@rubytech/create-maxy 1.0.463 → 1.0.464

package/payload/maxy/server.js

@@ -2485,7 +2485,7 @@ var responseViaResponseObject = async (res, outgoing, options = {}) => {
         });
         if (!chunk) {
           if (i === 1) {
-            await new Promise((resolve17) => setTimeout(resolve17));
+            await new Promise((resolve18) => setTimeout(resolve18));
             maxReadCount = 3;
             continue;
           }
@@ -2852,7 +2852,7 @@ var serveStatic = (options = { root: "" }) => {
 
 // server/index.ts
 import { readFileSync as readFileSync19, existsSync as existsSync19, watchFile } from "fs";
-import { resolve as resolve16, join as join9, basename as basename2 } from "path";
+import { resolve as resolve17, join as join9, basename as basename4 } from "path";
 import { homedir as homedir3 } from "os";
 
 // app/api/health/route.ts
@@ -3091,20 +3091,20 @@ async function probeApiKey() {
   }
 }
 function checkPort(port2, timeoutMs = 500) {
-  return new Promise((resolve17) => {
+  return new Promise((resolve18) => {
     const socket = createConnection(port2, "127.0.0.1");
     socket.setTimeout(timeoutMs);
     socket.once("connect", () => {
       socket.destroy();
-      resolve17(true);
+      resolve18(true);
     });
     socket.once("error", () => {
       socket.destroy();
-      resolve17(false);
+      resolve18(false);
     });
     socket.once("timeout", () => {
       socket.destroy();
-      resolve17(false);
+      resolve18(false);
     });
   });
 }
@@ -3668,7 +3668,7 @@ ${userContent}`;
     "dontAsk",
     prompt
   ];
-  return new Promise((resolve17) => {
+  return new Promise((resolve18) => {
     let stdout = "";
     let stderr = "";
     const spawnFn = _spawnOverride ?? spawn;
@@ -3686,35 +3686,35 @@ ${userContent}`;
     const timer = setTimeout(() => {
       proc.kill("SIGTERM");
       console.error("[persist] autoLabel: haiku subprocess timed out");
-      resolve17(null);
+      resolve18(null);
     }, SESSION_LABEL_TIMEOUT_MS);
     proc.on("error", (err) => {
       clearTimeout(timer);
       console.error(`[persist] autoLabel: subprocess error \u2014 ${err.message}`);
-      resolve17(null);
+      resolve18(null);
     });
     proc.on("close", (code) => {
       clearTimeout(timer);
       if (code !== 0) {
         console.error(`[persist] autoLabel: subprocess exited code=${code}${stderr ? ` stderr=${stderr.trim().slice(0, 200)}` : ""}`);
-        resolve17(null);
+        resolve18(null);
         return;
       }
       const text = stdout.trim();
       if (!text) {
         console.error("[persist] autoLabel: haiku returned empty response");
-        resolve17(null);
+        resolve18(null);
         return;
       }
       if (text === "SKIP") {
         console.error("[persist] autoLabel: haiku returned SKIP \u2014 messages too vague");
-        resolve17(null);
+        resolve18(null);
         return;
       }
       const words = text.split(/\s+/).slice(0, SESSION_LABEL_MAX_WORDS);
       const label = words.join(" ");
       console.error(`[persist] autoLabel: haiku response="${label}"`);
-      resolve17(label);
+      resolve18(label);
     });
   });
 }
@@ -4808,8 +4808,8 @@ async function buildPluginManifest(enabledPlugins) {
           for (const entry of readdirSync(current)) {
             const full = resolve4(current, entry);
             try {
-              const stat = statSync2(full);
-              if (stat.isDirectory()) {
+              const stat3 = statSync2(full);
+              if (stat3.isDirectory()) {
                 walk(full, `${rel}${entry}/`);
               } else if (entry.endsWith(".md")) {
                 target.push(`${prefix}${rel}${entry}`);
@@ -5102,7 +5102,7 @@ function getMcpServers(accountId, enabledPlugins) {
     // the always-on Chromium instance started by vnc.sh on display :99.
     "plugin_playwright_playwright": {
       command: "npx",
-      args: ["-y", "@playwright/mcp@latest", "--cdp-endpoint", "http://127.0.0.1:9222", "--caps", "pdf"]
+      args: ["-y", "@playwright/mcp@latest", "--cdp-endpoint", "http://127.0.0.1:9222"]
     }
   };
   if (process.env.TELEGRAM_PUBLIC_BOT_TOKEN) {
@@ -5194,6 +5194,7 @@ var ADMIN_CORE_TOOLS = [
   "mcp__whatsapp__whatsapp-status",
   "mcp__whatsapp__whatsapp-disconnect",
   "mcp__whatsapp__whatsapp-send",
+  "mcp__whatsapp__whatsapp-send-document",
   "mcp__whatsapp__whatsapp-config",
   "mcp__admin__system-status",
   "mcp__admin__brand-settings",
@@ -5206,6 +5207,7 @@ var ADMIN_CORE_TOOLS = [
   "mcp__admin__session-resume",
   "mcp__admin__api-key-store",
   "mcp__admin__api-key-verify",
+  "mcp__admin__file-attach",
   "mcp__cloudflare__tunnel-status",
   "mcp__cloudflare__tunnel-install",
   "mcp__cloudflare__tunnel-login",
@@ -5343,7 +5345,7 @@ async function fetchMemoryContext(accountId, query, sessionKey, options) {
     return null;
   }
   const startMs = Date.now();
-  return new Promise((resolve17) => {
+  return new Promise((resolve18) => {
     const proc = spawn2(process.execPath, [serverPath], {
       env: {
         ...process.env,
@@ -5372,7 +5374,7 @@ async function fetchMemoryContext(accountId, query, sessionKey, options) {
       } else {
         console.error(`[fetchMemoryContext] failed: ${reason} (${elapsed}ms)${stderrBuf ? ` stderr: ${stderrBuf.slice(0, 500)}` : ""}`);
       }
-      resolve17(value);
+      resolve18(value);
     };
     proc.stdout.on("data", (chunk) => {
       buffer += chunk.toString();
@@ -7572,8 +7574,9 @@ ${raw2}`;
 
