript with every subagent transcript. The key is resolved in order: a matching `<uuid>.jsonl` on disk; a `sessions/<pid>.json` whose `bridgeSessionId` matches; a `<uuid>.meta.json` whose `bridgeIds` carries the suffix (persistent — survives PID-file cleanup on clean exit); and finally a content scan of the top-level transcripts as last resort. Any accepted key form works: the `claude.ai` `session_<id>`, its bare suffix, or the `<uuid>` (or a unique uuid prefix).
3578
+
3579
+ Every subagent `is_error` tool_result is flagged inline as `‼ SUBAGENT ERROR` with the agent type, the failing tool, and the error text. The parent session's own tool errors appear as `‼ tool error`. The two are never conflated.
3580
+
3581
+ **Audit all silently-failed subagents:** `logs-read.sh --scan-subagent-errors [N]` walks every `subagents/agent-*.jsonl` under the configDir and lists each one carrying an `is_error` result — agent type, parent session, failing tool, error text. Optional `N` limits the scan to the `N` most-recently-modified transcripts. Use this when a delivery failure was reported but no reproduction is available.
3582
+
3583
+ **Quick recipes:**
3584
+
3585
+ ```bash
3586
+ # A session's merged parent+subagent timeline (subagent errors flagged inline)
3587
+ ~/maxy-code/platform/scripts/logs-read.sh session_<id>
3588
+
3589
+ # Standing audit: every subagent transcript that failed silently
3590
+ ~/maxy-code/platform/scripts/logs-read.sh --scan-subagent-errors
3591
+
3592
+ # Limit audit to the 50 most-recent transcripts
3593
+ ~/maxy-code/platform/scripts/logs-read.sh --scan-subagent-errors 50
3594
+ ```
3595
+
3596
+ Note: passing an explicit second argument (e.g. `logs-read.sh <key> agent-stream`) still reads the legacy per-account stream log — the bare-key JSONL path is the default when no type is given.
3597
+
3566
3598
  ## A JavaScript-rendered page comes back empty from WebFetch or `url-get`
3567
3599
 
3568
3600
  **Symptom:** A page that needs JavaScript to show its content returns empty or a shell document from `WebFetch` (summary) or `url-get` (verbatim, server-rendered).
@@ -2,13 +2,14 @@
2
2
  name: qr-code
3
3
  description: >
4
4
  Generate QR codes from URLs, Wi-Fi credentials, contacts (vCard), email/SMS links,
5
- or plain text and deliver the image inline. Trigger phrases: "QR code", "generate a
6
- QR", "create a QR", "make a QR code for", or any request to share data as a scannable code.
5
+ or plain text. Writes the PNG under output/qr/ and tells the operator its path.
6
+ Trigger phrases: "QR code", "generate a QR", "create a QR", "make a QR code for",
7
+ or any request to share data as a scannable code.
7
8
  ---
8
9
 
9
10
  # QR Code Generation
10
11
 
11
- Generate QR codes from user-provided data and deliver the resulting image inline in conversation.
12
+ Generate QR codes from user-provided data and deliver by stating the file path.
12
13
 
13
14
  ## When to Activate
14
15
 
@@ -20,9 +21,9 @@ Generate QR codes from user-provided data and deliver the resulting image inline
20
21
 
21
22
  Infer the data type from the user's input. For structured types (Wi-Fi, vCard), collect any missing fields conversationally and confirm the structured data before encoding. For simple types (URL, plain text, email, SMS), encode directly.
22
23
 
23
- Generate the QR image by piping the encoded string to the `qrcode` CLI via stdin never interpolate user data into the shell command. Save the output as PNG to `/tmp/` and present the file to the user.
24
+ Generate the QR image by calling the `qr-generate` tool with the encoded data string as the `data` parameter. The tool writes the PNG under `output/qr/` and returns the path. Tell the operator the path so they can retrieve it from the Artefacts panel or file share.
24
25
 
25
- If the CLI exits with an error, report the error message to the user and suggest corrections (e.g., data too long, invalid format).
26
+ If the tool returns an error, report the message to the user and suggest corrections (e.g., data too long, invalid format).
26
27
 
27
28
  ## Boundaries
28
29
 
@@ -5,7 +5,7 @@
5
5
  Always pipe data via stdin to avoid shell injection. Never interpolate user data into the command string.
6
6
 
