@rubytech/create-maxy 1.0.647 → 1.0.649

package/dist/index.js

@@ -208,7 +208,7 @@ function canSudo() {
 // ---------------------------------------------------------------------------
 // Installation steps
 // ---------------------------------------------------------------------------
-const TOTAL = "11";
+const TOTAL = "12";
 function installSystemDeps() {
     log("1", TOTAL, "System dependencies and network...");
     if (!isLinux()) {
@@ -220,6 +220,11 @@ function installSystemDeps() {
         shell("apt-get", ["install", "-y", "curl", "git", "unzip", "jq", "avahi-daemon", "avahi-utils", "poppler-utils", "ffmpeg"], { sudo: true });
         shell("apt-get", ["install", "-y", "tigervnc-standalone-server", "python3-websockify", "novnc", "xdg-utils", "chromium"], { sudo: true });
         shell("apt-get", ["install", "-y", "hostapd", "dnsmasq"], { sudo: true });
+        // ttyd + tmux power the admin terminal surface (Task 591) — ttyd serves a
+        // WebSocket PTY on 127.0.0.1:7681, tmux provides the persistent named
+        // session that outlives admin-server restarts. Both are in Debian/Raspbian
+        // repos; no third-party source needed.
+        shell("apt-get", ["install", "-y", "ttyd", "tmux"], { sudo: true });
     }
     else {
         console.log("  Skipping apt-get (sudo unavailable non-interactively — deps assumed present from prior install)");
@@ -1400,9 +1405,17 @@ function createTunnelSymlink(linkPath, target) {
 function installTunnelScripts() {
     const setupSrc = join(INSTALL_DIR, "platform/plugins/cloudflare/scripts/setup-tunnel.sh");
     const resetSrc = join(INSTALL_DIR, "platform/plugins/cloudflare/scripts/reset-tunnel.sh");
+    const listSrc = join(INSTALL_DIR, "platform/plugins/cloudflare/scripts/list-cf-domains.sh");
+    // _cdp-authorize.mjs is invoked by setup-tunnel.sh via `node <path>` and
+    // resolved via readlink -f → same dir as the script. It does NOT get a
+    // $HOME symlink — it's a helper, not a top-level operator command. We do
+    // chmod +x defensively so `ls -l` and any ad-hoc `~/setup-tunnel.sh` copy
+    // flow sees it as executable (Task 588).
+    const cdpAuthorizeSrc = join(INSTALL_DIR, "platform/plugins/cloudflare/scripts/_cdp-authorize.mjs");
     const setupLink = resolve(process.env.HOME ?? "/root", "setup-tunnel.sh");
     const resetLink = resolve(process.env.HOME ?? "/root", "reset-tunnel.sh");
-    for (const src of [setupSrc, resetSrc]) {
+    const listLink = resolve(process.env.HOME ?? "/root", "list-cf-domains.sh");
+    for (const src of [setupSrc, resetSrc, listSrc, cdpAuthorizeSrc]) {
         try {
             chmodSync(src, 0o755);
         }
@@ -1415,6 +1428,7 @@ function installTunnelScripts() {
     }
     createTunnelSymlink(setupLink, setupSrc);
     createTunnelSymlink(resetLink, resetSrc);
+    createTunnelSymlink(listLink, listSrc);
 }
 // ---------------------------------------------------------------------------
 // Cron Registration
@@ -1490,8 +1504,65 @@ function installCrons() {
         logFile(`  crontab write failed: ${write.stderr}`);
     }
 }
+function installTerminalService() {
+    log("11", TOTAL, "Installing admin terminal service (ttyd + tmux)...");
+    if (!isLinux()) {
+        console.log("  Skipping admin terminal service (not Linux). On macOS start manually:");
+        console.log("    brew install ttyd tmux && ttyd -p 7681 -i 127.0.0.1 -W tmux new-session -A -s maxy-pty");
+        return;
+    }
+    // Default ~/.tmux.conf — only written if the operator doesn't already have
+    // one. `history-limit 50000` is load-bearing: a closed-tab + reopen during
+    // an upgrade must show every line the operator missed in scrollback.
+    const homeDir = process.env.HOME ?? "/root";
+    const tmuxConfDest = resolve(homeDir, ".tmux.conf");
+    if (!existsSync(tmuxConfDest)) {
+        const tmuxConfTemplate = resolve(INSTALL_DIR, "platform/templates/dotfiles/.tmux.conf");
