@rubytech/create-maxy 1.0.629 → 1.0.630

package/payload/server/public/index.html

@@ -5,7 +5,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Maxy</title>
   <link rel="icon" href="/favicon.ico">
-  <script type="module" crossorigin src="/assets/admin-CGIu9HnV.js"></script>
+  <script type="module" crossorigin src="/assets/admin-DirN63aF.js"></script>
   <link rel="modulepreload" crossorigin href="/assets/chunk-Be6NvmcD.js">
   <link rel="modulepreload" crossorigin href="/assets/preload-helper-rov5CBGT.js">
   <link rel="modulepreload" crossorigin href="/assets/useVoiceRecorder-tbj4tUsl.js">

package/payload/server/server.js

@@ -3610,8 +3610,6 @@ function handleUpgrade(req, clientSocket, head, opts) {
   const qsIndex = url2.indexOf("?");
   const pathname = qsIndex === -1 ? url2 : url2.slice(0, qsIndex);
   if (pathname !== WS_PATH) {
-    vncLog("ws-upgrade", { decision: "rejected", reason: "wrong-path", path: pathname });
-    clientSocket.destroy();
     return;
   }
   const corrId = newCorrId();
@@ -3828,9 +3826,203 @@ Content-Length: 0\r
   socket.destroy();
 }
 