7
7
  ```bash
8
- printf '%s' 'ENCODED_DATA' | npx -y qrcode -o /tmp/qr-$(date +%s).png
8
+ printf '%s' 'ENCODED_DATA' | npx -y qrcode -o output/qr/qr-$(date +%s).png
9
9
  ```
10
10
 
11
11
  ### Options
@@ -14,7 +14,7 @@ printf '%s' 'ENCODED_DATA' | npx -y qrcode -o /tmp/qr-$(date +%s).png
14
14
  |--------|------|--------|
15
15
  | Size | `--width` | Small: 200, Medium: 400 (default), Large: 800 |
16
16
  | Error correction | `--error-correction-level` | L (7%), M (15%, default), Q (25%), H (30%) |
17
- | SVG output | `--type svg -o /tmp/qr-$(date +%s).svg` | Use instead of PNG when user requests SVG |
17
+ | SVG output | `--type svg -o output/qr/qr-$(date +%s).svg` | Use instead of PNG when user requests SVG |
18
18
 
19
19
  Higher error correction allows the QR code to remain scannable even if partially damaged, but reduces data capacity.
20
20
 
@@ -49,7 +49,7 @@ See [references/safety.md](references/safety.md) for the precise shell commands,
49
49
  6. **Emit the done log line** — `[skill:unzip] done attachmentId=<uuid> entries=<n> uncompressed=<bytes>`.
50
50
  7. **Inventory + propose.** Reply to the operator with: top-level entries (first-level subdirectories and top-level files, up to ~20), total file count, total uncompressed bytes. For each entry class, propose **one** concrete follow-up:
51
51
  - `.md`, `.txt` → "ingest into memory via `memory-ingest`?"
52
- - `.png`, `.jpg`, `.pdf` → "re-attach via the `file-presentation` skill so the user sees the file?"
52
+ - `.png`, `.jpg`, `.pdf` → "state their location under `extracted/<attachmentId>/` the operator retrieves them from the Artefacts panel or file share."
53
53
  - unknown / binary / source → list only. No proposal.
54
54
 
55
55
  On any refusal step the operator gets the refusal message verbatim, no re-try, no silent substitution — per the loud-failure protocol in IDENTITY.md.
@@ -140,6 +140,34 @@ opens an SSH prompt to the Pi.
140
140
 
141
141
  ---
142
142
 
143
+ ## Create a URL Rewrite Rule
144
+
145
+ A URL Rewrite Rule silently rewrites the path the origin server receives without changing the URL the visitor sees in their browser. Use this when you want a custom domain root (e.g. `getmaxy.com/`) to serve a path that lives elsewhere on the origin (e.g. `/sites/getmaxy/`) without redirecting the visitor.
146
+
147
+ This is **not** the same as a Page Rule redirect. Page Rules issue a visible 301/302 to the browser; a Rewrite Rule changes only what the origin receives, transparently.
148
+
149
+ 1. Click **Websites** in the sidebar, then click the zone.
150
+ 2. Click **Rules** in the left-hand sidebar, then **Overview**.
151
+ 3. Click **Create rule**, then select **URL Rewrite Rule**.
152
+ Alternatively, click **Create from template** and choose **"Rewrite path of moved section"** for a pre-filled starting point.
153
+ 4. Enter a descriptive **Rule name** (e.g. `getmaxy apex → marketing site`).
154
+ 5. Under **If incoming requests match**, select **Custom filter expression** and enter the expression. For a match on bare domain and www:
155
+ ```
156
+ (http.host eq "example.com") or (http.host eq "www.example.com")
157
+ ```
158
+ 6. Under **Then**, set **Path** → **Rewrite to** → **Dynamic** and enter the expression:
159
+ ```
160
+ concat("/sites/mysite", http.request.uri.path)
161
+ ```
162
+ Leave **Query string** on **Preserve** (unchanged).
163
+ 7. Click **Deploy**.
164
+
165
+ No server restart is needed. Verify with `curl -s https://<domain>/ | head` — the response should be the site's HTML, not the agent SPA `<div id="root">`.
166
+
167
+ **When the zone cert misroutes:** if `cloudflared tunnel route dns` is run for a hostname in a zone the cert was not authorised for at `tunnel login`, it silently creates a record in the wrong zone (appends the cert's zone as a suffix). Check the emitted record name in the command output; if it has an unexpected suffix, delete the stray record via `DNS → Records` and create the CNAME manually in the correct zone instead.
168
+
169
+ ---
170
+
143
171
  ## Where tunnels live in the dashboard (as of 2026-04)
144
172
 