+        try {
+            if (existsSync(tmuxConfTemplate)) {
+                writeFileSync(tmuxConfDest, readFileSync(tmuxConfTemplate, "utf-8"));
+                console.log(`  Wrote default ~/.tmux.conf (history-limit 50000)`);
+            }
+            else {
+                // Fallback if the template was not in the payload for any reason —
+                // preserves the load-bearing scrollback-size guarantee.
+                writeFileSync(tmuxConfDest, "set -g history-limit 50000\n");
+                console.log(`  Wrote default ~/.tmux.conf (fallback — template missing)`);
+            }
+        }
+        catch (err) {
+            console.error(`  WARNING: failed to write ~/.tmux.conf: ${err instanceof Error ? err.message : String(err)}`);
+        }
+    }
+    // Install and enable the maxy-ttyd.service --user unit. Independent of
+    // BRAND.serviceName — a single device runs one admin terminal regardless of
+    // brand, because the unit binds to 127.0.0.1:7681 which only one process can
+    // hold anyway. On a multi-brand device, the first brand's install writes the
+    // unit and every subsequent install is a no-op (idempotent overwrite).
+    const systemdUserDir = resolve(homeDir, ".config/systemd/user");
+    mkdirSync(systemdUserDir, { recursive: true });
+    const ttydUnitTemplate = resolve(INSTALL_DIR, "platform/templates/systemd/maxy-ttyd.service");
+    const ttydUnitDest = join(systemdUserDir, "maxy-ttyd.service");
+    try {
+        if (existsSync(ttydUnitTemplate)) {
+            writeFileSync(ttydUnitDest, readFileSync(ttydUnitTemplate, "utf-8"));
+        }
+        else {
+            console.error(`  WARNING: maxy-ttyd.service template missing at ${ttydUnitTemplate} — admin terminal will not work`);
+            return;
+        }
+    }
+    catch (err) {
+        console.error(`  WARNING: failed to write ${ttydUnitDest}: ${err instanceof Error ? err.message : String(err)}`);
+        return;
+    }
+    spawnSync("systemctl", ["--user", "daemon-reload"], { stdio: "inherit" });
+    spawnSync("systemctl", ["--user", "enable", "maxy-ttyd"], { stdio: "inherit" });
+    spawnSync("systemctl", ["--user", "restart", "maxy-ttyd"], { stdio: "inherit" });
+    console.log("  maxy-ttyd.service enabled — admin terminal available on 127.0.0.1:7681");
+}
 function installService() {
-    log("11", TOTAL, `Starting ${BRAND.productName}...`);
+    log("12", TOTAL, `Starting ${BRAND.productName}...`);
     if (!isLinux()) {
         console.log("  Skipping systemd service (not Linux). Start manually with:");
         console.log(`  cd ${INSTALL_DIR}/server && MAXY_PLATFORM_ROOT=${INSTALL_DIR}/platform PORT=${PORT} HOSTNAME=0.0.0.0 KEEP_ALIVE_TIMEOUT=61000 node --require ./server-init.cjs server.js`);
@@ -1716,6 +1787,7 @@ WantedBy=multi-user.target
     for (const linkPath of [
         resolve(process.env.HOME ?? "/root", "setup-tunnel.sh"),
         resolve(process.env.HOME ?? "/root", "reset-tunnel.sh"),
+        resolve(process.env.HOME ?? "/root", "list-cf-domains.sh"),
     ]) {
         try {
             accessSync(linkPath, fsConstants.X_OK);
@@ -2032,6 +2104,7 @@ try {
     setupVncViewer();
     setupAccount();
     installTunnelScripts(); // ~/setup-tunnel.sh, ~/reset-tunnel.sh — the SKILL contract
+    installTerminalService(); // Task 591: ttyd + tmux systemd --user unit (sibling of maxy-ui)
     installService();
     console.log("");
     console.log("================================================================");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-maxy",
-  "version": "1.0.647",
+  "version": "1.0.649",
   "description": "Install Maxy — AI for Productive People",
   "bin": {
     "create-maxy": "./dist/index.js"

package/payload/platform/plugins/admin/skills/onboarding/SKILL.md

@@ -129,22 +129,12 @@ If the user skips, let them know they can set up Cloudflare at any time by askin
 