 // app/lib/attachments.ts
 import { randomUUID as randomUUID2 } from "crypto";
-import { mkdir, writeFile } from "fs/promises";
-import { resolve as resolve6, extname } from "path";
+import { mkdir, readFile, stat, writeFile } from "fs/promises";
+import { realpathSync } from "fs";
+import { resolve as resolve6, extname, basename } from "path";
 var PLATFORM_ROOT4 = process.env.MAXY_PLATFORM_ROOT ?? resolve6(process.cwd(), "../platform");
 var ATTACHMENTS_ROOT = resolve6(PLATFORM_ROOT4, "data/attachments");
 var SUPPORTED_MIME_TYPES = /* @__PURE__ */ new Set([
@@ -7633,6 +7636,44 @@ async function storePublicAttachment(sessionId, file2, buffer) {
   }
   return writeAttachment(`public/${sessionId}`, file2.name, file2.type, file2.size, buffer);
 }
+var MIME_BY_EXT = {
+  ".pdf": "application/pdf",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".svg": "image/svg+xml",
+  ".html": "text/html",
+  ".htm": "text/html",
+  ".css": "text/css",
+  ".js": "application/javascript",
+  ".json": "application/json",
+  ".csv": "text/csv",
+  ".txt": "text/plain",
+  ".md": "text/markdown",
+  ".xml": "text/xml",
+  ".zip": "application/zip",
+  ".xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  ".pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation"
+};
+function detectMimeType(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  return MIME_BY_EXT[ext] ?? "application/octet-stream";
+}
+async function storeGeneratedFile(accountId, filePath) {
+  const fileStat = await stat(filePath);
+  if (fileStat.size > MAX_FILE_SIZE_BYTES) {
+    throw new Error(
+      `File exceeds the 20 MB limit (${(fileStat.size / 1024 / 1024).toFixed(1)} MB).`
+    );
+  }
+  const filename = basename(filePath);
+  const mimeType = detectMimeType(filePath);
+  const buffer = await readFile(filePath);
+  return writeAttachment(accountId, filename, mimeType, fileStat.size, buffer);
+}
 