+// server/graph-proxy.ts
+import { createConnection as createConnection2 } from "net";
+var GRAPH_PREFIX = "/graph";
+var UPSTREAM_TIMEOUT_MS2 = 5e3;
+var HOP_BY_HOP2 = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+]);
+function resolveUpstreamPort() {
+  const uri = process.env.NEO4J_URI ?? "bolt://localhost:7687";
+  const m = uri.match(/:(\d+)$/);
+  const boltPort = m ? parseInt(m[1], 10) : 7687;
+  return boltPort - 213;
+}
+var UPSTREAM_HOST = "127.0.0.1";
+var UPSTREAM_PORT = resolveUpstreamPort();
+function attachGraphHttpRoutes(app2) {
+  const handler = async (c) => {
+    const raw2 = c.req.raw;
+    const url2 = new URL(raw2.url);
+    const pathAfterPrefix = url2.pathname.slice(GRAPH_PREFIX.length) || "/";
+    const upstreamUrl = `http://${UPSTREAM_HOST}:${UPSTREAM_PORT}${pathAfterPrefix}${url2.search}`;
+    const upstreamHeaders = new Headers(raw2.headers);
+    for (const h of HOP_BY_HOP2) upstreamHeaders.delete(h);
+    upstreamHeaders.set("host", `${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
+    try {
+      const upstream = await fetch(upstreamUrl, {
+        method: raw2.method,
+        headers: upstreamHeaders,
+        body: raw2.body,
+        // `duplex: 'half'` is required when forwarding a streaming body; TS
+        // typings do not yet expose it but the undici runtime supports it.
+        ...raw2.body ? { duplex: "half" } : {},
+        redirect: "manual"
+      });
+      const resHeaders = new Headers(upstream.headers);
+      for (const h of HOP_BY_HOP2) resHeaders.delete(h);
+      return new Response(upstream.body, {
+        status: upstream.status,
+        statusText: upstream.statusText,
+        headers: resHeaders
+      });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`[graph-proxy] upstream fetch failed for ${upstreamUrl}: ${msg}`);
+      return c.text(`Graph proxy upstream unreachable: ${msg}`, 502);
+    }
+  };
+  app2.all(GRAPH_PREFIX, handler);
+  app2.all(`${GRAPH_PREFIX}/*`, handler);
+}
+function attachGraphWsProxy(server, opts) {
+  server.on("upgrade", (req, clientSocket, head) => {
+    try {
+      const url2 = req.url ?? "";
+      const qsIndex = url2.indexOf("?");
+      const pathname = qsIndex === -1 ? url2 : url2.slice(0, qsIndex);
+      const isGraphPath = pathname === GRAPH_PREFIX || pathname.startsWith(`${GRAPH_PREFIX}/`);
+      if (!isGraphPath) {
+        if (pathname !== "/websockify") {
+          clientSocket.destroy();
+        }
+        return;
+      }
+      const hostHeader = (req.headers.host ?? "").split(":")[0];
+      const remote = req.socket.remoteAddress;
+      const xff = headerString2(req.headers["x-forwarded-for"]);
+      const cookie = headerString2(req.headers.cookie);
+      const decision = opts.canAccessAdmin({
+        host: hostHeader,
+        remoteAddress: remote,
+        xForwardedFor: xff,
+        cookieHeader: cookie,
+        isPublicHost: opts.isPublicHost
+      });
+      if (!decision.allow) {
+        const status = decision.reason === "public-host" ? 404 : 401;
+        writeStatusAndDestroy2(clientSocket, status, decision.reason === "public-host" ? "Not Found" : "Unauthorized");
+        return;
+      }
+      const originHeader = headerString2(req.headers.origin);
+      const originHost = parseOriginHost2(originHeader);
+      if (!originHost || originHost !== hostHeader || opts.isPublicHost(originHost)) {
+        writeStatusAndDestroy2(clientSocket, 403, "Forbidden");
+        return;
+      }
+      const rewrittenPath = pathname === GRAPH_PREFIX ? "/" : pathname.slice(GRAPH_PREFIX.length);
+      const rewrittenUrl = qsIndex === -1 ? rewrittenPath : rewrittenPath + url2.slice(qsIndex);
+      const upstream = createConnection2({ host: UPSTREAM_HOST, port: UPSTREAM_PORT });
+      upstream.setTimeout(UPSTREAM_TIMEOUT_MS2);
+      upstream.once("connect", () => {
+        upstream.setTimeout(0);
+        const lines = [];
+        lines.push(`${req.method ?? "GET"} ${rewrittenUrl} HTTP/${req.httpVersion}`);
+        lines.push(`host: ${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
+        for (const [name, value] of Object.entries(req.headers)) {
+          if (name === "host") continue;
+          if (HOP_BY_HOP2.has(name)) continue;
+          if (value == null) continue;
+          if (Array.isArray(value)) {
+            for (const v of value) lines.push(`${name}: ${v}`);
+          } else {
+            lines.push(`${name}: ${value}`);
+          }
+        }
+        const upgradeHeader = headerString2(req.headers.upgrade);
+        const connectionHeader = headerString2(req.headers.connection);
+        if (upgradeHeader) lines.push(`upgrade: ${upgradeHeader}`);
+        if (connectionHeader) lines.push(`connection: ${connectionHeader}`);
+        upstream.write(lines.join("\r\n") + "\r\n\r\n");
+        if (head && head.length > 0) upstream.write(head);
+        clientSocket.pipe(upstream);
+        upstream.pipe(clientSocket);
+        const teardown = () => {
+          clientSocket.destroy();
+          upstream.destroy();
+        };
+        clientSocket.once("close", teardown);
+        upstream.once("close", teardown);
+        clientSocket.once("error", teardown);
+        upstream.once("error", teardown);
+      });
+      upstream.once("timeout", () => {
+        writeStatusAndDestroy2(clientSocket, 504, "Gateway Timeout");
+        upstream.destroy();
+      });
+      upstream.once("error", (err) => {
+        console.error(`[graph-proxy] ws upstream error: ${err.message}`);
+        writeStatusAndDestroy2(clientSocket, 502, "Bad Gateway");
+        upstream.destroy();
+      });
+    } catch (err) {
+      console.error(`[graph-proxy] upgrade handler exception: ${err.message}`);
+      clientSocket.destroy();
+    }
+  });
+}
+function graphAuthMiddleware(opts) {
+  return async (c, next) => {
+    const url2 = new URL(c.req.raw.url);
+    if (!url2.pathname.startsWith(GRAPH_PREFIX)) return next();
+    const hostHeader = (c.req.header("host") ?? "").split(":")[0];
+    const incoming = c.env?.incoming;
+    const remote = incoming?.socket?.remoteAddress;
+    const xff = c.req.header("x-forwarded-for");
+    const cookie = c.req.header("cookie");
+    const decision = opts.canAccessAdmin({
+      host: hostHeader,
+      remoteAddress: remote,
+      xForwardedFor: xff,
+      cookieHeader: cookie,
+      isPublicHost: opts.isPublicHost
+    });
+    if (!decision.allow) {
+      return c.text(
+        decision.reason === "public-host" ? "Not Found" : "Unauthorized",
+        decision.reason === "public-host" ? 404 : 401
+      );
+    }
+    return next();
+  };
+}
+function headerString2(value) {
+  if (value == null) return void 0;
+  return Array.isArray(value) ? value[0] : value;
+}
+function parseOriginHost2(origin) {
+  if (!origin) return null;
+  try {
+    return new URL(origin).hostname;
+  } catch {
+    return null;
+  }
+}
+function writeStatusAndDestroy2(socket, status, statusText) {
+  try {
+    socket.write(
+      `HTTP/1.1 ${status} ${statusText}\r
+Connection: close\r
+Content-Length: 0\r
+\r
+`
+    );
+  } catch {
+  }
+  socket.destroy();
+}
+
 // app/api/health/route.ts
 import { existsSync as existsSync11, readFileSync as readFileSync12 } from "fs";
-import { createConnection as createConnection3 } from "net";
+import { createConnection as createConnection4 } from "net";
 