 If the user wants to proceed, first confirm the domain state in one sentence: "Is your domain already on a Cloudflare account?" If not, quote the click-path from `plugins/cloudflare/references/dashboard-guide.md` § "Add a domain to a Cloudflare account" and wait for the user to confirm the zone is **Active**.
 
-Then call `render-component` with `name: "cloudflare-setup-form"` and data containing the domain option lists for this brand. The form collects admin label + admin domain + optional public label + public domain + optional apex + admin password in one submission, then the submit handler runs `setRemotePassword`, `~/setup-tunnel.sh`, and alias-domain writes server-side and relays the script's output — including any `ACTION REQUIRED` block — back as the component's submitted payload.
-
-Data shape (select the option lists by brand — read `brand.json` first to confirm which brand is installed):
-
-- **Maxy brand**: `adminDomainOptions: ["maxy.bot"]`, `publicDomainOptions: ["maxy.bot", "maxy.chat"]`, `apexDomainOptions: ["maxy.chat"]`.
-- **Real Agent brand**: `adminDomainOptions: ["realagent.network"]`, `publicDomainOptions: ["realagent.network"]`, `apexDomainOptions: []`.
+Then call `render-component` with `name: "cloudflare-setup-form"` and data containing only the form copy — the form self-discovers the admin/public/apex domain options from the operator's logged-in Cloudflare dashboard (Task 589) via `/api/admin/cloudflare/domains`. Do not read `brand.json` for domain options; brand identity has no authority over what zones the operator's Cloudflare account holds. The form collects admin label + admin domain + optional public label + public domain + optional apex + admin password in one submission, then the submit handler runs `setRemotePassword`, `~/setup-tunnel.sh`, and alias-domain writes server-side and relays the script's output — including any `ACTION REQUIRED` block — back as the component's submitted payload.
 
 ```
 {
   title: "Set up remote access",
   description: "Connect your device to a custom domain.",
-  adminDomainOptions: [...],
-  publicDomainOptions: [...],
-  apexDomainOptions: [...],
-  defaultAdminDomain: "<first admin domain>",
-  defaultPublicDomain: "<first public domain>",
   submitLabel: "Set up Cloudflare"
 }
 ```

package/payload/platform/plugins/cloudflare/PLUGIN.md

@@ -30,8 +30,9 @@ The plugin registers no agent-facing MCP tools (Task 554). Every Cloudflare oper
 
 | Script | Purpose |
 |---|---|
-| [`scripts/setup-tunnel.sh`](scripts/setup-tunnel.sh) | Autonomous end-to-end setup: OAuth login, tunnel create, DNS route, config + state, service restart, post-restart verification. Invocation: `~/setup-tunnel.sh <brand> <port> <admin-hostname> [<public-hostname>] [<apex-hostname>]`. Apex hostnames print an `ACTION REQUIRED` block for the dashboard record the CLI cannot create. |
-| [`scripts/reset-tunnel.sh`](scripts/reset-tunnel.sh) | Deletes every tunnel on the brand's CF account and wipes `${CFG_DIR}`. Does not touch the platform service, stray CNAMEs, or token-mode connectors — those require dashboard cleanup or `pkill`. Invocation: `~/reset-tunnel.sh <brand>`. |
+| [`scripts/setup-tunnel.sh`](scripts/setup-tunnel.sh) | Autonomous end-to-end setup: OAuth login, tunnel create, DNS route, config + state, service restart, post-restart verification. Invocation: `~/setup-tunnel.sh <brand> <port> <admin-hostname> [<public-hostname>] [<apex-hostname>]`. Apex hostnames print an `ACTION REQUIRED` block for the dashboard record the CLI cannot create. Task 588 drives the Cloudflare Authorize click via CDP WebSocket (`_cdp-authorize.mjs`, below) — no human click required when the VNC browser is already signed into Cloudflare. The OAuth cert-wait after the click is bounded at 20 s with a 2-second `step=oauth-login result=awaiting-cert elapsed=<N>s` heartbeat so no poll exceeds ~2 s silent. |
+| [`scripts/reset-tunnel.sh`](scripts/reset-tunnel.sh) | Deletes every tunnel on the brand's CF account and wipes `${CFG_DIR}`. Does not touch the platform service, stray CNAMEs, or token-mode connectors — those require dashboard cleanup or `pkill`. Invocation: `~/reset-tunnel.sh <brand>`. No polling blocks — every long-wait is bounded by `cloudflared`'s network round-trip, so no heartbeat contract applies. |
+| [`scripts/_cdp-authorize.mjs`](scripts/_cdp-authorize.mjs) | Node 22 ESM helper driving the Cloudflare argotunnel Authorize click via CDP WebSocket. Self-contained (native `fetch` + `WebSocket`), invoked by `setup-tunnel.sh` with the target id returned from the `PUT /json/new?<url>` step. Exits 0 on successful click; 1 on `authorize-button-not-found` (the happy-path loud failure when the VNC browser isn't signed into Cloudflare); 2/3/4/5 on CDP/protocol errors. Emits one `cdp-authorize result=<…> reason=<…>` line to stdout per invocation, teed into the stream log under the `[setup-tunnel:cdp-click]` tag. |
 