 // app/api/chat/route.ts
 function isLocalRequest(req) {
@@ -7844,10 +7885,10 @@ var SCRYPT_R = 8;
 var SCRYPT_P = 1;
 var SCRYPT_KEYLEN = 64;
 function scryptAsync(password, salt) {
-  return new Promise((resolve17, reject) => {
+  return new Promise((resolve18, reject) => {
     scrypt(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_N, r: SCRYPT_R, p: SCRYPT_P }, (err, key) => {
       if (err) reject(err);
-      else resolve17(key);
+      else resolve18(key);
     });
   });
 }
@@ -9400,7 +9441,7 @@ var credsSaveQueue = Promise.resolve();
 async function drainCredsSaveQueue(timeoutMs = 5e3) {
   console.error(`${TAG2} draining credential save queue\u2026`);
   const timer = new Promise(
-    (resolve17) => setTimeout(() => resolve17("timeout"), timeoutMs)
+    (resolve18) => setTimeout(() => resolve18("timeout"), timeoutMs)
   );
   const result = await Promise.race([
     credsSaveQueue.then(() => "drained"),
@@ -9541,11 +9582,11 @@ async function createWaSocket(opts) {
   return sock;
 }
 async function waitForConnection(sock) {
-  return new Promise((resolve17, reject) => {
+  return new Promise((resolve18, reject) => {
     const handler = (update) => {
       if (update.connection === "open") {
         sock.ev.off("connection.update", handler);
-        resolve17();
+        resolve18();
       }
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
@@ -9730,8 +9771,8 @@ async function startLogin(opts) {
   resetActiveLogin(accountId);
   let resolveQr = null;
   let rejectQr = null;
-  const qrPromise = new Promise((resolve17, reject) => {
-    resolveQr = resolve17;
+  const qrPromise = new Promise((resolve18, reject) => {
+    resolveQr = resolve18;
     rejectQr = reject;
   });
   const qrTimer = setTimeout(
@@ -23656,7 +23697,7 @@ var WhatsAppAccountSchema = external_exports.object({
     direct: external_exports.boolean().optional().default(true),
     group: external_exports.enum(["always", "mentions", "never"]).optional().default("mentions")
   }).strict().optional().describe("React to incoming messages with an emoji to acknowledge receipt before the agent responds."),
-  debounceMs: external_exports.number().int().nonnegative().optional().default(0).describe("Wait this many milliseconds after the last message before processing, to batch rapid multi-message input into a single agent turn. 0 means process each message immediately."),
+  debounceMs: external_exports.number().int().nonnegative().optional().default(2e3).describe("Wait this many milliseconds after the last message before processing, to batch rapid multi-message input into a single agent turn. Default 2000ms catches most multi-message bursts. 0 means process each message immediately."),
   publicAgent: external_exports.string().optional().describe("Slug of the public agent that handles WhatsApp inbound from non-admin phones for this account. Overrides the top-level publicAgent when set.")
 }).strict().superRefine((value, ctx) => {
   if (value.dmPolicy !== "open") return;
@@ -23678,7 +23719,7 @@ var WhatsAppConfigSchema = external_exports.object({
   sendReadReceipts: external_exports.boolean().optional().default(true).describe("Whether to send read receipts (blue ticks) when messages are received. Disabling may feel less responsive but preserves privacy."),
   mediaMaxMb: external_exports.number().int().positive().optional().default(50).describe("Maximum file size in MB for media the agent will download and process."),
   textChunkLimit: external_exports.number().int().positive().optional().default(4e3).describe("Maximum characters per outbound message. Longer replies are split into multiple messages."),
-  debounceMs: external_exports.number().int().nonnegative().optional().default(0).describe("Wait this many milliseconds after the last message before processing, to batch rapid multi-message input into a single agent turn. 0 means process each message immediately."),
+  debounceMs: external_exports.number().int().nonnegative().optional().default(2e3).describe("Wait this many milliseconds after the last message before processing, to batch rapid multi-message input into a single agent turn. Default 2000ms catches most multi-message bursts. 0 means process each message immediately."),
   publicAgent: external_exports.string().optional().describe("Slug of the public agent that handles WhatsApp inbound from non-admin phones. Per-account overrides take precedence.")
 }).strict().superRefine((value, ctx) => {
   if (value.dmPolicy !== "open") return;
@@ -24284,6 +24325,53 @@ async function sendReadReceipt(sock, chatJid, messageIds, participant) {
   } catch {
   }
 }
+async function sendMediaMessage(sock, to, media) {
+  try {
+    const jid = to.includes("@") ? to : toWhatsappJid(to);
+    let payload;
+    switch (media.type) {
+      case "image":
+        payload = {
+          image: media.buffer,
+          mimetype: media.mimetype,
+          caption: media.caption
+        };
+        break;
+      case "audio":
+        payload = {
+          audio: media.buffer,
+          mimetype: media.mimetype,
+          ptt: media.ptt ?? false
+        };
+        break;
+      case "video":
+        payload = {
+          video: media.buffer,
+          mimetype: media.mimetype,
+          caption: media.caption
+        };
+        break;
+      case "document":
+        payload = {
+          document: media.buffer,
+          mimetype: media.mimetype,
+          fileName: media.filename ?? "file",
+          caption: media.caption
+        };
+        break;
+    }
+    const result = await sock.sendMessage(jid, payload);
+    const messageId = result?.key?.id;
+    if (messageId) {
+      trackAgentSentMessage(messageId);
+      console.error(`${TAG5} sent ${media.type} to=${jid} id=${messageId}`);
+    }
+    return { success: true, messageId: messageId ?? void 0 };
+  } catch (err) {
+    console.error(`${TAG5} send media failed to=${to}: ${String(err)}`);
+    return { success: false, error: String(err) };
+  }
+}
 
 // app/lib/whatsapp/inbound/media.ts
 import { randomUUID as randomUUID6 } from "crypto";
@@ -24667,11 +24755,11 @@ async function connectWithReconnect(conn) {
       }
       const delay = computeBackoff(conn.reconnectAttempts);
       console.error(`${TAG8} reconnecting account=${conn.accountId} in ${delay}ms (attempt ${conn.reconnectAttempts}/${maxAttempts})`);
-      await new Promise((resolve17) => {
-        const timer = setTimeout(resolve17, delay);
+      await new Promise((resolve18) => {
+        const timer = setTimeout(resolve18, delay);
         conn.abortController.signal.addEventListener("abort", () => {
           clearTimeout(timer);
-          resolve17();
+          resolve18();
         }, { once: true });
       });
       if (conn.abortController.signal.aborted) return;
@@ -24679,14 +24767,14 @@ async function connectWithReconnect(conn) {
   }
 }
 function waitForDisconnectEvent(conn) {
-  return new Promise((resolve17) => {
+  return new Promise((resolve18) => {
     if (!conn.sock) {
-      resolve17();
+      resolve18();
       return;
     }
     conn.sock.ev.on("connection.update", (update) => {
       if (update.connection === "close") {
-        resolve17();
+        resolve18();
       }
     });
   });
@@ -24978,45 +25066,56 @@ async function POST13(req) {
 }
 
