@rubytech/create-maxy 1.0.685 → 1.0.686

package/payload/server/server.js

@@ -1203,14 +1203,14 @@ var Hono = class _Hono {
    * app.route("/api", app2) // GET /api/user
    * ```
    */
-  route(path2, app35) {
+  route(path2, app39) {
     const subApp = this.basePath(path2);
-    app35.routes.map((r) => {
+    app39.routes.map((r) => {
       let handler;
-      if (app35.errorHandler === errorHandler) {
+      if (app39.errorHandler === errorHandler) {
         handler = r.handler;
       } else {
-        handler = async (c, next) => (await compose([], app35.errorHandler)(c, () => r.handler(c, next))).res;
+        handler = async (c, next) => (await compose([], app39.errorHandler)(c, () => r.handler(c, next))).res;
         handler[COMPOSED_HANDLER] = r.handler;
       }
       subApp.#addRoute(r.method, r.path, handler);
@@ -2393,13 +2393,13 @@ function writeFromReadableStreamDefaultReader(reader, writable, currentReadPromi
     }
   }
 }
-function writeFromReadableStream(stream, writable) {
-  if (stream.locked) {
+function writeFromReadableStream(stream2, writable) {
+  if (stream2.locked) {
     throw new TypeError("ReadableStream is locked.");
   } else if (writable.destroyed) {
     return;
   }
-  return writeFromReadableStreamDefaultReader(stream.getReader(), writable);
+  return writeFromReadableStreamDefaultReader(stream2.getReader(), writable);
 }
 var buildOutgoingHttpHeaders = (headers) => {
   const res = {};
@@ -2528,7 +2528,7 @@ var responseViaResponseObject = async (res, outgoing, options = {}) => {
         });
         if (!chunk) {
           if (i === 1) {
-            await new Promise((resolve28) => setTimeout(resolve28));
+            await new Promise((resolve29) => setTimeout(resolve29));
             maxReadCount = 3;
             continue;
           }
@@ -2761,24 +2761,24 @@ var pr54206Applied = () => {
   return major >= 23 || major === 22 && minor >= 7 || major === 20 && minor >= 18;
 };
 var useReadableToWeb = pr54206Applied();
-var createStreamBody = (stream) => {
+var createStreamBody = (stream2) => {
   if (useReadableToWeb) {
-    return Readable2.toWeb(stream);
+    return Readable2.toWeb(stream2);
   }
   const body = new ReadableStream({
     start(controller) {
-      stream.on("data", (chunk) => {
+      stream2.on("data", (chunk) => {
         controller.enqueue(chunk);
       });
-      stream.on("error", (err) => {
+      stream2.on("error", (err) => {
         controller.error(err);
       });
-      stream.on("end", () => {
+      stream2.on("end", () => {
         controller.close();
       });
     },
     cancel() {
-      stream.destroy();
+      stream2.destroy();
     }
   });
   return body;
@@ -2883,10 +2883,10 @@ var serveStatic = (options = { root: "" }) => {
         end = size - 1;
       }
       const chunksize = end - start + 1;
-      const stream = createReadStream(path2, { start, end });
+      const stream2 = createReadStream(path2, { start, end });
       c.header("Content-Length", chunksize.toString());
       c.header("Content-Range", `bytes ${start}-${end}/${stats.size}`);
-      result = c.body(createStreamBody(stream), 206);
+      result = c.body(createStreamBody(stream2), 206);
     }
     await options.onFound?.(path2, c);
     return result;
@@ -2894,9 +2894,9 @@ var serveStatic = (options = { root: "" }) => {
 };
 
 // server/index.ts
-import { readFileSync as readFileSync25, existsSync as existsSync23, watchFile } from "fs";
-import { resolve as resolve27, join as join12, basename as basename7 } from "path";
-import { homedir as homedir4 } from "os";
+import { readFileSync as readFileSync26, existsSync as existsSync25, watchFile } from "fs";
+import { resolve as resolve28, join as join13, basename as basename7 } from "path";
+import { homedir as homedir5 } from "os";
 
 // app/lib/agent-slug-pattern.ts