 ### Skills
 

package/payload/platform/plugins/cloudflare/scripts/_cdp-authorize.mjs

@@ -0,0 +1,274 @@
+#!/usr/bin/env node
+// Drive the Cloudflare argotunnel Authorize click via CDP WebSocket (Task 588).
+//
+// Why this exists: setup-tunnel.sh navigates the VNC browser to the argotunnel
+// consent URL via `PUT /json/new?<url>`. That opens the page but does not
+// press the Authorize button. Pre-Task 588 the script then polled for
+// cert.pem for up to 180 seconds, waiting for a human click in VNC. This
+// helper does the click from code, collapsing the wait to ~1-3 seconds.
+//
+// Protocol: Chrome DevTools Protocol over WebSocket (https://chromedevtools.github.io/devtools-protocol/).
+//   1. GET http://127.0.0.1:9222/json/list → find the target with matching id;
+//      extract webSocketDebuggerUrl.
+//   2. Open WS, enable Page + Runtime domains.
+//   3. Wait for Page.loadEventFired (or observe document.readyState==='complete').
+//   4. Poll Runtime.evaluate every 200 ms for up to ~3 s, looking for a
+//      button or input[type=submit] whose trimmed text/value matches
+//      /^(authorize|connect)$/i. When found, click via JS (click() on the
+//      matched node). Exit 0 on success, 1 with structured stderr otherwise.
+//
+// Exit codes:
+//   0 - clicked successfully
+//   1 - authorize-button-not-found (the happy-path loud failure)
+//   2 - cdp-ws-unreachable or node-websocket-unavailable
+//   3 - target-not-found (the target_id isn't in /json/list)
+//   4 - click-evaluate-threw (Runtime.evaluate returned wasThrown=true)
+//   5 - protocol-error (malformed CDP response)
+//
+// Each structured failure prints ONE line to stdout in phase_line-compatible
+// shape so setup-tunnel.sh's tee_subprocess picks it up into the stream log:
+//   cdp-authorize result=<ok|error> reason=<…> elapsed_ms=<…> [detail=<…>]
+
+const CDP_HOST = '127.0.0.1';
+const CDP_PORT = 9222;
+const HTTP_TIMEOUT_MS = 3000;
+const BUTTON_POLL_TIMEOUT_MS = 3000;
+const BUTTON_POLL_INTERVAL_MS = 200;
+const LOAD_WAIT_TIMEOUT_MS = 5000;
+const WS_CONNECT_TIMEOUT_MS = 3000;
+const RESULT_WAIT_TIMEOUT_MS = 3000;
+
+function emit(result, reason, extra = {}) {
+  const parts = [`cdp-authorize result=${result} reason=${reason}`];
+  for (const [k, v] of Object.entries(extra)) {
+    if (v === undefined || v === null) continue;
+    const s = String(v).replace(/\s+/g, ' ');
+    parts.push(`${k}="${s.slice(0, 200)}"`);
+  }
+  process.stdout.write(parts.join(' ') + '\n');
+}
+
+function die(code, reason, extra) {
+  emit('error', reason, extra);
+  process.exit(code);
+}
+
+if (typeof WebSocket === 'undefined') {
+  die(2, 'node-websocket-unavailable', {
+    detail: `Node ${process.version} has no global WebSocket — upgrade to Node 22+`,
+  });
+}
+
+const targetId = process.argv[2];
+if (!targetId) {
+  die(2, 'missing-target-id', { detail: 'usage: _cdp-authorize.mjs <target-id>' });
+}
+
+const started = Date.now();
+
+async function fetchTargets() {
+  const ac = new AbortController();
+  const timer = setTimeout(() => ac.abort(), HTTP_TIMEOUT_MS);
+  try {
+    const res = await fetch(`http://${CDP_HOST}:${CDP_PORT}/json/list`, { signal: ac.signal });
+    if (!res.ok) throw new Error(`/json/list returned ${res.status}`);
+    return await res.json();
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
+let targets;
+try {
+  targets = await fetchTargets();
+} catch (err) {
