@rubytech/create-maxy 1.0.676 → 1.0.678

package/payload/server/server.js

@@ -1,28 +1,31 @@
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __commonJS = (cb, mod) => function __require() {
-  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
+import {
+  BIN_DIR,
+  CLAUDE_CREDENTIALS_FILE,
+  LOG_DIR,
+  MAXY_DIR,
+  TELEGRAM_ADMIN_WEBHOOK_SECRET_FILE,
+  TELEGRAM_WEBHOOK_SECRET_FILE,
+  USERS_FILE,
+  __commonJS,
+  __toESM,
+  canAccessAdmin,
+  checkRateLimit,
+  clearRateLimit,
+  createRemoteSession,
+  hashPassword,
+  invalidateRemoteSession,
+  isPasswordValid,
+  isRemoteAuthConfigured,
+  recordFailedAttempt,
+  renderLoginPage,
+  resolveClientIp,
+  sanitizeClientCorrId,
+  setRemotePassword,
+  validatePasswordStrength,
+  verifyPassword,
+  verifyRemotePassword,
+  vncLog
+} from "./chunk-5YIXIF6C.js";
 
 // ../lib/models/dist/index.js
 var require_dist = __commonJS({
@@ -2526,7 +2529,7 @@ var responseViaResponseObject = async (res, outgoing, options = {}) => {
         });
         if (!chunk) {
           if (i === 1) {
-            await new Promise((resolve31) => setTimeout(resolve31));
+            await new Promise((resolve28) => setTimeout(resolve28));
             maxReadCount = 3;
             continue;
           }
@@ -2892,1248 +2895,9 @@ var serveStatic = (options = { root: "" }) => {
 };
 
 // server/index.ts
-import { readFileSync as readFileSync26, existsSync as existsSync25, watchFile } from "fs";
-import { createConnection as createConnection5 } from "net";
-import { resolve as resolve30, join as join13, basename as basename7 } from "path";
-import { homedir as homedir5 } from "os";
-
-// app/lib/vnc-logger.ts
-import { appendFileSync, mkdirSync } from "fs";
-import { resolve as resolve2 } from "path";
-
-// app/lib/paths.ts
-import { homedir } from "os";
-import { resolve, join as join2 } from "path";
-import { existsSync as existsSync2, readFileSync } from "fs";
-var configDirName = ".maxy";
-var platformRoot = process.env.MAXY_PLATFORM_ROOT;
-if (platformRoot) {
-  const brandPath = join2(platformRoot, "config", "brand.json");
-  if (existsSync2(brandPath)) {
-    try {
-      const brand = JSON.parse(readFileSync(brandPath, "utf-8"));
-      if (brand.configDir) configDirName = brand.configDir;
-    } catch {
-    }
-  }
-}
-var MAXY_DIR = resolve(homedir(), configDirName);
-var PLATFORM_ROOT = process.env.MAXY_PLATFORM_ROOT ?? resolve(process.cwd(), "..");
-var USERS_FILE = resolve(PLATFORM_ROOT, "config", "users.json");
-var LOG_DIR = resolve(MAXY_DIR, "logs");
-var BIN_DIR = resolve(MAXY_DIR, "bin");
-var REMOTE_PASSWORD_FILE = resolve(MAXY_DIR, ".remote-password");
-var TELEGRAM_WEBHOOK_SECRET_FILE = resolve(MAXY_DIR, ".telegram-webhook-secret");
-var TELEGRAM_ADMIN_WEBHOOK_SECRET_FILE = resolve(MAXY_DIR, ".telegram-admin-webhook-secret");
-var CLAUDE_CREDENTIALS_FILE = resolve(homedir(), ".claude", ".credentials.json");
-
-// app/lib/vnc-logger.ts
-var VNC_LOG_FILE = resolve2(LOG_DIR, "vnc-boot.log");
-try {
-  mkdirSync(LOG_DIR, { recursive: true });
-} catch (err) {
-  console.error(`[vnc-log-fail] mkdir ${LOG_DIR} failed: ${err.message}`);
-}
-function vncLog(phase, fields = {}) {
-  const ts = (/* @__PURE__ */ new Date()).toISOString();
-  const kv = Object.entries(fields).map(([k, v]) => `${k}=${JSON.stringify(v)}`).join(" ");
-  const line = kv.length > 0 ? `[${ts}] [${phase}] ${kv}
-` : `[${ts}] [${phase}]
-`;
-  try {
-    appendFileSync(VNC_LOG_FILE, line);
-  } catch (err) {
-    console.error(`[vnc-log-fail] ${err.message} \u2014 dropped: ${line.slice(0, 300).trim()}`);
-  }
-}
-var corrCounter = 0;
-function newCorrId() {
-  corrCounter = corrCounter + 1 & 4294967295;
-  const counterHex = corrCounter.toString(16).padStart(8, "0");
-  const randomHex = Math.floor(Math.random() * 16777215).toString(16).padStart(6, "0");
-  return `${counterHex}-${randomHex}`;
-}
-function sanitizeClientCorrId(raw2) {
-  if (!raw2) return null;
-  if (raw2.length > 32) return null;
-  if (!/^[A-Za-z0-9_-]+$/.test(raw2)) return null;
-  return raw2;
-}
-
-// app/lib/remote-auth.ts
-import { scrypt, randomBytes, timingSafeEqual } from "crypto";
-import { readFileSync as readFileSync2, writeFileSync, existsSync as existsSync3 } from "fs";
-
-// app/lib/password-strength.ts
-function validatePasswordStrength(password) {
-  return [
-    { key: "length", label: "At least 8 characters", met: password.length >= 8 },
-    { key: "number", label: "Contains a number", met: /\d/.test(password) },
-    { key: "special", label: "Contains a special character", met: /[^A-Za-z0-9]/.test(password) },
-    { key: "whitespace", label: "No spaces", met: password.length > 0 && !/\s/.test(password) }
-  ];
-}
-function isPasswordValid(password) {
-  return validatePasswordStrength(password).every((r) => r.met);
-}
-
-// app/lib/remote-auth.ts
-var SCRYPT_N = 16384;
-var SCRYPT_R = 8;
-var SCRYPT_P = 1;
-var SCRYPT_KEYLEN = 64;
-function scryptAsync(password, salt) {
-  return new Promise((resolve31, reject) => {
-    scrypt(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_N, r: SCRYPT_R, p: SCRYPT_P }, (err, key) => {
-      if (err) reject(err);
-      else resolve31(key);
-    });
-  });
-}
-async function hashPassword(password) {
-  const salt = randomBytes(32);
-  const hash = await scryptAsync(password, salt);
-  return `${salt.toString("hex")}:${hash.toString("hex")}`;
-}
-async function verifyPassword(password, stored) {
-  const colonIndex = stored.indexOf(":");
-  if (colonIndex === -1) return false;
-  const saltHex = stored.slice(0, colonIndex);
-  const hashHex = stored.slice(colonIndex + 1);
-  if (!saltHex || !hashHex) return false;
-  try {
-    const salt = Buffer.from(saltHex, "hex");
-    const storedHash = Buffer.from(hashHex, "hex");
-    if (storedHash.length !== SCRYPT_KEYLEN) return false;
-    const computed = await scryptAsync(password, salt);
-    return timingSafeEqual(computed, storedHash);
-  } catch {
-    return false;
-  }
-}
-function isRemoteAuthConfigured() {
-  if (!existsSync3(REMOTE_PASSWORD_FILE)) return false;
-  const content = readFileSync2(REMOTE_PASSWORD_FILE, "utf-8").trim();
-  return content.length > 0 && content.includes(":");
-}
-function readPasswordHash() {
-  try {
-    if (!existsSync3(REMOTE_PASSWORD_FILE)) return null;
-    const content = readFileSync2(REMOTE_PASSWORD_FILE, "utf-8").trim();
-    if (!content || !content.includes(":")) return null;
-    return content;
-  } catch {
-    return null;
-  }
-}
-async function setRemotePassword(password) {
-  const hash = await hashPassword(password);
-  writeFileSync(REMOTE_PASSWORD_FILE, hash, "utf-8");
-}
-async function verifyRemotePassword(password) {
-  const stored = readPasswordHash();
-  if (!stored) return false;
-  return verifyPassword(password, stored);
-}
-var SESSION_TTL_MS = 24 * 60 * 60 * 1e3;
-var remoteSessions = /* @__PURE__ */ new Map();
-function pruneExpiredSessions() {
-  const now = Date.now();
-  for (const [token, session] of remoteSessions) {
-    if (now - session.createdAt > SESSION_TTL_MS) {
-      remoteSessions.delete(token);
-    }
-  }
-}
-function createRemoteSession() {
-  const token = randomBytes(32).toString("hex");
-  remoteSessions.set(token, { createdAt: Date.now() });
-  return token;
-}
-function validateRemoteSession(token) {
-  if (!token) return false;
-  pruneExpiredSessions();
-  const session = remoteSessions.get(token);
-  if (!session) return false;
-  if (Date.now() - session.createdAt > SESSION_TTL_MS) {
-    remoteSessions.delete(token);
-    return false;
-  }
-  return true;
-}
-function invalidateRemoteSession(token) {
-  remoteSessions.delete(token);
-}
-var MAX_ATTEMPTS = 5;
-var LOCKOUT_MS = 15 * 60 * 1e3;
-var rateLimitMap = /* @__PURE__ */ new Map();
-function checkRateLimit(ip) {
-  const rec = rateLimitMap.get(ip);
-  if (!rec) return null;
-  if (rec.lockedUntil > Date.now()) {
-    const remaining = Math.ceil((rec.lockedUntil - Date.now()) / 1e3);
-    return `Too many attempts. Try again in ${remaining}s`;
-  }
-  if (rec.lockedUntil > 0) {
-    rateLimitMap.delete(ip);
-  }
-  return null;
-}
-function recordFailedAttempt(ip) {
-  const rec = rateLimitMap.get(ip) ?? { count: 0, lockedUntil: 0 };
-  rec.count++;
-  if (rec.count >= MAX_ATTEMPTS) {
-    rec.lockedUntil = Date.now() + LOCKOUT_MS;
-    rec.count = 0;
-  }
-  rateLimitMap.set(ip, rec);
-}
-function clearRateLimit(ip) {
-  rateLimitMap.delete(ip);
-}
-setInterval(() => {
-  const now = Date.now();
-  for (const [ip, rec] of rateLimitMap) {
-    if (rec.lockedUntil > 0 && rec.lockedUntil <= now) {
-      rateLimitMap.delete(ip);
-    }
-  }
-}, 15 * 60 * 1e3).unref();
-function normalizeIp(ip) {
-  if (!ip) return void 0;
-  const trimmed = ip.trim();
-  if (trimmed.startsWith("::ffff:")) return trimmed.slice(7);
-  return trimmed;
-}
-function isLoopback(ip) {
-  return ip === "127.0.0.1" || ip.startsWith("127.") || ip === "::1";
-}
-function isPrivateIp(ip) {
-  const parts = ip.split(".");
-  if (parts.length !== 4) return false;
-  const a = parseInt(parts[0], 10);
-  const b = parseInt(parts[1], 10);
-  if (Number.isNaN(a) || Number.isNaN(b)) return false;
-  if (a === 10) return true;
-  if (a === 172 && b >= 16 && b <= 31) return true;
-  if (a === 192 && b === 168) return true;
-  if (a === 169 && b === 254) return true;
-  return false;
-}
-function resolveClientIp(remoteAddress, xForwardedFor) {
-  const remote = normalizeIp(remoteAddress);
-  if (!remote) return void 0;
-  if (isLoopback(remote) && xForwardedFor) {
-    const firstIp = normalizeIp(xForwardedFor.split(",")[0]?.trim());
-    if (firstIp) {
-      if (isLoopback(firstIp) || isPrivateIp(firstIp)) return "loopback";
-      return firstIp;
-    }
-  }
-  return remote;
-}
-function isExternalIp(ip) {
-  if (!ip) return false;
-  const normalized = normalizeIp(ip);
-  if (!normalized) return false;
-  if (isLoopback(normalized)) return false;
-  if (isPrivateIp(normalized)) return false;
-  return true;
-}
-function renderLoginPage(opts) {
-  const error = opts?.error ?? "";
-  const lockout = opts?.lockoutSeconds ?? 0;
-  const redirect = opts?.redirect ?? "/";
-  const mode = opts?.mode ?? "login";
-  const changeError = opts?.changeError ?? "";
-  const success = opts?.success ?? "";
-  const setupError = opts?.setupError ?? "";
-  const primaryColor = opts?.primaryColor ?? "#7C8C72";
-  const primaryHoverColor = opts?.primaryHoverColor ?? "#6A7A62";
-  const primarySubtle = opts?.primarySubtle ?? "rgba(124,140,114,0.08)";
-  const productName = opts?.productName ?? "Maxy";
-  const logoPath = opts?.logoPath ?? "/brand/maxy-monochrome.png";
-  const faviconPath = opts?.faviconPath ?? "/favicon.ico";
-  const displayFont = opts?.displayFont ?? "'Cormorant', Georgia, serif";
-  const bodyFont = opts?.bodyFont ?? "'DM Sans', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif";
-  const logoContainsName = opts?.logoContainsName ?? false;
-  const errorHtml = error ? `<p class="msg msg--error">${escapeHtml(error)}</p>` : "";
-  const changeErrorHtml = changeError ? `<p class="msg msg--error">${escapeHtml(changeError)}</p>` : "";
-  const successHtml = success ? `<p class="msg msg--success">${escapeHtml(success)}</p>` : "";
-  const lockoutHtml = lockout > 0 ? `<p class="msg msg--error">Too many attempts. Try again in <span id="countdown">${lockout}</span>s</p>
-       <script>
-         (function() {
-           var s = ${lockout};
-           var el = document.getElementById('countdown');
-           var iv = setInterval(function() { s--; el.textContent = s; if (s <= 0) { clearInterval(iv); location.reload(); } }, 1000);
-         })();
-       </script>` : "";
-  const setupErrorHtml = setupError ? `<p class="msg msg--error">${escapeHtml(setupError)}</p>` : "";
-  const formDisabled = lockout > 0 ? "disabled" : "";
-  const loginDisplay = mode === "login" ? "block" : "none";
-  const changeDisplay = mode === "change" ? "block" : "none";
-  const setupDisplay = mode === "setup" ? "block" : "none";
-  const successDisplay = mode === "success" ? "block" : "none";
-  const subtitleText = mode === "setup" ? "Set your remote password" : "Remote access";
-  const displayFontName = displayFont.match(/^'([^']+)'/)?.[1] ?? "";
-  const bodyFontName = bodyFont.match(/^'([^']+)'/)?.[1] ?? "";
-  const googleFontsLink = displayFontName || bodyFontName ? [
-    '<link rel="preconnect" href="https://fonts.googleapis.com">',
-    '<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>',
-    '<link href="https://fonts.googleapis.com/css2?' + [
-      displayFontName ? `family=${displayFontName.replace(/ /g, "+")}:wght@300;400` : "",
-      bodyFontName ? `family=${bodyFontName.replace(/ /g, "+")}:wght@400;500` : ""
-    ].filter(Boolean).join("&") + '&display=swap" rel="stylesheet">'
-  ].join("\n  ") : "";
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <title>Sign in \u2014 ${escapeHtml(productName)}</title>
-  <link rel="icon" href="${escapeHtml(faviconPath)}">
-  ${googleFontsLink}
-  <style>
-    * { margin: 0; padding: 0; box-sizing: border-box; }
-    body {
-      font-family: ${bodyFont};
-      background: #FAFAF8;
-      color: #1A1A1A;
-      min-height: 100vh;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-    }
-    .page {
-      display: flex;
-      flex-direction: column;
-      align-items: center;
-      gap: 24px;
-      max-width: 420px;
-      width: 100%;
-      padding: 40px 20px;
-    }
-    .logo-img {
-      width: 110px;
-      height: 110px;
-      margin: -11px;
-      object-fit: contain;
-    }
-    .title {
-      font-family: ${displayFont};
-      font-weight: 300;
-      font-size: 28px;
-      color: #1A1A1A;
-      text-align: center;
-      letter-spacing: -0.01em;
-      line-height: 1.3;
-    }
-    .subtitle {
-      font-size: 15px;
-      color: #6B6B6B;
-      text-align: center;
-      margin-top: -8px;
-    }
-    .form-wrap {
-      width: 100%;
-      max-width: 300px;
-    }
-    .field { margin-bottom: 12px; }
-    .field-label {
-      display: block;
-      font-size: 13px;
-      font-weight: 500;
-      color: #6B6B6B;
-      margin-bottom: 6px;
-    }
-    .field-input {
-      width: 100%;
-      padding: 10px 12px;
-      border: 1px solid rgba(0,0,0,0.1);
-      border-radius: 8px;
-      font-size: 15px;
-      font-family: inherit;
-      outline: none;
-      background: #fff;
-      transition: border-color 0.15s, box-shadow 0.15s;
-    }
-    .field-input:focus {
-      border-color: ${primaryColor};
-      box-shadow: 0 0 0 3px ${primarySubtle};
-    }
-    .options {
-      display: flex;
-      align-items: center;
-      justify-content: space-between;
-      gap: 12px;
-      margin-top: 8px;
-    }
-
-    /* Checkbox \u2014 matches Maxy shared checkbox (asterisk-in-square) */
-    .check {
-      position: relative;
-      display: flex;
-      align-items: center;
-      gap: 8px;
-      cursor: pointer;
-      user-select: none;
-    }
-    .check input { position: absolute; opacity: 0; width: 0; height: 0; pointer-events: none; }
-    .check-box {
-      width: 14px;
-      height: 14px;
-      border: 1px solid rgba(0,0,0,0.1);
-      border-radius: 2px;
-      display: flex;
-      align-items: center;
-      justify-content: center;
-      font-size: 10px;
-      color: transparent;
-      transition: border-color 0.15s, color 0.15s;
-      flex-shrink: 0;
-    }
-    .check input:checked + .check-box {
-      border-color: ${primaryColor};
-      color: ${primaryColor};
-    }
-    .check-label {
-      font-size: 13px;
-      color: #6B6B6B;
-    }
-
-    /* Ghost button \u2014 matches Maxy ghost variant */
-    .ghost {
-      background: none;
-      border: none;
-      font-family: inherit;
-      font-size: 13px;
-      color: #6B6B6B;
-      cursor: pointer;
-      padding: 4px 0;
-      transition: color 0.15s;
-    }
-    .ghost:hover { color: #1A1A1A; }
-
-    /* Primary button */
-    .btn {
-      width: 100%;
-      padding: 12px;
-      margin-top: 16px;
-      background: ${primaryColor};
-      color: #fff;
-      border: none;
-      border-radius: 10px;
-      font-size: 15px;
-      font-weight: 500;
-      font-family: inherit;
-      cursor: pointer;
-      transition: background 0.15s;
-    }
-    .btn:hover:not(:disabled) { background: ${primaryHoverColor}; }
-    .btn:disabled { opacity: 0.5; cursor: not-allowed; }
-
-    /* Messages */
-    .msg {
-      font-size: 13px;
-      text-align: center;
-      margin-top: 8px;
-    }
-    .msg--error { color: #c44; }
-    .msg--success { color: ${primaryColor}; }
-
-    /* Strength checklist (setup mode) */
-    .strength-checklist { margin: 8px 0; }
-    .strength-item {
-      font-size: 13px;
-      color: #6B6B6B;
-      padding: 2px 0;
-      transition: color 0.15s;
-    }
-    .strength-icon {
-      display: inline-block;
-      width: 16px;
-      text-align: center;
-    }
-
-    @media (max-width: 440px) {
-      .page { padding: 24px 16px; }
-    }
-  </style>
-</head>
-<body>
-  <div class="page">
-    <img src="${escapeHtml(logoPath)}" alt="${escapeHtml(productName)}" class="logo-img">
-    <h1 class="title"${logoContainsName ? ' style="display:none"' : ""}>${escapeHtml(productName)}</h1>
-    <p class="subtitle">${escapeHtml(subtitleText)}</p>
-
-    ${successHtml}
-
-    <!-- Login -->
-    <div id="login-section" class="form-wrap" style="display:${loginDisplay}">
-      <form method="POST" action="/__remote-auth/login">
-        <input type="hidden" name="redirect" value="${escapeHtml(redirect)}">
-        <div class="field">
-          <label class="field-label" for="password">Password</label>
-          <input class="field-input" type="password" id="password" name="password" required autofocus ${formDisabled}>
-        </div>
-        <div class="options">
-          <label class="check">
-            <input type="checkbox" id="show-login-pw">
-            <span class="check-box">\u2731</span>
-            <span class="check-label">Show password</span>
-          </label>
-          <button type="button" class="ghost" onclick="toggleMode('change')">Change password</button>
-        </div>
-        <button type="submit" class="btn" ${formDisabled}>Sign in</button>
-      </form>
-      ${errorHtml}
-      ${lockoutHtml}
-    </div>
-
-    <!-- Change password -->
-    <div id="change-section" class="form-wrap" style="display:${changeDisplay}">
-      <form method="POST" action="/__remote-auth/change-password">
-        <input type="hidden" name="redirect" value="${escapeHtml(redirect)}">
-        <div class="field">
-          <label class="field-label" for="current_password">Current password</label>
-          <input class="field-input" type="password" id="current_password" name="current_password" required ${formDisabled}>
-        </div>
-        <div class="field">
-          <label class="field-label" for="new_password">New password</label>
-          <input class="field-input" type="password" id="new_password" name="new_password" required ${formDisabled}>
-        </div>
-        <div class="field">
-          <label class="field-label" for="confirm_password">Confirm new password</label>
-          <input class="field-input" type="password" id="confirm_password" name="confirm_password" required ${formDisabled}>
-        </div>
-        <div class="options">
-          <label class="check">
-            <input type="checkbox" id="show-change-pw">
-            <span class="check-box">\u2731</span>
-            <span class="check-label">Show passwords</span>
-          </label>
-          <button type="button" class="ghost" onclick="toggleMode('login')">Back to sign in</button>
-        </div>
-        <button type="submit" class="btn" ${formDisabled}>Change password</button>
-      </form>
-      ${changeErrorHtml}
-    </div>
-
-    <!-- Setup (initial password) -->
-    <div id="setup-section" class="form-wrap" style="display:${setupDisplay}">
-      <form method="POST" action="/__remote-auth/set-initial-password">
-        <div class="field">
-          <label class="field-label" for="setup_password">Password</label>
-          <input class="field-input" type="password" id="setup_password" name="password" required autofocus>
-        </div>
-        <div class="field">
-          <label class="field-label" for="setup_confirm">Confirm password</label>
-          <input class="field-input" type="password" id="setup_confirm" name="confirm_password" required>
-        </div>
-        <div id="strength-checklist" class="strength-checklist">
-          <div class="strength-item" id="req-length"><span class="strength-icon">\u25CB</span> At least 8 characters</div>
-          <div class="strength-item" id="req-number"><span class="strength-icon">\u25CB</span> Contains a number</div>
-          <div class="strength-item" id="req-special"><span class="strength-icon">\u25CB</span> Contains a special character</div>
-          <div class="strength-item" id="req-spaces"><span class="strength-icon">\u25CB</span> No spaces</div>
-        </div>
-        <div class="options">
-          <label class="check">
-            <input type="checkbox" id="show-setup-pw">
-            <span class="check-box">\u2731</span>
-            <span class="check-label">Show passwords</span>
-          </label>
-        </div>
-        <button type="submit" class="btn" id="setup-submit" disabled>Set password</button>
-      </form>
-      ${setupErrorHtml}
-    </div>
-
-    <!-- Success (after initial password set) -->
-    <div id="success-section" class="form-wrap" style="display:${successDisplay}">
-      <p class="msg msg--success" style="font-size:15px;margin-bottom:4px;">\u2713 Password set</p>
-      <p style="font-size:14px;color:#6B6B6B;text-align:center;">You can close this tab and return to the onboarding tab.</p>
-      <script>
-        (function() {
-          try {
-            var ch = new BroadcastChannel('platform-onboarding');
-            setTimeout(function() {
-              ch.postMessage({ type: 'remote-password-set' });
-              ch.close();
-            }, 2500);
-          } catch(e) {}
-        })();
-      </script>
-    </div>
-  </div>
-
-  <script>
-    /* Toggle between login and change-password modes */
-    function toggleMode(mode) {
-      document.getElementById('login-section').style.display = mode === 'login' ? 'block' : 'none';
-      document.getElementById('change-section').style.display = mode === 'change' ? 'block' : 'none';
-      /* Focus first input in the active section */
-      var id = mode === 'login' ? 'password' : 'current_password';
-      var el = document.getElementById(id);
-      if (el) el.focus();
-    }
-
-    /* Show/hide password toggles */
-    function bindShowHide(checkboxId, inputIds) {
-      var cb = document.getElementById(checkboxId);
-      if (!cb) return;
-      cb.addEventListener('change', function() {
-        var type = cb.checked ? 'text' : 'password';
-        inputIds.forEach(function(id) {
-          var el = document.getElementById(id);
-          if (el) el.type = type;
-        });
-      });
-    }
-    bindShowHide('show-login-pw', ['password']);
-    bindShowHide('show-change-pw', ['current_password', 'new_password', 'confirm_password']);
-    bindShowHide('show-setup-pw', ['setup_password', 'setup_confirm']);
-
-    /* Explicit Enter-to-submit for the login password field */
-    var loginPw = document.getElementById('password');
-    if (loginPw) {
-      loginPw.addEventListener('keydown', function(e) {
-        if (e.key === 'Enter') {
-          e.preventDefault();
-          this.closest('form').requestSubmit();
-        }
-      });
-    }
-
-    /* Live password strength validation (setup mode) */
-    (function() {
-      var pw = document.getElementById('setup_password');
-      var confirm = document.getElementById('setup_confirm');
-      var btn = document.getElementById('setup-submit');
-      if (!pw || !confirm || !btn) return;
-
-      var rules = [
-        { id: 'req-length', test: function(p) { return p.length >= 8; } },
-        { id: 'req-number', test: function(p) { return /\\d/.test(p); } },
-        { id: 'req-special', test: function(p) { return /[^A-Za-z0-9]/.test(p); } },
-        { id: 'req-spaces', test: function(p) { return p.length > 0 && !/\\s/.test(p); } }
-      ];
-
-      function check() {
-        var p = pw.value;
-        var allMet = true;
-        rules.forEach(function(r) {
-          var el = document.getElementById(r.id);
-          var met = r.test(p);
-          if (!met) allMet = false;
-          el.querySelector('.strength-icon').textContent = met ? '\\u2713' : '\\u25CB';
-          el.style.color = met ? '${primaryColor}' : '#6B6B6B';
-        });
-        var match = p.length > 0 && p === confirm.value;
-        btn.disabled = !(allMet && match);
-      }
-
-      pw.addEventListener('input', check);
-      confirm.addEventListener('input', check);
-    })();
-  </script>
-</body>
-</html>`;
-}
-function escapeHtml(str) {
-  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
-}
-
-// app/lib/auth-gate.ts
-function canAccessAdmin(input) {
-  if (input.isPublicHost(input.host)) {
-    return { allow: false, reason: "public-host" };
-  }
-  const clientIp = resolveClientIp(input.remoteAddress, input.xForwardedFor);
-  if (!isExternalIp(clientIp)) {
-    return { allow: true };
-  }
-  if (!isRemoteAuthConfigured()) {
-    return { allow: false, reason: "remote-unconfigured" };
-  }
-  const token = parseCookieValue(input.cookieHeader, "__remote_session");
-  if (token && validateRemoteSession(token)) {
-    return { allow: true };
-  }
-  return { allow: false, reason: "unauthorized" };
-}
-function parseCookieValue(cookieHeader, name) {
-  if (!cookieHeader) return null;
-  const match2 = cookieHeader.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`));
-  if (!match2) return null;
-  try {
-    return decodeURIComponent(match2[1]);
-  } catch {
-    return null;
-  }
-}
-
-// server/ws-proxy.ts
-import { createConnection } from "net";
-var WS_PATH = "/websockify";
-var UPSTREAM_TIMEOUT_MS = 5e3;
-var HOP_BY_HOP = /* @__PURE__ */ new Set([
-  "connection",
-  "keep-alive",
-  "proxy-authenticate",
-  "proxy-authorization",
-  "te",
-  "trailer",
-  "transfer-encoding",
-  "upgrade"
-]);
-function attachVncWsProxy(server, opts) {
-  const upstreamHost = opts.upstreamHost ?? "127.0.0.1";
-  const upstreamPort = opts.upstreamPort ?? 6080;
-  server.on("upgrade", (req, clientSocket, head) => {
-    try {
-      handleUpgrade(req, clientSocket, head, {
-        isPublicHost: opts.isPublicHost,
-        upstreamHost,
-        upstreamPort
-      });
-    } catch (err) {
-      vncLog("ws-upgrade", {
-        decision: "rejected",
-        reason: "handler-exception",
-        err: err.message
-      });
-      clientSocket.destroy();
-    }
-  });
-}
-function handleUpgrade(req, clientSocket, head, opts) {
-  const url = req.url ?? "";
-  const qsIndex = url.indexOf("?");
-  const pathname = qsIndex === -1 ? url : url.slice(0, qsIndex);
-  if (pathname !== WS_PATH) {
-    return;
-  }
-  const corrId = newCorrId();
-  const query = qsIndex === -1 ? "" : url.slice(qsIndex + 1);
-  const rawClientCorrId = parseQueryParam(query, "corrId");
-  const clientCorrId = sanitizeClientCorrId(rawClientCorrId);
-  const hostHeader = (req.headers.host ?? "").split(":")[0];
-  const originHeader = headerString(req.headers.origin);
-  const remote = req.socket.remoteAddress;
-  const xff = headerString(req.headers["x-forwarded-for"]);
-  const decision = canAccessAdmin({
-    host: hostHeader,
-    remoteAddress: remote,
-    xForwardedFor: xff,
-    cookieHeader: headerString(req.headers.cookie),
-    isPublicHost: opts.isPublicHost
-  });
-  if (!decision.allow) {
-    const status = decision.reason === "public-host" ? 404 : 401;
-    vncLog("ws-upgrade", {
-      corrId,
-      clientCorrId: clientCorrId ?? null,
-      decision: "rejected",
-      reason: decision.reason,
-      ip: remote,
-      xff: xff ?? null,
-      origin: originHeader ?? null,
-      host: hostHeader
-    });
-    writeStatusAndDestroy(clientSocket, status, decision.reason === "public-host" ? "Not Found" : "Unauthorized");
-    return;
-  }
-  const originHost = parseOriginHost(originHeader);
-  if (!originHost) {
-    vncLog("ws-upgrade", {
-      corrId,
-      clientCorrId: clientCorrId ?? null,
-      decision: "rejected",
-      reason: "origin-missing-or-invalid",
-      origin: originHeader ?? null,
-      host: hostHeader,
-      ip: remote
-    });
-    writeStatusAndDestroy(clientSocket, 403, "Forbidden");
-    return;
-  }
-  if (originHost !== hostHeader) {
-    vncLog("ws-upgrade", {
-      corrId,
-      clientCorrId: clientCorrId ?? null,
-      decision: "rejected",
-      reason: "origin-mismatch",
-      origin_host: originHost,
-      host: hostHeader,
-      ip: remote
-    });
-    writeStatusAndDestroy(clientSocket, 403, "Forbidden");
-    return;
-  }
-  if (opts.isPublicHost(originHost)) {
-    vncLog("ws-upgrade", {
-      corrId,
-      clientCorrId: clientCorrId ?? null,
-      decision: "rejected",
-      reason: "origin-public-host",
-      origin_host: originHost,
-      host: hostHeader,
-      ip: remote
-    });
-    writeStatusAndDestroy(clientSocket, 403, "Forbidden");
-    return;
-  }
-  vncLog("ws-upgrade", {
-    corrId,
-    clientCorrId: clientCorrId ?? null,
-    decision: "accepted",
-    ip: remote,
-    xff: xff ?? null,
-    origin: originHeader ?? null,
-    host: hostHeader,
-    sec_ws_version: headerString(req.headers["sec-websocket-version"]) ?? null,
-    sec_ws_protocol: headerString(req.headers["sec-websocket-protocol"]) ?? null
-  });
-  const upstream = createConnection({ host: opts.upstreamHost, port: opts.upstreamPort });
-  upstream.setTimeout(UPSTREAM_TIMEOUT_MS);
-  let bytesClientToUpstream = 0;
-  let bytesUpstreamToClient = 0;
-  let closedBy = null;
-  let proxyOpened = false;
-  const finish = (side, reason) => {
-    if (closedBy) return;
-    closedBy = side;
-    if (proxyOpened) {
-      vncLog("proxy-close", {
-        corrId,
-        closedBy: side,
-        reason,
-        clientBytes: bytesClientToUpstream,
-        upstreamBytes: bytesUpstreamToClient
-      });
-    }
-    clientSocket.destroy();
-    upstream.destroy();
-  };
-  upstream.once("connect", () => {
-    upstream.setTimeout(0);
-    proxyOpened = true;
-    vncLog("proxy-open", {
-      corrId,
-      upstream: `${opts.upstreamHost}:${opts.upstreamPort}`
-    });
-    const lines = [];
-    lines.push(`${req.method ?? "GET"} ${WS_PATH} HTTP/${req.httpVersion}`);
-    lines.push(`host: ${opts.upstreamHost}:${opts.upstreamPort}`);
-    for (const [name, value] of Object.entries(req.headers)) {
-      if (name === "host") continue;
-      if (HOP_BY_HOP.has(name)) continue;
-      if (value == null) continue;
-      if (Array.isArray(value)) {
-        for (const v of value) lines.push(`${name}: ${v}`);
-      } else {
-        lines.push(`${name}: ${value}`);
-      }
-    }
-    const upgradeHeader = headerString(req.headers.upgrade);
-    const connectionHeader = headerString(req.headers.connection);
-    if (upgradeHeader) lines.push(`upgrade: ${upgradeHeader}`);
-    if (connectionHeader) lines.push(`connection: ${connectionHeader}`);
-    upstream.write(lines.join("\r\n") + "\r\n\r\n");
-    if (head && head.length > 0) upstream.write(head);
-    clientSocket.on("data", (chunk) => {
-      bytesClientToUpstream += chunk.length;
-    });
-    upstream.on("data", (chunk) => {
-      bytesUpstreamToClient += chunk.length;
-    });
-    clientSocket.pipe(upstream);
-    upstream.pipe(clientSocket);
-    clientSocket.once("close", (hadError) => {
-      finish("client", hadError ? "error" : "normal");
-    });
-    upstream.once("close", (hadError) => {
-      finish("upstream", hadError ? "error" : "normal");
-    });
-    clientSocket.once("error", (err) => {
-      vncLog("proxy-error", { corrId, side: "client", err: err.message });
-      finish("client", "error");
-    });
-    upstream.once("error", (err) => {
-      vncLog("proxy-error", { corrId, side: "upstream", err: err.message });
-      finish("upstream", "error");
-    });
-  });
-  upstream.once("timeout", () => {
-    if (proxyOpened) return;
-    vncLog("proxy-error", {
-      corrId,
-      side: "upstream-connect",
-      err: "timeout",
-      timeout_ms: UPSTREAM_TIMEOUT_MS
-    });
-    writeStatusAndDestroy(clientSocket, 504, "Gateway Timeout");
-    upstream.destroy();
-  });
-  upstream.once("error", (err) => {
-    if (proxyOpened) return;
-    vncLog("proxy-error", {
-      corrId,
-      side: "upstream-connect",
-      err: err.message
-    });
-    writeStatusAndDestroy(clientSocket, 502, "Bad Gateway");
-    upstream.destroy();
-  });
-}
-function parseQueryParam(query, key) {
-  if (!query) return null;
-  for (const pair of query.split("&")) {
-    const eq = pair.indexOf("=");
-    const k = eq === -1 ? pair : pair.slice(0, eq);
-    if (k !== key) continue;
-    const v = eq === -1 ? "" : pair.slice(eq + 1);
-    try {
-      return decodeURIComponent(v);
-    } catch {
-      return null;
-    }
-  }
-  return null;
-}
-function headerString(value) {
-  if (value == null) return void 0;
-  return Array.isArray(value) ? value[0] : value;
-}
-function parseOriginHost(origin) {
-  if (!origin) return null;
-  try {
-    return new URL(origin).hostname;
-  } catch {
-    return null;
-  }
-}
-function writeStatusAndDestroy(socket, status, statusText) {
-  try {
-    socket.write(
-      `HTTP/1.1 ${status} ${statusText}\r
-Connection: close\r
-Content-Length: 0\r
-\r
-`
-    );
-  } catch {
-  }
-  socket.destroy();
-}
-
-// server/ws-proxy-terminal.ts
-import { createConnection as createConnection2 } from "net";
-
-// app/lib/terminal-logger.ts
-import { appendFileSync as appendFileSync2, mkdirSync as mkdirSync2 } from "fs";
-import { resolve as resolve3 } from "path";
-var TERMINAL_LOG_FILE = resolve3(LOG_DIR, "terminal.log");
-try {
-  mkdirSync2(LOG_DIR, { recursive: true });
-} catch (err) {
-  console.error(`[terminal-log-fail] mkdir ${LOG_DIR} failed: ${err.message}`);
-}
-function terminalLog(phase, fields = {}) {
-  const ts = (/* @__PURE__ */ new Date()).toISOString();
-  const kv = Object.entries(fields).map(([k, v]) => `${k}=${JSON.stringify(v)}`).join(" ");
-  const line = kv.length > 0 ? `[${ts}] [terminal-${phase}] ${kv}
-` : `[${ts}] [terminal-${phase}]
-`;
-  try {
-    appendFileSync2(TERMINAL_LOG_FILE, line);
-  } catch (err) {
-    console.error(`[terminal-log-fail] ${err.message} \u2014 dropped: ${line.slice(0, 300).trim()}`);
-  }
-}
-
-// server/ws-proxy-terminal.ts
-var WS_PATH2 = "/admin/terminal/ws";
-var UPSTREAM_TIMEOUT_MS2 = 5e3;
-var FLOW_TICK_MS = 5e3;
-var FLOW_IDLE_EMIT_MS = 3e4;
-var HOP_BY_HOP2 = /* @__PURE__ */ new Set([
-  "connection",
-  "keep-alive",
-  "proxy-authenticate",
-  "proxy-authorization",
-  "te",
-  "trailer",
-  "transfer-encoding",
-  "upgrade"
-]);
-function attachTerminalWsProxy(server, opts) {
-  const upstreamHost = opts.upstreamHost ?? "127.0.0.1";
-  const upstreamPort = opts.upstreamPort ?? 7681;
-  server.on("upgrade", (req, clientSocket, head) => {
-    try {
-      handleUpgrade2(req, clientSocket, head, {
-        isPublicHost: opts.isPublicHost,
-        upstreamHost,
-        upstreamPort
-      });
-    } catch (err) {
-      terminalLog("ws-upgrade", {
-        decision: "rejected",
-        reason: "handler-exception",
-        err: err.message
-      });
-      clientSocket.destroy();
-    }
-  });
-}
-function handleUpgrade2(req, clientSocket, head, opts) {
-  const url = req.url ?? "";
-  const qsIndex = url.indexOf("?");
-  const pathname = qsIndex === -1 ? url : url.slice(0, qsIndex);
-  if (pathname !== WS_PATH2) {
-    return;
-  }
-  const corrId = newCorrId();
-  const query = qsIndex === -1 ? "" : url.slice(qsIndex + 1);
-  const rawClientCorrId = parseQueryParam2(query, "corrId");
-  const clientCorrId = sanitizeClientCorrId(rawClientCorrId);
-  const hostHeader = (req.headers.host ?? "").split(":")[0];
-  const originHeader = headerString2(req.headers.origin);
-  const remote = req.socket.remoteAddress;
-  const xff = headerString2(req.headers["x-forwarded-for"]);
-  const decision = canAccessAdmin({
-    host: hostHeader,
-    remoteAddress: remote,
-    xForwardedFor: xff,
-    cookieHeader: headerString2(req.headers.cookie),
-    isPublicHost: opts.isPublicHost
-  });
-  if (!decision.allow) {
-    const status = decision.reason === "public-host" ? 404 : 401;
-    terminalLog("ws-upgrade", {
-      corrId,
-      clientCorrId: clientCorrId ?? null,
-      decision: "rejected",
-      reason: decision.reason,
-      ip: remote,
-      xff: xff ?? null,
-      origin: originHeader ?? null,
-      host: hostHeader
-    });
-    writeStatusAndDestroy2(clientSocket, status, decision.reason === "public-host" ? "Not Found" : "Unauthorized");
-    return;
-  }
-  const originHost = parseOriginHost2(originHeader);
-  if (!originHost) {
-    terminalLog("ws-upgrade", {
-      corrId,
-      clientCorrId: clientCorrId ?? null,
-      decision: "rejected",
-      reason: "origin-missing-or-invalid",
-      origin: originHeader ?? null,
-      host: hostHeader,
-      ip: remote
-    });
-    writeStatusAndDestroy2(clientSocket, 403, "Forbidden");
-    return;
-  }
-  if (originHost !== hostHeader) {
-    terminalLog("ws-upgrade", {
-      corrId,
-      clientCorrId: clientCorrId ?? null,
-      decision: "rejected",
-      reason: "origin-mismatch",
-      origin_host: originHost,
-      host: hostHeader,
-      ip: remote
-    });
-    writeStatusAndDestroy2(clientSocket, 403, "Forbidden");
-    return;
-  }
-  if (opts.isPublicHost(originHost)) {
-    terminalLog("ws-upgrade", {
-      corrId,
-      clientCorrId: clientCorrId ?? null,
-      decision: "rejected",
-      reason: "origin-public-host",
-      origin_host: originHost,
-      host: hostHeader,
-      ip: remote
-    });
-    writeStatusAndDestroy2(clientSocket, 403, "Forbidden");
-    return;
-  }
-  terminalLog("ws-upgrade", {
-    corrId,
-    clientCorrId: clientCorrId ?? null,
-    decision: "accepted",
-    ip: remote,
-    xff: xff ?? null,
-    origin: originHeader ?? null,
-    host: hostHeader,
-    sec_ws_version: headerString2(req.headers["sec-websocket-version"]) ?? null,
-    sec_ws_protocol: headerString2(req.headers["sec-websocket-protocol"]) ?? null
-  });
-  const upstream = createConnection2({ host: opts.upstreamHost, port: opts.upstreamPort });
-  upstream.setTimeout(UPSTREAM_TIMEOUT_MS2);
-  let bytesClientToUpstream = 0;
-  let bytesUpstreamToClient = 0;
-  let closedBy = null;
-  let proxyOpened = false;
-  let lastUpstreamByteTs = 0;
-  let flowInterval = null;
-  let lastEmittedAt = 0;
-  let lastEmittedUpstreamBytes = 0;
-  const finish = (side, reason) => {
-    if (closedBy) return;
-    closedBy = side;
-    if (flowInterval) {
-      clearInterval(flowInterval);
-      flowInterval = null;
-    }
-    if (proxyOpened) {
-      terminalLog("proxy-close", {
-        corrId,
-        closedBy: side,
-        reason,
-        clientBytes: bytesClientToUpstream,
-        upstreamBytes: bytesUpstreamToClient
-      });
-    }
-    clientSocket.destroy();
-    upstream.destroy();
-  };
-  upstream.once("connect", () => {
-    upstream.setTimeout(0);
-    proxyOpened = true;
-    terminalLog("proxy-open", {
-      corrId,
-      upstream: `${opts.upstreamHost}:${opts.upstreamPort}`
-    });
-    const lines = [];
-    lines.push(`${req.method ?? "GET"} ${WS_PATH2} HTTP/${req.httpVersion}`);
-    lines.push(`host: ${opts.upstreamHost}:${opts.upstreamPort}`);
-    for (const [name, value] of Object.entries(req.headers)) {
-      if (name === "host") continue;
-      if (HOP_BY_HOP2.has(name)) continue;
-      if (value == null) continue;
-      if (Array.isArray(value)) {
-        for (const v of value) lines.push(`${name}: ${v}`);
-      } else {
-        lines.push(`${name}: ${value}`);
-      }
-    }
-    const upgradeHeader = headerString2(req.headers.upgrade);
-    const connectionHeader = headerString2(req.headers.connection);
-    if (upgradeHeader) lines.push(`upgrade: ${upgradeHeader}`);
-    if (connectionHeader) lines.push(`connection: ${connectionHeader}`);
-    upstream.write(lines.join("\r\n") + "\r\n\r\n");
-    if (head && head.length > 0) upstream.write(head);
-    clientSocket.on("data", (chunk) => {
-      bytesClientToUpstream += chunk.length;
-    });
-    upstream.on("data", (chunk) => {
-      bytesUpstreamToClient += chunk.length;
-      lastUpstreamByteTs = Date.now();
-    });
-    clientSocket.pipe(upstream);
-    upstream.pipe(clientSocket);
-    lastEmittedAt = Date.now();
-    lastEmittedUpstreamBytes = 0;
-    flowInterval = setInterval(() => {
-      const now = Date.now();
-      const idleMs = lastUpstreamByteTs === 0 ? now - lastEmittedAt : now - lastUpstreamByteTs;
-      const upstreamMoved = bytesUpstreamToClient !== lastEmittedUpstreamBytes;
-      const sinceLastEmit = now - lastEmittedAt;
-      if (upstreamMoved || sinceLastEmit >= FLOW_IDLE_EMIT_MS) {
-        terminalLog("proxy-flow", {
-          corrId,
-          clientBytes: bytesClientToUpstream,
-          upstreamBytes: bytesUpstreamToClient,
-          idleMs
-        });
-        lastEmittedAt = now;
-        lastEmittedUpstreamBytes = bytesUpstreamToClient;
-      }
-    }, FLOW_TICK_MS);
-    clientSocket.once("close", (hadError) => {
-      finish("client", hadError ? "error" : "normal");
-    });
-    upstream.once("close", (hadError) => {
-      finish("upstream", hadError ? "error" : "normal");
-    });
-    clientSocket.once("error", (err) => {
-      terminalLog("proxy-error", { corrId, side: "client", err: err.message });
-      finish("client", "error");
-    });
-    upstream.once("error", (err) => {
-      terminalLog("proxy-error", { corrId, side: "upstream", err: err.message });
-      finish("upstream", "error");
-    });
-  });
-  upstream.once("timeout", () => {
-    if (proxyOpened) return;
-    terminalLog("proxy-error", {
-      corrId,
-      side: "upstream-connect",
-      err: "timeout",
-      timeout_ms: UPSTREAM_TIMEOUT_MS2
-    });
-    writeStatusAndDestroy2(clientSocket, 504, "Gateway Timeout");
-    upstream.destroy();
-  });
-  upstream.once("error", (err) => {
-    if (proxyOpened) return;
-    terminalLog("proxy-error", {
-      corrId,
-      side: "upstream-connect",
-      err: err.message
-    });
-    writeStatusAndDestroy2(clientSocket, 502, "Bad Gateway");
-    upstream.destroy();
-  });
-}
-function parseQueryParam2(query, key) {
-  if (!query) return null;
-  for (const pair of query.split("&")) {
-    const eq = pair.indexOf("=");
-    const k = eq === -1 ? pair : pair.slice(0, eq);
-    if (k !== key) continue;
-    const v = eq === -1 ? "" : pair.slice(eq + 1);
-    try {
-      return decodeURIComponent(v);
-    } catch {
-      return null;
-    }
-  }
-  return null;
-}
-function headerString2(value) {
-  if (value == null) return void 0;
-  return Array.isArray(value) ? value[0] : value;
-}
-function parseOriginHost2(origin) {
-  if (!origin) return null;
-  try {
-    return new URL(origin).hostname;
-  } catch {
-    return null;
-  }
-}
-function writeStatusAndDestroy2(socket, status, statusText) {
-  try {
-    socket.write(
-      `HTTP/1.1 ${status} ${statusText}\r
-Connection: close\r
-Content-Length: 0\r
-\r
-`
-    );
-  } catch {
-  }
-  socket.destroy();
-}
+import { readFileSync as readFileSync24, existsSync as existsSync23, watchFile } from "fs";
+import { resolve as resolve27, join as join12, basename as basename7 } from "path";
+import { homedir as homedir4 } from "os";
 