 var AGENT_SLUG_PATTERN = /^\/([a-z][a-z0-9-]{2,49})$/;
@@ -3992,8 +3992,8 @@ async function persistMessage(conversationId, role, content, accountId, tokens,
   const prev = persistMessageLocks.get(conversationId);
   const waited = prev !== void 0;
   let release;
-  const mine = new Promise((resolve28) => {
-    release = resolve28;
+  const mine = new Promise((resolve29) => {
+    release = resolve29;
   });
   const chained = (prev ?? Promise.resolve()).then(() => mine);
   persistMessageLocks.set(conversationId, chained);
@@ -4252,7 +4252,7 @@ ${userContent}`;
     "dontAsk",
     prompt
   ];
-  return new Promise((resolve28) => {
+  return new Promise((resolve29) => {
     let stdout = "";
     let stderr = "";
     const spawnFn = _spawnOverride ?? spawn;
@@ -4270,35 +4270,35 @@ ${userContent}`;
     const timer = setTimeout(() => {
       proc.kill("SIGTERM");
       console.error("[persist] autoLabel: haiku subprocess timed out");
-      resolve28(null);
+      resolve29(null);
     }, SESSION_LABEL_TIMEOUT_MS);
     proc.on("error", (err) => {
       clearTimeout(timer);
       console.error(`[persist] autoLabel: subprocess error \u2014 ${err.message}`);
-      resolve28(null);
+      resolve29(null);
     });
     proc.on("close", (code) => {
       clearTimeout(timer);
       if (code !== 0) {
         console.error(`[persist] autoLabel: subprocess exited code=${code}${stderr ? ` stderr=${stderr.trim().slice(0, 200)}` : ""}`);
-        resolve28(null);
+        resolve29(null);
         return;
       }
       const text = stdout.trim();
       if (!text) {
         console.error("[persist] autoLabel: haiku returned empty response");
-        resolve28(null);
+        resolve29(null);
         return;
       }
       if (text === "SKIP") {
         console.error("[persist] autoLabel: haiku returned SKIP \u2014 messages too vague");
-        resolve28(null);
+        resolve29(null);
         return;
       }
       const words = text.split(/\s+/).slice(0, SESSION_LABEL_MAX_WORDS);
       const label = words.join(" ");
       console.error(`[persist] autoLabel: haiku response="${label}"`);
-      resolve28(label);
+      resolve29(label);
     });
   });
 }
@@ -5909,9 +5909,9 @@ function agentLogStream(name, accountDir, conversationId) {
   mkdirSync4(logDir, { recursive: true });
   purgeOldLogs(logDir, `${name}-`);
   const logPath2 = resolve5(logDir, `${name}-${conversationId}.log`);
-  const stream = createWriteStream(logPath2, { flags: "a" });
-  registerStreamLog(stream, { path: logPath2, conversationId, name });
-  return stream;
+  const stream2 = createWriteStream(logPath2, { flags: "a" });
+  registerStreamLog(stream2, { path: logPath2, conversationId, name });
+  return stream2;
 }
 function preConversationLogStream(name, accountDir) {
   const logDir = resolve5(accountDir, "logs");
@@ -5919,15 +5919,15 @@ function preConversationLogStream(name, accountDir) {
   const date = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
   purgeOldLogs(logDir, `preconversation-${name}-`);
   const logPath2 = resolve5(logDir, `preconversation-${name}-${date}.log`);
-  const stream = createWriteStream(logPath2, { flags: "a" });
-  registerStreamLog(stream, { path: logPath2, conversationId: null, name: `preconversation-${name}` });
-  return stream;
+  const stream2 = createWriteStream(logPath2, { flags: "a" });
+  registerStreamLog(stream2, { path: logPath2, conversationId: null, name: `preconversation-${name}` });
+  return stream2;
 }
 var openStreamLogs = /* @__PURE__ */ new Map();
-function registerStreamLog(stream, entry) {
-  openStreamLogs.set(stream, entry);
-  stream.once("close", () => {
-    openStreamLogs.delete(stream);
+function registerStreamLog(stream2, entry) {
+  openStreamLogs.set(stream2, entry);
+  stream2.once("close", () => {
+    openStreamLogs.delete(stream2);
   });
 }