+  die(2, 'cdp-ws-unreachable', { detail: err instanceof Error ? err.message : String(err) });
+}
+
+const target = Array.isArray(targets) ? targets.find((t) => t && t.id === targetId) : undefined;
+if (!target || typeof target.webSocketDebuggerUrl !== 'string') {
+  die(3, 'target-not-found', { target_id: targetId, count: Array.isArray(targets) ? targets.length : -1 });
+}
+
+// Open WebSocket. Native Node 22 global.
+let ws;
+try {
+  ws = new WebSocket(target.webSocketDebuggerUrl);
+} catch (err) {
+  die(2, 'cdp-ws-unreachable', { detail: err instanceof Error ? err.message : String(err) });
+}
+
+// WS open with race guards. Three outcomes are possible:
+//   1. `open` fires before `error` / timeout → resolve and continue.
+//   2. `error` fires before `open` → reject; caller emits die() and exits.
+//   3. Timeout fires before either → reject; caller emits die() and exits.
+// The `.once` on `open`/`error` listeners handles the race where both fire
+// in quick succession (some proxy-protocol mismatches can emit `error`
+// before the open event is dispatched). The catch below awaits the die()
+// call and then `throw`s to guarantee execution does not fall through to
+// the Page.enable call with a dead socket — even if a future refactor
+// removes process.exit() from die().
+try {
+  await new Promise((resolveOpen, rejectOpen) => {
+    const timer = setTimeout(() => rejectOpen(new Error('ws open timeout')), WS_CONNECT_TIMEOUT_MS);
+    ws.addEventListener('open', () => { clearTimeout(timer); resolveOpen(); }, { once: true });
+    ws.addEventListener('error', (e) => { clearTimeout(timer); rejectOpen(new Error(`ws error: ${e.message ?? 'unknown'}`)); }, { once: true });
+  });
+} catch (err) {
+  die(2, 'cdp-ws-unreachable', { detail: err instanceof Error ? err.message : String(err) });
+  throw err; // unreachable — die() exits, but guards the type system and future refactors.
+}
+
+// Message router: CDP replies come back keyed by the `id` we sent. Events
+// arrive with no `id` but a `method` (e.g. "Page.loadEventFired").
+let nextId = 1;
+const pending = new Map();
+const eventListeners = new Map();
+
+ws.addEventListener('message', (evt) => {
+  let msg;
+  try {
+    msg = JSON.parse(typeof evt.data === 'string' ? evt.data : evt.data.toString());
+  } catch {
+    return;
+  }
+  if (typeof msg.id === 'number' && pending.has(msg.id)) {
+    const { resolveIt, rejectIt } = pending.get(msg.id);
+    pending.delete(msg.id);
+    if (msg.error) rejectIt(new Error(`CDP error: ${msg.error.message ?? JSON.stringify(msg.error)}`));
+    else resolveIt(msg.result);
+  } else if (typeof msg.method === 'string') {
+    const listeners = eventListeners.get(msg.method);
+    if (listeners) for (const l of listeners) l(msg.params);
+  }
+});
+
+ws.addEventListener('close', () => {
+  for (const { rejectIt } of pending.values()) {
+    rejectIt(new Error('ws closed while awaiting response'));
+  }
+  pending.clear();
+});
+
+function send(method, params = {}) {
+  const id = nextId++;
+  return new Promise((resolveIt, rejectIt) => {
+    const timer = setTimeout(() => {
+      pending.delete(id);
+      rejectIt(new Error(`CDP ${method} timed out after ${RESULT_WAIT_TIMEOUT_MS}ms`));
+    }, RESULT_WAIT_TIMEOUT_MS);
+    pending.set(id, {
+      resolveIt: (r) => { clearTimeout(timer); resolveIt(r); },
+      rejectIt: (e) => { clearTimeout(timer); rejectIt(e); },
+    });
+    ws.send(JSON.stringify({ id, method, params }));