 // app/lib/agent-slug-pattern.ts
 var AGENT_SLUG_PATTERN = /^\/([a-z][a-z0-9-]{2,49})$/;
@@ -4142,9 +2906,9 @@ var AGENT_SLUG_PATTERN = /^\/([a-z][a-z0-9-]{2,49})$/;
 import Anthropic3 from "@anthropic-ai/sdk";
 import { spawn as spawn2, spawnSync as spawnSync2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
-import { resolve as resolve8, join as join4 } from "path";
+import { resolve as resolve5, join as join3 } from "path";
 import { platform as osPlatform } from "os";
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync6, readdirSync as readdirSync2, existsSync as existsSync7, mkdirSync as mkdirSync6, createWriteStream, statSync as statSync3, unlinkSync as unlinkSync3, cpSync, rmSync as rmSync2, appendFileSync as appendFileSync3, openSync as openSync2, readSync as readSync2, closeSync as closeSync2 } from "fs";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync5, readdirSync as readdirSync2, existsSync as existsSync5, mkdirSync as mkdirSync4, createWriteStream, statSync as statSync3, unlinkSync as unlinkSync3, cpSync, rmSync as rmSync2, appendFileSync, openSync as openSync2, readSync as readSync2, closeSync as closeSync2 } from "fs";
 import { lookup as dnsLookup } from "dns/promises";
 import { createConnection as netConnect } from "net";
 import { StringDecoder } from "string_decoder";
@@ -4152,34 +2916,34 @@ import { StringDecoder } from "string_decoder";
 // ../lib/anthropic-key/src/index.ts
 var import_dist = __toESM(require_dist());
 import {
-  existsSync as existsSync4,
-  mkdirSync as mkdirSync3,
-  readFileSync as readFileSync3,
+  existsSync as existsSync2,
+  mkdirSync,
+  readFileSync,
   unlinkSync,
-  writeFileSync as writeFileSync2
+  writeFileSync
 } from "fs";
-import { resolve as resolve4, join as join3, dirname } from "path";
-import { homedir as homedir2 } from "os";
+import { resolve, join as join2, dirname } from "path";
+import { homedir } from "os";
 var cachedKeyFilePath = null;
 function resolveKeyFilePath() {
   if (cachedKeyFilePath) return cachedKeyFilePath;
-  let configDirName2 = ".maxy";
-  const platformRoot3 = process.env.PLATFORM_ROOT ?? process.env.MAXY_PLATFORM_ROOT;
-  if (platformRoot3) {
-    const brandPath = join3(platformRoot3, "config", "brand.json");
-    if (!existsSync4(brandPath)) {
+  let configDirName = ".maxy";
+  const platformRoot2 = process.env.PLATFORM_ROOT ?? process.env.MAXY_PLATFORM_ROOT;
+  if (platformRoot2) {
+    const brandPath = join2(platformRoot2, "config", "brand.json");
+    if (!existsSync2(brandPath)) {
       throw new Error(
         `brand.json not found at ${brandPath} \u2014 platform not properly installed`
       );
     }
     try {
-      const brand = JSON.parse(readFileSync3(brandPath, "utf-8"));
+      const brand = JSON.parse(readFileSync(brandPath, "utf-8"));
       if (!brand.configDir) {
         throw new Error(
           `brand.json at ${brandPath} is missing the configDir field`
         );
       }
-      configDirName2 = brand.configDir;
+      configDirName = brand.configDir;
     } catch (err) {
       if (err instanceof SyntaxError) {
         throw new Error(
@@ -4189,7 +2953,7 @@ function resolveKeyFilePath() {
       throw err;
     }
   }
-  cachedKeyFilePath = resolve4(homedir2(), configDirName2, ".anthropic-api-key");
+  cachedKeyFilePath = resolve(homedir(), configDirName, ".anthropic-api-key");
   return cachedKeyFilePath;
 }
 function readKey() {
@@ -4211,7 +2975,7 @@ function readKey() {
     );
   }
   try {
-    const raw2 = readFileSync3(keyFilePath2, "utf-8").trim();
+    const raw2 = readFileSync(keyFilePath2, "utf-8").trim();
     if (!raw2) {
       console.error(
         `[anthropic-key] key file exists but is empty: ${keyFilePath2}`
@@ -4325,14 +3089,14 @@ function contextWindow(model) {
 }
 
 // app/lib/claude-auth.ts
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync3 } from "fs";
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
 var TOKEN_ENDPOINT = "https://platform.claude.com/v1/oauth/token";
 var CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
 var EXPIRING_THRESHOLD_MS = 5 * 60 * 1e3;
 function readCredentials() {
   let raw2;
   try {
-    raw2 = readFileSync4(CLAUDE_CREDENTIALS_FILE, "utf-8");
+    raw2 = readFileSync2(CLAUDE_CREDENTIALS_FILE, "utf-8");
   } catch {
     return null;
   }
@@ -4360,7 +3124,7 @@ function writeOAuthCredentials(tokens) {
   try {
     let fileData = {};
     try {
-      const rawFile = readFileSync4(CLAUDE_CREDENTIALS_FILE, "utf-8");
+      const rawFile = readFileSync2(CLAUDE_CREDENTIALS_FILE, "utf-8");
       fileData = JSON.parse(rawFile);
     } catch {
     }
@@ -4371,7 +3135,7 @@ function writeOAuthCredentials(tokens) {
       ...tokens.refreshToken != null ? { refreshToken: tokens.refreshToken } : {},
       expiresAt: newExpiresAt
     };
-    writeFileSync3(CLAUDE_CREDENTIALS_FILE, JSON.stringify(fileData, null, 2), "utf-8");
+    writeFileSync2(CLAUDE_CREDENTIALS_FILE, JSON.stringify(fileData, null, 2), "utf-8");
     return newExpiresAt;
   } catch (err) {
     console.error(`[claude-auth] credential write failed: ${err instanceof Error ? err.message : String(err)}`);
@@ -4475,11 +3239,11 @@ async function ensureAuth() {
 