 function sigtermFlushStreamLogs(reason, source) {
@@ -7777,7 +7777,7 @@ async function fetchMemoryContext(accountId, query, sessionKey, options) {
     return null;
   }
   const startMs = Date.now();
-  return new Promise((resolve28) => {
+  return new Promise((resolve29) => {
     const proc = spawn2(process.execPath, [serverPath], {
       env: {
         ...process.env,
@@ -7806,7 +7806,7 @@ async function fetchMemoryContext(accountId, query, sessionKey, options) {
       } else {
         console.error(`[fetchMemoryContext] failed: ${reason} (${elapsed}ms)${stderrBuf ? ` stderr: ${stderrBuf.slice(0, 500)}` : ""}`);
       }
-      resolve28(value);
+      resolve29(value);
     };
     proc.stdout.on("data", (chunk) => {
       buffer += chunk.toString();
@@ -9882,7 +9882,7 @@ User messages are prefixed with the sender's name in brackets. Address participa
   try {
     while (turnCount < MAX_TOOL_TURNS) {
       turnCount++;
-      const stream = client.messages.stream({
+      const stream2 = client.messages.stream({
         model: publicModel,
         max_tokens: 1024,
         system,
@@ -9924,13 +9924,13 @@ User messages are prefixed with the sender's name in brackets. Address participa
           }
         }]
       });
-      for await (const event of stream) {
+      for await (const event of stream2) {
         if (event.type === "content_block_delta" && event.delta.type === "text_delta") {
           fullText += event.delta.text;
           yield { type: "text", content: event.delta.text };
         }
       }
-      const finalMessage = await stream.finalMessage();
+      const finalMessage = await stream2.finalMessage();
       if (finalMessage.stop_reason !== "tool_use") break;
       const toolUseBlocks = [];
       for (const block of finalMessage.content) {
@@ -12536,7 +12536,7 @@ var credsSaveQueue = Promise.resolve();
 async function drainCredsSaveQueue(timeoutMs = 5e3) {
   console.error(`${TAG5} draining credential save queue\u2026`);
   const timer = new Promise(
-    (resolve28) => setTimeout(() => resolve28("timeout"), timeoutMs)
+    (resolve29) => setTimeout(() => resolve29("timeout"), timeoutMs)
   );
   const result = await Promise.race([
     credsSaveQueue.then(() => "drained"),
@@ -12664,11 +12664,11 @@ async function createWaSocket(opts) {
   return sock;
 }
 async function waitForConnection(sock) {
-  return new Promise((resolve28, reject) => {
+  return new Promise((resolve29, reject) => {
     const handler = (update) => {
       if (update.connection === "open") {
         sock.ev.off("connection.update", handler);
-        resolve28();
+        resolve29();
       }
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
@@ -12782,14 +12782,14 @@ ${inspected}`;
   return inspect2(err, INSPECT_OPTS2);
 }
 function withTimeout(label, promise, timeoutMs) {
-  return new Promise((resolve28, reject) => {
+  return new Promise((resolve29, reject) => {
     const timer = setTimeout(() => {
       reject(new Error(`${label} timed out after ${timeoutMs}ms`));
     }, timeoutMs);
     promise.then(
       (value) => {
         clearTimeout(timer);
-        resolve28(value);
+        resolve29(value);
       },
       (err) => {
         clearTimeout(timer);
@@ -13334,9 +13334,9 @@ function getDownloadableContent(message) {
   if (msg.stickerMessage) return { downloadable: msg.stickerMessage, mediaType: "sticker" };
   return void 0;
 }
-async function streamToBuffer(stream) {
+async function streamToBuffer(stream2) {
   const chunks = [];
-  for await (const chunk of stream) {
+  for await (const chunk of stream2) {
     chunks.push(Buffer.from(chunk));
   }
   return Buffer.concat(chunks);
@@ -13367,8 +13367,8 @@ async function downloadInboundMedia(msg, sock, opts) {
       const downloadable = getDownloadableContent(content);
       if (downloadable) {
         try {