145
173
  Tunnels are under **Zero Trust** → **Networks** → **Tunnels**. This is not in the top-level sidebar — it is under the Zero Trust sub-dashboard, which itself appears in the main sidebar. Cloudflare has moved this location in the past. If **Networks** → **Tunnels** is not visible under Zero Trust, the label has likely been renamed; look for "Tunnels" under Networks or Access.
@@ -0,0 +1,73 @@
1
+ # Serving a published static site at a custom domain — recipe + known gaps
2
+
3
+ Notes captured 2026-06-01 during the getmaxy.com apex setup. The existing runbook
4
+ (`manual-setup.md`) covers getting a hostname to *reach* the server, but not the
5
+ application-layer step of making that hostname *serve a published site at its root*.
6
+ These are the gaps that cost time, and the recipe that works.
7
+
8
+ ---
9
+
10
+ ## Gap 1 — an alias hostname serves the PUBLIC-AGENT SPA at `/`, not a published site
11
+
12
+ Adding a hostname to `alias-domains.json` (so `isPublicHost()` is true) makes the
13
+ platform serve the **public chat-agent landing** (`brandedPublicHtml`) at `/`. It does
14
+ **not** serve a published static site. Published sites live at `/sites/<slug>/` and are
15
+ reachable under any alias host at that path, but the bare root always renders the agent SPA.
16
+
17
+ There is **no per-domain → landing-site mapping** in the platform. `resolveDefaultSlug()`
18
+ reads `account.defaultAgent` (a chat agent), never a site slug. Confirmed by reading
19
+ `server/server.js` `app41.get("/")` and the `/sites` route.
20
+
21
+ **Implication:** "point getmaxy.com at the getmaxy site" is two jobs, not one:
22
+ 1. Routing (DNS + tunnel ingress + alias-domains) — gets the host to the server.
23
+ 2. Root-serving (below) — makes `/` render the site instead of the agent SPA.
24
+
25
+ State this split to the operator up front. Do not imply step 1 alone will show the site.
26
+
27
+ ---
28
+
29
+ ## Recipe — serve `/sites/<slug>/` at a custom domain root
30
+
31
+ 1. **Ingress** — add the hostname(s) to `${CFG_DIR}/config.yml` (per `manual-setup.md`
32
+ multi-ingress section), validate, reload the brand service.
33
+ 2. **alias-domains.json** — add the hostname(s) so the public path filter allows `/sites/`.
34
+ 3. **DNS** — apex via dashboard CNAME (`@` → `<UUID>.cfargotunnel.com`, proxied); `www` via
35
+ dashboard too if the cert is not authorised for the zone (see Gap 2).
36
+ 4. **URL Rewrite Rule** (Cloudflare dashboard) — rewrite every path on the host to the site
37
+ subtree, invisibly (visitor URL stays clean):
38
+ - **Rules → Overview → Create rule → URL Rewrite Rule** (or **Create from template →
39
+ "Rewrite path of moved section"**).
40
+ - If — Custom filter expression: `(http.host eq "<domain>") or (http.host eq "www.<domain>")`
41
+ - Then — Path → Rewrite to → **Dynamic**: `concat("/sites/<slug>", http.request.uri.path)`
42
+ - Leave query string unchanged. Deploy.
43
+ - Effect: `<domain>/` → origin `/sites/<slug>/` → `index.html`; `<domain>/foo.webp` →
44
+ `/sites/<slug>/foo.webp`. Works because `/sites/` is in `PUBLIC_ALLOWED_PREFIXES`.
45
+
46
+ No server restart needed for step 4. Verify: `curl -s https://<domain>/ | head` shows the
47
+ site markup, not the SPA `<div id="root">`.
48
+
49
+ ---
50
+
51
+ ## Gap 2 — `tunnel route dns` misroutes ANY hostname whose zone the cert isn't authorised for
52
+
53
+ `manual-setup.md` Step 4 warns about apex misrouting. The same failure hits **non-apex**
54
+ hostnames too: if the login cert is authorised for zone A (e.g. `maxy.bot`) but you route a
55
+ host in zone B (e.g. `www.getmaxy.com`), `cloudflared` appends zone A and silently creates
56
+ `www.getmaxy.com.maxy.bot` under the wrong zone — exit 0, looks successful.
57
+
58
+ **Rule:** the CLI can only route hostnames in a zone the cert was authorised for at
59
+ `tunnel login`. For a hostname in any other zone (apex OR subdomain), create the CNAME in
60
+ the dashboard, or re-run `cloudflared tunnel login` and authorise the new zone first. Do not
61
+ trust exit 0 — check the emitted record name in the output (`Added CNAME <name>`); if it has
62
+ an extra zone suffix, it misrouted and the stray record needs dashboard deletion.
63
+
64
+ ---
65
+
66
+ ## Gap 3 — dashboard labels are stale in `dashboard-guide.md`
67
+
68
+ - URL rewrites are **not** called "Transform Rules" in the current UI. They are under
69
+ **Rules → Overview → Create rule → URL Rewrite Rule**, with templates via **Create from
70
+ template** (the relevant one: **"Rewrite path of moved section"**).
71
+ - **Page Rules is the wrong tool** for transparent rewrites — it only does forwarding
72
+ (HTTP 301/302 redirects) with a visible URL change. Do not suggest Page Rules when the
73
+ requirement is an invisible origin-path rewrite.
@@ -40,7 +40,7 @@ When local Cloudflare state is corrupt or the operator wants to start from a kno
40
40
 