 // app/lib/vnc.ts
 import { spawnSync, execFileSync } from "child_process";
-import { createConnection as createConnection3 } from "net";
-import { mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
-import { resolve as resolve5 } from "path";
-var PLATFORM_ROOT2 = process.env.MAXY_PLATFORM_ROOT ?? resolve5(process.cwd(), "..");
-var VNC_SCRIPT = resolve5(PLATFORM_ROOT2, "scripts/vnc.sh");
+import { createConnection } from "net";
+import { mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import { resolve as resolve2 } from "path";
+var PLATFORM_ROOT = process.env.MAXY_PLATFORM_ROOT ?? resolve2(process.cwd(), "..");
+var VNC_SCRIPT = resolve2(PLATFORM_ROOT, "scripts/vnc.sh");
 var displayMode = process.env.DISPLAY_MODE ?? "virtual";
 if (displayMode === "native") {
   console.log(`[vnc] DISPLAY_MODE=native \u2014 local requests use desktop display, remote requests use VNC`);
@@ -4488,8 +3252,8 @@ function resolveBrowserTransport(req, remoteAddress) {
   if (displayMode !== "native") return "vnc";
   const xff = req.headers.get("x-forwarded-for") ?? void 0;
   const clientIp = resolveClientIp(remoteAddress ?? "127.0.0.1", xff);
-  const isLoopback2 = clientIp === "127.0.0.1" || clientIp === "::1" || clientIp === "loopback";
-  const transport = isLoopback2 && !xff ? "native" : "vnc";
+  const isLoopback = clientIp === "127.0.0.1" || clientIp === "::1" || clientIp === "loopback";
+  const transport = isLoopback && !xff ? "native" : "vnc";
   if (remoteAddress && remoteAddress !== "127.0.0.1" && remoteAddress !== "::1") {
     const oldClientIp = resolveClientIp("127.0.0.1", xff);
     const oldIsLoopback = oldClientIp === "127.0.0.1" || oldClientIp === "::1" || oldClientIp === "loopback";
@@ -4537,7 +3301,7 @@ function discoverNativeDisplay() {
       const leaderPid = leaderResult.stdout?.trim();
       if (leaderPid) {
         try {
-          const environ = readFileSync5(`/proc/${leaderPid}/environ`, "utf8");
+          const environ = readFileSync3(`/proc/${leaderPid}/environ`, "utf8");
           const match2 = environ.split("\0").find((e) => e.startsWith("WAYLAND_DISPLAY="));
           if (match2) waylandDisplay = match2.split("=")[1];
         } catch {
@@ -4571,7 +3335,7 @@ async function waitForPort(port2, timeoutMs = 12e3) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     const ready = await new Promise((res) => {
-      const socket = createConnection3(port2, "127.0.0.1");
+      const socket = createConnection(port2, "127.0.0.1");
       socket.setTimeout(500);
       socket.once("connect", () => {
         socket.destroy();
@@ -4592,10 +3356,10 @@ async function waitForPort(port2, timeoutMs = 12e3) {
   return false;
 }
 function ensureLogDir() {
-  mkdirSync4(LOG_DIR, { recursive: true });
+  mkdirSync2(LOG_DIR, { recursive: true });
 }
 function logPath(name) {
-  return resolve5(LOG_DIR, `${name}.log`);
+  return resolve2(LOG_DIR, `${name}.log`);
 }
 async function ensureVnc() {
   const up = await waitForPort(5900, 1e3);
@@ -4804,9 +3568,9 @@ async function ensureTerminalUpgrade(transport = "vnc") {
   return { ok: true };
 }
 function writeChromiumWrapper() {
-  mkdirSync4(BIN_DIR, { recursive: true });
-  const wrapperPath = resolve5(BIN_DIR, "chromium");
-  writeFileSync4(wrapperPath, `#!/bin/bash
+  mkdirSync2(BIN_DIR, { recursive: true });
+  const wrapperPath = resolve2(BIN_DIR, "chromium");
+  writeFileSync3(wrapperPath, `#!/bin/bash
 LOG="${LOG_DIR}/chromium.log"
 echo "==== [$(date)] chromium wrapper ====" >> "$LOG"
 echo "  DISPLAY=$DISPLAY WAYLAND=$WAYLAND_DISPLAY XDG_SESSION_TYPE=$XDG_SESSION_TYPE" >> "$LOG"
@@ -4890,15 +3654,15 @@ function buildX11Env(chromiumWrapperPath, transport = "vnc") {
 import neo4j from "neo4j-driver";
 import { randomUUID } from "crypto";
 import { spawn } from "child_process";
-import { readFileSync as readFileSync6, readdirSync, existsSync as existsSync5, openSync, readSync, closeSync, statSync as statSync2, rmSync } from "fs";
-import { resolve as resolve6 } from "path";
-var PLATFORM_ROOT3 = process.env.MAXY_PLATFORM_ROOT ?? resolve6(process.cwd(), "..");
+import { readFileSync as readFileSync4, readdirSync, existsSync as existsSync3, openSync, readSync, closeSync, statSync as statSync2, rmSync } from "fs";
+import { resolve as resolve3 } from "path";
+var PLATFORM_ROOT2 = process.env.MAXY_PLATFORM_ROOT ?? resolve3(process.cwd(), "..");
 var driver = null;
 function readPassword() {
   if (process.env.NEO4J_PASSWORD) return process.env.NEO4J_PASSWORD;
-  const passwordFile = resolve6(PLATFORM_ROOT3, "config/.neo4j-password");
+  const passwordFile = resolve3(PLATFORM_ROOT2, "config/.neo4j-password");
   try {
-    return readFileSync6(passwordFile, "utf-8").trim();
+    return readFileSync4(passwordFile, "utf-8").trim();
   } catch {
     throw new Error(
       `Neo4j password not found. Expected at ${passwordFile} or in NEO4J_PASSWORD env var.`
@@ -5361,8 +4125,8 @@ async function persistMessage(conversationId, role, content, accountId, tokens,
   const prev = persistMessageLocks.get(conversationId);
   const waited = prev !== void 0;
   let release;
-  const mine = new Promise((resolve31) => {
-    release = resolve31;
+  const mine = new Promise((resolve28) => {
+    release = resolve28;
   });
   const chained = (prev ?? Promise.resolve()).then(() => mine);
   persistMessageLocks.set(conversationId, chained);
@@ -5621,7 +4385,7 @@ ${userContent}`;
     "dontAsk",
     prompt
   ];
-  return new Promise((resolve31) => {
+  return new Promise((resolve28) => {
     let stdout = "";
     let stderr = "";
     const spawnFn = _spawnOverride ?? spawn;
@@ -5639,35 +4403,35 @@ ${userContent}`;
     const timer = setTimeout(() => {
       proc.kill("SIGTERM");
       console.error("[persist] autoLabel: haiku subprocess timed out");
-      resolve31(null);
+      resolve28(null);
     }, SESSION_LABEL_TIMEOUT_MS);
     proc.on("error", (err) => {
       clearTimeout(timer);
       console.error(`[persist] autoLabel: subprocess error \u2014 ${err.message}`);
-      resolve31(null);
+      resolve28(null);
     });
     proc.on("close", (code) => {
       clearTimeout(timer);
       if (code !== 0) {
         console.error(`[persist] autoLabel: subprocess exited code=${code}${stderr ? ` stderr=${stderr.trim().slice(0, 200)}` : ""}`);
-        resolve31(null);
+        resolve28(null);
         return;
       }
       const text = stdout.trim();
       if (!text) {
         console.error("[persist] autoLabel: haiku returned empty response");
-        resolve31(null);
+        resolve28(null);
         return;
       }
       if (text === "SKIP") {
         console.error("[persist] autoLabel: haiku returned SKIP \u2014 messages too vague");
-        resolve31(null);
+        resolve28(null);
         return;
       }
       const words = text.split(/\s+/).slice(0, SESSION_LABEL_MAX_WORDS);
       const label = words.join(" ");
       console.error(`[persist] autoLabel: haiku response="${label}"`);
-      resolve31(label);
+      resolve28(label);
     });
   });
 }
@@ -5939,10 +4703,10 @@ var MAX_RECENT_TOOL_FAILURES = 3;
 var RECENT_FAILURES_TAIL_BYTES = 10 * 1024;
 function readRecentToolFailures(accountId, conversationId) {
   try {
-    const platformRoot3 = process.env.MAXY_PLATFORM_ROOT ?? resolve6(process.cwd(), "..");
-    const logDir = resolve6(platformRoot3, "..", "data/accounts", accountId, "logs");
-    const logPath2 = resolve6(logDir, `claude-agent-stream-${conversationId}.log`);
-    if (!existsSync5(logPath2)) {
+    const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve3(process.cwd(), "..");
+    const logDir = resolve3(platformRoot2, "..", "data/accounts", accountId, "logs");
+    const logPath2 = resolve3(logDir, `claude-agent-stream-${conversationId}.log`);
+    if (!existsSync3(logPath2)) {
       console.error(`[review-tail-skip] path=${logPath2} reason=file-missing \u2014 first turn of conversation, subprocess not yet spawned, or log rotated`);
       return [];
     }
@@ -6098,13 +4862,13 @@ ${taskLines.join("\n")}`);
     let pendingCount = 0;
     let pendingLines = [];
     try {
-      const platformRoot3 = process.env.MAXY_PLATFORM_ROOT ?? resolve6(process.cwd(), "..");
-      const pendingDir = resolve6(platformRoot3, "..", "data/accounts", accountId, "pending-actions");
-      if (existsSync5(pendingDir)) {
+      const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve3(process.cwd(), "..");
+      const pendingDir = resolve3(platformRoot2, "..", "data/accounts", accountId, "pending-actions");
+      if (existsSync3(pendingDir)) {
         const files = readdirSync(pendingDir).filter((f) => f.endsWith(".json") && !f.startsWith("."));
         for (const file of files) {
           try {
-            const raw2 = readFileSync6(resolve6(pendingDir, file), "utf-8");
+            const raw2 = readFileSync4(resolve3(pendingDir, file), "utf-8");
             const action = JSON.parse(raw2);
             if (action.state === "pending") {
               const inputSummary = JSON.stringify(action.hookPayload?.tool_input ?? {}).slice(0, 150);
@@ -6171,12 +4935,12 @@ ${sections.join("\n\n")}
   }
 }
 async function consumeStep7FlagUI(session, accountId) {
-  const accountDir = resolve6(PLATFORM_ROOT3, "..", "data/accounts", accountId);
-  const flagPath = resolve6(accountDir, "onboarding", "step7-complete");
-  if (!existsSync5(flagPath)) return false;
+  const accountDir = resolve3(PLATFORM_ROOT2, "..", "data/accounts", accountId);
+  const flagPath = resolve3(accountDir, "onboarding", "step7-complete");
+  if (!existsSync3(flagPath)) return false;
   let completedAt = (/* @__PURE__ */ new Date()).toISOString();
   try {
-    const raw2 = readFileSync6(flagPath, "utf-8").trim();
+    const raw2 = readFileSync4(flagPath, "utf-8").trim();
     if (raw2) {
       const parsed = JSON.parse(raw2);
       if (typeof parsed.completedAt === "string") {
@@ -6614,8 +5378,8 @@ ${items}
 }
 