-          const stream = await downloadContentFromMessage(downloadable.downloadable, downloadable.mediaType);
-          buffer = await streamToBuffer(stream);
+          const stream2 = await downloadContentFromMessage(downloadable.downloadable, downloadable.mediaType);
+          buffer = await streamToBuffer(stream2);
         } catch (fallbackErr) {
           console.error(`${TAG9} direct download fallback failed: ${String(fallbackErr)}`);
         }
@@ -13999,15 +13999,15 @@ async function connectWithReconnect(conn) {
       );
     }
     if (decision.reason === "short-lived" || cycleError) {
-      const delay = computeBackoff(Math.max(1, decision.nextAttempts));
+      const delay2 = computeBackoff(Math.max(1, decision.nextAttempts));
       console.error(
-        `${TAG13} reconnecting account=${conn.accountId} in ${delay}ms (attempt ${decision.nextAttempts}/${maxAttempts})`
+        `${TAG13} reconnecting account=${conn.accountId} in ${delay2}ms (attempt ${decision.nextAttempts}/${maxAttempts})`
       );
-      await new Promise((resolve28) => {
-        const timer = setTimeout(resolve28, delay);
+      await new Promise((resolve29) => {
+        const timer = setTimeout(resolve29, delay2);
         conn.abortController.signal.addEventListener("abort", () => {
           clearTimeout(timer);
-          resolve28();
+          resolve29();
         }, { once: true });
       });
     }
@@ -14015,16 +14015,16 @@ async function connectWithReconnect(conn) {
   }
 }
 function waitForDisconnectEvent(conn) {
-  return new Promise((resolve28) => {
+  return new Promise((resolve29) => {
     if (!conn.sock) {
-      resolve28();
+      resolve29();
       return;
     }
     const sock = conn.sock;
     const handler = (update) => {
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
-        resolve28();
+        resolve29();
       }
     };
     sock.ev.on("connection.update", handler);
@@ -14241,8 +14241,8 @@ async function handleInboundMessage(conn, msg) {
     const conversationKey = isGroup ? remoteJid : senderPhone;
     const debounceKey = `${conn.accountId}:${conversationKey}:${senderPhone}`;
     let resolvePending;
-    const sttPending = new Promise((resolve28) => {
-      resolvePending = resolve28;
+    const sttPending = new Promise((resolve29) => {
+      resolvePending = resolve29;
     });
     if (conn.debouncer) conn.debouncer.registerPending(debounceKey, sttPending);
     try {
@@ -14355,20 +14355,20 @@ async function probeApiKey() {
   return result.status;
 }
 function checkPort(port2, timeoutMs = 500) {
-  return new Promise((resolve28) => {
+  return new Promise((resolve29) => {
     const socket = createConnection2(port2, "127.0.0.1");
     socket.setTimeout(timeoutMs);
     socket.once("connect", () => {
       socket.destroy();
-      resolve28(true);
+      resolve29(true);
     });
     socket.once("error", () => {
       socket.destroy();
-      resolve28(false);
+      resolve29(false);
     });
     socket.once("timeout", () => {
       socket.destroy();
-      resolve28(false);
+      resolve29(false);
     });
   });
 }
@@ -15338,7 +15338,7 @@ app3.post("/", async (c) => {
         `[chat-route] session=${session_key.slice(0, 8)} gateway=discard reason=${gatewayResult.screening.reason}`
       );
       const encoder2 = new TextEncoder();
-      const stream = new ReadableStream({
+      const stream2 = new ReadableStream({
         start(controller) {
           controller.enqueue(
             encoder2.encode(`data: ${JSON.stringify({ text: "I'm sorry, I can't help with that request." })}
@@ -15349,7 +15349,7 @@ app3.post("/", async (c) => {
           controller.close();
         }
       });
-      return new Response(stream, {
+      return new Response(stream2, {
         headers: { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", Connection: "keep-alive" }