41
41
  ## Dashboard guidance
42
42
 
43
- For operations only the Cloudflare dashboard can do (sign in, switch accounts, add a site, edit an apex CNAME, verify zone nameservers, delete stale CNAMEs), quote the relevant click-path from `references/dashboard-guide.md` verbatim. The operator follows it in their browser. The agent does not drive the dashboard programmatically.
43
+ For operations only the Cloudflare dashboard can do (sign in, switch accounts, add a site, edit an apex CNAME, verify zone nameservers, delete stale CNAMEs, create URL Rewrite Rules), quote the relevant click-path from `references/dashboard-guide.md` verbatim. The operator follows it in their browser. The agent does not drive the dashboard programmatically.
44
44
 
45
45
  ## Tool discipline — binding
46
46
 
@@ -8,6 +8,38 @@
8
8
 
9
9
  **Diagnose if it ever recurs:** run `bash platform/scripts/__tests__/first-token-creates-stream-log.test.sh` from the install. Pass = invariant holds; any other exit = the writer-side existence contract is broken and one `[log-tee] missing-on-resolve sessionKey=<8> surface=<…>` line on `server.log` is the operator-visible signal (P0). For the duplicate-file class specifically (the 2026-05-14 recurrence trigger), `bash platform/scripts/log-adherence-check.sh` returns non-zero whenever any sessionKey has more than one `claude-agent-stream-<sk>.log` across account dirs.
10
10
 
11
+ ## Retrieving evidence from an rc-spawn session
12
+
13
+ rc-spawn sessions (those started via the sidebar or the `claude rc --spawn` daemon) do not write a per-account stream log under `data/accounts/<id>/logs/`. Their evidence is the Claude Code JSONL transcript in the configDir:
14
+
15
+ ```
16
+ <CLAUDE_CONFIG_DIR>/projects/<slug>/<uuid>.jsonl # parent session
17
+ <…>/projects/<slug>/<uuid>.meta.json # bridgeIds persistent map
18
+ <…>/projects/<slug>/<uuid>/subagents/agent-<hex>.jsonl # each subagent
19
+ <…>/projects/<slug>/<uuid>/subagents/agent-<hex>.meta.json # {"agentType",…}
20
+ ```
21
+
22
+ **Retrieve a session's merged timeline:** `logs-read.sh <key>` with a bare key (no second argument) maps the key to the local `<uuid>` and prints one timestamp-ordered timeline merging the parent transcript with every subagent transcript. The key is resolved in order: a matching `<uuid>.jsonl` on disk; a `sessions/<pid>.json` whose `bridgeSessionId` matches; a `<uuid>.meta.json` whose `bridgeIds` carries the suffix (persistent — survives PID-file cleanup on clean exit); and finally a content scan of the top-level transcripts as last resort. Any accepted key form works: the `claude.ai` `session_<id>`, its bare suffix, or the `<uuid>` (or a unique uuid prefix).
23
+
24
+ Every subagent `is_error` tool_result is flagged inline as `‼ SUBAGENT ERROR` with the agent type, the failing tool, and the error text. The parent session's own tool errors appear as `‼ tool error`. The two are never conflated.
25
+
26
+ **Audit all silently-failed subagents:** `logs-read.sh --scan-subagent-errors [N]` walks every `subagents/agent-*.jsonl` under the configDir and lists each one carrying an `is_error` result — agent type, parent session, failing tool, error text. Optional `N` limits the scan to the `N` most-recently-modified transcripts. Use this when a delivery failure was reported but no reproduction is available.
27
+
28
+ **Quick recipes:**
29
+
30
+ ```bash
31
+ # A session's merged parent+subagent timeline (subagent errors flagged inline)
32
+ ~/maxy-code/platform/scripts/logs-read.sh session_<id>
33
+
34
+ # Standing audit: every subagent transcript that failed silently
35
+ ~/maxy-code/platform/scripts/logs-read.sh --scan-subagent-errors
36
+
37
+ # Limit audit to the 50 most-recent transcripts
38
+ ~/maxy-code/platform/scripts/logs-read.sh --scan-subagent-errors 50
39
+ ```
40
+
41
+ Note: passing an explicit second argument (e.g. `logs-read.sh <key> agent-stream`) still reads the legacy per-account stream log — the bare-key JSONL path is the default when no type is given.
42
+
11
43
  ## A JavaScript-rendered page comes back empty from WebFetch or `url-get`
12
44
 