 // app/lib/whatsapp/schema-serialize.ts
+function zodTypeName(def) {
+  if (typeof def?.type === "string") return def.type;
+  if (typeof def?.typeName === "string") return def.typeName;
+  return "unknown";
+}
+function isType(name, ...candidates) {
+  return candidates.includes(name);
+}
 function resolveZodType(def) {
-  const typeName = def?.typeName ?? "unknown";
-  if (typeName === "ZodDefault") {
+  const tn = zodTypeName(def);
+  if (isType(tn, "ZodDefault", "default")) {
     const inner = resolveZodType(def.innerType?._def);
     const defaultVal = typeof def.defaultValue === "function" ? def.defaultValue() : def.defaultValue;
     return { ...inner, default: JSON.stringify(defaultVal) };
   }
-  if (typeName === "ZodOptional") {
+  if (isType(tn, "ZodOptional", "optional")) {
     const inner = resolveZodType(def.innerType?._def);
     return { ...inner, required: false };
   }
-  if (typeName === "ZodString") return { type: "string", required: true };
-  if (typeName === "ZodNumber") return { type: "number", required: true };
-  if (typeName === "ZodBoolean") return { type: "boolean", required: true };
-  if (typeName === "ZodEnum") {
+  if (isType(tn, "ZodString", "string")) return { type: "string", required: true };
+  if (isType(tn, "ZodNumber", "number")) return { type: "number", required: true };
+  if (isType(tn, "ZodBoolean", "boolean")) return { type: "boolean", required: true };
+  if (isType(tn, "ZodEnum", "enum")) {
     const values = def.values ?? [];
     return { type: `enum(${values.join(", ")})`, required: true };
   }
-  if (typeName === "ZodArray") {
-    const inner = resolveZodType(def.type?._def);
+  if (isType(tn, "ZodArray", "array")) {
+    const elementDef = def.element?._def ?? def.type?._def;
+    const inner = resolveZodType(elementDef);
     return { type: `${inner.type}[]`, required: true };
   }
-  if (typeName === "ZodRecord") {
+  if (isType(tn, "ZodRecord", "record")) {
     return { type: "Record<string, ...>", required: true };
   }
-  if (typeName === "ZodObject") {
+  if (isType(tn, "ZodObject", "object")) {
     return { type: "object", required: true };
   }
   return { type: "unknown", required: true };
 }
-function extractDescription(def) {
-  if (!def) return void 0;
-  if (typeof def.description === "string") return def.description;
-  if (def.innerType?._def) return extractDescription(def.innerType._def);
+function extractDescription(schema, def) {
+  if (typeof schema?.description === "string") return schema.description;
+  const d = def ?? schema?._def ?? schema;
+  if (typeof d?.description === "string") return d.description;
+  if (d?.innerType) return extractDescription(d.innerType, d.innerType?._def);
   return void 0;
 }
 function unwrapToShape(schema) {
   if (schema?.shape && typeof schema.shape === "object") return schema.shape;
-  if (schema?._def?.typeName === "ZodEffects" && schema._def.schema) {
+  const tn = zodTypeName(schema?._def);
+  if (isType(tn, "ZodEffects", "effects") && schema._def.schema) {
     return unwrapToShape(schema._def.schema);
   }
   if (typeof schema?._def?.shape === "function") return schema._def.shape();
@@ -25028,7 +25127,7 @@ function extractFields(schema) {
   for (const [name, fieldSchema] of Object.entries(shape)) {
     const def = fieldSchema?._def;
     const resolved = resolveZodType(def);
-    const description = extractDescription(def);
+    const description = extractDescription(fieldSchema, def);
     fields.push({
       name,
       type: resolved.type,
@@ -25162,6 +25261,107 @@ async function POST14(req) {
   }
 }
 