+  });
+}
+
+function onEvent(method, listener) {
+  let set = eventListeners.get(method);
+  if (!set) { set = new Set(); eventListeners.set(method, set); }
+  set.add(listener);
+  return () => set.delete(listener);
+}
+
+// Enable the two domains we need. Page.enable fires events; Runtime.enable
+// lets us run expressions in the page context.
+try {
+  await send('Page.enable');
+  await send('Runtime.enable');
+} catch (err) {
+  die(5, 'protocol-error', { detail: err.message });
+}
+
+// Wait for load — if the page is already loaded (navigated before this helper
+// ran), Page.loadEventFired may never fire again; poll document.readyState
+// as a fallback. The first of the two to resolve wins.
+async function waitForLoad() {
+  const loadFired = new Promise((resolveIt) => {
+    const off = onEvent('Page.loadEventFired', () => { off(); resolveIt('loadEvent'); });
+  });
+  const readyStatePoll = (async () => {
+    const deadline = Date.now() + LOAD_WAIT_TIMEOUT_MS;
+    while (Date.now() < deadline) {
+      try {
+        const r = await send('Runtime.evaluate', {
+          expression: 'document.readyState',
+          returnByValue: true,
+        });
+        if (r?.result?.value === 'complete' || r?.result?.value === 'interactive') return 'readyState';
+      } catch { /* keep polling */ }
+      await new Promise((res) => setTimeout(res, 200));
+    }
+    throw new Error('load-wait-timeout');
+  })();
+  return Promise.race([loadFired, readyStatePoll]);
+}
+
+try {
+  await waitForLoad();
+} catch (err) {
+  die(1, 'page-load-timeout', { detail: err.message, elapsed_ms: Date.now() - started });
+}
+
+// Poll for the Authorize button. The expression finds the first
+// button/input[type=submit] whose trimmed textContent/value matches
+// /^(authorize|connect)$/i, clicks it, and returns a descriptor. Returns
+// null when no match yet.
+const CLICK_EXPR = `
+(() => {
+  const candidates = Array.from(document.querySelectorAll('button, input[type="submit"]'));
+  const match = candidates.find((el) => {
+    const text = (el.textContent ?? el.value ?? '').trim();
+    return /^(authorize|connect)$/i.test(text) && !el.disabled;
+  });
+  if (!match) return null;
+  const descriptor = {
+    tag: match.tagName.toLowerCase(),
+    text: (match.textContent ?? match.value ?? '').trim().slice(0, 40),
+    disabled: Boolean(match.disabled),
+  };
+  match.click();
+  return descriptor;
+})()
+`;
+
+const clickDeadline = Date.now() + BUTTON_POLL_TIMEOUT_MS;
+let clicked = null;
+while (Date.now() < clickDeadline) {
+  let r;
+  try {
+    r = await send('Runtime.evaluate', {
+      expression: CLICK_EXPR,
+      returnByValue: true,
+      awaitPromise: false,
+    });
+  } catch (err) {
+    die(5, 'protocol-error', { detail: err.message });
+  }
+  if (r?.exceptionDetails) {
+    die(4, 'click-evaluate-threw', {
+      detail: r.exceptionDetails.text ?? 'unknown exception',
+      elapsed_ms: Date.now() - started,
+    });
+  }
+  const val = r?.result?.value;
+  if (val && typeof val === 'object') {
+    clicked = val;
+    break;
+  }
+  await new Promise((res) => setTimeout(res, BUTTON_POLL_INTERVAL_MS));
+}
+
+if (!clicked) {
+  die(1, 'authorize-button-not-found', { elapsed_ms: Date.now() - started });
+}
+
+emit('ok', 'clicked', {
+  tag: clicked.tag,
+  text: clicked.text,
+  elapsed_ms: Date.now() - started,
+});
+
+try { ws.close(); } catch { /* best-effort */ }
+process.exit(0);