13
45
  **Symptom:** A page that needs JavaScript to show its content returns empty or a shell document from `WebFetch` (summary) or `url-get` (verbatim, server-rendered).
@@ -1 +1 @@
1
- {"version":3,"file":"http-server.d.ts","sourceRoot":"","sources":["../src/http-server.ts"],"names":[],"mappings":"AAsBA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAM3B,OAAO,EAgBL,KAAK,SAAS,EAEf,MAAM,kBAAkB,CAAA;AAezB,OAAO,KAAK,EAAE,SAAS,EAAc,MAAM,iBAAiB,CAAA;AAE5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AAC3D,OAAO,EAAqB,KAAK,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAgF9E,eAAO,MAAM,kBAAkB,QAA2B,CAAA;AAI1D,MAAM,WAAW,QAAS,SAAQ,IAAI,CAAC,SAAS,EAAE,gBAAgB,GAAG,SAAS,CAAC;IAC7E,OAAO,EAAE,SAAS,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,iBAAiB,EAAE,MAAM,CAAA;IACzB,kBAAkB,EAAE,WAAW,CAAA;IAC/B,eAAe,EAAE,aAAa,CAAA;IAC9B;kFAC8E;IAC9E,cAAc,EAAE,cAAc,CAAA;CAC/B;AA4LD;;;kEAGkE;AAClE,MAAM,MAAM,OAAO,GAAG,IAAI,GAAG;IAC3B,2BAA2B,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;IACpD;;;+CAG2C;IAC3C,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CAChD,CAAA;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAs5CpD"}
1
+ {"version":3,"file":"http-server.d.ts","sourceRoot":"","sources":["../src/http-server.ts"],"names":[],"mappings":"AAsBA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAM3B,OAAO,EAgBL,KAAK,SAAS,EAEf,MAAM,kBAAkB,CAAA;AAezB,OAAO,KAAK,EAAE,SAAS,EAAc,MAAM,iBAAiB,CAAA;AAE5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAA;AAC3D,OAAO,EAAqB,KAAK,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAgF9E,eAAO,MAAM,kBAAkB,QAA2B,CAAA;AAI1D,MAAM,WAAW,QAAS,SAAQ,IAAI,CAAC,SAAS,EAAE,gBAAgB,GAAG,SAAS,CAAC;IAC7E,OAAO,EAAE,SAAS,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,iBAAiB,EAAE,MAAM,CAAA;IACzB,kBAAkB,EAAE,WAAW,CAAA;IAC/B,eAAe,EAAE,aAAa,CAAA;IAC9B;kFAC8E;IAC9E,cAAc,EAAE,cAAc,CAAA;CAC/B;AA4LD;;;kEAGkE;AAClE,MAAM,MAAM,OAAO,GAAG,IAAI,GAAG;IAC3B,2BAA2B,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;IACpD;;;+CAG2C;IAC3C,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CAChD,CAAA;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAg7CpD"}
@@ -1456,6 +1456,14 @@ export function buildHttpApp(deps) {
1456
1456
  argv.push(name);
1457
1457
  if (sessionId)
1458
1458
  argv.push(mode === 'resume' ? '--resume' : '--session-id', sessionId);
1459
+ // Task 592 — per-spawn bypass-permissions waiver. The brand settings.json
1460
+ // carries `defaultMode: bypassPermissions` (Task 583); without this flag
1461
+ // the first-time "WARNING: … 1. No, exit 2. Yes, I accept" disclaimer
1462
+ // hangs the spawn and times out waitForPid. Both documented skip keys are
1463
+ // waived so the disclaimer is suppressed whatever mode the session resolves
1464
+ // to. Per Task 574 doctrine the waiver is per-spawn (never written into
1465
+ // settings.json / .claude.json, which would permanently waive it).
1466
+ argv.push('--settings', JSON.stringify({ skipDangerousModePermissionPrompt: true, skipAutoPermissionPrompt: true }));