+// app/api/whatsapp/send-document/route.ts
+import { readFile as readFile2, stat as stat2 } from "fs/promises";
+import { realpathSync as realpathSync2 } from "fs";
+import { resolve as resolve10, basename as basename2 } from "path";
+var TAG9 = "[whatsapp:api]";
+var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT || "";
+async function POST15(req) {
+  try {
+    const body = await req.json();
+    const { to, filePath, caption, maxyAccountId } = body;
+    const accountId = validateAccountId(body.accountId);
+    if (!to || !filePath) {
+      return Response.json({ error: "Missing required fields: to, filePath" }, { status: 400 });
+    }
+    if (!maxyAccountId || !PLATFORM_ROOT6) {
+      return Response.json(
+        { error: "Cannot validate file path: missing account or platform context" },
+        { status: 400 }
+      );
+    }
+    const accountDir = resolve10(PLATFORM_ROOT6, "config/accounts", maxyAccountId);
+    let resolvedPath;
+    try {
+      resolvedPath = realpathSync2(filePath);
+      const accountResolved = realpathSync2(accountDir);
+      if (!resolvedPath.startsWith(accountResolved + "/")) {
+        const sanitised = filePath.replace(accountDir, "<account>/");
+        console.error(`${TAG9} send-document REJECTED path=${sanitised} reason=outside_account_directory`);
+        return Response.json({ error: "Access denied: file is outside the account directory" }, { status: 403 });
+      }
+    } catch (err) {
+      const code = err.code;
+      if (code === "ENOENT") {
+        console.error(`${TAG9} send-document ENOENT path=${filePath}`);
+        return Response.json({ error: `File not found: ${filePath}` }, { status: 404 });
+      }
+      console.error(`${TAG9} send-document path error: ${String(err)}`);
+      return Response.json({ error: String(err) }, { status: 500 });
+    }
+    const fileStat = await stat2(resolvedPath);
+    if (fileStat.size > MAX_FILE_SIZE_BYTES) {
+      return Response.json(
+        { error: `File exceeds 20 MB limit (${(fileStat.size / 1024 / 1024).toFixed(1)} MB)` },
+        { status: 400 }
+      );
+    }
+    const buffer = Buffer.from(await readFile2(resolvedPath));
+    const filename = basename2(resolvedPath);
+    const mimetype = detectMimeType(resolvedPath);
+    const sock = getSocket(accountId);
+    if (!sock) {
+      return Response.json(
+        { error: `WhatsApp account "${accountId}" is not connected` },
+        { status: 503 }
+      );
+    }
+    const result = await sendMediaMessage(sock, to, {
+      type: "document",
+      buffer,
+      mimetype,
+      filename,
+      caption
+    });
+    console.error(
+      `${TAG9} send-document to=${to} size=${fileStat.size} mime=${mimetype} ok=${result.success}` + (result.messageId ? ` id=${result.messageId}` : "")
+    );
+    return Response.json(result);
+  } catch (err) {
+    console.error(`${TAG9} send-document error: ${String(err)}`);
+    return Response.json({ error: String(err) }, { status: 500 });
+  }
+}
+
+// app/api/admin/file-attach/route.ts
+async function POST16(req) {
+  try {
+    const body = await req.json();
+    const { filePath, accountId } = body;
+    if (!filePath || !accountId) {
+      return Response.json(
+        { error: "Missing required fields: filePath, accountId" },
+        { status: 400 }
+      );
+    }
+    const attachment = await storeGeneratedFile(accountId, filePath);
+    console.error(
+      `[admin:file-attach] stored path=${filePath} id=${attachment.attachmentId} size=${attachment.sizeBytes} mime=${attachment.mimeType}`
+    );
+    return Response.json({
+      attachmentId: attachment.attachmentId,
+      filename: attachment.filename,
+      sizeBytes: attachment.sizeBytes,
+      mimeType: attachment.mimeType
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`[admin:file-attach] error: ${message}`);
+    return Response.json({ error: message }, { status: 500 });
+  }
+}
+
 // app/api/onboarding/claude-auth/route.ts
 import { spawn as spawn3, execFileSync as execFileSync2 } from "child_process";
 import { openSync, closeSync, writeFileSync as writeFileSync7, writeSync } from "fs";
@@ -25192,7 +25392,7 @@ async function waitForAuthPage(timeoutMs = 2e4) {
 async function GET3() {
   return Response.json({ authenticated: checkAuthStatus() });
 }
-async function POST15(req) {
+async function POST17(req) {
   let body = {};
   try {
     body = await req.json();
@@ -25249,7 +25449,7 @@ import { createHash } from "crypto";
 function hashPin(pin) {
   return createHash("sha256").update(pin).digest("hex");
 }
-async function POST16(req) {
+async function POST18(req) {
   if (existsSync11(PIN_FILE)) {
     return Response.json(
       { error: "PIN is already configured." },
@@ -25307,7 +25507,7 @@ function getStoredPinHash() {
   }
   return null;
 }
-async function POST17(req) {
+async function POST19(req) {
   const storedHash = getStoredPinHash();
   if (!storedHash) {
     return Response.json(
@@ -25428,7 +25628,7 @@ function advanceGateIfNeeded(envelope, accountDir, logFn) {
   const pending = Object.entries(gates).filter(([, v]) => !v).map(([k]) => k);
   logFn(`${gateFlag} gate advanced (route-level). Pending: ${pending.length > 0 ? pending.join(", ") : "none"}`);
 }
-async function POST18(req) {
+async function POST20(req) {
   const contentType = req.headers.get("content-type") ?? "";
   let message;
   let session_key;
@@ -25650,7 +25850,7 @@ async function POST18(req) {
 }
 