 // app/lib/claude-auth.ts
 import { readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
@@ -4187,7 +4379,7 @@ function contextWindow(model) {
 
 // app/lib/vnc.ts
 import { spawnSync, execFileSync } from "child_process";
-import { createConnection as createConnection2 } from "net";
+import { createConnection as createConnection3 } from "net";
 import { mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
 import { resolve as resolve4 } from "path";
 var PLATFORM_ROOT2 = process.env.MAXY_PLATFORM_ROOT ?? resolve4(process.cwd(), "..");
@@ -4282,7 +4474,7 @@ async function waitForPort(port2, timeoutMs = 12e3) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     const ready = await new Promise((res) => {
-      const socket = createConnection2(port2, "127.0.0.1");
+      const socket = createConnection3(port2, "127.0.0.1");
       socket.setTimeout(500);
       socket.once("connect", () => {
         socket.destroy();
@@ -7531,6 +7723,18 @@ function buildSpawnEnv(accountId, accountDir, conversationId) {
     STREAM_LOG_PATH: streamLogPath
   };
 }
+var cachedBrandHostname = null;
+function readBrandHostname() {
+  if (cachedBrandHostname !== null) return cachedBrandHostname;
+  try {
+    const brandPath3 = resolve6(PLATFORM_ROOT4, "config", "brand.json");
+    const parsed = JSON.parse(readFileSync7(brandPath3, "utf-8"));
+    cachedBrandHostname = typeof parsed.hostname === "string" && parsed.hostname.length > 0 ? parsed.hostname : "maxy";
+  } catch {
+    cachedBrandHostname = "maxy";
+  }
+  return cachedBrandHostname;
+}
 function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
   if (!conversationId) {
     throw new Error(`getMcpServers: conversationId is required (accountId=${accountId.slice(0, 8)})`);
@@ -7582,6 +7786,26 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
     "plugin_playwright_playwright": {
       command: "npx",
       args: ["-y", "@playwright/mcp@latest", "--cdp-endpoint", "http://127.0.0.1:9222", "--caps", "pdf"]
+    },
+    // Graph MCP shim (Task 557) — spawns upstream `uvx mcp-neo4j-cypher` locked
+    // into read-only mode and namespaced `maxy-graph`, wraps stderr with our
+    // tee, and emits one `[graph-query]` line per tool call. Credentials flow
+    // from the brand's own NEO4J_URI + config/.neo4j-password so a per-brand
+    // admin session only ever sees its own Neo4j instance (isolation is
+    // enforced upstream by the installer's process/port boundary per
+    // MAXY-PRD.md:627, not in any application-layer filter).
+    "graph": {
+      command: "node",
+      args: [resolve6(PLATFORM_ROOT4, "lib/graph-mcp/dist/index.js")],
+      env: {
+        ...baseEnv,
+        BRAND: readBrandHostname(),
+        NEO4J_URI: process.env.NEO4J_URI ?? "bolt://localhost:7687",
+        NEO4J_USERNAME: process.env.NEO4J_USERNAME ?? process.env.NEO4J_USER ?? "neo4j",
+        NEO4J_NAMESPACE: "maxy-graph",
+        NEO4J_READ_ONLY: "true",
+        NEO4J_RESPONSE_TOKEN_LIMIT: "20000"
+      }
     }
   };
   const tgConfig = resolveAccount()?.config?.telegram;
@@ -7645,6 +7869,12 @@ var ADMIN_CORE_TOOLS = [
   "Glob",
   "Grep",
   "Agent",
+  // Task 557 — upstream mcp-neo4j-cypher (namespaced maxy-graph, read-only).
+  // maxy-graph_write_neo4j_cypher is intentionally absent: writes go through
+  // the schema-aware memory-write tool, which validates labels, properties,
+  // and embeddings. Admin-only by virtue of not being in the public allow list.
+  "mcp__graph__maxy-graph_read_neo4j_cypher",
+  "mcp__graph__maxy-graph_get_neo4j_schema",
   "mcp__memory__memory-search",
   "mcp__memory__memory-rank",
   "mcp__memory__memory-write",
@@ -10217,6 +10447,15 @@ ${body}`;
 