 // app/lib/adherence-ledger.ts
-import { existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync7, renameSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync5 } from "fs";
-import { resolve as resolve7, dirname as dirname2 } from "path";
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync5, renameSync, unlinkSync as unlinkSync2, writeFileSync as writeFileSync4 } from "fs";
+import { resolve as resolve4, dirname as dirname2 } from "path";
 import lockfile from "proper-lockfile";
 var LOG_TAG = "[adherence-ledger]";
 var ADHERENCE_BLOCK_THRESHOLD = 5;
@@ -6630,7 +5394,7 @@ function nowIso() {
   return (/* @__PURE__ */ new Date()).toISOString();
 }
 function ledgerPath(accountDir, agentName) {
-  return resolve7(accountDir, "agents", agentName, "adherence-ledger.json");
+  return resolve4(accountDir, "agents", agentName, "adherence-ledger.json");
 }
 function lockPath(accountDir, agentName) {
   return `${ledgerPath(accountDir, agentName)}.lock`;
@@ -6655,8 +5419,8 @@ function pruneViolations(violations) {
   });
 }
 function readUnlocked(path2, accountId, agentName) {
-  if (!existsSync6(path2)) return emptyLedger(accountId, agentName);
-  const content = readFileSync7(path2, "utf-8");
+  if (!existsSync4(path2)) return emptyLedger(accountId, agentName);
+  const content = readFileSync5(path2, "utf-8");
   if (!content.trim()) return emptyLedger(accountId, agentName);
   const data = JSON.parse(content);
   if (typeof data !== "object" || data === null) {
@@ -6675,10 +5439,10 @@ function writeAtomic(path2, data) {
   }
   data.updated_at = nowIso();
   const dir = dirname2(path2);
-  mkdirSync5(dir, { recursive: true });
+  mkdirSync3(dir, { recursive: true });
   const tmp = `${path2}.tmp-${process.pid}-${Date.now()}`;
   try {
-    writeFileSync5(tmp, JSON.stringify(data, null, 2), "utf-8");
+    writeFileSync4(tmp, JSON.stringify(data, null, 2), "utf-8");
     renameSync(tmp, path2);
   } catch (err) {
     try {
@@ -6691,9 +5455,9 @@ function writeAtomic(path2, data) {
 async function withLock(accountDir, agentName, fn) {
   const path2 = ledgerPath(accountDir, agentName);
   const lock = lockPath(accountDir, agentName);
-  mkdirSync5(dirname2(lock), { recursive: true });
-  if (!existsSync6(lock)) {
-    writeFileSync5(lock, "", "utf-8");
+  mkdirSync3(dirname2(lock), { recursive: true });
+  if (!existsSync4(lock)) {
+    writeFileSync4(lock, "", "utf-8");
   }
   const release = await lockfile.lock(lock, {
     realpath: false,
@@ -7179,20 +5943,20 @@ function agentLogStream(name, accountDir, conversationId) {
   if (!conversationId) {
     throw new Error(`agentLogStream: conversationId is required (name=${name}) \u2014 use preConversationLogStream for pre-session events`);
   }
-  const logDir = resolve8(accountDir, "logs");
-  mkdirSync6(logDir, { recursive: true });
+  const logDir = resolve5(accountDir, "logs");
+  mkdirSync4(logDir, { recursive: true });
   purgeOldLogs(logDir, `${name}-`);
-  const logPath2 = resolve8(logDir, `${name}-${conversationId}.log`);
+  const logPath2 = resolve5(logDir, `${name}-${conversationId}.log`);
   const stream = createWriteStream(logPath2, { flags: "a" });
   registerStreamLog(stream, { path: logPath2, conversationId, name });
   return stream;
 }
 function preConversationLogStream(name, accountDir) {
-  const logDir = resolve8(accountDir, "logs");
-  mkdirSync6(logDir, { recursive: true });
+  const logDir = resolve5(accountDir, "logs");
+  mkdirSync4(logDir, { recursive: true });
   const date = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
   purgeOldLogs(logDir, `preconversation-${name}-`);
-  const logPath2 = resolve8(logDir, `preconversation-${name}-${date}.log`);
+  const logPath2 = resolve5(logDir, `preconversation-${name}-${date}.log`);
   const stream = createWriteStream(logPath2, { flags: "a" });
   registerStreamLog(stream, { path: logPath2, conversationId: null, name: `preconversation-${name}` });
   return stream;
@@ -7211,7 +5975,7 @@ function sigtermFlushStreamLogs(reason, source) {
     const line = `[${ts}] [server-sigterm] reason=${reason}${convPart} name=${entry.name} source=${source}
 `;
     try {
-      appendFileSync3(entry.path, line);
+      appendFileSync(entry.path, line);
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       console.error(`[server-sigterm-flush-err] path=${entry.path} reason=${msg}`);
@@ -7230,7 +5994,7 @@ function purgeOldLogs(logDir, prefix) {
   }
   for (const file of entries) {
     if (!file.startsWith(prefix)) continue;
-    const filePath = resolve8(logDir, file);
+    const filePath = resolve5(logDir, file);
     try {
       if (statSync3(filePath).mtimeMs < cutoff) unlinkSync3(filePath);
     } catch (err) {
@@ -7299,7 +6063,7 @@ function sampleProcState(pid) {
       let sockets2 = 0;
       for (const tcpFile of ["/proc/" + pid + "/net/tcp", "/proc/" + pid + "/net/tcp6"]) {
         try {
-          const raw2 = readFileSync8(tcpFile, "utf-8");
+          const raw2 = readFileSync6(tcpFile, "utf-8");
           const lines2 = raw2.split("\n");
           for (let i = 1; i < lines2.length; i++) {
             const line = lines2[i].trim();
@@ -7315,7 +6079,7 @@ function sampleProcState(pid) {
       }
       let rssMb = 0;
       try {
-        const statm = readFileSync8(`/proc/${pid}/statm`, "utf-8").trim().split(/\s+/);
+        const statm = readFileSync6(`/proc/${pid}/statm`, "utf-8").trim().split(/\s+/);
         const rssPages = parseInt(statm[1] ?? "0", 10);
         if (Number.isFinite(rssPages)) rssMb = Math.round(rssPages * 4096 / (1024 * 1024));
       } catch {
@@ -7348,21 +6112,21 @@ function sampleProcState(pid) {
     return `proc_err=${JSON.stringify(msg.slice(0, 60))}`;
   }
 }
-var PLATFORM_ROOT4 = process.env.MAXY_PLATFORM_ROOT ?? resolve8(process.cwd(), "..");
-var ACCOUNTS_DIR = resolve8(PLATFORM_ROOT4, "..", "data/accounts");
-if (!existsSync7(PLATFORM_ROOT4)) {
+var PLATFORM_ROOT3 = process.env.MAXY_PLATFORM_ROOT ?? resolve5(process.cwd(), "..");
+var ACCOUNTS_DIR = resolve5(PLATFORM_ROOT3, "..", "data/accounts");
+if (!existsSync5(PLATFORM_ROOT3)) {
   throw new Error(
-    `PLATFORM_ROOT does not exist: ${PLATFORM_ROOT4}
+    `PLATFORM_ROOT does not exist: ${PLATFORM_ROOT3}
 Set the MAXY_PLATFORM_ROOT environment variable to the absolute path of the platform directory.`
   );
 }
 function resolveAccount() {
-  if (!existsSync7(ACCOUNTS_DIR)) return null;
-  const usersFilePath = resolve8(PLATFORM_ROOT4, "config", "users.json");
+  if (!existsSync5(ACCOUNTS_DIR)) return null;
+  const usersFilePath = resolve5(PLATFORM_ROOT3, "config", "users.json");
   let usersJsonUserId = null;
-  if (existsSync7(usersFilePath)) {
+  if (existsSync5(usersFilePath)) {
     try {
-      const raw2 = readFileSync8(usersFilePath, "utf-8").trim();
+      const raw2 = readFileSync6(usersFilePath, "utf-8").trim();
       if (raw2) {
         const users = JSON.parse(raw2);
         if (users.length > 0) {
@@ -7376,9 +6140,9 @@ function resolveAccount() {
   let fallback = null;
   for (const entry of entries) {
     if (!entry.isDirectory()) continue;
-    const configPath2 = resolve8(ACCOUNTS_DIR, entry.name, "account.json");
-    if (!existsSync7(configPath2)) continue;
-    const raw2 = readFileSync8(configPath2, "utf-8");
+    const configPath2 = resolve5(ACCOUNTS_DIR, entry.name, "account.json");
+    if (!existsSync5(configPath2)) continue;
+    const raw2 = readFileSync6(configPath2, "utf-8");
     let config;
     try {
       config = JSON.parse(raw2);
@@ -7393,7 +6157,7 @@ function resolveAccount() {
     }
     const result = {
       accountId: config.accountId,
-      accountDir: resolve8(ACCOUNTS_DIR, entry.name),
+      accountDir: resolve5(ACCOUNTS_DIR, entry.name),
       config
     };
     if (usersJsonUserId && config.admins?.some((a) => a.userId === usersJsonUserId)) {
@@ -7411,9 +6175,9 @@ function resolveAccount() {
   return fallback;
 }
 function readAgentFile(accountDir, agentName, filename) {
-  const filePath = resolve8(accountDir, "agents", agentName, filename);
-  if (!existsSync7(filePath)) return null;
-  return readFileSync8(filePath, "utf-8");
+  const filePath = resolve5(accountDir, "agents", agentName, filename);
+  if (!existsSync5(filePath)) return null;
+  return readFileSync6(filePath, "utf-8");
 }
 function readIdentity(accountDir, agentName) {
   return readAgentFile(accountDir, agentName, "IDENTITY.md");
@@ -7448,14 +6212,14 @@ function validateAgentSlug(slug) {
   return true;
 }
 function resolveDefaultAgentSlug(accountDir) {
-  const configPath2 = resolve8(accountDir, "account.json");
-  if (!existsSync7(configPath2)) {
+  const configPath2 = resolve5(accountDir, "account.json");
+  if (!existsSync5(configPath2)) {
     console.error("[agent-resolve] account.json not found \u2014 cannot resolve defaultAgent");
     return null;
   }
   let config;
   try {
-    config = JSON.parse(readFileSync8(configPath2, "utf-8"));
+    config = JSON.parse(readFileSync6(configPath2, "utf-8"));
   } catch (err) {
     console.error("[agent-resolve] failed to read account.json:", err);
     return null;
@@ -7464,8 +6228,8 @@ function resolveDefaultAgentSlug(accountDir) {
     console.error("[agent-resolve] defaultAgent not configured in account.json \u2014 set it via the connect-whatsapp skill");
     return null;
   }
-  const agentConfigPath = resolve8(accountDir, "agents", config.defaultAgent, "config.json");
-  if (!existsSync7(agentConfigPath)) {
+  const agentConfigPath = resolve5(accountDir, "agents", config.defaultAgent, "config.json");
+  if (!existsSync5(agentConfigPath)) {
     console.error(`[agent-resolve] defaultAgent="${config.defaultAgent}" has no config.json at ${agentConfigPath}`);
     return null;
   }
@@ -7537,23 +6301,23 @@ function resolveAgentConfig(accountDir, agentName) {
   }
   let knowledge = null;
   let knowledgeBaked = false;
-  const agentDir = resolve8(accountDir, "agents", agentName);
-  const knowledgePath = resolve8(agentDir, "KNOWLEDGE.md");
-  const summaryPath = resolve8(agentDir, "KNOWLEDGE-SUMMARY.md");
-  const hasKnowledge = existsSync7(knowledgePath);
-  const hasSummary = existsSync7(summaryPath);
+  const agentDir = resolve5(accountDir, "agents", agentName);
+  const knowledgePath = resolve5(agentDir, "KNOWLEDGE.md");
+  const summaryPath = resolve5(agentDir, "KNOWLEDGE-SUMMARY.md");
+  const hasKnowledge = existsSync5(knowledgePath);
+  const hasSummary = existsSync5(summaryPath);
   if (hasKnowledge && hasSummary) {
     const knowledgeMtime = statSync3(knowledgePath).mtimeMs;
     const summaryMtime = statSync3(summaryPath).mtimeMs;
     if (summaryMtime >= knowledgeMtime) {
-      knowledge = readFileSync8(summaryPath, "utf-8");
+      knowledge = readFileSync6(summaryPath, "utf-8");
     } else {
       console.warn(`[agent-config] ${agentName}: KNOWLEDGE-SUMMARY.md is stale (KNOWLEDGE.md is newer) \u2014 using full knowledge`);
-      knowledge = readFileSync8(knowledgePath, "utf-8");
+      knowledge = readFileSync6(knowledgePath, "utf-8");
     }
     knowledgeBaked = true;
   } else if (hasKnowledge) {
-    knowledge = readFileSync8(knowledgePath, "utf-8");
+    knowledge = readFileSync6(knowledgePath, "utf-8");
     knowledgeBaked = true;
   }
   let budget = null;
@@ -7575,11 +6339,11 @@ function resolveAgentConfig(accountDir, agentName) {
   return { model, plugins, status, displayName, image, imageShape, showAgentName, knowledge, knowledgeBaked, liveMemory, knowledgeKeywords, budget, accessMode };
 }
 function parsePluginFrontmatter(pluginDir) {
-  const pluginPath = resolve8(PLATFORM_ROOT4, "plugins", pluginDir, "PLUGIN.md");
-  if (!existsSync7(pluginPath)) return null;
+  const pluginPath = resolve5(PLATFORM_ROOT3, "plugins", pluginDir, "PLUGIN.md");
+  if (!existsSync5(pluginPath)) return null;
   let raw2;
   try {
-    raw2 = readFileSync8(pluginPath, "utf-8");
+    raw2 = readFileSync6(pluginPath, "utf-8");
   } catch {
     console.warn(`[plugins] cannot read ${pluginPath}`);
     return null;
@@ -7638,24 +6402,24 @@ function parsePluginFrontmatter(pluginDir) {
 function autoDeliverPremiumPlugins(purchasedPlugins) {
   if (!purchasedPlugins || purchasedPlugins.length === 0) return;
   const TAG19 = "[premium-auto-deliver]";
-  const stagingRoot = resolve8(PLATFORM_ROOT4, "../premium-plugins");
-  const pluginsDir = resolve8(PLATFORM_ROOT4, "plugins");
-  if (!existsSync7(stagingRoot)) {
+  const stagingRoot = resolve5(PLATFORM_ROOT3, "../premium-plugins");
+  const pluginsDir = resolve5(PLATFORM_ROOT3, "plugins");
+  if (!existsSync5(stagingRoot)) {
     console.log(`${TAG19} no staging directory \u2014 skipping`);
     return;
   }
   for (const pluginName of purchasedPlugins) {
-    const stagingDir = resolve8(stagingRoot, pluginName);
-    if (!existsSync7(stagingDir)) {
+    const stagingDir = resolve5(stagingRoot, pluginName);
+    if (!existsSync5(stagingDir)) {
       console.log(`${TAG19} ${pluginName}: not in staging \u2014 skipping`);
       continue;
     }
-    const bundlePath = join4(stagingDir, "BUNDLE.md");
-    const isBundle = existsSync7(bundlePath);
+    const bundlePath = join3(stagingDir, "BUNDLE.md");
+    const isBundle = existsSync5(bundlePath);
     if (isBundle) {
       let bundleRaw;
       try {
-        bundleRaw = readFileSync8(bundlePath, "utf-8");
+        bundleRaw = readFileSync6(bundlePath, "utf-8");
       } catch (err) {
         console.log(`${TAG19} ${pluginName}: cannot read BUNDLE.md \u2014 ${err instanceof Error ? err.message : String(err)}`);
         continue;
@@ -7686,13 +6450,13 @@ function autoDeliverPremiumPlugins(purchasedPlugins) {
       let delivered = 0;
       let skipped = 0;
       for (const sub of subPlugins) {
-        const target = resolve8(pluginsDir, sub);
-        if (existsSync7(resolve8(target, "PLUGIN.md"))) {
+        const target = resolve5(pluginsDir, sub);
+        if (existsSync5(resolve5(target, "PLUGIN.md"))) {
           skipped++;
           continue;
         }
-        const source = resolve8(stagingDir, "plugins", sub);
-        if (!existsSync7(source)) {
+        const source = resolve5(stagingDir, "plugins", sub);
+        if (!existsSync5(source)) {
           console.log(`${TAG19} ${pluginName}/${sub}: source missing in staging \u2014 skipping`);
           continue;
         }
@@ -7705,8 +6469,8 @@ function autoDeliverPremiumPlugins(purchasedPlugins) {
       }
       console.log(`${TAG19} ${pluginName} (bundle): ${delivered} delivered, ${skipped} already present`);
     } else {
-      const target = resolve8(pluginsDir, pluginName);
-      if (existsSync7(resolve8(target, "PLUGIN.md"))) {
+      const target = resolve5(pluginsDir, pluginName);
+      if (existsSync5(resolve5(target, "PLUGIN.md"))) {
         console.log(`${TAG19} ${pluginName}: already present \u2014 skipping`);
         continue;
       }
@@ -7746,21 +6510,21 @@ function migratePluginRenames(accountDir, config) {
     return name;
   });
   if (!changed) return;
-  const configPath2 = resolve8(accountDir, "account.json");
+  const configPath2 = resolve5(accountDir, "account.json");
   try {
-    const raw2 = readFileSync8(configPath2, "utf-8");
+    const raw2 = readFileSync6(configPath2, "utf-8");
     const parsed = JSON.parse(raw2);
     parsed.enabledPlugins = migrated;
-    writeFileSync6(configPath2, JSON.stringify(parsed, null, 2) + "\n");
+    writeFileSync5(configPath2, JSON.stringify(parsed, null, 2) + "\n");
     config.enabledPlugins = migrated;
     console.log(`${TAG19} account.json updated (${migrated.length} plugins)`);
   } catch (err) {
     console.error(`${TAG19} failed to update account.json \u2014 ${err instanceof Error ? err.message : String(err)}`);
   }
-  const pluginsDir = resolve8(PLATFORM_ROOT4, "plugins");
+  const pluginsDir = resolve5(PLATFORM_ROOT3, "plugins");
   for (const oldName of Object.keys(PLUGIN_RENAMES)) {
-    const orphan = resolve8(pluginsDir, oldName);
-    if (existsSync7(orphan)) {
+    const orphan = resolve5(pluginsDir, oldName);
+    if (existsSync5(orphan)) {
       try {
         rmSync2(orphan, { recursive: true });
         console.log(`${TAG19} removed orphan: ${oldName}`);
@@ -7773,22 +6537,22 @@ function migratePluginRenames(accountDir, config) {
 function autoDeliverBundleAgents(accountDir, purchasedPlugins) {
   if (!purchasedPlugins || purchasedPlugins.length === 0) return;
   const TAG19 = "[bundle-agent-deliver]";
-  const stagingRoot = resolve8(PLATFORM_ROOT4, "../premium-plugins");
-  const specialistsDir = resolve8(accountDir, "specialists", "agents");
-  if (!existsSync7(stagingRoot)) return;
-  if (!existsSync7(specialistsDir)) {
-    mkdirSync6(specialistsDir, { recursive: true });
+  const stagingRoot = resolve5(PLATFORM_ROOT3, "../premium-plugins");
+  const specialistsDir = resolve5(accountDir, "specialists", "agents");
+  if (!existsSync5(stagingRoot)) return;
+  if (!existsSync5(specialistsDir)) {
+    mkdirSync4(specialistsDir, { recursive: true });
   }
-  const agentsmdPath = resolve8(accountDir, "agents", "admin", "AGENTS.md");
+  const agentsmdPath = resolve5(accountDir, "agents", "admin", "AGENTS.md");
   let agentsmd = "";
   try {
-    agentsmd = existsSync7(agentsmdPath) ? readFileSync8(agentsmdPath, "utf-8") : "";
+    agentsmd = existsSync5(agentsmdPath) ? readFileSync6(agentsmdPath, "utf-8") : "";
   } catch {
   }
   let delivered = 0;
   for (const pluginName of purchasedPlugins) {
-    const bundleAgentsDir = resolve8(stagingRoot, pluginName, "agents");
-    if (!existsSync7(bundleAgentsDir)) continue;
+    const bundleAgentsDir = resolve5(stagingRoot, pluginName, "agents");
+    if (!existsSync5(bundleAgentsDir)) continue;
     let entries;
     try {
       entries = readdirSync2(bundleAgentsDir).filter((f) => f.endsWith(".md"));
@@ -7796,9 +6560,9 @@ function autoDeliverBundleAgents(accountDir, purchasedPlugins) {
       continue;
     }
     for (const filename of entries) {
-      const target = resolve8(specialistsDir, filename);
-      if (existsSync7(target)) continue;
-      const source = resolve8(bundleAgentsDir, filename);
+      const target = resolve5(specialistsDir, filename);
+      if (existsSync5(target)) continue;
+      const source = resolve5(bundleAgentsDir, filename);
       try {
         cpSync(source, target);
       } catch (err) {
@@ -7806,7 +6570,7 @@ function autoDeliverBundleAgents(accountDir, purchasedPlugins) {
         continue;
       }
       try {
-        const content = readFileSync8(target, "utf-8");
+        const content = readFileSync6(target, "utf-8");
         const fmMatch = content.match(/^---\n([\s\S]*?)\n---/);
         if (fmMatch) {
           const nameMatch = fmMatch[1].match(/^name:\s*(.+)/m);
@@ -7830,7 +6594,7 @@ function autoDeliverBundleAgents(accountDir, purchasedPlugins) {
   }
   if (delivered > 0) {
     try {
-      writeFileSync6(agentsmdPath, agentsmd);
+      writeFileSync5(agentsmdPath, agentsmd);
       console.log(`${TAG19} AGENTS.md updated (${delivered} agents added)`);
     } catch (err) {
       console.error(`${TAG19} AGENTS.md update failed \u2014 ${err instanceof Error ? err.message : String(err)}`);
@@ -7838,11 +6602,11 @@ function autoDeliverBundleAgents(accountDir, purchasedPlugins) {
   }
 }
 function assemblePublicPluginContent(pluginDir) {
-  const pluginRoot = resolve8(PLATFORM_ROOT4, "plugins", pluginDir);
-  const pluginPath = resolve8(pluginRoot, "PLUGIN.md");
+  const pluginRoot = resolve5(PLATFORM_ROOT3, "plugins", pluginDir);
+  const pluginPath = resolve5(pluginRoot, "PLUGIN.md");
   let raw2;
   try {
-    raw2 = readFileSync8(pluginPath, "utf-8");
+    raw2 = readFileSync6(pluginPath, "utf-8");
   } catch {
     return null;
   }
@@ -7851,7 +6615,7 @@ function assemblePublicPluginContent(pluginDir) {
   const parts = [pluginBody];
   let skillCount = 0;
   let refCount = 0;
-  const skillsDir = resolve8(pluginRoot, "skills");
+  const skillsDir = resolve5(pluginRoot, "skills");
   let skillDirs;
   try {
     skillDirs = readdirSync2(skillsDir).sort();
@@ -7859,11 +6623,11 @@ function assemblePublicPluginContent(pluginDir) {
     return { body: pluginBody, skillCount: 0, refCount: 0 };
   }
   for (const skillName of skillDirs) {
-    const skillDir = resolve8(skillsDir, skillName);
-    const skillMdPath = resolve8(skillDir, "SKILL.md");
+    const skillDir = resolve5(skillsDir, skillName);
+    const skillMdPath = resolve5(skillDir, "SKILL.md");
     let skillRaw;
     try {
-      skillRaw = readFileSync8(skillMdPath, "utf-8");
+      skillRaw = readFileSync6(skillMdPath, "utf-8");
     } catch {
       continue;
     }
@@ -7903,7 +6667,7 @@ function assemblePublicPluginContent(pluginDir) {
     parts.push(`
 <!-- skill: ${skillName} -->`);
     parts.push(skillBody);
-    const refsDir = resolve8(skillDir, "references");
+    const refsDir = resolve5(skillDir, "references");
     let refFiles;
     try {
       refFiles = readdirSync2(refsDir).filter((f) => f.endsWith(".md")).filter((f) => !publicExcludeReferences.includes(f)).sort();
@@ -7914,7 +6678,7 @@ function assemblePublicPluginContent(pluginDir) {
     }
     for (const refFile of refFiles) {
       try {
-        const refContent = readFileSync8(resolve8(refsDir, refFile), "utf-8").trim();
+        const refContent = readFileSync6(resolve5(refsDir, refFile), "utf-8").trim();
         if (refContent) {
           parts.push(`
 <!-- reference: ${refFile} -->`);
@@ -7932,7 +6696,7 @@ function assemblePublicPluginContent(pluginDir) {
   return { body: parts.join("\n"), skillCount, refCount };
 }
 function loadEmbeddedPlugins(agentType, selectedPlugins, enabledPlugins) {
-  const pluginsDir = resolve8(PLATFORM_ROOT4, "plugins");
+  const pluginsDir = resolve5(PLATFORM_ROOT3, "plugins");
   let dirs;
   try {
     dirs = readdirSync2(pluginsDir);
@@ -7985,10 +6749,10 @@ function loadEmbeddedPlugins(agentType, selectedPlugins, enabledPlugins) {
         console.log(`[plugins] loaded ${dir} for public (${assembled.body.length} chars, ${assembled.skillCount} skills, ${assembled.refCount} refs)`);
       }
     } else {
-      const pluginPath = resolve8(pluginsDir, dir, "PLUGIN.md");
+      const pluginPath = resolve5(pluginsDir, dir, "PLUGIN.md");
       let raw2;
       try {
-        raw2 = readFileSync8(pluginPath, "utf-8");
+        raw2 = readFileSync6(pluginPath, "utf-8");
       } catch (err) {
         console.warn(`[plugins] ${dir}: failed to read PLUGIN.md for ${agentType} embed: ${String(err)}`);
         continue;
@@ -8012,14 +6776,14 @@ var mcpToolsCache = /* @__PURE__ */ new Map();
 function fetchMcpToolsList(pluginDir) {
   const cached = mcpToolsCache.get(pluginDir);
   if (cached) return Promise.resolve(cached);
-  const serverPath = resolve8(PLATFORM_ROOT4, "plugins", pluginDir, "mcp/dist/index.js");
-  if (!existsSync7(serverPath)) return Promise.resolve([]);
+  const serverPath = resolve5(PLATFORM_ROOT3, "plugins", pluginDir, "mcp/dist/index.js");
+  if (!existsSync5(serverPath)) return Promise.resolve([]);
   const startMs = Date.now();
   return new Promise((resolvePromise) => {
     const proc = spawn2(process.execPath, [serverPath], {
       env: {
         ...process.env,
-        PLATFORM_ROOT: PLATFORM_ROOT4,
+        PLATFORM_ROOT: PLATFORM_ROOT3,
         ACCOUNT_ID: "__toolslist__",
         PLATFORM_PORT: process.env.PORT ?? "19200"
       }
@@ -8125,7 +6889,7 @@ var SPECIALIST_PLUGIN_DOMAINS = {
   // agent, so it retains a full manifest entry for routing clarity.
 };
 async function buildPluginManifest(enabledPlugins) {
-  const pluginsDir = resolve8(PLATFORM_ROOT4, "plugins");
+  const pluginsDir = resolve5(PLATFORM_ROOT3, "plugins");
   let dirs;
   try {
     dirs = readdirSync2(pluginsDir);
@@ -8212,16 +6976,16 @@ ${specialist}: ${plugins.join(", ")}`);
   for (let j = 0; j < adminPlugins.length; j++) {
     const { dir, parsed } = adminPlugins[j];
     const mcpTools = adminMcpResults[j];
-    const pluginRoot = resolve8(pluginsDir, dir);
+    const pluginRoot = resolve5(pluginsDir, dir);
     const skills = [];
     const references = [];
     const scanDir = (base, prefix, target) => {
-      const scanPath = resolve8(pluginRoot, base);
-      if (!existsSync7(scanPath)) return;
+      const scanPath = resolve5(pluginRoot, base);
+      if (!existsSync5(scanPath)) return;
       try {
         const walk = (current, rel) => {
           for (const entry of readdirSync2(current)) {
-            const full = resolve8(current, entry);
+            const full = resolve5(current, entry);
             try {
               const stat5 = statSync3(full);
               if (stat5.isDirectory()) {
@@ -8249,8 +7013,8 @@ ${specialist}: ${plugins.join(", ")}`);
         toolLines.push(desc ? `  ${tool.name} \u2014 ${desc}` : `  ${tool.name}`);
       }
     } else if (parsed.tools.length > 0) {
-      const serverPath = resolve8(PLATFORM_ROOT4, "plugins", dir, "mcp/dist/index.js");
-      if (existsSync7(serverPath)) {
+      const serverPath = resolve5(PLATFORM_ROOT3, "plugins", dir, "mcp/dist/index.js");
+      if (existsSync5(serverPath)) {
         fallbackSourced++;
         console.error(`[plugin-manifest] ${dir}: tools/list empty \u2014 fallback to frontmatter (${parsed.tools.length} tools)`);
       }
@@ -8325,16 +7089,16 @@ function getDefaultAccountId() {
   return resolveAccount()?.accountId ?? null;
 }
 function resolveUserAccounts(userId) {
-  if (!existsSync7(ACCOUNTS_DIR)) return [];
+  if (!existsSync5(ACCOUNTS_DIR)) return [];
   const results = [];
   const entries = readdirSync2(ACCOUNTS_DIR, { withFileTypes: true });
   for (const entry of entries) {
     if (!entry.isDirectory()) continue;
-    const configPath2 = resolve8(ACCOUNTS_DIR, entry.name, "account.json");
-    if (!existsSync7(configPath2)) continue;
+    const configPath2 = resolve5(ACCOUNTS_DIR, entry.name, "account.json");
+    if (!existsSync5(configPath2)) continue;
     let config;
     try {
-      config = JSON.parse(readFileSync8(configPath2, "utf-8"));
+      config = JSON.parse(readFileSync6(configPath2, "utf-8"));
     } catch {
       console.error(`[session] account.json corrupt at ${configPath2} \u2014 skipping`);
       continue;
@@ -8343,7 +7107,7 @@ function resolveUserAccounts(userId) {
     if (adminEntry) {
       results.push({
         accountId: config.accountId,
-        accountDir: resolve8(ACCOUNTS_DIR, entry.name),
+        accountDir: resolve5(ACCOUNTS_DIR, entry.name),
         config,
         role: adminEntry.role
       });
@@ -8404,8 +7168,75 @@ function clearSessionHistory(sessionKey) {
   session.stalledSubagents = void 0;
   session.pendingTrimmedMessages = void 0;
   session.pendingCommitmentOffers = void 0;
+  session.pendingTurns = void 0;
   return previousConversationId;
 }
+function bufferPendingTurn(sessionKey, turn) {
+  const session = sessionStore.get(sessionKey);
+  if (!session) {
+    console.error(`[conversation-gate] bufferPendingTurn: session not found sessionKey=${sessionKey.slice(0, 8)}\u2026`);
+    return;
+  }
+  if (!session.pendingTurns) session.pendingTurns = [];
+  session.pendingTurns.push(turn);
+  console.log(`[conversation-gate] ${(/* @__PURE__ */ new Date()).toISOString()} buffered sessionKey=${sessionKey.slice(0, 8)} role=${turn.role} turnCount=${session.pendingTurns.filter((t) => t.role === "user").length}`);
+}
+function getPendingTurnCount(sessionKey) {
+  const buf = sessionStore.get(sessionKey)?.pendingTurns;
+  if (!buf) return 0;
+  let n = 0;
+  for (const t of buf) if (t.role === "user") n++;
+  return n;
+}
+function drainPendingTurns(sessionKey) {
+  const session = sessionStore.get(sessionKey);
+  if (!session?.pendingTurns || session.pendingTurns.length === 0) return void 0;
+  const drained = session.pendingTurns;
+  session.pendingTurns = void 0;
+  return drained;
+}
+async function maybeFlushConversationBuffer(sessionKey, agentType, accountId) {
+  const session = sessionStore.get(sessionKey);
+  if (!session) return null;
+  if (session.conversationId) return session.conversationId;
+  if (getPendingTurnCount(sessionKey) < 2) return null;
+  if (session.flushInFlight) return session.flushInFlight;
+  const attempt = (async () => {
+    let conversationId = null;
+    if (agentType === "admin") {
+      const userId = session.userId;
+      if (!userId) {
+        console.error(`[conversation-gate] flush aborted: admin session missing userId sessionKey=${sessionKey.slice(0, 8)}\u2026`);
+        return null;
+      }
+      conversationId = await createNewAdminConversation(userId, accountId, sessionKey);
+    } else {
+      conversationId = await ensureConversation(accountId, "public", sessionKey, void 0, void 0, void 0);
+    }
+    if (!conversationId) return null;
+    session.conversationId = conversationId;
+    const buffered = drainPendingTurns(sessionKey) ?? [];
+    for (const turn of buffered) {
+      persistMessage(conversationId, turn.role, turn.content, accountId, turn.tokens, turn.timestamp, turn.sender).catch((err) => {
+        console.error(`[conversation-gate] replay persistMessage failed role=${turn.role}: ${err instanceof Error ? err.message : String(err)}`);
+      });
+    }
+    console.log(`[conversation-gate] ${(/* @__PURE__ */ new Date()).toISOString()} flushed sessionKey=${sessionKey.slice(0, 8)} conversationId=${conversationId.slice(0, 8)} bufferedMessages=${buffered.length} agentType=${agentType}`);
+    return conversationId;
+  })();
+  session.flushInFlight = attempt;
+  try {
+    return await attempt;
+  } finally {
+    if (session.flushInFlight === attempt) session.flushInFlight = void 0;
+  }
+}
+function isDmChannelSessionKey(sessionKey) {
+  return sessionKey.startsWith("whatsapp:") || sessionKey.startsWith("telegram:");
+}
+function preflushStreamLogKey(sessionKey) {
+  return `preflush-${sessionKey.slice(0, 12)}`;
+}
 function getAgentNameForSession(sessionKey) {
   return sessionStore.get(sessionKey)?.agentName;
 }
@@ -8560,8 +7391,8 @@ function consumeStalledSubagents(sessionKey) {
   return stalls && stalls.length > 0 ? stalls : void 0;
 }
 function streamLogPathFor(accountId, conversationId) {
-  const logDir = resolve8(ACCOUNTS_DIR, accountId, "logs");
-  const streamLogPath = resolve8(logDir, `claude-agent-stream-${conversationId}.log`);
+  const logDir = resolve5(ACCOUNTS_DIR, accountId, "logs");
+  const streamLogPath = resolve5(logDir, `claude-agent-stream-${conversationId}.log`);
   return { logDir, streamLogPath };
 }
 function buildSpawnEnv(accountId, accountDir, conversationId) {
@@ -8571,7 +7402,7 @@ function buildSpawnEnv(accountId, accountDir, conversationId) {
   const { logDir, streamLogPath } = streamLogPathFor(accountId, conversationId);
   return {
     ...process.env,
-    PLATFORM_ROOT: PLATFORM_ROOT4,
+    PLATFORM_ROOT: PLATFORM_ROOT3,
     ACCOUNT_DIR: accountDir,
     ACCOUNT_ID: accountId,
     LOG_DIR: logDir,
@@ -8582,8 +7413,8 @@ var cachedBrandHostname = null;
 function readBrandHostname() {
   if (cachedBrandHostname !== null) return cachedBrandHostname;
   try {
-    const brandPath = resolve8(PLATFORM_ROOT4, "config", "brand.json");
-    const parsed = JSON.parse(readFileSync8(brandPath, "utf-8"));
+    const brandPath = resolve5(PLATFORM_ROOT3, "config", "brand.json");
+    const parsed = JSON.parse(readFileSync6(brandPath, "utf-8"));
     cachedBrandHostname = typeof parsed.hostname === "string" && parsed.hostname.length > 0 ? parsed.hostname : "maxy";
   } catch {
     cachedBrandHostname = "maxy";
@@ -8612,7 +7443,7 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
   const { logDir: LOG_DIR2, streamLogPath: STREAM_LOG_PATH } = streamLogPathFor(accountId, conversationId);
   const baseEnv = {
     ACCOUNT_ID: accountId,
-    PLATFORM_ROOT: PLATFORM_ROOT4,
+    PLATFORM_ROOT: PLATFORM_ROOT3,
     LOG_DIR: LOG_DIR2,
     STREAM_LOG_PATH,
     NEO4J_URI: requireNeo4jUri()
@@ -8620,37 +7451,37 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
   const servers = {
     "memory": {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "plugins/memory/mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "plugins/memory/mcp/dist/index.js")],
       env: { ...baseEnv, ...userId ? { USER_ID: userId } : {} }
     },
     "contacts": {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "plugins/contacts/mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "plugins/contacts/mcp/dist/index.js")],
       env: { ...baseEnv }
     },
     "whatsapp": {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "plugins/whatsapp/mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "plugins/whatsapp/mcp/dist/index.js")],
       env: { ...baseEnv, PLATFORM_PORT: process.env.PORT ?? "19200" }
     },
     "admin": {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "plugins/admin/mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "plugins/admin/mcp/dist/index.js")],
       env: { ...baseEnv, PLATFORM_PORT: process.env.PORT ?? "19200", ...userId ? { USER_ID: userId } : {} }
     },
     "scheduling": {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "plugins/scheduling/mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "plugins/scheduling/mcp/dist/index.js")],
       env: { ...baseEnv }
     },
     "tasks": {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "plugins/tasks/mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "plugins/tasks/mcp/dist/index.js")],
       env: { ...baseEnv }
     },
     "email": {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "plugins/email/mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "plugins/email/mcp/dist/index.js")],
       env: { ...baseEnv }
     },
     // Workflows MCP — persistent admin-session server for list/get/update/delete/
@@ -8661,7 +7492,7 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
     // ToolSearches fruitlessly before degrading to a task-create stand-in (Task 571).
     "workflows": {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "plugins/workflows/mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "plugins/workflows/mcp/dist/index.js")],
       env: { ...baseEnv }
     },
     // Playwright MCP server — browser automation for browser-specialist.
@@ -8683,7 +7514,7 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
     // MAXY-PRD.md:627, not in any application-layer filter).
     "graph": {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "lib/graph-mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "lib/graph-mcp/dist/index.js")],
       env: {
         ...baseEnv,
         BRAND: readBrandHostname(),
@@ -8699,7 +7530,7 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
   if (tgBotToken) {
     servers["telegram"] = {
       command: "node",
-      args: [resolve8(PLATFORM_ROOT4, "plugins/telegram/mcp/dist/index.js")],
+      args: [resolve5(PLATFORM_ROOT3, "plugins/telegram/mcp/dist/index.js")],
       env: { ...baseEnv, TELEGRAM_BOT_TOKEN: tgBotToken }
     };
   } else {
@@ -8707,11 +7538,11 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
   }
   servers["cloudflare"] = {
     command: "node",
-    args: [resolve8(PLATFORM_ROOT4, "plugins/cloudflare/mcp/dist/index.js")],
+    args: [resolve5(PLATFORM_ROOT3, "plugins/cloudflare/mcp/dist/index.js")],
     env: { ...baseEnv, PLATFORM_PORT: process.env.PORT ?? "19200" }
   };
   if (Array.isArray(enabledPlugins) && enabledPlugins.length > 0) {
-    const pluginsDir = resolve8(PLATFORM_ROOT4, "plugins");
+    const pluginsDir = resolve5(PLATFORM_ROOT3, "plugins");
     let dirs;
     try {
       dirs = readdirSync2(pluginsDir);
@@ -8734,8 +7565,8 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
           continue;
         }
       }
-      const mcpEntry = resolve8(PLATFORM_ROOT4, "plugins", dir, "mcp/dist/index.js");
-      if (!existsSync7(mcpEntry)) continue;
+      const mcpEntry = resolve5(PLATFORM_ROOT3, "plugins", dir, "mcp/dist/index.js");
+      if (!existsSync5(mcpEntry)) continue;
       servers[dir] = {
         command: "node",
         args: [mcpEntry],
@@ -8870,7 +7701,7 @@ var ADMIN_CORE_TOOLS = [
 function getAdminAllowedTools(enabledPlugins) {
   const tools = [...ADMIN_CORE_TOOLS];
   if (Array.isArray(enabledPlugins) && enabledPlugins.length > 0) {
-    const pluginsDir = resolve8(PLATFORM_ROOT4, "plugins");
+    const pluginsDir = resolve5(PLATFORM_ROOT3, "plugins");
     let dirs;
     try {
       dirs = readdirSync2(pluginsDir);
@@ -8978,18 +7809,18 @@ ${message.slice(0, QUERY_CLASSIFIER_MSG_CAP)}`
   }
 }
 async function fetchMemoryContext(accountId, query, sessionKey, options) {
-  const serverPath = resolve8(PLATFORM_ROOT4, "plugins/memory/mcp/dist/index.js");
-  if (!existsSync7(serverPath)) {
+  const serverPath = resolve5(PLATFORM_ROOT3, "plugins/memory/mcp/dist/index.js");
+  if (!existsSync5(serverPath)) {
     console.error(`[fetchMemoryContext] MCP server not found: ${serverPath}`);
     return null;
   }
   const startMs = Date.now();
-  return new Promise((resolve31) => {
+  return new Promise((resolve28) => {
     const proc = spawn2(process.execPath, [serverPath], {
       env: {
         ...process.env,
         ACCOUNT_ID: accountId,
-        PLATFORM_ROOT: PLATFORM_ROOT4,
+        PLATFORM_ROOT: PLATFORM_ROOT3,
         READ_ONLY: "true",
         ALLOWED_SCOPES: "public,shared",
         ...sessionKey ? { SESSION_ID: sessionKey } : {},
@@ -9013,7 +7844,7 @@ async function fetchMemoryContext(accountId, query, sessionKey, options) {
       } else {
         console.error(`[fetchMemoryContext] failed: ${reason} (${elapsed}ms)${stderrBuf ? ` stderr: ${stderrBuf.slice(0, 500)}` : ""}`);
       }
-      resolve31(value);
+      resolve28(value);
     };
     proc.stdout.on("data", (chunk) => {
       buffer += chunk.toString();
@@ -9076,8 +7907,8 @@ async function fetchMemoryContext(accountId, query, sessionKey, options) {
 }
 async function compactTrimmedMessages(accountId, trimmedMessages) {
   if (trimmedMessages.length === 0) return true;
-  const serverPath = resolve8(PLATFORM_ROOT4, "plugins/memory/mcp/dist/index.js");
-  if (!existsSync7(serverPath)) return false;
+  const serverPath = resolve5(PLATFORM_ROOT3, "plugins/memory/mcp/dist/index.js");
+  if (!existsSync5(serverPath)) return false;
   const briefing = trimmedMessages.map((m) => `[${m.role.toUpperCase()}] ${m.content}`).join("\n\n");
   return new Promise((resolvePromise) => {
     const proc = spawn2(process.execPath, [serverPath], {
@@ -9394,8 +8225,8 @@ Then respond with only: [COMPACTED]`;
 var COMPACTION_TIMEOUT_MS = 45e3;
 async function* runCompactionTurn(accountDir, accountId, systemPrompt, resumeSessionId, adminModel, conversationId, enabledPlugins) {
   const mcpConfig = JSON.stringify({ mcpServers: getMcpServers(accountId, conversationId, void 0, enabledPlugins) });
-  const specialistsDir = resolve8(accountDir, "specialists");
-  if (!existsSync7(specialistsDir)) agentLogStream("claude-agent-compaction-stream", accountDir, conversationId).write(`[${isoTs()}] [warn] specialists plugin dir missing: ${specialistsDir}
+  const specialistsDir = resolve5(accountDir, "specialists");
+  if (!existsSync5(specialistsDir)) agentLogStream("claude-agent-compaction-stream", accountDir, conversationId).write(`[${isoTs()}] [warn] specialists plugin dir missing: ${specialistsDir}
 `);
   const args = [
     "--print",
@@ -9668,7 +8499,7 @@ async function* parseClaudeStream(proc, streamLog, adminModel, conversationId, a
               const { logDir } = streamLogPathFor(accountId, conversationId);
               const date = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
               for (const s of failed) {
-                const stderrPath = resolve8(logDir, `mcp-${s.name}-stderr-${date}.log`);
+                const stderrPath = resolve5(logDir, `mcp-${s.name}-stderr-${date}.log`);
                 let tail = "(no stderr file)";
                 try {
                   const stats = statSync3(stderrPath);
@@ -10298,20 +9129,24 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
   const userTimestamp = clientTimestamp ?? (/* @__PURE__ */ new Date()).toISOString();
   const resumeSessionId = sessionKey ? getAgentSessionId(sessionKey) : void 0;
   const spawnConvId = sessionKey ? getConversationIdForSession(sessionKey) : void 0;
-  if (!spawnConvId) {
-    throw new Error(`invokeAdminAgent: conversationId missing for sessionKey=${sessionKey?.slice(0, 8) ?? "none"} \u2014 ensureConversation must run before invoking the agent`);
+  if (!spawnConvId && sessionKey && getPendingTurnCount(sessionKey) >= 2) {
+    throw new Error(`invokeAdminAgent: conversationId missing post-flush for sessionKey=${sessionKey.slice(0, 8)} \u2014 maybeFlushConversationBuffer must bind it before invoking the agent`);
+  }
+  const spawnLogKey = spawnConvId ?? (sessionKey ? preflushStreamLogKey(sessionKey) : void 0);
+  if (!spawnLogKey) {
+    throw new Error(`invokeAdminAgent: sessionKey required \u2014 cannot resolve log stream without one`);
   }
   const cdpOk = await ensureCdp();
   if (!cdpOk) {
-    const cdpLog = agentLogStream("claude-agent-stream", accountDir, spawnConvId);
+    const cdpLog = agentLogStream("claude-agent-stream", accountDir, spawnLogKey);
     cdpLog.write(`[${isoTs()}] [warn] ensureCdp failed \u2014 browser-specialist degraded
 `);
     cdpLog.end();
   }
   const ccUserId = sessionKey ? getUserIdForSession(sessionKey) : void 0;
-  const mcpConfig = JSON.stringify({ mcpServers: getMcpServers(accountId, spawnConvId, ccUserId, enabledPlugins) });
-  const specialistsDir = resolve8(accountDir, "specialists");
-  if (!existsSync7(specialistsDir)) agentLogStream("claude-agent-stream", accountDir, spawnConvId).write(`[${isoTs()}] [warn] specialists plugin dir missing: ${specialistsDir}
+  const mcpConfig = JSON.stringify({ mcpServers: getMcpServers(accountId, spawnLogKey, ccUserId, enabledPlugins) });
+  const specialistsDir = resolve5(accountDir, "specialists");
+  if (!existsSync5(specialistsDir)) agentLogStream("claude-agent-stream", accountDir, spawnLogKey).write(`[${isoTs()}] [warn] specialists plugin dir missing: ${specialistsDir}
 `);
   const args = [
     "--print",
@@ -10342,19 +9177,19 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
     cwd: accountDir,
     stdio: ["ignore", "pipe", "pipe"],
     // Task 556: STREAM_LOG_PATH inherited by Bash-tool subprocesses.
-    env: buildSpawnEnv(accountId, accountDir, spawnConvId)
+    env: buildSpawnEnv(accountId, accountDir, spawnLogKey)
   });
-  const stderrLog = agentLogStream("claude-agent-stderr", accountDir, spawnConvId);
+  const stderrLog = agentLogStream("claude-agent-stderr", accountDir, spawnLogKey);
   stderrLog.on("error", () => {
   });
   proc.stderr?.pipe(stderrLog);
-  const streamLog = agentLogStream("claude-agent-stream", accountDir, spawnConvId);
+  const streamLog = agentLogStream("claude-agent-stream", accountDir, spawnLogKey);
   streamLog.on("error", () => {
   });
   teeProcStderrToStreamLog(proc, streamLog);
   streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
 `);
-  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${spawnConvId} site=admin
+  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${spawnConvId ?? "preflush"} logKey=${spawnLogKey} site=admin
 `);
   if (sessionKey) {
     const prev = activeProcesses.get(sessionKey);
@@ -10364,7 +9199,7 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
     }
     activeProcesses.set(sessionKey, { pid: proc.pid, spawnedAt: Date.now() });
   }
-  streamLog.write(`[${isoTs()}] [spawn] pid=${proc.pid} resume=${resumeSessionId ?? "none"} sessionKey=${sessionKey ?? "none"} conversationId=${spawnConvId} pluginDir=${specialistsDir}
+  streamLog.write(`[${isoTs()}] [spawn] pid=${proc.pid} resume=${resumeSessionId ?? "none"} sessionKey=${sessionKey ?? "none"} conversationId=${spawnConvId ?? "preflush"} logKey=${spawnLogKey} pluginDir=${specialistsDir}
 `);
   streamLog.write(`[${isoTs()}] [stdin] len=${fullMessage.length} preview=${JSON.stringify(fullMessage.slice(0, 80))}
 `);
@@ -10436,7 +9271,7 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
     }
     if (event.type === "usage" && sessionKey && currentAgentSessionId) {
       const peakReqPct = event.peak_request_pct ?? 0;
-      if (peakReqPct >= COMPACTION_THRESHOLD) {
+      if (peakReqPct >= COMPACTION_THRESHOLD && spawnConvId) {
         const compactionIter = runCompactionTurn(accountDir, accountId, systemPrompt, currentAgentSessionId, adminModel, spawnConvId, enabledPlugins);
         let step = await compactionIter.next();
         while (!step.done) {
@@ -10546,9 +9381,9 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
       } else {
         gotDone = true;
         if (!sessionWasReset) {
+          const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
           const convId = sessionKey ? sessionStore.get(sessionKey)?.conversationId : void 0;
           if (convId) {
-            const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
             persistMessage(convId, "user", fullMessage, accountId, void 0, userTimestamp).catch(() => {
             });
             autoLabelSession(convId, fullMessage).catch(() => {
@@ -10556,7 +9391,14 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
             if (responseText) persistMessage(convId, "assistant", responseText, accountId, capturedTokens, assistantTimestamp).catch(() => {
             });
           } else if (sessionKey) {
-            console.warn(`[persist] skipped: no conversationId for sessionKey=${sessionKey.slice(0, 12)}\u2026 (session registered=${sessionStore.has(sessionKey)})`);
+            bufferPendingTurn(sessionKey, { role: "user", content: fullMessage, timestamp: userTimestamp });
+            if (responseText) bufferPendingTurn(sessionKey, { role: "assistant", content: responseText, timestamp: assistantTimestamp, tokens: capturedTokens });
+            const flushedId = await maybeFlushConversationBuffer(sessionKey, "admin", accountId);
+            if (flushedId) {
+              autoLabelSession(flushedId, fullMessage).catch(() => {
+              });
+              yield { type: "conversation_attributed", conversationId: flushedId };
+            }
           }
           if (sessionKey) {
             const commitSession = sessionStore.get(sessionKey);
@@ -10619,9 +9461,10 @@ ${summary}`;
 async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accountId, adminModel, sessionKey, maxTurns = 20, attachments = [], retryCount = 0, enabledPlugins, clientTimestamp, adherenceConstraints, agentName) {
   const userTimestamp = clientTimestamp ?? (/* @__PURE__ */ new Date()).toISOString();
   const managedConvId = getConversationIdForSession(sessionKey);
-  if (!managedConvId) {
-    throw new Error(`invokeManagedAdminAgent: conversationId missing for sessionKey=${sessionKey.slice(0, 8)} \u2014 ensureConversation must run first`);
+  if (!managedConvId && getPendingTurnCount(sessionKey) >= 2) {
+    throw new Error(`invokeManagedAdminAgent: conversationId missing post-flush for sessionKey=${sessionKey.slice(0, 8)} \u2014 maybeFlushConversationBuffer must bind it first`);
   }
+  const managedLogKey = managedConvId ?? preflushStreamLogKey(sessionKey);
   const pendingTrimmed = consumePendingTrimmedMessages(sessionKey);
   if (pendingTrimmed && pendingTrimmed.length > 0) {
     const ok = await compactTrimmedMessages(accountId, pendingTrimmed);
@@ -10629,7 +9472,7 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
       storePendingTrimmedMessages(sessionKey, pendingTrimmed);
     }
   }
-  const streamLog = agentLogStream("claude-agent-stream", accountDir, managedConvId);
+  const streamLog = agentLogStream("claude-agent-stream", accountDir, managedLogKey);
   streamLog.on("error", () => {
   });
   const systemPromptTokens = estimateTokens(systemPrompt);
@@ -10660,9 +9503,9 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
   if (!cdpOk) streamLog.write(`[${isoTs()}] [warn] ensureCdp failed \u2014 browser-specialist degraded
 `);
   const managedUserId = getUserIdForSession(sessionKey);
-  const mcpConfig = JSON.stringify({ mcpServers: getMcpServers(accountId, managedConvId, managedUserId, enabledPlugins) });
-  const specialistsDir = resolve8(accountDir, "specialists");
-  if (!existsSync7(specialistsDir)) streamLog.write(`[${isoTs()}] [warn] specialists plugin dir missing: ${specialistsDir}
+  const mcpConfig = JSON.stringify({ mcpServers: getMcpServers(accountId, managedLogKey, managedUserId, enabledPlugins) });
+  const specialistsDir = resolve5(accountDir, "specialists");
+  if (!existsSync5(specialistsDir)) streamLog.write(`[${isoTs()}] [warn] specialists plugin dir missing: ${specialistsDir}
 `);
   const fullMessage = attachments.length > 0 ? message + buildAttachmentMetaText(attachments) : message;
   const args = [
@@ -10691,16 +9534,16 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
     cwd: accountDir,
     stdio: ["ignore", "pipe", "pipe"],
     // Task 556: STREAM_LOG_PATH inherited by Bash-tool subprocesses.
-    env: buildSpawnEnv(accountId, accountDir, managedConvId)
+    env: buildSpawnEnv(accountId, accountDir, managedLogKey)
   });
-  const stderrLog = agentLogStream("claude-agent-stderr", accountDir, managedConvId);
+  const stderrLog = agentLogStream("claude-agent-stderr", accountDir, managedLogKey);
   stderrLog.on("error", () => {
   });
   proc.stderr?.pipe(stderrLog);
   teeProcStderrToStreamLog(proc, streamLog);
   streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
 `);
-  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${managedConvId} site=managed
+  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${managedConvId ?? "preflush"} logKey=${managedLogKey} site=managed
 `);
   if (sessionKey) {
     const prev = activeProcesses.get(sessionKey);
@@ -10710,13 +9553,13 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
     }
     activeProcesses.set(sessionKey, { pid: proc.pid, spawnedAt: Date.now() });
   }
-  streamLog.write(`[${isoTs()}] [managed-spawn] pid=${proc.pid} sessionKey=${sessionKey} conversationId=${managedConvId} historyMessages=${history.length} pluginDir=${specialistsDir}
+  streamLog.write(`[${isoTs()}] [managed-spawn] pid=${proc.pid} sessionKey=${sessionKey} conversationId=${managedConvId ?? "preflush"} logKey=${managedLogKey} historyMessages=${history.length} pluginDir=${specialistsDir}
 `);
   streamLog.write(`[${isoTs()}] [stdin] len=${fullMessage.length} preview=${JSON.stringify(fullMessage.slice(0, 80))}
 `);
   proc.on("exit", (code, signal) => {
-    console.log(`[process-exit] pid=${proc.pid} code=${code} signal=${signal} sessionKey=${sessionKey ?? "none"} conversationId=${managedConvId}`);
-    if (!streamLog.destroyed && !streamLog.writableEnded) streamLog.write(`[${isoTs()}] [process-exit] pid=${proc.pid} code=${code} signal=${signal} conversationId=${managedConvId}
+    console.log(`[process-exit] pid=${proc.pid} code=${code} signal=${signal} sessionKey=${sessionKey ?? "none"} conversationId=${managedConvId ?? "preflush"}`);
+    if (!streamLog.destroyed && !streamLog.writableEnded) streamLog.write(`[${isoTs()}] [process-exit] pid=${proc.pid} code=${code} signal=${signal} conversationId=${managedConvId ?? "preflush"}
 `);
     if (sessionKey) activeProcesses.delete(sessionKey);
   });
@@ -10866,17 +9709,24 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
 `);
           const successSession = sessionStore.get(sessionKey);
           if (successSession) successSession.lastPeakContextPct = peakContextPct;
+          const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
           const convId = sessionStore.get(sessionKey)?.conversationId;
           if (convId) {
-            const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
             persistMessage(convId, "user", fullMessage, accountId, void 0, userTimestamp).catch(() => {
             });
             autoLabelSession(convId, fullMessage).catch(() => {
             });
             if (responseText) persistMessage(convId, "assistant", responseText, accountId, capturedTokens, assistantTimestamp).catch(() => {
             });
-          } else if (sessionKey) {
-            console.warn(`[persist] skipped: no conversationId for sessionKey=${sessionKey.slice(0, 12)}\u2026 (session registered=${sessionStore.has(sessionKey)})`);
+          } else {
+            bufferPendingTurn(sessionKey, { role: "user", content: fullMessage, timestamp: userTimestamp });
+            if (responseText) bufferPendingTurn(sessionKey, { role: "assistant", content: responseText, timestamp: assistantTimestamp, tokens: capturedTokens });
+            const flushedId = await maybeFlushConversationBuffer(sessionKey, "admin", accountId);
+            if (flushedId) {
+              autoLabelSession(flushedId, fullMessage).catch(() => {
+              });
+              yield { type: "conversation_attributed", conversationId: flushedId };
+            }
           }
           const commitSession = sessionStore.get(sessionKey);
           if (commitSession?.pendingCommitmentOffers && commitSession.pendingCommitmentOffers.length > 0) {
@@ -10948,10 +9798,14 @@ async function* invokePublicAgent(message, systemPrompt, accountId, accountDir,
     return;
   }
   const publicConvId = sessionKey ? getConversationIdForSession(sessionKey) : void 0;
-  if (!publicConvId) {
-    throw new Error(`invokePublicAgent: conversationId missing for sessionKey=${sessionKey?.slice(0, 8) ?? "none"} \u2014 ensureConversation must run first`);
+  if (!publicConvId && sessionKey && getPendingTurnCount(sessionKey) >= 2) {
+    throw new Error(`invokePublicAgent: conversationId missing post-flush for sessionKey=${sessionKey.slice(0, 8)} \u2014 maybeFlushConversationBuffer must bind it first`);
+  }
+  const publicLogKey = publicConvId ?? (sessionKey ? preflushStreamLogKey(sessionKey) : void 0);
+  if (!publicLogKey) {
+    throw new Error(`invokePublicAgent: sessionKey required \u2014 cannot resolve log stream without one`);
   }
-  const streamLog = agentLogStream("public-agent-stream", accountDir, publicConvId);
+  const streamLog = agentLogStream("public-agent-stream", accountDir, publicLogKey);
   streamLog.write(`[${isoTs()}] [public-user-message] ${JSON.stringify(message)}
 `);
   if (sessionKey) {
@@ -11188,10 +10042,10 @@ User messages are prefixed with the sender's name in brackets. Address participa
 `);
     }
     const conversationId = sessionKey ? sessionStore.get(sessionKey)?.conversationId : void 0;
+    const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const sess = sessionKey ? sessionStore.get(sessionKey) : void 0;
+    const sender = sess?.groupSlug && sess.visitorId && sess.senderDisplayName ? { visitorId: sess.visitorId, displayName: sess.senderDisplayName } : void 0;
     if (conversationId) {
-      const assistantTimestamp = (/* @__PURE__ */ new Date()).toISOString();
-      const sess = sessionKey ? sessionStore.get(sessionKey) : void 0;
-      const sender = sess?.groupSlug && sess.visitorId && sess.senderDisplayName ? { visitorId: sess.visitorId, displayName: sess.senderDisplayName } : void 0;
       persistMessage(conversationId, "user", message, accountId, void 0, userTimestamp, sender).catch(() => {
       });
       autoLabelSession(conversationId, message).catch(() => {
@@ -11199,7 +10053,14 @@ User messages are prefixed with the sender's name in brackets. Address participa
       if (fullText) persistMessage(conversationId, "assistant", fullText, accountId, void 0, assistantTimestamp).catch(() => {
       });
     } else if (sessionKey) {
-      console.warn(`[persist] skipped: no conversationId for sessionKey=${sessionKey.slice(0, 12)}\u2026 (session registered=${sessionStore.has(sessionKey)})`);
+      bufferPendingTurn(sessionKey, { role: "user", content: message, timestamp: userTimestamp, sender });
+      if (fullText) bufferPendingTurn(sessionKey, { role: "assistant", content: fullText, timestamp: assistantTimestamp });
+      const flushedId = await maybeFlushConversationBuffer(sessionKey, "public", accountId);
+      if (flushedId) {
+        autoLabelSession(flushedId, message).catch(() => {
+        });
+        yield { type: "conversation_attributed", conversationId: flushedId };
+      }
     }
     streamLog.end();
   }
@@ -11355,10 +10216,10 @@ ${sessionContext}`;
       console.log(`[onboarding-inject] accountId=${accountId.slice(0, 8)}\u2026 error=neo4j-unreachable injected=false`);
     } else if (onboardingStep < 8) {
       const GENERIC_FALLBACK = "At every session start, call `onboarding-get`. If `currentStep` is less than 8, load the onboarding skill via `plugin-read` (find its path in the manifest under `admin`) and follow it \u2014 before any business setup. If `onboarding-get` fails (Neo4j unreachable), tell the user and skip onboarding for this session \u2014 it resumes automatically when the graph is available.";
-      const skillPath = resolve8(PLATFORM_ROOT4, "plugins/admin/skills/onboarding/SKILL.md");
+      const skillPath = resolve5(PLATFORM_ROOT3, "plugins/admin/skills/onboarding/SKILL.md");
       let skillContent = "";
       try {
-        skillContent = readFileSync8(skillPath, "utf-8");
+        skillContent = readFileSync6(skillPath, "utf-8");
       } catch (err) {
         console.error(`[onboarding-inject] accountId=${accountId.slice(0, 8)}\u2026 error=skill-read-failed path=${skillPath} reason=${err instanceof Error ? err.message : String(err)}`);
       }
@@ -11408,9 +10269,9 @@ ${body}`;
 