 // app/api/admin/compact/route.ts
-async function POST19(req) {
+async function POST21(req) {
   let body;
   try {
     body = await req.json();
@@ -25692,7 +25892,7 @@ async function POST19(req) {
 
 // app/api/admin/logs/route.ts
 import { existsSync as existsSync14, readdirSync as readdirSync2, readFileSync as readFileSync14, statSync as statSync3 } from "fs";
-import { resolve as resolve10, basename } from "path";
+import { resolve as resolve11, basename as basename3 } from "path";
 var TAIL_BYTES = 8192;
 async function GET4(request) {
   const { searchParams } = new URL(request.url);
@@ -25700,12 +25900,12 @@ async function GET4(request) {
   const typeParam = searchParams.get("type");
   const download = searchParams.get("download") === "1";
   const account = resolveAccount();
-  const accountLogDir = account ? resolve10(account.accountDir, "logs") : null;
+  const accountLogDir = account ? resolve11(account.accountDir, "logs") : null;
   if (fileParam) {
-    const safe = basename(fileParam);
+    const safe = basename3(fileParam);
     for (const dir of [accountLogDir, LOG_DIR]) {
       if (!dir) continue;
-      const filePath = resolve10(dir, safe);
+      const filePath = resolve11(dir, safe);
       try {
         const content = readFileSync14(filePath, "utf-8");
         const headers = { "Content-Type": "text/plain; charset=utf-8" };
@@ -25731,7 +25931,7 @@ async function GET4(request) {
     }
     for (const dir of [accountLogDir, LOG_DIR]) {
       if (!dir) continue;
-      const filePath = resolve10(dir, fileName);
+      const filePath = resolve11(dir, fileName);
       try {
         const content = readFileSync14(filePath, "utf-8");
         const headers = { "Content-Type": "text/plain; charset=utf-8" };
@@ -25752,10 +25952,10 @@ async function GET4(request) {
     } catch {
       continue;
     }
-    files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync3(resolve10(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
+    files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync3(resolve11(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
       seen.add(name);
       try {
-        const content = readFileSync14(resolve10(dir, name));
+        const content = readFileSync14(resolve11(dir, name));
         const tail = content.length > TAIL_BYTES ? content.subarray(content.length - TAIL_BYTES).toString("utf-8") : content.toString("utf-8");
         logs[name] = tail.trim() || "(empty)";
       } catch {
@@ -25789,9 +25989,9 @@ async function GET5() {
 }
 
 // app/api/admin/attachment/[attachmentId]/route.ts
-import { readFile, readdir } from "fs/promises";
+import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync15 } from "fs";
-import { resolve as resolve11 } from "path";
+import { resolve as resolve12 } from "path";
 async function GET6(req, attachmentId) {
   const sessionKey = new URL(req.url).searchParams.get("session_key") ?? "";
   if (!validateSession(sessionKey, "admin")) {
@@ -25804,17 +26004,17 @@ async function GET6(req, attachmentId) {
   if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/.test(attachmentId)) {
     return new Response("Not found", { status: 404 });
   }
-  const dir = resolve11(ATTACHMENTS_ROOT, accountId, attachmentId);
+  const dir = resolve12(ATTACHMENTS_ROOT, accountId, attachmentId);
   if (!existsSync15(dir)) {
     return new Response("Not found", { status: 404 });
   }
-  const metaPath = resolve11(dir, `${attachmentId}.meta.json`);
+  const metaPath = resolve12(dir, `${attachmentId}.meta.json`);
   if (!existsSync15(metaPath)) {
     return new Response("Not found", { status: 404 });
   }
   let meta3;
   try {
-    meta3 = JSON.parse(await readFile(metaPath, "utf-8"));
+    meta3 = JSON.parse(await readFile3(metaPath, "utf-8"));
   } catch {
     return new Response("Not found", { status: 404 });
   }
@@ -25823,8 +26023,8 @@ async function GET6(req, attachmentId) {
   if (!dataFile) {
     return new Response("Not found", { status: 404 });
   }
-  const filePath = resolve11(dir, dataFile);
-  const buffer = await readFile(filePath);
+  const filePath = resolve12(dir, dataFile);
+  const buffer = await readFile3(filePath);
   return new Response(buffer, {
     headers: {
       "Content-Type": meta3.mimeType,
@@ -25836,7 +26036,7 @@ async function GET6(req, attachmentId) {
 
 // app/api/admin/account/route.ts
 import { readFileSync as readFileSync15, writeFileSync as writeFileSync10 } from "fs";
-import { resolve as resolve12 } from "path";
+import { resolve as resolve13 } from "path";
 var VALID_CONTEXT_MODES = ["managed", "claude-code"];
 async function PATCH(req) {
   let body;
@@ -25859,7 +26059,7 @@ async function PATCH(req) {
   if (!account) {
     return Response.json({ error: "No account configured" }, { status: 500 });
   }
-  const configPath2 = resolve12(account.accountDir, "account.json");
+  const configPath2 = resolve13(account.accountDir, "account.json");
   try {
     const raw2 = readFileSync15(configPath2, "utf-8");
     const config2 = JSON.parse(raw2);
@@ -25874,14 +26074,14 @@ async function PATCH(req) {
 }
 