package/payload/platform/plugins/cloudflare/scripts/list-cf-domains.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# Deterministic scrape of the operator's Cloudflare dashboard to discover
+# the domains on the logged-in account. Output on stdout is a JSON `string[]`,
+# sorted and deduped. Every failure exits non-zero with a `reason=<enum>`
+# token on stderr tagged `[list-cf-domains]`.
+#
+# Usage:
+#   list-cf-domains.sh [<brand>]
+#
+# The brand arg (default: maxy) names the `${HOME}/.${BRAND}/logs/` directory
+# where selector-drift body dumps land. The script does not read brand.json —
+# the directory is the only brand-derived path it needs.
+#
+# Runtime: Node 22's `--experimental-strip-types` runs the .ts helper
+# directly, so no tsx / playwright / ws dependency exists.
+
+set -euo pipefail
+
+# --------------------------------------------------------------------------
+# Shared stream-log helpers (require STREAM_LOG_PATH, phase_line, …).
+# --------------------------------------------------------------------------
+
+# shellcheck source=_stream-log.sh
+# Resolve symlinks before dirname — ~/list-cf-domains.sh is installed as a
+# symlink into $HOME, so the raw BASH_SOURCE[0] points at $HOME, not the
+# scripts directory where _stream-log.sh lives.
+source "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")/_stream-log.sh"
+require_stream_log_path list-cf-domains
+
+BRAND="${1:-maxy}"
+CONFIG_DIR=".${BRAND}"
+mkdir -p "${HOME}/${CONFIG_DIR}/logs"
+
+phase_line list-cf-domains phase=script-start brand="${BRAND}" config_dir="${CONFIG_DIR}"
+
+SCRIPT_DIR="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
+TS_ENTRY="${SCRIPT_DIR}/list-cf-domains.ts"
+
+if [ ! -f "${TS_ENTRY}" ]; then
+  phase_line list-cf-domains phase=error reason=entry-missing path="${TS_ENTRY}"
+  exit 1
+fi
+
+# 30s hard ceiling. The node helper has its own per-phase budgets totalling
+# ~27s; the wrapper's extra 3s absorbs process startup and CF network jitter.
+# Use `timeout --preserve-status` so the exit code of a timeout is distinct
+# (124) from a helper-reported failure (1).
+HARD_TIMEOUT_SECS=30
+
+# CONFIG_DIR is consumed by the node helper when writing selector-drift dumps
+# to ~/.${BRAND}/logs/list-cf-domains-<ts>.html.
+#
+# `node --experimental-strip-types` (stable in Node 22.22) runs the .ts file
+# natively: type annotations are stripped, no enums / decorators are used, so
+# no TS type-transform is needed. `--no-warnings` suppresses the experimental
+# banner which would otherwise leak into stderr and confuse the route parser.
+set +e
+CONFIG_DIR="${CONFIG_DIR}" timeout --preserve-status --signal=TERM "${HARD_TIMEOUT_SECS}" \
+  node --experimental-strip-types --no-warnings "${TS_ENTRY}"
+EXIT_CODE=$?
+set -e
+
+if [ "${EXIT_CODE}" -eq 124 ]; then
+  phase_line list-cf-domains phase=script-exit code=124 reason=wrapper-timeout budget_secs="${HARD_TIMEOUT_SECS}"
+  exit 1
+fi
+
+phase_line list-cf-domains phase=script-exit code="${EXIT_CODE}"
+exit "${EXIT_CODE}"