 ${manifest}`;
     }
-    const graphRefPath = resolve8(PLATFORM_ROOT4, "plugins/memory/references/graph-primitives.md");
+    const graphRefPath = resolve5(PLATFORM_ROOT3, "plugins/memory/references/graph-primitives.md");
     try {
-      const graphRef = readFileSync8(graphRefPath, "utf-8");
+      const graphRef = readFileSync6(graphRefPath, "utf-8");
       baseSystemPrompt += `
 
 ${graphRef}`;
@@ -11496,7 +10357,7 @@ Current session key: ${sessionKey}` : systemPromptBase;
 
 ${gwParts.join("\n")}`;
   }
-  if (sessionKey) {
+  if (sessionKey && isDmChannelSessionKey(sessionKey)) {
     try {
       await ensureConversation(accountId, agentType, sessionKey, void 0, void 0, sessionUserId);
     } catch (err) {
@@ -11625,8 +10486,8 @@ var clientIpMiddleware = async (c, next) => {
 };
 
 // server/routes/health.ts
-import { existsSync as existsSync12, readFileSync as readFileSync13 } from "fs";
-import { createConnection as createConnection4 } from "net";
+import { existsSync as existsSync10, readFileSync as readFileSync11 } from "fs";
+import { createConnection as createConnection2 } from "net";
 
 // app/lib/network.ts
 import { networkInterfaces } from "os";
@@ -11650,8 +10511,8 @@ function getLanIp() {
 import { basename as basename2 } from "path";
 
 // app/lib/review-detector/rules.ts
-import { readFileSync as readFileSync9, writeFileSync as writeFileSync7, existsSync as existsSync8, statSync as statSync4, mkdirSync as mkdirSync7, renameSync as renameSync2 } from "fs";
-import { resolve as resolve9, dirname as dirname3 } from "path";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync6, existsSync as existsSync6, statSync as statSync4, mkdirSync as mkdirSync5, renameSync as renameSync2 } from "fs";
+import { resolve as resolve6, dirname as dirname3 } from "path";
 var DEFAULT_SCAN_INTERVAL_MS = 5e3;
 var RATE_LIMIT_PATTERN = "rate[- ]?limit(?:ed| reached| hit)|(?:HTTP|status)[^a-z]{0,3}429|too many requests";
 var RATE_LIMIT_PATTERN_V1 = "\\b429\\b|rate.?limit|too.?many.?requests";
@@ -12080,12 +10941,12 @@ function defaultRules() {
   ];
 }
 function rulesFilePath(configDir2) {
-  return resolve9(configDir2, "review-rules.json");
+  return resolve6(configDir2, "review-rules.json");
 }
 function ensureRulesFile(configDir2) {
   const path2 = rulesFilePath(configDir2);
-  if (existsSync8(path2)) return { created: false, path: path2 };
-  mkdirSync7(dirname3(path2), { recursive: true });
+  if (existsSync6(path2)) return { created: false, path: path2 };
+  mkdirSync5(dirname3(path2), { recursive: true });
   const body = {
     scanIntervalMs: DEFAULT_SCAN_INTERVAL_MS,
     rules: defaultRules()
@@ -12095,10 +10956,10 @@ function ensureRulesFile(configDir2) {
 }
 function loadRules(configDir2) {
   const path2 = rulesFilePath(configDir2);
-  if (!existsSync8(path2)) {
+  if (!existsSync6(path2)) {
     throw new Error(`rules file missing at ${path2}`);
   }
-  const raw2 = readFileSync9(path2, "utf-8");
+  const raw2 = readFileSync7(path2, "utf-8");
   let parsed;
   try {
     parsed = JSON.parse(raw2);
@@ -12121,7 +10982,7 @@ function saveRules(configDir2, file) {
 }
 function atomicWriteJson(path2, body) {
   const tmp = `${path2}.tmp.${process.pid}.${Date.now()}`;
-  writeFileSync7(tmp, JSON.stringify(body, null, 2) + "\n", "utf-8");
+  writeFileSync6(tmp, JSON.stringify(body, null, 2) + "\n", "utf-8");
   renameSync2(tmp, path2);
 }
 function validateRulesFile(input, sourceLabel) {
@@ -12263,16 +11124,16 @@ function validateRule(input, label, seenIds) {
 }
 
 // app/lib/review-detector/sources.ts
-import { existsSync as existsSync9, readdirSync as readdirSync3, statSync as statSync5, writeFileSync as writeFileSync8, renameSync as renameSync3, mkdirSync as mkdirSync8, openSync as openSync3, readSync as readSync3, closeSync as closeSync3, readFileSync as readFileSync10 } from "fs";
-import { resolve as resolve10, join as join5, basename, dirname as dirname4 } from "path";
+import { existsSync as existsSync7, readdirSync as readdirSync3, statSync as statSync5, writeFileSync as writeFileSync7, renameSync as renameSync3, mkdirSync as mkdirSync6, openSync as openSync3, readSync as readSync3, closeSync as closeSync3, readFileSync as readFileSync8 } from "fs";
+import { resolve as resolve7, join as join4, basename, dirname as dirname4 } from "path";
 function tailStatePath(configDir2) {
-  return resolve10(configDir2, "review-state.json");
+  return resolve7(configDir2, "review-state.json");
 }
 function loadTailState(configDir2) {
   const path2 = tailStatePath(configDir2);
-  if (!existsSync9(path2)) return {};
+  if (!existsSync7(path2)) return {};
   try {
-    const raw2 = readFileSync10(path2, "utf-8");
+    const raw2 = readFileSync8(path2, "utf-8");
     const parsed = JSON.parse(raw2);
     if (!parsed || typeof parsed !== "object") return {};
     const clean = {};
@@ -12290,26 +11151,26 @@ function loadTailState(configDir2) {
 }
 function saveTailState(configDir2, state) {
   const path2 = tailStatePath(configDir2);
-  mkdirSync8(dirname4(path2), { recursive: true });
+  mkdirSync6(dirname4(path2), { recursive: true });
   const tmp = `${path2}.tmp.${process.pid}.${Date.now()}`;
-  writeFileSync8(tmp, JSON.stringify(state, null, 2) + "\n", "utf-8");
+  writeFileSync7(tmp, JSON.stringify(state, null, 2) + "\n", "utf-8");
   renameSync3(tmp, path2);
 }
 function discoverSourceFiles(configDir2, accountLogDir2, logicalSource) {
   if (logicalSource === "server") {
-    const p = resolve10(configDir2, "logs", "server.log");
-    return existsSync9(p) ? [{ logicalSource: "server", filepath: p }] : [];
+    const p = resolve7(configDir2, "logs", "server.log");
+    return existsSync7(p) ? [{ logicalSource: "server", filepath: p }] : [];
   }
   if (logicalSource === "vnc") {
-    const p = resolve10(configDir2, "logs", "vnc-boot.log");
-    return existsSync9(p) ? [{ logicalSource: "vnc", filepath: p }] : [];
+    const p = resolve7(configDir2, "logs", "vnc-boot.log");
+    return existsSync7(p) ? [{ logicalSource: "vnc", filepath: p }] : [];
   }
   if (logicalSource === "cloudflared") {
     const files2 = [];
-    const daemon = resolve10(configDir2, "logs", "cloudflared.log");
-    if (existsSync9(daemon)) files2.push({ logicalSource: "cloudflared", filepath: daemon });
-    const login = resolve10(configDir2, "logs", "cloudflared-login.log");
-    if (existsSync9(login)) files2.push({ logicalSource: "cloudflared", filepath: login });
+    const daemon = resolve7(configDir2, "logs", "cloudflared.log");
+    if (existsSync7(daemon)) files2.push({ logicalSource: "cloudflared", filepath: daemon });
+    const login = resolve7(configDir2, "logs", "cloudflared-login.log");
+    if (existsSync7(login)) files2.push({ logicalSource: "cloudflared", filepath: login });
     return files2;
   }
   const prefix = {
@@ -12319,7 +11180,7 @@ function discoverSourceFiles(configDir2, accountLogDir2, logicalSource) {
     public: "public-agent-stream-",
     mcp: "mcp-"
   }[logicalSource];
-  if (!existsSync9(accountLogDir2)) return [];
+  if (!existsSync7(accountLogDir2)) return [];
   const files = [];
   let scanned = 0;
   let skippedPrefixMismatch = 0;
@@ -12329,7 +11190,7 @@ function discoverSourceFiles(configDir2, accountLogDir2, logicalSource) {
     const matchesPrefix = entry.startsWith(prefix);
     const isLog = entry.endsWith(".log");
     if (matchesPrefix && isLog) {
-      files.push({ logicalSource, filepath: join5(accountLogDir2, entry) });
+      files.push({ logicalSource, filepath: join4(accountLogDir2, entry) });
     } else if (!matchesPrefix) {
       skippedPrefixMismatch += 1;
     } else {
@@ -12361,7 +11222,7 @@ function discoverAllSources(configDir2, accountLogDir2) {
   ];
 }
 function readNewLines(filepath, prev) {
-  if (!existsSync9(filepath)) return null;
+  if (!existsSync7(filepath)) return null;
   const stat5 = statSync5(filepath);
   const size = stat5.size;
   const inode = stat5.ino;
@@ -12414,12 +11275,12 @@ function readNewLines(filepath, prev) {
   }
 }
 function countRecentWrites(dir, sinceMs) {
-  if (!existsSync9(dir)) return 0;
+  if (!existsSync7(dir)) return 0;
   let count = 0;
   for (const entry of readdirSync3(dir, { withFileTypes: true })) {
     if (!entry.isFile()) continue;
     try {
-      const st = statSync5(join5(dir, entry.name));
+      const st = statSync5(join4(dir, entry.name));
       if (st.mtimeMs >= sinceMs) count += 1;
     } catch {
     }
@@ -12427,7 +11288,7 @@ function countRecentWrites(dir, sinceMs) {
   return count;
 }
 function fileLastWriteMs(path2) {
-  if (!existsSync9(path2)) return null;
+  if (!existsSync7(path2)) return null;
   try {
     return statSync5(path2).mtimeMs;
   } catch {
@@ -12435,31 +11296,31 @@ function fileLastWriteMs(path2) {
   }
 }
 function accountLogDir(accountDir) {
-  return resolve10(accountDir, "logs");
+  return resolve7(accountDir, "logs");
 }
 function sourceKey(file) {
   return `${file.logicalSource}:${basename(file.filepath)}`;
 }
 