 // app/api/admin/agents/route.ts
-import { resolve as resolve13 } from "path";
+import { resolve as resolve14 } from "path";
 import { readdirSync as readdirSync3, readFileSync as readFileSync16, existsSync as existsSync16 } from "fs";
 async function GET7() {
   const account = resolveAccount();
   if (!account) {
     return Response.json({ agents: [] });
   }
-  const agentsDir = resolve13(account.accountDir, "agents");
+  const agentsDir = resolve14(account.accountDir, "agents");
   if (!existsSync16(agentsDir)) {
     return Response.json({ agents: [] });
   }
@@ -25891,7 +26091,7 @@ async function GET7() {
     for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
       if (!entry.isDirectory()) continue;
       if (entry.name === "admin") continue;
-      const configPath2 = resolve13(agentsDir, entry.name, "config.json");
+      const configPath2 = resolve14(agentsDir, entry.name, "config.json");
       if (!existsSync16(configPath2)) continue;
       try {
         const config2 = JSON.parse(readFileSync16(configPath2, "utf-8"));
@@ -25913,11 +26113,11 @@ async function GET7() {
 
 // app/api/admin/version/route.ts
 import { readFileSync as readFileSync17, existsSync as existsSync17 } from "fs";
-import { resolve as resolve14, join as join7 } from "path";
-var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT ?? resolve14(process.cwd(), "..");
+import { resolve as resolve15, join as join7 } from "path";
+var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT ?? resolve15(process.cwd(), "..");
 var brandHostname = "maxy";
 var brandNpmPackage = "@rubytech/create-maxy";
-var brandJsonPath = join7(PLATFORM_ROOT6, "config", "brand.json");
+var brandJsonPath = join7(PLATFORM_ROOT7, "config", "brand.json");
 if (existsSync17(brandJsonPath)) {
   try {
     const brand = JSON.parse(readFileSync17(brandJsonPath, "utf-8"));
@@ -25926,7 +26126,7 @@ if (existsSync17(brandJsonPath)) {
   } catch {
   }
 }
-var VERSION_FILE = resolve14(PLATFORM_ROOT6, `config/.${brandHostname}-version`);
+var VERSION_FILE = resolve15(PLATFORM_ROOT7, `config/.${brandHostname}-version`);
 var NPM_PACKAGE = brandNpmPackage;
 var REGISTRY_URL = `https://registry.npmjs.org/${NPM_PACKAGE}/latest`;
 var CACHE_TTL_MS = 60 * 60 * 1e3;
@@ -25989,11 +26189,11 @@ async function GET8() {
 // app/api/admin/version/upgrade/route.ts
 import { spawn as spawn4 } from "child_process";
 import { existsSync as existsSync18, statSync as statSync4, writeFileSync as writeFileSync11, readFileSync as readFileSync18, openSync as openSync2, closeSync as closeSync2 } from "fs";
-import { resolve as resolve15, join as join8 } from "path";
-var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT ?? resolve15(process.cwd(), "..");
+import { resolve as resolve16, join as join8 } from "path";
+var PLATFORM_ROOT8 = process.env.MAXY_PLATFORM_ROOT ?? resolve16(process.cwd(), "..");
 var upgradePkg = "@rubytech/create-maxy";
 var upgradeHostname = "maxy";
-var brandPath = join8(PLATFORM_ROOT7, "config", "brand.json");
+var brandPath = join8(PLATFORM_ROOT8, "config", "brand.json");
 if (existsSync18(brandPath)) {
   try {
     const brand = JSON.parse(readFileSync18(brandPath, "utf-8"));
@@ -26008,13 +26208,13 @@ var LOCK_MAX_AGE_MS = 3 * 60 * 1e3;
 function isLockFresh() {
   if (!existsSync18(LOCK_FILE)) return false;
   try {
-    const stat = statSync4(LOCK_FILE);
-    return Date.now() - stat.mtimeMs < LOCK_MAX_AGE_MS;
+    const stat3 = statSync4(LOCK_FILE);
+    return Date.now() - stat3.mtimeMs < LOCK_MAX_AGE_MS;
   } catch {
     return false;
   }
 }
-async function POST20(req) {
+async function POST22(req) {
   let body;
   try {
     body = await req.json();
@@ -26043,7 +26243,7 @@ async function POST20(req) {
       detached: true,
       stdio: ["ignore", logFd, logFd],
       env: { ...process.env, npm_config_yes: "true" },
-      cwd: resolve15(process.cwd(), "..")
+      cwd: resolve16(process.cwd(), "..")
     });
     child.unref();
     closeSync2(logFd);
@@ -26138,7 +26338,7 @@ async function GET10(req, { params }) {
 }
 