1459
1467
  const env = buildRcChildEnv({
1460
1468
  accountId: deps.accountId,
1461
1469
  uiPort: process.env.MAXY_UI_INTERNAL_PORT ?? '',
@@ -1587,8 +1595,13 @@ export function buildHttpApp(deps) {
1587
1595
  // — and the natural-exit path inside `pty.onExit →
1588
1596
  // handlePtyNaturalExit`. The tracker remains in `livePtys` for the
1589
1597
  // session's lifetime.
1590
- void deps.watcher
1591
- .waitForPid(pty.pid, deps.pidFileTimeoutMs)
1598
+ //
1599
+ // Task 592 — capture the promise once so the fire-and-forget logging
1600
+ // and the bounded bridgeSessionId await share the same resolution.
1601
+ const RC_SPAWN_URL_WAIT_MS = 12_000;
1602
+ const waitPidPromise = deps.watcher.waitForPid(pty.pid, deps.pidFileTimeoutMs);
1603
+ // Fire-and-forget: unchanged logging contract.
1604
+ void waitPidPromise
1592
1605
  .then((row) => {
1593
1606
  pidFileSeen = true;
1594
1607
  const ageMs = Date.now() - start;
@@ -1609,12 +1622,24 @@ export function buildHttpApp(deps) {
1609
1622
  err: JSON.stringify(err instanceof Error ? err.message : String(err)),
1610
1623
  });
1611
1624
  });
1625
+ // Task 592 — bounded await: surface bridgeSessionId in the response
1626
+ // so the client can open the exact session URL. The pid file appears
1627
+ // ~2-3 s in production; the 12 s bound is well inside that window.
1628
+ // On timeout (or waitForPid rejection) bridgeSessionId stays null and
1629
+ // the client falls back to the bare claude.ai/code URL.
1630
+ let bridgeSessionId = null;
1631
+ const timedPidRow = await Promise.race([
1632
+ waitPidPromise.then((r) => r).catch(() => null),
1633
+ new Promise((resolve) => setTimeout(() => resolve(null), RC_SPAWN_URL_WAIT_MS)),
1634
+ ]);
1635
+ if (timedPidRow)
1636
+ bridgeSessionId = timedPidRow.bridgeSessionId ?? null;
1612
1637
  // Every rc-spawn child runs inside a `systemd-run --user --scope`
1613
1638
  // unit driven by node-pty; the operator-visible spawnMethod marker
1614
1639
  // is kept stable so server.log greps survive the Task 573 cleanup.
1615
- deps.logger(`[sessions-rc-resume] mode=${mode} sessionId=${sessionId ?? 'none'} jsonlPath=${existingJsonlPath ?? 'none'} name=${name ?? 'none'} spawnedPid=${pty.pid} bridgeId=pending spawnMethod=systemd-scope env.CLAUDE_CONFIG_DIR=${deps.claudeConfigDir}`);
1640
+ deps.logger(`[sessions-rc-resume] mode=${mode} sessionId=${sessionId ?? 'none'} jsonlPath=${existingJsonlPath ?? 'none'} name=${name ?? 'none'} spawnedPid=${pty.pid} bridgeId=${bridgeSessionId ?? 'pending'} spawnMethod=systemd-scope env.CLAUDE_CONFIG_DIR=${deps.claudeConfigDir}`);
1616
1641
  timed(deps.logger, 'POST', '/rc-spawn', 200, Date.now() - start);
1617
- return c.json({ spawnedPid: pty.pid, sessionId: sessionId ?? null });
1642
+ return c.json({ spawnedPid: pty.pid, sessionId: sessionId ?? null, bridgeSessionId });
1618
1643
  });
1619
1644
  return app;
1620
1645
  }