 // app/lib/review-detector/writer.ts
-import { appendFileSync as appendFileSync4, existsSync as existsSync10, mkdirSync as mkdirSync9, readFileSync as readFileSync11, writeFileSync as writeFileSync9, renameSync as renameSync4, statSync as statSync6 } from "fs";
-import { resolve as resolve11, dirname as dirname5 } from "path";
+import { appendFileSync as appendFileSync2, existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync9, writeFileSync as writeFileSync8, renameSync as renameSync4, statSync as statSync6 } from "fs";
+import { resolve as resolve8, dirname as dirname5 } from "path";
 import { randomUUID as randomUUID3 } from "crypto";
 function reviewLogPath(configDir2) {
-  return resolve11(configDir2, "logs", "review.log");
+  return resolve8(configDir2, "logs", "review.log");
 }
 function pendingAlertsPath(configDir2) {
-  return resolve11(configDir2, "review-pending-alerts.jsonl");
+  return resolve8(configDir2, "review-pending-alerts.jsonl");
 }
 function reviewLog(configDir2, event) {
   const path2 = reviewLogPath(configDir2);
   try {
-    mkdirSync9(dirname5(path2), { recursive: true });
+    mkdirSync7(dirname5(path2), { recursive: true });
     const line = `${new Date(
       typeof event.ts === "number" ? event.ts : Date.now()
     ).toISOString()} [review] ${JSON.stringify(event)}
 `;
-    appendFileSync4(path2, line, "utf-8");
+    appendFileSync2(path2, line, "utf-8");
   } catch (err) {
     console.error(`[review] failed to write review log at ${path2}: ${err instanceof Error ? err.message : String(err)}`);
   }
@@ -12571,17 +11432,17 @@ async function upsertReviewAlert(accountId, match2) {
 function queueAlert(configDir2, accountId, match2) {
   const path2 = pendingAlertsPath(configDir2);
   try {
-    mkdirSync9(dirname5(path2), { recursive: true });
+    mkdirSync7(dirname5(path2), { recursive: true });
     const line = JSON.stringify({ accountId, match: match2 }) + "\n";
-    appendFileSync4(path2, line, "utf-8");
+    appendFileSync2(path2, line, "utf-8");
   } catch (err) {
     console.error(`[review] failed to queue alert at ${path2}: ${err instanceof Error ? err.message : String(err)}`);
   }
 }
 async function drainPendingAlerts(configDir2) {
   const path2 = pendingAlertsPath(configDir2);
-  if (!existsSync10(path2)) return { drained: 0, remaining: 0 };
-  const raw2 = readFileSync11(path2, "utf-8");
+  if (!existsSync8(path2)) return { drained: 0, remaining: 0 };
+  const raw2 = readFileSync9(path2, "utf-8");
   const lines = raw2.split("\n").filter((l) => l.trim().length > 0);
   if (lines.length === 0) return { drained: 0, remaining: 0 };
   const remaining = [];
@@ -12602,9 +11463,9 @@ async function drainPendingAlerts(configDir2) {
   }
   const tmp = `${path2}.tmp.${process.pid}.${Date.now()}`;
   if (remaining.length > 0) {
-    writeFileSync9(tmp, remaining.join("\n") + "\n", "utf-8");
+    writeFileSync8(tmp, remaining.join("\n") + "\n", "utf-8");
   } else {
-    writeFileSync9(tmp, "", "utf-8");
+    writeFileSync8(tmp, "", "utf-8");
   }
   renameSync4(tmp, path2);
   return { drained, remaining: remaining.length };
@@ -12704,7 +11565,7 @@ async function bootDetector() {
 }
 
 // app/lib/review-detector/scan-loop.ts
-import { resolve as resolve12 } from "path";
+import { resolve as resolve9 } from "path";
 
 // app/lib/review-detector/evaluator.ts
 var SAMPLE_MAX_CHARS = 500;
@@ -12998,14 +11859,14 @@ async function runScanCycle(runtime) {
           match2 = result.match;
         }
       } else if (rule.type === "file-write-storm") {
-        const dir = resolve12(runtime.configDir, rule.watchPath ?? "");
+        const dir = resolve9(runtime.configDir, rule.watchPath ?? "");
         const sinceMs = cycleStart - rule.thresholdWindowMinutes * 6e4;
         const count = countRecentWrites(dir, sinceMs);
         const result = evaluateFileWriteStormRule(rule, count, state, cycleStart);
         state = result.state;
         match2 = result.match;
       } else if (rule.type === "stale-log") {
-        const trackedPath = resolve12(runtime.configDir, rule.watchPath ?? "");
+        const trackedPath = resolve9(runtime.configDir, rule.watchPath ?? "");
         const lastMs = fileLastWriteMs(trackedPath);
         const result = evaluateStaleLogRule(rule, lastMs, state, cycleStart);
         state = result.state;
@@ -13244,20 +12105,20 @@ var WhatsAppConfigSchema = z.object({
 });
 
 // app/lib/whatsapp/config-persist.ts
-import { readFileSync as readFileSync12, writeFileSync as writeFileSync10, existsSync as existsSync11 } from "fs";
-import { resolve as resolve13, join as join6 } from "path";
+import { readFileSync as readFileSync10, writeFileSync as writeFileSync9, existsSync as existsSync9 } from "fs";
+import { resolve as resolve10, join as join5 } from "path";
 var TAG3 = "[whatsapp:config]";
 function configPath(accountDir) {
-  return resolve13(accountDir, "account.json");
+  return resolve10(accountDir, "account.json");
 }
 function readConfig(accountDir) {
   const path2 = configPath(accountDir);
-  if (!existsSync11(path2)) throw new Error(`account.json not found at ${path2}`);
-  return JSON.parse(readFileSync12(path2, "utf-8"));
+  if (!existsSync9(path2)) throw new Error(`account.json not found at ${path2}`);
+  return JSON.parse(readFileSync10(path2, "utf-8"));
 }
 function writeConfig(accountDir, config) {
   const path2 = configPath(accountDir);
-  writeFileSync10(path2, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  writeFileSync9(path2, JSON.stringify(config, null, 2) + "\n", "utf-8");
 }
 function reloadManagerConfig(accountDir) {
   try {
@@ -13427,8 +12288,8 @@ function setPublicAgent(accountDir, slug) {
   if (!trimmed) {
     return { ok: false, error: "Agent slug cannot be empty." };
   }
-  const agentConfigPath = join6(accountDir, "agents", trimmed, "config.json");
-  if (!existsSync11(agentConfigPath)) {
+  const agentConfigPath = join5(accountDir, "agents", trimmed, "config.json");
+  if (!existsSync9(agentConfigPath)) {
     return { ok: false, error: `Agent "${trimmed}" not found \u2014 no config.json at ${agentConfigPath}. Check the agent slug and try again.` };
   }
   try {
@@ -13703,7 +12564,7 @@ var credsSaveQueue = Promise.resolve();
 async function drainCredsSaveQueue(timeoutMs = 5e3) {
   console.error(`${TAG5} draining credential save queue\u2026`);
   const timer = new Promise(
-    (resolve31) => setTimeout(() => resolve31("timeout"), timeoutMs)
+    (resolve28) => setTimeout(() => resolve28("timeout"), timeoutMs)
   );
   const result = await Promise.race([
     credsSaveQueue.then(() => "drained"),
@@ -13831,11 +12692,11 @@ async function createWaSocket(opts) {
   return sock;
 }
 async function waitForConnection(sock) {
-  return new Promise((resolve31, reject) => {
+  return new Promise((resolve28, reject) => {
     const handler = (update) => {
       if (update.connection === "open") {
         sock.ev.off("connection.update", handler);
-        resolve31();
+        resolve28();
       }
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
@@ -13949,14 +12810,14 @@ ${inspected}`;
   return inspect2(err, INSPECT_OPTS2);
 }
 function withTimeout(label, promise, timeoutMs) {
-  return new Promise((resolve31, reject) => {
+  return new Promise((resolve28, reject) => {
     const timer = setTimeout(() => {
       reject(new Error(`${label} timed out after ${timeoutMs}ms`));
     }, timeoutMs);
     promise.then(
       (value) => {
         clearTimeout(timer);
-        resolve31(value);
+        resolve28(value);
       },
       (err) => {
         clearTimeout(timer);
@@ -14468,7 +13329,7 @@ async function sendMediaMessage(sock, to, media, opts) {
 // app/lib/whatsapp/inbound/media.ts
 import { randomUUID as randomUUID5 } from "crypto";
 import { writeFile, mkdir } from "fs/promises";
-import { join as join7 } from "path";
+import { join as join6 } from "path";
 import {
   downloadMediaMessage,
   downloadContentFromMessage,
@@ -14554,7 +13415,7 @@ async function downloadInboundMedia(msg, sock, opts) {
     await mkdir(MEDIA_DIR, { recursive: true });
     const ext = mimeToExt(mimetype ?? "application/octet-stream");
     const filename = `${randomUUID5()}.${ext}`;
-    const filePath = join7(MEDIA_DIR, filename);
+    const filePath = join6(MEDIA_DIR, filename);
     await writeFile(filePath, buffer);
     const sizeKB = (buffer.length / 1024).toFixed(0);
     console.error(`${TAG9} media downloaded type=${mimetype ?? "unknown"} size=${sizeKB}KB path=${filePath}`);
@@ -14898,6 +13759,14 @@ function deriveSessionKey(input) {
   if (input.isOwnerMirror || input.agentType === "admin") {
     return `whatsapp:${input.accountId}`;
   }
+  if (input.isGroup) {
+    if (!input.groupJid) {
+      throw new Error(
+        `deriveSessionKey: isGroup=true requires groupJid (accountId=${input.accountId}, senderPhone=${input.senderPhone})`
+      );
+    }
+    return `whatsapp:${input.accountId}:group:${input.groupJid}`;
+  }
   return `whatsapp:${input.accountId}:${input.senderPhone}`;
 }
 async function init(opts) {
@@ -15162,11 +14031,11 @@ async function connectWithReconnect(conn) {
       console.error(
         `${TAG13} reconnecting account=${conn.accountId} in ${delay}ms (attempt ${decision.nextAttempts}/${maxAttempts})`
       );
-      await new Promise((resolve31) => {
-        const timer = setTimeout(resolve31, delay);
+      await new Promise((resolve28) => {
+        const timer = setTimeout(resolve28, delay);
         conn.abortController.signal.addEventListener("abort", () => {
           clearTimeout(timer);
-          resolve31();
+          resolve28();
         }, { once: true });
       });
     }
@@ -15174,16 +14043,16 @@ async function connectWithReconnect(conn) {
   }
 }
 function waitForDisconnectEvent(conn) {
-  return new Promise((resolve31) => {
+  return new Promise((resolve28) => {
     if (!conn.sock) {
-      resolve31();
+      resolve28();
       return;
     }
     const sock = conn.sock;
     const handler = (update) => {
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
-        resolve31();
+        resolve28();
       }
     };
     sock.ev.on("connection.update", handler);
@@ -15369,6 +14238,8 @@ async function handleInboundMessage(conn, msg) {
         agentType: "admin",
         accountId: conn.accountId,
         senderPhone: senderPhone2,
+        isGroup: isGroup2,
+        groupJid: isGroup2 ? remoteJid : void 0,
         isOwnerMirror: true
       }),
       isOwnerMirror: true
@@ -15398,8 +14269,8 @@ async function handleInboundMessage(conn, msg) {
     const conversationKey = isGroup ? remoteJid : senderPhone;
     const debounceKey = `${conn.accountId}:${conversationKey}:${senderPhone}`;
     let resolvePending;
-    const sttPending = new Promise((resolve31) => {
-      resolvePending = resolve31;
+    const sttPending = new Promise((resolve28) => {
+      resolvePending = resolve28;
     });
     if (conn.debouncer) conn.debouncer.registerPending(debounceKey, sttPending);
     try {
@@ -15452,7 +14323,9 @@ async function handleInboundMessage(conn, msg) {
   const sessionKey = deriveSessionKey({
     agentType: accessResult.agentType,
     accountId: conn.accountId,
-    senderPhone
+    senderPhone,
+    isGroup,
+    groupJid: isGroup ? remoteJid : void 0
   });
   conn.lastMessageAt = Date.now();
   const payload = {
@@ -15510,44 +14383,30 @@ async function probeApiKey() {
   return result.status;
 }
 function checkPort(port2, timeoutMs = 500) {
-  return new Promise((resolve31) => {
-    const socket = createConnection4(port2, "127.0.0.1");
+  return new Promise((resolve28) => {
+    const socket = createConnection2(port2, "127.0.0.1");
     socket.setTimeout(timeoutMs);
     socket.once("connect", () => {
       socket.destroy();
-      resolve31(true);
+      resolve28(true);
     });
     socket.once("error", () => {
       socket.destroy();
-      resolve31(false);
+      resolve28(false);
     });
     socket.once("timeout", () => {
       socket.destroy();
-      resolve31(false);
+      resolve28(false);
     });
   });
 }
-var TTYD_PROBE_CACHE_MS = 2e3;
-var TTYD_PROBE_TIMEOUT_MS = 200;
-var cachedTtydReady = null;
-async function probeTerminalReady() {
-  if (cachedTtydReady && Date.now() - cachedTtydReady.checkedAt < TTYD_PROBE_CACHE_MS) {
-    return cachedTtydReady.ok;
-  }
-  const ok = await checkPort(7681, TTYD_PROBE_TIMEOUT_MS);
-  if (!cachedTtydReady || cachedTtydReady.ok !== ok) {
-    console.log(`[health] terminal_ready: ${cachedTtydReady?.ok ?? "unknown"} \u2192 ${ok}`);
-  }
-  cachedTtydReady = { ok, checkedAt: Date.now() };
-  return ok;
-}
 var app = new Hono2();
 app.get("/", async (c) => {
   const browserTransport = resolveBrowserTransport(c.req.raw, c.env?.incoming?.socket?.remoteAddress);
   let pinConfigured = false;
   try {
-    if (existsSync12(USERS_FILE)) {
-      const raw2 = readFileSync13(USERS_FILE, "utf-8").trim();
+    if (existsSync10(USERS_FILE)) {
+      const raw2 = readFileSync11(USERS_FILE, "utf-8").trim();
       if (raw2) {
         const users = JSON.parse(raw2);
         pinConfigured = Array.isArray(users) && users.length > 0;
@@ -15564,10 +14423,9 @@ app.get("/", async (c) => {
   }
   const claudeAuthenticated = authHealth.status === "ok" || authHealth.status === "expiring";
   const vncRunning = await checkPort(6080);
-  const terminalReady = await probeTerminalReady();
   let apiKeyConfigured = false;
   try {
-    apiKeyConfigured = existsSync12(keyFilePath());
+    apiKeyConfigured = existsSync10(keyFilePath());
   } catch {
   }
   let apiKeyStatus = "missing";
@@ -15608,7 +14466,6 @@ app.get("/", async (c) => {
     claude_authenticated: claudeAuthenticated,
     ...onboardingComplete !== void 0 && { onboarding_complete: onboardingComplete },
     vnc_running: vncRunning,
-    terminal_ready: terminalReady,
     browser_transport: browserTransport,
     auth_status: authHealth.status,
     auth_expires_at: authHealth.expiresAt ?? null,
@@ -15636,14 +14493,14 @@ app.get("/", async (c) => {
 var health_default = app;
 
 // server/routes/session.ts
-import { resolve as resolve14 } from "path";
-import { existsSync as existsSync13, writeFileSync as writeFileSync11, mkdirSync as mkdirSync10 } from "fs";
+import { resolve as resolve11 } from "path";
+import { existsSync as existsSync11, writeFileSync as writeFileSync10, mkdirSync as mkdirSync8 } from "fs";
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 function writeBrandingCache(accountId, agentSlug, branding) {
   try {
-    const cacheDir = resolve14(MAXY_DIR, "branding-cache", accountId);
-    mkdirSync10(cacheDir, { recursive: true });
-    writeFileSync11(resolve14(cacheDir, `${agentSlug}.json`), JSON.stringify(branding), "utf-8");
+    const cacheDir = resolve11(MAXY_DIR, "branding-cache", accountId);
+    mkdirSync8(cacheDir, { recursive: true });
+    writeFileSync10(resolve11(cacheDir, `${agentSlug}.json`), JSON.stringify(branding), "utf-8");
   } catch (err) {
     console.error(`[branding] cache write failed: ${err instanceof Error ? err.message : String(err)}`);
   }
@@ -15713,9 +14570,9 @@ app2.post("/", async (c) => {
   }
   let agentConfig = null;
   if (account) {
-    const agentDir = resolve14(account.accountDir, "agents", agentSlug);
-    const agentConfigPath = resolve14(agentDir, "config.json");
-    if (!existsSync13(agentDir) || !existsSync13(agentConfigPath)) {
+    const agentDir = resolve11(account.accountDir, "agents", agentSlug);
+    const agentConfigPath = resolve11(agentDir, "config.json");
+    if (!existsSync11(agentDir) || !existsSync11(agentConfigPath)) {
       return c.json({ error: "Agent not found" }, 404);
     }
     agentConfig = resolveAgentConfig(account.accountDir, agentSlug);
@@ -15905,8 +14762,6 @@ app2.post("/", async (c) => {
   const newVisitorId = visitorId ?? crypto.randomUUID();
   const sessionKey = crypto.randomUUID();
   registerSession(sessionKey, "public", accountId, agentSlug);
-  ensureConversation(accountId, "public", sessionKey, newVisitorId, agentSlug).catch(() => {
-  });
   const hasImage = agentConfig?.image ? "yes" : "no";
   console.log(`[session] new-session visitor=${newVisitorId.slice(0, 8)}\u2026 session=${sessionKey.slice(0, 8)}\u2026 agent=${agentSlug} image=${hasImage} showAgentName=${agentConfig?.showAgentName ?? false}`);
   return withVisitorCookie(
@@ -15961,9 +14816,9 @@ ${raw2}`;
 import { randomUUID as randomUUID6 } from "crypto";
 import { mkdir as mkdir2, readFile, stat as stat2, writeFile as writeFile2 } from "fs/promises";
 import { realpathSync } from "fs";
-import { resolve as resolve15, extname, basename as basename3 } from "path";
-var PLATFORM_ROOT5 = process.env.MAXY_PLATFORM_ROOT ?? resolve15(process.cwd(), "../platform");
-var ATTACHMENTS_ROOT = resolve15(PLATFORM_ROOT5, "..", "data/uploads");
+import { resolve as resolve12, extname, basename as basename3 } from "path";
+var PLATFORM_ROOT4 = process.env.MAXY_PLATFORM_ROOT ?? resolve12(process.cwd(), "../platform");
+var ATTACHMENTS_ROOT = resolve12(PLATFORM_ROOT4, "..", "data/uploads");
 var SUPPORTED_MIME_TYPES = /* @__PURE__ */ new Set([
   "image/jpeg",
   "image/png",
@@ -15987,11 +14842,11 @@ function assertSupportedMime(mimeType) {
 }
 async function writeAttachment(scope, filename, mimeType, sizeBytes, buffer) {
   const attachmentId = randomUUID6();
-  const dir = resolve15(ATTACHMENTS_ROOT, scope, attachmentId);
+  const dir = resolve12(ATTACHMENTS_ROOT, scope, attachmentId);
   await mkdir2(dir, { recursive: true });
   const ext = extname(filename) || "";
-  const storagePath = resolve15(dir, `${attachmentId}${ext}`);
-  const metaPath = resolve15(dir, `${attachmentId}.meta.json`);
+  const storagePath = resolve12(dir, `${attachmentId}${ext}`);
+  const metaPath = resolve12(dir, `${attachmentId}.meta.json`);
   const meta = {
     attachmentId,
     scope,
@@ -16066,7 +14921,7 @@ async function storeGeneratedFile(accountId, filePath) {
 // app/lib/stt/voice-note.ts
 import { writeFile as writeFile3, mkdtemp, rm } from "fs/promises";
 import { tmpdir } from "os";
-import { join as join8 } from "path";
+import { join as join7 } from "path";
 var TAG14 = "[voice]";
 var AUDIO_MIME_TYPES = /* @__PURE__ */ new Set([
   "audio/ogg",
@@ -16104,9 +14959,9 @@ async function transcribeVoiceNote(file, source) {
   let tempDir;
   let tempPath;
   try {
-    tempDir = await mkdtemp(join8(tmpdir(), "voice-"));
+    tempDir = await mkdtemp(join7(tmpdir(), "voice-"));
     const ext = audioExtension(mimeType);
-    tempPath = join8(tempDir, `recording${ext}`);
+    tempPath = join7(tempDir, `recording${ext}`);
     const buffer = Buffer.from(await file.arrayBuffer());
     await writeFile3(tempPath, buffer);
   } catch (err) {
@@ -16668,16 +15523,16 @@ var group_default = app4;
 
 // app/lib/access-gate.ts
 import neo4j2 from "neo4j-driver";
-import { readFileSync as readFileSync14 } from "fs";
-import { resolve as resolve16 } from "path";
+import { readFileSync as readFileSync12 } from "fs";
+import { resolve as resolve13 } from "path";
 import { randomUUID as randomUUID7, randomInt } from "crypto";
-var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT ?? resolve16(process.cwd(), "..");
+var PLATFORM_ROOT5 = process.env.MAXY_PLATFORM_ROOT ?? resolve13(process.cwd(), "..");
 var driver2 = null;
 function readPassword2() {
   if (process.env.NEO4J_PASSWORD) return process.env.NEO4J_PASSWORD;
-  const passwordFile = resolve16(PLATFORM_ROOT6, "config/.neo4j-password");
+  const passwordFile = resolve13(PLATFORM_ROOT5, "config/.neo4j-password");
   try {
-    return readFileSync14(passwordFile, "utf-8").trim();
+    return readFileSync12(passwordFile, "utf-8").trim();
   } catch {
     throw new Error(
       `Neo4j password not found. Expected at ${passwordFile} or in NEO4J_PASSWORD env var.`
@@ -16710,13 +15565,13 @@ process.on("SIGINT", async () => {
     driver2 = null;
   }
 });
-var rateLimitMap2 = /* @__PURE__ */ new Map();
+var rateLimitMap = /* @__PURE__ */ new Map();
 var ACCESS_MAX_ATTEMPTS = 5;
 var ACCESS_LOCKOUT_MS = 15 * 60 * 1e3;
 var ACCESS_WINDOW_MS = 15 * 60 * 1e3;
 function checkAccessRateLimit(ip, agentSlug) {
   const key = `${ip}:${agentSlug}`;
-  const entry = rateLimitMap2.get(key);
+  const entry = rateLimitMap.get(key);
   if (!entry) return null;
   const now = Date.now();
   if (entry.lockedUntil && now < entry.lockedUntil) {
@@ -16725,7 +15580,7 @@ function checkAccessRateLimit(ip, agentSlug) {
     return `Too many attempts. Try again in ${remainingS}s`;
   }
   if (now - entry.firstAttempt > ACCESS_WINDOW_MS) {
-    rateLimitMap2.delete(key);
+    rateLimitMap.delete(key);
     return null;
   }
   return null;
@@ -16733,9 +15588,9 @@ function checkAccessRateLimit(ip, agentSlug) {
 function recordAccessFailedAttempt(ip, agentSlug) {
   const key = `${ip}:${agentSlug}`;
   const now = Date.now();
-  const entry = rateLimitMap2.get(key);
+  const entry = rateLimitMap.get(key);
   if (!entry || now - entry.firstAttempt > ACCESS_WINDOW_MS) {
-    rateLimitMap2.set(key, { attempts: 1, firstAttempt: now });
+    rateLimitMap.set(key, { attempts: 1, firstAttempt: now });
     return;
   }
   entry.attempts++;
@@ -16744,7 +15599,7 @@ function recordAccessFailedAttempt(ip, agentSlug) {
   }
 }
 function clearAccessRateLimit(ip, agentSlug) {
-  rateLimitMap2.delete(`${ip}:${agentSlug}`);
+  rateLimitMap.delete(`${ip}:${agentSlug}`);
 }
 var forgotPwdMap = /* @__PURE__ */ new Map();
 var FORGOT_PWD_MAX = 3;
@@ -16988,19 +15843,19 @@ async function findActiveGrantByContact(contactValue, agentSlug, accountId) {
 }
 
 // app/lib/brevo-sms.ts
-import { readFileSync as readFileSync15, writeFileSync as writeFileSync12, mkdirSync as mkdirSync11, existsSync as existsSync14, chmodSync } from "fs";
+import { readFileSync as readFileSync13, writeFileSync as writeFileSync11, mkdirSync as mkdirSync9, existsSync as existsSync12, chmodSync } from "fs";
 import { dirname as dirname6 } from "path";
-import { resolve as resolve17 } from "path";
-var BREVO_API_KEY_FILE = resolve17(MAXY_DIR, ".brevo-api-key");
+import { resolve as resolve14 } from "path";
+var BREVO_API_KEY_FILE = resolve14(MAXY_DIR, ".brevo-api-key");
 var BREVO_API_URL = "https://api.brevo.com/v3/transactionalSMS/sms";
 var BREVO_TIMEOUT_MS = 1e4;
 var BREVO_SENDER = "Maxy";
-var platformRoot2 = process.env.MAXY_PLATFORM_ROOT;
-if (platformRoot2) {
+var platformRoot = process.env.MAXY_PLATFORM_ROOT;
+if (platformRoot) {
   try {
-    const brandPath = resolve17(platformRoot2, "config", "brand.json");
-    if (existsSync14(brandPath)) {
-      const brand = JSON.parse(readFileSync15(brandPath, "utf-8"));
+    const brandPath = resolve14(platformRoot, "config", "brand.json");
+    if (existsSync12(brandPath)) {
+      const brand = JSON.parse(readFileSync13(brandPath, "utf-8"));
       if (brand.productName) BREVO_SENDER = brand.productName;
     }
   } catch {
@@ -17008,7 +15863,7 @@ if (platformRoot2) {
 }
 function readBrevoApiKey() {
   try {
-    const key = readFileSync15(BREVO_API_KEY_FILE, "utf-8").trim();
+    const key = readFileSync13(BREVO_API_KEY_FILE, "utf-8").trim();
     if (!key) {
       throw new Error(`Brevo API key file is empty: ${BREVO_API_KEY_FILE}`);
     }
@@ -17023,7 +15878,7 @@ function readBrevoApiKey() {
   }
 }
 function hasBrevoApiKey() {
-  return existsSync14(BREVO_API_KEY_FILE);
+  return existsSync12(BREVO_API_KEY_FILE);
 }
 async function sendSms(recipient, content, opts) {
   let apiKey;
@@ -17395,8 +16250,8 @@ app5.post("/forgot-password", async (c) => {
 app5.post("/send-otp", async (c) => {
   const socketAddr = c.env?.incoming?.socket?.remoteAddress;
   const hasXff = !!c.req.header("x-forwarded-for");
-  const isLoopback2 = socketAddr === "127.0.0.1" || socketAddr === "::1" || socketAddr === "::ffff:127.0.0.1";
-  if (!isLoopback2 || hasXff) {
+  const isLoopback = socketAddr === "127.0.0.1" || socketAddr === "::1" || socketAddr === "::ffff:127.0.0.1";
+  if (!isLoopback || hasXff) {
     console.error(`[access-gate] send-otp rejected: socket=${socketAddr ?? "unknown"} xff=${hasXff}`);
     return c.json({ error: "Forbidden" }, 403);
   }
@@ -17439,8 +16294,8 @@ app5.post("/send-otp", async (c) => {
 var access_default = app5;
 