 // app/api/admin/browser/launch/route.ts
-async function POST21() {
+async function POST23() {
   try {
     const vncOk = await ensureVnc();
     if (!vncOk) {
@@ -26159,8 +26359,8 @@ async function POST21() {
 }
 
 // server/index.ts
-var PLATFORM_ROOT8 = process.env.MAXY_PLATFORM_ROOT || "";
-var BRAND_JSON_PATH = PLATFORM_ROOT8 ? join9(PLATFORM_ROOT8, "config", "brand.json") : "";
+var PLATFORM_ROOT9 = process.env.MAXY_PLATFORM_ROOT || "";
+var BRAND_JSON_PATH = PLATFORM_ROOT9 ? join9(PLATFORM_ROOT9, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
 if (BRAND_JSON_PATH && !existsSync19(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
@@ -26491,13 +26691,14 @@ app.post("/api/whatsapp/disconnect", (c) => POST11(c.req.raw));
 app.post("/api/whatsapp/reconnect", (c) => POST12(c.req.raw));
 app.post("/api/whatsapp/send", (c) => POST13(c.req.raw));
 app.post("/api/whatsapp/config", (c) => POST14(c.req.raw));
+app.post("/api/whatsapp/send-document", (c) => POST15(c.req.raw));
 app.get("/api/onboarding/claude-auth", () => GET3());
-app.post("/api/onboarding/claude-auth", (c) => POST15(c.req.raw));
-app.post("/api/onboarding/set-pin", (c) => POST16(c.req.raw));
+app.post("/api/onboarding/claude-auth", (c) => POST17(c.req.raw));
+app.post("/api/onboarding/set-pin", (c) => POST18(c.req.raw));
 app.delete("/api/onboarding/set-pin", (c) => DELETE(c.req.raw));
-app.post("/api/admin/session", (c) => POST17(c.req.raw));
-app.post("/api/admin/chat", (c) => POST18(c.req.raw));
-app.post("/api/admin/compact", (c) => POST19(c.req.raw));
+app.post("/api/admin/session", (c) => POST19(c.req.raw));
+app.post("/api/admin/chat", (c) => POST20(c.req.raw));
+app.post("/api/admin/compact", (c) => POST21(c.req.raw));
 app.get("/api/admin/logs", (c) => GET4(c.req.raw));
 app.get("/api/admin/claude-info", () => GET5());
 app.patch("/api/admin/account", (c) => PATCH(c.req.raw));
@@ -26505,10 +26706,11 @@ app.get(
   "/api/admin/attachment/:attachmentId",
   (c) => GET6(c.req.raw, c.req.param("attachmentId"))
 );
+app.post("/api/admin/file-attach", (c) => POST16(c.req.raw));
 app.get("/api/admin/version", () => GET8());
-app.post("/api/admin/version/upgrade", (c) => POST20(c.req.raw));
+app.post("/api/admin/version/upgrade", (c) => POST22(c.req.raw));
 app.get("/api/admin/agents", () => GET7());
-app.post("/api/admin/browser/launch", () => POST21());
+app.post("/api/admin/browser/launch", () => POST23());
 app.get("/api/admin/sessions", (c) => GET9(c.req.raw));
 app.delete(
   "/api/admin/sessions/:id",
@@ -26540,7 +26742,7 @@ var brandScript = `<script>window.__BRAND__=${JSON.stringify({
 function cachedHtml(file2) {
   let html = htmlCache.get(file2);
   if (!html) {
-    html = readFileSync19(resolve16(process.cwd(), "public", file2), "utf-8");
+    html = readFileSync19(resolve17(process.cwd(), "public", file2), "utf-8");
     html = html.replace("</head>", `${brandScript}
 </head>`);
     htmlCache.set(file2, html);
@@ -26634,7 +26836,7 @@ var port = parseInt(process.env.PORT ?? "19200", 10);
 var hostname3 = process.env.HOSTNAME ?? "0.0.0.0";
 serve({ fetch: app.fetch, port, hostname: hostname3 });
 console.log(`${BRAND.productName} listening on http://${hostname3}:${port}`);
-var configDirForWhatsApp = basename2(MAXY_DIR) || ".maxy";
+var configDirForWhatsApp = basename4(MAXY_DIR) || ".maxy";
 var bootAccount = resolveAccount();
 var bootAccountConfig = bootAccount?.config;
 var bootPublicAgent = bootAccount ? getPublicAgent(bootAccount.accountDir) : null;
@@ -26645,7 +26847,7 @@ if (bootAccountConfig?.whatsapp) {
 }
 init({
   configDir: configDirForWhatsApp,
-  platformRoot: resolve16(process.env.MAXY_PLATFORM_ROOT ?? join9(__dirname, "..")),
+  platformRoot: resolve17(process.env.MAXY_PLATFORM_ROOT ?? join9(__dirname, "..")),
   accountConfig: bootAccountConfig,
   onMessage: async (msg) => {
     try {