 ${manifest}`;
     }
+    const graphRefPath = resolve6(PLATFORM_ROOT4, "plugins/memory/references/graph-primitives.md");
+    try {
+      const graphRef = readFileSync7(graphRefPath, "utf-8");
+      baseSystemPrompt += `
+
+${graphRef}`;
+    } catch (err) {
+      console.error(`[graph-primitives] reference missing at ${graphRefPath} \u2014 admin session will have no Cypher cookbook: ${err instanceof Error ? err.message : String(err)}`);
+    }
   }
   if (agentConfig?.budget) {
     const pluginTokens = embeddedPlugins.reduce((sum, p) => sum + estimateTokens(p.body), 0);
@@ -27923,7 +28162,7 @@ async function probeApiKey() {
 }
 function checkPort(port2, timeoutMs = 500) {
   return new Promise((resolve29) => {
-    const socket = createConnection3(port2, "127.0.0.1");
+    const socket = createConnection4(port2, "127.0.0.1");
     socket.setTimeout(timeoutMs);
     socket.once("connect", () => {
       socket.destroy();
@@ -33202,6 +33441,9 @@ app.get("/:slug", async (c, next) => {
   }
   await next();
 });
+app.use("/graph/*", graphAuthMiddleware({ isPublicHost, canAccessAdmin }));
+app.use("/graph", graphAuthMiddleware({ isPublicHost, canAccessAdmin }));
+attachGraphHttpRoutes(app);
 app.use("/*", serveStatic({ root: "./public" }));
 var port = parseInt(process.env.PORT ?? "19200", 10);
 var hostname3 = process.env.HOSTNAME ?? "0.0.0.0";
@@ -33211,6 +33453,7 @@ attachVncWsProxy(httpServer, {
   upstreamHost: "127.0.0.1",
   upstreamPort: 6080
 });
+attachGraphWsProxy(httpServer, { isPublicHost, canAccessAdmin });
 console.log(`${BRAND.productName} listening on http://${hostname3}:${port}`);
 (async () => {
   try {