 // server/routes/telegram.ts
-import { existsSync as existsSync15, readFileSync as readFileSync16 } from "fs";
-import { timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { existsSync as existsSync13, readFileSync as readFileSync14 } from "fs";
+import { timingSafeEqual } from "crypto";
 
 // app/lib/telegram/access-control.ts
 function checkTelegramAccess(params) {
@@ -17476,8 +16331,8 @@ var TELEGRAM_API = "https://api.telegram.org";
 function getWebhookSecret(botType) {
   const filePath = botType === "admin" ? TELEGRAM_ADMIN_WEBHOOK_SECRET_FILE : TELEGRAM_WEBHOOK_SECRET_FILE;
   try {
-    if (!existsSync15(filePath)) return null;
-    const secret = readFileSync16(filePath, "utf-8").trim();
+    if (!existsSync13(filePath)) return null;
+    const secret = readFileSync14(filePath, "utf-8").trim();
     return secret || null;
   } catch {
     return null;
@@ -17487,7 +16342,7 @@ function verifyWebhookSecret(headerValue, storedSecret) {
   const a = Buffer.from(headerValue);
   const b = Buffer.from(storedSecret);
   if (a.length !== b.length) return false;
-  return timingSafeEqual2(a, b);
+  return timingSafeEqual(a, b);
 }
 async function handleInbound(params) {
   const { chatId, senderId, text, botType, botToken, accountId, agentType } = params;
@@ -17635,9 +16490,9 @@ app6.post("/webhook", async (c) => {
 var telegram_default = app6;
 
 // server/routes/whatsapp.ts
-import { join as join9, resolve as resolve18, basename as basename4 } from "path";
+import { join as join8, resolve as resolve15, basename as basename4 } from "path";
 import { readFile as readFile2, stat as stat3 } from "fs/promises";
-import { realpathSync as realpathSync2, readdirSync as readdirSync4, readFileSync as readFileSync17, existsSync as existsSync16 } from "fs";
+import { realpathSync as realpathSync2, readdirSync as readdirSync4, readFileSync as readFileSync15, existsSync as existsSync14 } from "fs";
 
 // app/lib/whatsapp/login.ts
 import { randomUUID as randomUUID8 } from "crypto";
@@ -17743,8 +16598,8 @@ async function startLogin(opts) {
   resetActiveLogin(accountId);
   let resolveQr = null;
   let rejectQr = null;
-  const qrPromise = new Promise((resolve31, reject) => {
-    resolveQr = resolve31;
+  const qrPromise = new Promise((resolve28, reject) => {
+    resolveQr = resolve28;
     rejectQr = reject;
   });
   const qrTimer = setTimeout(
@@ -17960,7 +16815,7 @@ function serializeWhatsAppSchema() {
 
 // server/routes/whatsapp.ts
 var TAG18 = "[whatsapp:api]";
-var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
+var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT || "";
 var app7 = new Hono2();
 app7.get("/status", (c) => {
   try {
@@ -17978,7 +16833,7 @@ app7.post("/login/start", async (c) => {
     const body = await c.req.json().catch(() => ({}));
     const accountId = validateAccountId(body.accountId);
     const force = body.force ?? false;
-    const authDir = join9(MAXY_DIR, "credentials", "whatsapp", accountId);
+    const authDir = join8(MAXY_DIR, "credentials", "whatsapp", accountId);
     const result = await startLogin({ accountId, authDir, force });
     console.error(`${TAG18} login/start result account=${accountId} hasQr=${!!result.qrRaw}${result.selfPhone ? ` phone=${result.selfPhone}` : ""}`);
     return c.json(result);
@@ -18115,17 +16970,17 @@ app7.post("/config", async (c) => {
         return c.json({ ok: true, slug: currentSlug });
       }
       case "list-public-agents": {
-        const agentsDir = resolve18(account.accountDir, "agents");
+        const agentsDir = resolve15(account.accountDir, "agents");
         const agents = [];
-        if (existsSync16(agentsDir)) {
+        if (existsSync14(agentsDir)) {
           try {
             const entries = readdirSync4(agentsDir, { withFileTypes: true });
             for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
               if (!entry.isDirectory() || entry.name === "admin") continue;
-              const configPath2 = resolve18(agentsDir, entry.name, "config.json");
-              if (!existsSync16(configPath2)) continue;
+              const configPath2 = resolve15(agentsDir, entry.name, "config.json");
+              if (!existsSync14(configPath2)) continue;
               try {
-                const config = JSON.parse(readFileSync17(configPath2, "utf-8"));
+                const config = JSON.parse(readFileSync15(configPath2, "utf-8"));
                 agents.push({ slug: entry.name, displayName: config.displayName ?? entry.name });
               } catch {
                 console.error(`${TAG18} config action=list-public-agents error="failed to parse config.json for agent ${entry.name}" \u2014 skipping`);
@@ -18197,10 +17052,10 @@ app7.post("/send-document", async (c) => {
     if (!to || !filePath) {
       return c.json({ error: "Missing required fields: to, filePath" }, 400);
     }
-    if (!maxyAccountId || !PLATFORM_ROOT7) {
+    if (!maxyAccountId || !PLATFORM_ROOT6) {
       return c.json({ error: "Cannot validate file path: missing account or platform context" }, 400);
     }
-    const accountDir = resolve18(PLATFORM_ROOT7, "..", "data/accounts", maxyAccountId);
+    const accountDir = resolve15(PLATFORM_ROOT6, "..", "data/accounts", maxyAccountId);
     let resolvedPath;
     try {
       resolvedPath = realpathSync2(filePath);
@@ -18337,16 +17192,16 @@ var whatsapp_default = app7;
 
 // server/routes/onboarding.ts
 import { spawn as spawn3, execFileSync as execFileSync2 } from "child_process";
-import { openSync as openSync4, closeSync as closeSync4, writeFileSync as writeFileSync13, writeSync, existsSync as existsSync17, mkdirSync as mkdirSync12, readFileSync as readFileSync18, unlinkSync as unlinkSync4 } from "fs";
-import { resolve as resolve19, dirname as dirname7 } from "path";
+import { openSync as openSync4, closeSync as closeSync4, writeFileSync as writeFileSync12, writeSync, existsSync as existsSync15, mkdirSync as mkdirSync10, readFileSync as readFileSync16, unlinkSync as unlinkSync4 } from "fs";
+import { resolve as resolve16, dirname as dirname7 } from "path";
 import { createHash, randomUUID as randomUUID9 } from "crypto";
-var PLATFORM_ROOT8 = process.env.MAXY_PLATFORM_ROOT || "";
+var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
 function hashPin(pin) {
   return createHash("sha256").update(pin).digest("hex");
 }
 function readUsersFile() {
-  if (!existsSync17(USERS_FILE)) return null;
-  const raw2 = readFileSync18(USERS_FILE, "utf-8").trim();
+  if (!existsSync15(USERS_FILE)) return null;
+  const raw2 = readFileSync16(USERS_FILE, "utf-8").trim();
   if (!raw2) return [];
   return JSON.parse(raw2);
 }
@@ -18412,7 +17267,7 @@ app8.post("/claude-auth", async (c) => {
     if (!vncReady) return c.json({ error: "VNC display failed to start" }, 500);
   }
   await ensureCdp(transport);
-  writeFileSync13(logPath("claude-auth"), "");
+  writeFileSync12(logPath("claude-auth"), "");
   const chromiumWrapper = writeChromiumWrapper();
   const x11Env = buildX11Env(chromiumWrapper, transport);
   vncLog("claude-auth", { action: "start", transport });
@@ -18451,17 +17306,17 @@ app8.post("/set-pin", async (c) => {
   }
   const hash = hashPin(body.pin);
   const userId = randomUUID9();
-  mkdirSync12(dirname7(USERS_FILE), { recursive: true });
-  writeFileSync13(USERS_FILE, JSON.stringify([{ userId, name: "Owner", pin: hash }]), { mode: 384 });
+  mkdirSync10(dirname7(USERS_FILE), { recursive: true });
+  writeFileSync12(USERS_FILE, JSON.stringify([{ userId, name: "Owner", pin: hash }]), { mode: 384 });
   console.log(`[set-pin] created users.json: userId=${userId.slice(0, 8)}\u2026 hash=${hash.slice(0, 8)}\u2026`);
   const account = resolveAccount();
   if (account) {
     try {
-      const config = JSON.parse(readFileSync18(`${account.accountDir}/account.json`, "utf-8"));
+      const config = JSON.parse(readFileSync16(`${account.accountDir}/account.json`, "utf-8"));
       if (!config.admins) config.admins = [];
       if (!config.admins.some((a) => a.userId === userId)) {
         config.admins.push({ userId, role: "owner" });
-        writeFileSync13(`${account.accountDir}/account.json`, JSON.stringify(config, null, 2) + "\n");
+        writeFileSync12(`${account.accountDir}/account.json`, JSON.stringify(config, null, 2) + "\n");
         console.log(`[set-pin] added userId=${userId.slice(0, 8)}\u2026 to account.json admins`);
       }
     } catch (err) {
@@ -18499,7 +17354,7 @@ app8.delete("/set-pin", async (c) => {
     unlinkSync4(USERS_FILE);
     console.log(`[set-pin] cleared users.json (last entry removed): userId=${matchedUser.userId.slice(0, 8)}\u2026`);
   } else {
-    writeFileSync13(USERS_FILE, JSON.stringify(remaining), { mode: 384 });
+    writeFileSync12(USERS_FILE, JSON.stringify(remaining), { mode: 384 });
     console.log(`[set-pin] removed entry from users.json: userId=${matchedUser.userId.slice(0, 8)}\u2026 remaining=${remaining.length}`);
   }
   return c.json({ ok: true });
@@ -18512,19 +17367,19 @@ app8.post("/skip", async (c) => {
   }
   const { accountId, accountDir } = account;
   let agentName = "Maxy";
-  const brandPath = PLATFORM_ROOT8 ? resolve19(PLATFORM_ROOT8, "config", "brand.json") : "";
-  if (brandPath && existsSync17(brandPath)) {
+  const brandPath = PLATFORM_ROOT7 ? resolve16(PLATFORM_ROOT7, "config", "brand.json") : "";
+  if (brandPath && existsSync15(brandPath)) {
     try {
-      const brand = JSON.parse(readFileSync18(brandPath, "utf-8"));
+      const brand = JSON.parse(readFileSync16(brandPath, "utf-8"));
       if (brand.productName) agentName = brand.productName;
     } catch (err) {
       console.error(`[onboarding-skip] brand.json read failed: ${err instanceof Error ? err.message : String(err)}`);
     }
   }
-  const soulPath = resolve19(accountDir, "agents", "admin", "SOUL.md");
+  const soulPath = resolve16(accountDir, "agents", "admin", "SOUL.md");
   try {
-    mkdirSync12(dirname7(soulPath), { recursive: true });
-    writeFileSync13(soulPath, `You are ${agentName}, an AI operations manager.
+    mkdirSync10(dirname7(soulPath), { recursive: true });
+    writeFileSync12(soulPath, `You are ${agentName}, an AI operations manager.
 `);
     console.log(`[onboarding-skip] wrote SOUL.md: ${soulPath}`);
   } catch (err) {
@@ -18562,9 +17417,9 @@ app8.post("/skip", async (c) => {
 var onboarding_default = app8;
 
 // server/routes/client-error.ts
-import { appendFileSync as appendFileSync5, existsSync as existsSync18, renameSync as renameSync5, statSync as statSync7 } from "fs";
-import { join as join10 } from "path";
-var CLIENT_ERRORS_LOG = join10(LOG_DIR, "client-errors.log");
+import { appendFileSync as appendFileSync3, existsSync as existsSync16, renameSync as renameSync5, statSync as statSync7 } from "fs";
+import { join as join9 } from "path";
+var CLIENT_ERRORS_LOG = join9(LOG_DIR, "client-errors.log");
 var MAX_LOG_SIZE = 10 * 1024 * 1024;
 var MAX_BODY_SIZE = 8 * 1024;
 var MAX_STACK_LEN = 2e3;
@@ -18616,7 +17471,7 @@ function stackHead(stack) {
 }
 function rotateIfNeeded() {
   try {
-    if (!existsSync18(CLIENT_ERRORS_LOG)) return;
+    if (!existsSync16(CLIENT_ERRORS_LOG)) return;
     const stats = statSync7(CLIENT_ERRORS_LOG);
     if (stats.size < MAX_LOG_SIZE) return;
     renameSync5(CLIENT_ERRORS_LOG, CLIENT_ERRORS_LOG + ".1");
@@ -18699,7 +17554,7 @@ app9.post("/", async (c) => {
       tag: typeof body.tag === "string" ? truncate2(body.tag, 32) : void 0,
       status: typeof body.status === "number" ? body.status : void 0
     };
-    appendFileSync5(CLIENT_ERRORS_LOG, JSON.stringify(payload) + "\n", "utf-8");
+    appendFileSync3(CLIENT_ERRORS_LOG, JSON.stringify(payload) + "\n", "utf-8");
   } catch (err) {
     console.error(`[client-error] append failed: ${err instanceof Error ? err.message : String(err)}`);
   }
@@ -18709,14 +17564,14 @@ app9.post("/", async (c) => {
 var client_error_default = app9;
 
 // server/routes/admin/session.ts
-import { readFileSync as readFileSync19, existsSync as existsSync19 } from "fs";
+import { readFileSync as readFileSync17, existsSync as existsSync17 } from "fs";
 import { createHash as createHash2 } from "crypto";
 function hashPin2(pin) {
   return createHash2("sha256").update(pin).digest("hex");
 }
 function readUsersFile2() {
-  if (!existsSync19(USERS_FILE)) return null;
-  const raw2 = readFileSync19(USERS_FILE, "utf-8").trim();
+  if (!existsSync17(USERS_FILE)) return null;
+  const raw2 = readFileSync17(USERS_FILE, "utf-8").trim();
   if (!raw2) return [];
   return JSON.parse(raw2);
 }
@@ -18738,11 +17593,7 @@ async function createAdminSession(accountId, thinkingView, userId, userName) {
     businessName = branding?.name || void 0;
   } catch {
   }
-  let conversationId = null;
-  if (userId) {
-    conversationId = await createNewAdminConversation(userId, accountId, sessionKey);
-  }
-  console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} admin session created: userId=${userId ?? "\u2013"} userName=${userName ?? "\u2013"} accountId=${accountId} conversationId=${conversationId?.slice(0, 8) ?? "\u2013"} sessionKey=${sessionKey.slice(0, 8)}`);
+  console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} admin session created: userId=${userId ?? "\u2013"} userName=${userName ?? "\u2013"} accountId=${accountId} conversationId=deferred sessionKey=${sessionKey.slice(0, 8)}`);
   return {
     session_key: sessionKey,
     agent_id: "admin",
@@ -18751,7 +17602,7 @@ async function createAdminSession(accountId, thinkingView, userId, userName) {
     thinkingView: effectiveThinkingView,
     onboardingComplete,
     businessName,
-    conversationId
+    conversationId: null
   };
 }
 var app10 = new Hono2();
@@ -18846,11 +17697,11 @@ app10.post("/", async (c) => {
 var session_default2 = app10;
 
 // server/routes/admin/chat.ts
-import { resolve as resolve20 } from "path";
+import { resolve as resolve17 } from "path";
 
 // app/lib/script-stream-tailer.ts
 import * as childProcess from "child_process";
-import { appendFileSync as appendFileSync6, createReadStream as createReadStream2, mkdirSync as mkdirSync13, statSync as statSync8 } from "fs";
+import { appendFileSync as appendFileSync4, createReadStream as createReadStream2, mkdirSync as mkdirSync11, statSync as statSync8 } from "fs";
 import { dirname as dirname8 } from "path";
 import { StringDecoder as StringDecoder2 } from "string_decoder";
 var SCRIPT_STREAM_RE = /^\[([^\]]+)\] \[script:([a-z][a-z0-9-]*)((?::[a-z0-9:_-]+)?)\] (.*)$/;
@@ -18960,8 +17811,8 @@ function writeRouteMilestone(streamLogPath, scope, line) {
   }
   const ts = (/* @__PURE__ */ new Date()).toISOString();
   try {
-    mkdirSync13(dirname8(streamLogPath), { recursive: true });
-    appendFileSync6(streamLogPath, `[${ts}] [script:${scope}] ${line}
+    mkdirSync11(dirname8(streamLogPath), { recursive: true });
+    appendFileSync4(streamLogPath, `[${ts}] [script:${scope}] ${line}
 `);
   } catch (err) {
     console.error(
@@ -19291,7 +18142,7 @@ app11.post("/", requireAdminSession, async (c) => {
       try {
         registerAdminSSE(sseEntry);
         if (sseConvId) {
-          const streamLogPath = resolve20(account.accountDir, "logs", `claude-agent-stream-${sseConvId}.log`);
+          const streamLogPath = resolve17(account.accountDir, "logs", `claude-agent-stream-${sseConvId}.log`);
           tailer = startScriptStreamTailer({
             path: streamLogPath,
             onEvent: (event) => {
@@ -19416,8 +18267,8 @@ app12.post("/", requireAdminSession, async (c) => {
 var compact_default = app12;
 
 // server/routes/admin/logs.ts
-import { existsSync as existsSync20, readdirSync as readdirSync5, readFileSync as readFileSync20, statSync as statSync9 } from "fs";
-import { resolve as resolve21, basename as basename5 } from "path";
+import { existsSync as existsSync18, readdirSync as readdirSync5, readFileSync as readFileSync18, statSync as statSync9 } from "fs";
+import { resolve as resolve18, basename as basename5 } from "path";
 var TAIL_BYTES = 8192;
 var app13 = new Hono2();
 app13.get("/", async (c) => {
@@ -19426,16 +18277,16 @@ app13.get("/", async (c) => {
   const conversationIdParam = c.req.query("conversationId");
   const download = c.req.query("download") === "1";
   const account = resolveAccount();
-  const accountLogDir2 = account ? resolve21(account.accountDir, "logs") : null;
+  const accountLogDir2 = account ? resolve18(account.accountDir, "logs") : null;
   if (fileParam) {
     const safe = basename5(fileParam);
     const searched = [];
     for (const dir of [accountLogDir2, LOG_DIR]) {
       if (!dir) continue;
-      const filePath = resolve21(dir, safe);
+      const filePath = resolve18(dir, safe);
       searched.push(filePath);
       try {
-        const content = readFileSync20(filePath, "utf-8");
+        const content = readFileSync18(filePath, "utf-8");
         const headers = { "Content-Type": "text/plain; charset=utf-8" };
         if (download) headers["Content-Disposition"] = `attachment; filename="${safe}"`;
         return new Response(content, { headers });
@@ -19474,10 +18325,10 @@ app13.get("/", async (c) => {
     const searched = [];
     for (const dir of [accountLogDir2, LOG_DIR]) {
       if (!dir) continue;
-      const filePath = resolve21(dir, fileName);
+      const filePath = resolve18(dir, fileName);
       searched.push(filePath);
       try {
-        const content = readFileSync20(filePath, "utf-8");
+        const content = readFileSync18(filePath, "utf-8");
         const headers = { "Content-Type": "text/plain; charset=utf-8" };
         if (download) headers["Content-Disposition"] = `attachment; filename="${fileName}"`;
         return new Response(content, { headers });
@@ -19492,7 +18343,7 @@ app13.get("/", async (c) => {
   const seen = /* @__PURE__ */ new Set();
   const logs = {};
   for (const dir of [accountLogDir2, LOG_DIR]) {
-    if (!dir || !existsSync20(dir)) continue;
+    if (!dir || !existsSync18(dir)) continue;
     let files;
     try {
       files = readdirSync5(dir).filter((f) => f.endsWith(".log"));
@@ -19501,10 +18352,10 @@ app13.get("/", async (c) => {
       console.warn(`[admin/logs] readdir-fail dir=${dir} reason=${reason}`);
       continue;
     }
-    files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync9(resolve21(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
+    files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync9(resolve18(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
       seen.add(name);
       try {
-        const content = readFileSync20(resolve21(dir, name));
+        const content = readFileSync18(resolve18(dir, name));
         const tail = content.length > TAIL_BYTES ? content.subarray(content.length - TAIL_BYTES).toString("utf-8") : content.toString("utf-8");
         logs[name] = tail.trim() || "(empty)";
       } catch (err) {
@@ -19544,8 +18395,8 @@ var claude_info_default = app14;
 
 // server/routes/admin/attachment.ts
 import { readFile as readFile3, readdir } from "fs/promises";
-import { existsSync as existsSync21 } from "fs";
-import { resolve as resolve22 } from "path";
+import { existsSync as existsSync19 } from "fs";
+import { resolve as resolve19 } from "path";
 var app15 = new Hono2();
 app15.get("/:attachmentId", requireAdminSession, async (c) => {
   const attachmentId = c.req.param("attachmentId");
@@ -19557,12 +18408,12 @@ app15.get("/:attachmentId", requireAdminSession, async (c) => {
   if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/.test(attachmentId)) {
     return new Response("Not found", { status: 404 });
   }
-  const dir = resolve22(ATTACHMENTS_ROOT, accountId, attachmentId);
-  if (!existsSync21(dir)) {
+  const dir = resolve19(ATTACHMENTS_ROOT, accountId, attachmentId);
+  if (!existsSync19(dir)) {
     return new Response("Not found", { status: 404 });
   }
-  const metaPath = resolve22(dir, `${attachmentId}.meta.json`);
-  if (!existsSync21(metaPath)) {
+  const metaPath = resolve19(dir, `${attachmentId}.meta.json`);
+  if (!existsSync19(metaPath)) {
     return new Response("Not found", { status: 404 });
   }
   let meta;
@@ -19576,7 +18427,7 @@ app15.get("/:attachmentId", requireAdminSession, async (c) => {
   if (!dataFile) {
     return new Response("Not found", { status: 404 });
   }
-  const filePath = resolve22(dir, dataFile);
+  const filePath = resolve19(dir, dataFile);
   const buffer = await readFile3(filePath);
   return new Response(new Uint8Array(buffer), {
     headers: {
@@ -19589,8 +18440,8 @@ app15.get("/:attachmentId", requireAdminSession, async (c) => {
 var attachment_default = app15;
 
 // server/routes/admin/account.ts
-import { readFileSync as readFileSync21, writeFileSync as writeFileSync14 } from "fs";
-import { resolve as resolve23 } from "path";
+import { readFileSync as readFileSync19, writeFileSync as writeFileSync13 } from "fs";
+import { resolve as resolve20 } from "path";
 var VALID_CONTEXT_MODES = ["managed", "claude-code"];
 var app16 = new Hono2();
 app16.patch("/", requireAdminSession, async (c) => {
@@ -19606,12 +18457,12 @@ app16.patch("/", requireAdminSession, async (c) => {
   }
   const account = resolveAccount();
   if (!account) return c.json({ error: "No account configured" }, 500);
-  const configPath2 = resolve23(account.accountDir, "account.json");
+  const configPath2 = resolve20(account.accountDir, "account.json");
   try {
-    const raw2 = readFileSync21(configPath2, "utf-8");
+    const raw2 = readFileSync19(configPath2, "utf-8");
     const config = JSON.parse(raw2);
     config.contextMode = contextMode;
-    writeFileSync14(configPath2, JSON.stringify(config, null, 2) + "\n", "utf-8");
+    writeFileSync13(configPath2, JSON.stringify(config, null, 2) + "\n", "utf-8");
     console.error(`[account-update] contextMode=${contextMode}`);
     return c.json({ ok: true, contextMode });
   } catch (err) {
@@ -19622,24 +18473,24 @@ app16.patch("/", requireAdminSession, async (c) => {
 var account_default = app16;
 
 // server/routes/admin/agents.ts
-import { resolve as resolve24 } from "path";
-import { readdirSync as readdirSync6, readFileSync as readFileSync22, existsSync as existsSync22, rmSync as rmSync3 } from "fs";
+import { resolve as resolve21 } from "path";
+import { readdirSync as readdirSync6, readFileSync as readFileSync20, existsSync as existsSync20, rmSync as rmSync3 } from "fs";
 var app17 = new Hono2();
 app17.get("/", (c) => {
   const account = resolveAccount();
   if (!account) return c.json({ agents: [] });
-  const agentsDir = resolve24(account.accountDir, "agents");
-  if (!existsSync22(agentsDir)) return c.json({ agents: [] });
+  const agentsDir = resolve21(account.accountDir, "agents");
+  if (!existsSync20(agentsDir)) return c.json({ agents: [] });
   const agents = [];
   try {
     const entries = readdirSync6(agentsDir, { withFileTypes: true });
     for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
       if (!entry.isDirectory()) continue;
       if (entry.name === "admin") continue;
-      const configPath2 = resolve24(agentsDir, entry.name, "config.json");
-      if (!existsSync22(configPath2)) continue;
+      const configPath2 = resolve21(agentsDir, entry.name, "config.json");
+      if (!existsSync20(configPath2)) continue;
       try {
-        const config = JSON.parse(readFileSync22(configPath2, "utf-8"));
+        const config = JSON.parse(readFileSync20(configPath2, "utf-8"));
         agents.push({
           slug: entry.name,
           displayName: config.displayName ?? entry.name,
@@ -19665,8 +18516,8 @@ app17.delete("/:slug", (c) => {
   if (slug.includes("/") || slug.includes("..") || slug.includes("\\")) {
     return c.json({ error: "Invalid agent slug" }, 400);
   }
-  const agentDir = resolve24(account.accountDir, "agents", slug);
-  if (!existsSync22(agentDir)) {
+  const agentDir = resolve21(account.accountDir, "agents", slug);
+  if (!existsSync20(agentDir)) {
     return c.json({ error: "Agent not found" }, 404);
   }
   try {
@@ -19681,27 +18532,27 @@ app17.delete("/:slug", (c) => {
 var agents_default = app17;
 
 // server/routes/admin/version.ts
-import { existsSync as existsSync23, readFileSync as readFileSync23 } from "fs";
-import { resolve as resolve25, join as join11 } from "path";
-var PLATFORM_ROOT9 = process.env.MAXY_PLATFORM_ROOT ?? resolve25(process.cwd(), "..");
+import { existsSync as existsSync21, readFileSync as readFileSync21 } from "fs";
+import { resolve as resolve22, join as join10 } from "path";
+var PLATFORM_ROOT8 = process.env.MAXY_PLATFORM_ROOT ?? resolve22(process.cwd(), "..");
 var brandHostname = "maxy";
 var brandNpmPackage = "@rubytech/create-maxy";
-var brandJsonPath = join11(PLATFORM_ROOT9, "config", "brand.json");
-if (existsSync23(brandJsonPath)) {
+var brandJsonPath = join10(PLATFORM_ROOT8, "config", "brand.json");
+if (existsSync21(brandJsonPath)) {
   try {
-    const brand = JSON.parse(readFileSync23(brandJsonPath, "utf-8"));
+    const brand = JSON.parse(readFileSync21(brandJsonPath, "utf-8"));
     if (brand.hostname) brandHostname = brand.hostname;
     if (brand.npm?.packageName) brandNpmPackage = brand.npm.packageName;
   } catch {
   }
 }
-var VERSION_FILE = resolve25(PLATFORM_ROOT9, `config/.${brandHostname}-version`);
+var VERSION_FILE = resolve22(PLATFORM_ROOT8, `config/.${brandHostname}-version`);
 var NPM_PACKAGE = brandNpmPackage;
 var REGISTRY_URL = `https://registry.npmjs.org/${NPM_PACKAGE}/latest`;
 var FETCH_TIMEOUT_MS = 5e3;
 function readInstalled() {
-  if (!existsSync23(VERSION_FILE)) return "unknown";
-  const content = readFileSync23(VERSION_FILE, "utf-8").trim();
+  if (!existsSync21(VERSION_FILE)) return "unknown";
+  const content = readFileSync21(VERSION_FILE, "utf-8").trim();
   return content || "unknown";
 }
 async function fetchLatest() {
@@ -19811,16 +18662,10 @@ app19.post("/new", requireAdminSession, async (c) => {
   const newSessionKey = crypto3.randomUUID();
   const userName = getUserNameForSession(oldSessionKey);
   registerSession(newSessionKey, "admin", accountId, void 0, userId, userName);
-  const conversationId = await createNewAdminConversation(userId, accountId, newSessionKey);
-  if (!conversationId) {
-    unregisterSession(newSessionKey);
-    console.error(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} new-conversation-failed: userId=${userId} accountId=${accountId.slice(0, 8)}\u2026 oldSessionKey=${oldSessionKey.slice(0, 8)}\u2026 newSessionKey=${newSessionKey.slice(0, 8)}\u2026`);
-    return c.json({ error: "Failed to create conversation" }, 500);
-  }
   const previousConversationId = clearSessionHistory(oldSessionKey);
   unregisterSession(oldSessionKey);
-  console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} session reset for new conversation: oldSessionKey=${oldSessionKey.slice(0, 8)}\u2026 newSessionKey=${newSessionKey.slice(0, 8)}\u2026 previousConversationId=${previousConversationId?.slice(0, 8) ?? "none"}\u2026 newConversationId=${conversationId.slice(0, 8)}\u2026`);
-  return c.json({ session_key: newSessionKey, conversationId });
+  console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} session reset for new conversation: oldSessionKey=${oldSessionKey.slice(0, 8)}\u2026 newSessionKey=${newSessionKey.slice(0, 8)}\u2026 previousConversationId=${previousConversationId?.slice(0, 8) ?? "none"}\u2026 newConversationId=deferred`);
+  return c.json({ session_key: newSessionKey, conversationId: null });
 });
 app19.delete("/:id", requireAdminSession, async (c) => {
   const conversationId = c.req.param("id");
@@ -20194,9 +19039,9 @@ app23.post("/", async (c) => {
 var events_default = app23;
 
 // server/routes/admin/cloudflare.ts
-import { homedir as homedir4 } from "os";
-import { resolve as resolve27 } from "path";
-import { readFileSync as readFileSync25 } from "fs";
+import { homedir as homedir3 } from "os";
+import { resolve as resolve24 } from "path";
+import { readFileSync as readFileSync23 } from "fs";
 
 // app/lib/dns-label.ts
 var VALID_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
@@ -20212,14 +19057,14 @@ function isValidDomain(value) {
 }
 
 // app/lib/alias-domains.ts
-import { existsSync as existsSync24, mkdirSync as mkdirSync14, readFileSync as readFileSync24, writeFileSync as writeFileSync15 } from "fs";
+import { existsSync as existsSync22, mkdirSync as mkdirSync12, readFileSync as readFileSync22, writeFileSync as writeFileSync14 } from "fs";
 import { dirname as dirname9 } from "path";
-import { resolve as resolve26 } from "path";
-var ALIAS_DOMAINS_PATH = resolve26(MAXY_DIR, "alias-domains.json");
+import { resolve as resolve23 } from "path";
+var ALIAS_DOMAINS_PATH = resolve23(MAXY_DIR, "alias-domains.json");
 function readExisting() {
-  if (!existsSync24(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
+  if (!existsSync22(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
   try {
-    const parsed = JSON.parse(readFileSync24(ALIAS_DOMAINS_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync22(ALIAS_DOMAINS_PATH, "utf-8"));
     if (!Array.isArray(parsed)) return /* @__PURE__ */ new Set();
     return new Set(parsed.filter((h) => typeof h === "string"));
   } catch {
@@ -20230,18 +19075,18 @@ function addAliasDomain(hostname2) {
   const existing = readExisting();
   if (existing.has(hostname2)) return;
   existing.add(hostname2);
-  mkdirSync14(dirname9(ALIAS_DOMAINS_PATH), { recursive: true });
-  writeFileSync15(ALIAS_DOMAINS_PATH, JSON.stringify([...existing], null, 2) + "\n", "utf-8");
+  mkdirSync12(dirname9(ALIAS_DOMAINS_PATH), { recursive: true });
+  writeFileSync14(ALIAS_DOMAINS_PATH, JSON.stringify([...existing], null, 2) + "\n", "utf-8");
 }
 
 // server/routes/admin/cloudflare.ts
 var SETUP_TIMEOUT_MS = 10 * 60 * 1e3;
 var DOMAINS_TIMEOUT_MS = 40 * 1e3;
 function loadBrandInfo() {
-  const platformRoot3 = process.env.MAXY_PLATFORM_ROOT ?? resolve27(process.cwd(), "..");
-  const brandPath = resolve27(platformRoot3, "config", "brand.json");
+  const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve24(process.cwd(), "..");
+  const brandPath = resolve24(platformRoot2, "config", "brand.json");
   try {
-    const parsed = JSON.parse(readFileSync25(brandPath, "utf-8"));
+    const parsed = JSON.parse(readFileSync23(brandPath, "utf-8"));
     const hostname2 = typeof parsed.hostname === "string" && parsed.hostname ? parsed.hostname : "maxy";
     const configDir2 = typeof parsed.configDir === "string" && parsed.configDir ? parsed.configDir : ".maxy";
     return { hostname: hostname2, configDir: configDir2 };
@@ -20344,7 +19189,7 @@ app24.get("/domains", requireAdminSession, async (c) => {
   streamLogPath = streamLogPathFor(accountId, correlationId).streamLogPath;
   log2(`phase=stream-log-resolved path=${streamLogPath}`);
   const brand = loadBrandInfo();
-  const scriptPath = resolve27(homedir4(), "list-cf-domains.sh");
+  const scriptPath = resolve24(homedir3(), "list-cf-domains.sh");
   const result = await runFormSpawn({
     scriptPath,
     args: [brand.hostname],
@@ -20469,7 +19314,7 @@ app24.post("/setup", requireAdminSession, async (c) => {
   }
   streamLogPath = streamLogPathFor(accountId, correlationId).streamLogPath;
   log2(`phase=stream-log-resolved path=${streamLogPath}`);
-  const scriptPath = resolve27(homedir4(), "setup-tunnel.sh");
+  const scriptPath = resolve24(homedir3(), "setup-tunnel.sh");
   const args = [brand.hostname, String(port2), adminFqdn];
   if (publicFqdn) args.push(publicFqdn);
   if (apex) args.push(apex);
@@ -20538,17 +19383,17 @@ var cloudflare_default = app24;
 import { createReadStream as createReadStream3 } from "fs";
 import { readdir as readdir2, readFile as readFile4, stat as stat4, mkdir as mkdir3, writeFile as writeFile4, unlink as unlink2 } from "fs/promises";
 import { realpathSync as realpathSync4 } from "fs";
-import { basename as basename6, dirname as dirname10, join as join12, resolve as resolve29, sep as sep2 } from "path";
+import { basename as basename6, dirname as dirname10, join as join11, resolve as resolve26, sep as sep2 } from "path";
 import { Readable as Readable3 } from "stream";
 
 // app/lib/data-path.ts
 import { realpathSync as realpathSync3 } from "fs";
-import { resolve as resolve28, normalize, sep, relative } from "path";
-var PLATFORM_ROOT10 = process.env.MAXY_PLATFORM_ROOT ?? resolve28(process.cwd(), "../platform");
-var DATA_ROOT = resolve28(PLATFORM_ROOT10, "..", "data");
+import { resolve as resolve25, normalize, sep, relative } from "path";
+var PLATFORM_ROOT9 = process.env.MAXY_PLATFORM_ROOT ?? resolve25(process.cwd(), "../platform");
+var DATA_ROOT = resolve25(PLATFORM_ROOT9, "..", "data");
 function resolveDataPath(raw2) {
   const cleaned = normalize("/" + (raw2 ?? "").replace(/\\/g, "/")).replace(/^\/+/, "");
-  const absolute = resolve28(DATA_ROOT, cleaned);
+  const absolute = resolve25(DATA_ROOT, cleaned);
   let dataRootReal;
   try {
     dataRootReal = realpathSync3(DATA_ROOT);
@@ -20815,7 +19660,7 @@ async function cascadeDeleteDocument(params) {
 var UUID_RE3 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 async function readMeta(absDir, baseName) {
   try {
-    const raw2 = await readFile4(join12(absDir, `${baseName}.meta.json`), "utf8");
+    const raw2 = await readFile4(join11(absDir, `${baseName}.meta.json`), "utf8");
     const parsed = JSON.parse(raw2);
     if (typeof parsed?.filename === "string") {
       return { filename: parsed.filename, mimeType: typeof parsed.mimeType === "string" ? parsed.mimeType : void 0 };
@@ -20826,7 +19671,7 @@ async function readMeta(absDir, baseName) {
 }
 async function readAccountNames() {
   const map = /* @__PURE__ */ new Map();
-  const accountsDir = resolve29(DATA_ROOT, "accounts");
+  const accountsDir = resolve26(DATA_ROOT, "accounts");
   let names;
   try {
     names = await readdir2(accountsDir);
@@ -20835,7 +19680,7 @@ async function readAccountNames() {
   }
   for (const name of names) {
     if (!UUID_RE3.test(name)) continue;
-    const configPath2 = resolve29(accountsDir, name, "account.json");
+    const configPath2 = resolve26(accountsDir, name, "account.json");
     try {
       const raw2 = await readFile4(configPath2, "utf8");
       const parsed = JSON.parse(raw2);
@@ -20853,7 +19698,7 @@ async function readAccountNames() {
 }
 async function enrich(absolute, entry, accountNames) {
   if (entry.kind === "directory" && UUID_RE3.test(entry.name)) {
-    const meta = await readMeta(join12(absolute, entry.name), entry.name);
+    const meta = await readMeta(join11(absolute, entry.name), entry.name);
     if (meta?.filename) {
       entry.displayName = meta.filename;
       entry.mimeType = meta.mimeType;
@@ -20912,7 +19757,7 @@ app25.get("/", requireAdminSession, async (c) => {
         continue;
       }
       try {
-        const entryPath = join12(absolute, name);
+        const entryPath = join11(absolute, name);
         const s = await stat4(entryPath);
         entries.push({
           name,
@@ -21026,8 +19871,8 @@ app25.post("/upload", requireAdminSession, async (c) => {
   }
   const safeName = basename6(file.name).replace(/[\0/\\]/g, "_");
   const finalName = `${Date.now()}-${safeName}`;
-  const destDir = resolve29(DATA_ROOT, "uploads", accountId);
-  const destPath = resolve29(destDir, finalName);
+  const destDir = resolve26(DATA_ROOT, "uploads", accountId);
+  const destPath = resolve26(destDir, finalName);
   try {
     await mkdir3(destDir, { recursive: true });
     const dataRootReal = realpathSync4(DATA_ROOT);
@@ -21085,7 +19930,7 @@ app25.delete("/", requireAdminSession, async (c) => {
     }
     const dot = base.lastIndexOf(".");
     const stem = dot === -1 ? base : base.slice(0, dot);
-    const sidecarPath = UUID_RE3.test(stem) && base !== `${stem}.meta.json` ? join12(dirname10(absolute), `${stem}.meta.json`) : null;
+    const sidecarPath = UUID_RE3.test(stem) && base !== `${stem}.meta.json` ? join11(dirname10(absolute), `${stem}.meta.json`) : null;
     await unlink2(absolute);
     if (sidecarPath) {
       try {
@@ -21180,24 +20025,35 @@ var GRAPH_LABEL_COLOURS = {
   Review: "#059669",
   ImageObject: "#6EE7B7",
   // Conversational
+  //
+  // Task 649 palette — the four sublabelled conversation/message labels
+  // (AdminConversation, PublicConversation, UserMessage, AssistantMessage)
+  // are assigned four pairwise-distinguishable hues: indigo / purple /
+  // orange / yellow. The Task 633 violet-shade split (darker for admin,
+  // lighter for public) was indistinguishable on canvas and in the legend;
+  // hue-shift replaces lightness-shift.
+  //
+  // Constraints honoured:
+  //   - Pairwise distinct among the four in-family labels.
+  //   - UserMessage=#F97316 reserved (Person/Preference orange cue) —
+  //     the other three are non-orange.
+  //   - No collision with Task/Project/Event pinks (#DB2777/#BE185D/#EC4899),
+  //     Knowledge greens, Workflow cyans, LocalBusiness blues.
+  //   - Conversation base (#7C3AED) kept as pre-backfill fallback for
+  //     nodes that pre-date the AdminConversation/PublicConversation split.
+  //   - Message base reassigned away from old #A78BFA to avoid near-
+  //     collision with the new PublicConversation=#A855F7; slate signals
+  //     "legacy/system/tool" — nodes carrying only :Message without a
+  //     role-sublabel.
+  //   - Out of family (intentionally not touched): OnboardingState=#8B5CF6
+  //     sits in the violet neighbourhood; palette reassignment outside
+  //     the conversation/message family is out of scope for Task 649.
   Conversation: "#7C3AED",
-  // Task 633 — admin vs public disambiguation on /graph. Darker violet for
-  // admin conversations (the operator-facing side), lighter for public
-  // (customer-facing) so the operator can read chat topology by colour
-  // alone. Both within the Conversation family — the hue shift is subtle
-  // enough to stay legible on adjacent nodes yet distinct enough to be
-  // unmistakable in the popover legend.
-  AdminConversation: "#5B21B6",
-  PublicConversation: "#A78BFA",
-  Message: "#A78BFA",
-  // Task 633 — user vs assistant disambiguation on /graph. UserMessage
-  // picks up the Person/Preference orange family cue (the user is a
-  // person); AssistantMessage stays violet-adjacent to reinforce the
-  // AdminConversation cue (both are admin-side). system/tool Messages
-  // (not written by the persist path today; reserved shape) stay on the
-  // base `:Message` colour.
+  AdminConversation: "#4338CA",
+  PublicConversation: "#A855F7",
+  Message: "#64748B",
   UserMessage: "#F97316",
-  AssistantMessage: "#8B5CF6",
+  AssistantMessage: "#FACC15",
   ToolCall: "#C4B5FD",
   // Tasks / projects / events
   Task: "#DB2777",
@@ -21961,15 +20817,15 @@ app34.route("/adherence", adherence_default);
 var admin_default = app34;
 
 // server/index.ts
-var PLATFORM_ROOT11 = process.env.MAXY_PLATFORM_ROOT || "";
-var BRAND_JSON_PATH = PLATFORM_ROOT11 ? join13(PLATFORM_ROOT11, "config", "brand.json") : "";
+var PLATFORM_ROOT10 = process.env.MAXY_PLATFORM_ROOT || "";
+var BRAND_JSON_PATH = PLATFORM_ROOT10 ? join12(PLATFORM_ROOT10, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
-if (BRAND_JSON_PATH && !existsSync25(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && !existsSync23(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
 }
-if (BRAND_JSON_PATH && existsSync25(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
   try {
-    const parsed = JSON.parse(readFileSync26(BRAND_JSON_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync24(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
   } catch (err) {
     console.error(`[brand] Failed to parse brand.json: ${err.message}`);
@@ -21988,11 +20844,11 @@ var brandLoginOpts = {
   bodyFont: BRAND.defaultFonts?.body,
   logoContainsName: !!BRAND.logoContainsName
 };
-var ALIAS_DOMAINS_PATH2 = join13(homedir5(), BRAND.configDir, "alias-domains.json");
+var ALIAS_DOMAINS_PATH2 = join12(homedir4(), BRAND.configDir, "alias-domains.json");
 function loadAliasDomains() {
   try {
-    if (!existsSync25(ALIAS_DOMAINS_PATH2)) return null;
-    const parsed = JSON.parse(readFileSync26(ALIAS_DOMAINS_PATH2, "utf-8"));
+    if (!existsSync23(ALIAS_DOMAINS_PATH2)) return null;
+    const parsed = JSON.parse(readFileSync24(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
       return null;
@@ -22332,20 +21188,20 @@ app35.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] no-account slug=${slug} file=${filename}`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve30(account.accountDir, "agents", slug, "assets", filename);
-  const expectedDir = resolve30(account.accountDir, "agents", slug, "assets");
+  const filePath = resolve27(account.accountDir, "agents", slug, "assets", filename);
+  const expectedDir = resolve27(account.accountDir, "agents", slug, "assets");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync25(filePath)) {
+  if (!existsSync23(filePath)) {
     console.error(`[agent-assets] serve slug=${slug} file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[agent-assets] serve slug=${slug} file=${filename} status=200`);
-  const body = readFileSync26(filePath);
+  const body = readFileSync24(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=3600"
@@ -22362,20 +21218,20 @@ app35.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve30(account.accountDir, "generated", filename);
-  const expectedDir = resolve30(account.accountDir, "generated");
+  const filePath = resolve27(account.accountDir, "generated", filename);
+  const expectedDir = resolve27(account.accountDir, "generated");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync25(filePath)) {
+  if (!existsSync23(filePath)) {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[generated] serve file=${filename} status=200`);
-  const body = readFileSync26(filePath);
+  const body = readFileSync24(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=86400"
@@ -22384,9 +21240,9 @@ app35.get("/generated/:filename", (c) => {
 var htmlCache = /* @__PURE__ */ new Map();
 var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
-if (BRAND_JSON_PATH && existsSync25(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
   try {
-    const fullBrand = JSON.parse(readFileSync26(BRAND_JSON_PATH, "utf-8"));
+    const fullBrand = JSON.parse(readFileSync24(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
     brandIconPath = fullBrand.assets?.icon ? `/brand/${fullBrand.assets.icon}` : brandLogoPath;
   } catch {
@@ -22402,10 +21258,10 @@ var brandScript = `<script>window.__BRAND__=${JSON.stringify({
 })}</script>`;
 function readInstalledVersion() {
   try {
-    if (!PLATFORM_ROOT11) return "unknown";
-    const versionFile = join13(PLATFORM_ROOT11, "config", `.${BRAND.hostname}-version`);
-    if (!existsSync25(versionFile)) return "unknown";
-    const content = readFileSync26(versionFile, "utf-8").trim();
+    if (!PLATFORM_ROOT10) return "unknown";
+    const versionFile = join12(PLATFORM_ROOT10, "config", `.${BRAND.hostname}-version`);
+    if (!existsSync23(versionFile)) return "unknown";
+    const content = readFileSync24(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
     return "unknown";
@@ -22446,9 +21302,9 @@ var clientErrorReporterScript = `<script>
 function cachedHtml(file) {
   let html = htmlCache.get(file);
   if (!html) {
-    html = readFileSync26(resolve30(process.cwd(), "public", file), "utf-8");
-    html = html.replace("<title>Maxy</title>", `<title>${escapeHtml2(BRAND.productName)}</title>`);
-    html = html.replace('href="/favicon.ico"', `href="${escapeHtml2(brandFaviconPath)}"`);
+    html = readFileSync24(resolve27(process.cwd(), "public", file), "utf-8");
+    html = html.replace("<title>Maxy</title>", `<title>${escapeHtml(BRAND.productName)}</title>`);
+    html = html.replace('href="/favicon.ico"', `href="${escapeHtml(brandFaviconPath)}"`);
     const headInjection = file === "index.html" ? `${brandScript}
 ${versionScript}
 ${clientErrorReporterScript}
@@ -22461,26 +21317,26 @@ ${clientErrorReporterScript}
 }
 var brandedHtmlCache = /* @__PURE__ */ new Map();
 function loadBrandingCache(agentSlug) {
-  const configDir2 = join13(homedir5(), BRAND.configDir);
+  const configDir2 = join12(homedir4(), BRAND.configDir);
   try {
-    const accountJsonPath = join13(configDir2, "account.json");
-    if (!existsSync25(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync26(accountJsonPath, "utf-8"));
+    const accountJsonPath = join12(configDir2, "account.json");
+    if (!existsSync23(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync24(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
-    const cachePath = join13(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
-    if (!existsSync25(cachePath)) return null;
-    return JSON.parse(readFileSync26(cachePath, "utf-8"));
+    const cachePath = join12(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
+    if (!existsSync23(cachePath)) return null;
+    return JSON.parse(readFileSync24(cachePath, "utf-8"));
   } catch {
     return null;
   }
 }
 function resolveDefaultSlug() {
   try {
-    const configDir2 = join13(homedir5(), BRAND.configDir);
-    const accountJsonPath = join13(configDir2, "account.json");
-    if (!existsSync25(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync26(accountJsonPath, "utf-8"));
+    const configDir2 = join12(homedir4(), BRAND.configDir);
+    const accountJsonPath = join12(configDir2, "account.json");
+    if (!existsSync23(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync24(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
     return null;
@@ -22494,26 +21350,26 @@ function brandedPublicHtml(agentSlug) {
   if (!branding) return baseHtml;
   const brandHash = JSON.stringify(branding).length;
   if (cached && cached.mtime === brandHash) return cached.html;
-  const title = escapeHtml2(branding.name);
-  const description = branding.tagline ? escapeHtml2(branding.tagline) : "";
+  const title = escapeHtml(branding.name);
+  const description = branding.tagline ? escapeHtml(branding.tagline) : "";
   const themeColor = branding.primaryColor || "";
   const ogImage = branding.logoUrl || "";
   const favicon = branding.faviconUrl || "";
   const metaTags = [
     `  <title>${title}</title>`,
-    favicon ? `  <link rel="icon" href="${escapeHtml2(favicon)}">` : `  <link rel="icon" href="${escapeHtml2(brandFaviconPath)}">`,
-    themeColor ? `  <meta name="theme-color" content="${escapeHtml2(themeColor)}">` : "",
+    favicon ? `  <link rel="icon" href="${escapeHtml(favicon)}">` : `  <link rel="icon" href="${escapeHtml(brandFaviconPath)}">`,
+    themeColor ? `  <meta name="theme-color" content="${escapeHtml(themeColor)}">` : "",
     `  <meta property="og:title" content="${title}">`,
     description ? `  <meta property="og:description" content="${description}">` : "",
-    ogImage ? `  <meta property="og:image" content="${escapeHtml2(ogImage)}">` : "",
+    ogImage ? `  <meta property="og:image" content="${escapeHtml(ogImage)}">` : "",
     '  <meta property="og:type" content="website">'
   ].filter(Boolean).join("\n");
-  const html = baseHtml.replace(`  <title>${escapeHtml2(BRAND.productName)}</title>
-  <link rel="icon" href="${escapeHtml2(brandFaviconPath)}">`, metaTags);
+  const html = baseHtml.replace(`  <title>${escapeHtml(BRAND.productName)}</title>
+  <link rel="icon" href="${escapeHtml(brandFaviconPath)}">`, metaTags);
   brandedHtmlCache.set(agentSlug, { html, mtime: brandHash });
   return html;
 }
-function escapeHtml2(s) {
+function escapeHtml(s) {
   return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
 app35.get("/", (c) => {
@@ -22553,11 +21409,11 @@ app35.use("/vnc-popout.html", logViewerFetch);
 app35.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
-    html = readFileSync26(resolve30(process.cwd(), "public", "vnc-popout.html"), "utf-8");
-    const name = escapeHtml2(BRAND.productName);
+    html = readFileSync24(resolve27(process.cwd(), "public", "vnc-popout.html"), "utf-8");
+    const name = escapeHtml(BRAND.productName);
     html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
     html = html.replace("</head>", `  ${brandScript}
-  <link rel="icon" href="${escapeHtml2(brandFaviconPath)}">
+  <link rel="icon" href="${escapeHtml(brandFaviconPath)}">
 </head>`);
     htmlCache.set("vnc-popout.html", html);
   }
@@ -22607,36 +21463,10 @@ app35.get("/:slug", async (c, next) => {
   await next();
 });
 app35.use("/*", serveStatic({ root: "./public" }));
-var port = parseInt(process.env.PORT ?? "19200", 10);
-var hostname = process.env.HOSTNAME ?? "0.0.0.0";
+var port = parseInt(process.env.PORT ?? "19199", 10);
+var hostname = process.env.HOSTNAME ?? "127.0.0.1";
 var httpServer = serve({ fetch: app35.fetch, port, hostname });
-attachVncWsProxy(httpServer, {
-  isPublicHost,
-  upstreamHost: "127.0.0.1",
-  upstreamPort: 6080
-});
-attachTerminalWsProxy(httpServer, {
-  isPublicHost,
-  upstreamHost: "127.0.0.1",
-  upstreamPort: 7681
-});
 console.log(`${BRAND.productName} listening on http://${hostname}:${port}`);
-setTimeout(() => {
-  const socket = createConnection5(7681, "127.0.0.1");
-  socket.setTimeout(500);
-  socket.once("connect", () => {
-    socket.destroy();
-    console.log("[ttyd] upstream ready on 127.0.0.1:7681");
-  });
-  socket.once("error", (err) => {
-    socket.destroy();
-    console.error(`[ttyd] upstream NOT reachable on 127.0.0.1:7681 \u2014 admin terminal will be unavailable. Check 'sudo systemctl --user status maxy-ttyd' and /usr/local/bin/ttyd. (${err.message})`);
-  });
-  socket.once("timeout", () => {
-    socket.destroy();
-    console.error("[ttyd] upstream NOT reachable on 127.0.0.1:7681 (timeout) \u2014 admin terminal will be unavailable. Check 'sudo systemctl --user status maxy-ttyd'.");
-  });
-}, 5e3);
 var SUBAPP_MANIFEST = [
   { prefix: "/api/health", file: "server/routes/health.ts", subapp: health_default },
   { prefix: "/api/session", file: "server/routes/session.ts", subapp: session_default },
@@ -22669,8 +21499,8 @@ try {
 (async () => {
   try {
     let userId = "";
-    if (existsSync25(USERS_FILE)) {
-      const users = JSON.parse(readFileSync26(USERS_FILE, "utf-8").trim() || "[]");
+    if (existsSync23(USERS_FILE)) {
+      const users = JSON.parse(readFileSync24(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
     await backfillNullUserIdConversations(userId);
@@ -22696,7 +21526,7 @@ if (bootAccountConfig?.whatsapp) {
 }
 init({
   configDir: configDirForWhatsApp,
-  platformRoot: resolve30(process.env.MAXY_PLATFORM_ROOT ?? join13(__dirname, "..")),
+  platformRoot: resolve27(process.env.MAXY_PLATFORM_ROOT ?? join12(__dirname, "..")),
   accountConfig: bootAccountConfig,
   onMessage: async (msg) => {
     try {