       });
     }
@@ -16518,12 +16518,12 @@ async function loginConnectionLoop(accountId, login) {
         return;
       }
       attempt++;
-      const delay = LOGIN_RECONNECT_DELAYS[attempt - 1] ?? 8e3;
+      const delay2 = LOGIN_RECONNECT_DELAYS[attempt - 1] ?? 8e3;
       console.error(
-        `${TAG17} status=${classification.statusCode ?? "unknown"} restart required \u2014 reconnecting with saved creds (attempt ${attempt}/${LOGIN_MAX_RECONNECTS}) delay=${delay}ms`
+        `${TAG17} status=${classification.statusCode ?? "unknown"} restart required \u2014 reconnecting with saved creds (attempt ${attempt}/${LOGIN_MAX_RECONNECTS}) delay=${delay2}ms`
       );
       closeSocket(current.sock);
-      await new Promise((r) => setTimeout(r, delay));
+      await new Promise((r) => setTimeout(r, delay2));
       const afterDelay = activeLogins.get(accountId);
       if (afterDelay?.id !== login.id) return;
       try {
@@ -16570,8 +16570,8 @@ async function startLogin(opts) {
   resetActiveLogin(accountId);
   let resolveQr = null;
   let rejectQr = null;
-  const qrPromise = new Promise((resolve28, reject) => {
-    resolveQr = resolve28;
+  const qrPromise = new Promise((resolve29, reject) => {
+    resolveQr = resolve29;
     rejectQr = reject;
   });
   const qrTimer = setTimeout(
@@ -17721,8 +17721,8 @@ function startScriptStreamTailer(opts) {
         buffer = "";
       }
       await new Promise((res, rej) => {
-        const stream = createReadStream2(path2, { start: offset, end: size - 1 });
-        stream.on("data", (chunk) => {
+        const stream2 = createReadStream2(path2, { start: offset, end: size - 1 });
+        stream2.on("data", (chunk) => {
           buffer += typeof chunk === "string" ? chunk : utf8.write(chunk);
           let idx;
           while ((idx = buffer.indexOf("\n")) !== -1) {
@@ -17731,11 +17731,11 @@ function startScriptStreamTailer(opts) {
             if (line.length > 0) processLine(line);
           }
         });
-        stream.on("end", () => {
+        stream2.on("end", () => {
           offset = size;
           res();
         });
-        stream.on("error", rej);
+        stream2.on("error", rej);
       });
     } catch (err) {
       if (onError) onError(err instanceof Error ? err : new Error(String(err)));
@@ -18057,7 +18057,7 @@ app11.post("/", requireAdminSession, async (c) => {
 `);
       lifecycleLog.end();
       const encoder2 = new TextEncoder();
-      const stream = new ReadableStream({
+      const stream2 = new ReadableStream({
         start(controller) {
           controller.enqueue(encoder2.encode(`data: ${JSON.stringify({ type: "done" })}
 
@@ -18065,7 +18065,7 @@ app11.post("/", requireAdminSession, async (c) => {
           controller.close();
         }
       });
-      return new Response(stream, {
+      return new Response(stream2, {
         headers: { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", Connection: "keep-alive" }
       });
     }
@@ -18212,7 +18212,7 @@ var app12 = new Hono2();
 app12.post("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const encoder = new TextEncoder();
-  const stream = new ReadableStream({
+  const stream2 = new ReadableStream({
     async start(controller) {
       const iter = compactSession(sessionKey);
       let step = await iter.next();
@@ -18228,7 +18228,7 @@ app12.post("/", requireAdminSession, async (c) => {
       controller.close();
     }
   });
-  return new Response(stream, {
+  return new Response(stream2, {
     headers: {
       "Content-Type": "text/event-stream",
       "Cache-Control": "no-cache",
@@ -18951,9 +18951,9 @@ app22.post("/", async (c) => {
 var events_default = app22;
 
 // server/routes/admin/cloudflare.ts
-import { homedir as homedir3 } from "os";
-import { resolve as resolve24 } from "path";
-import { readFileSync as readFileSync24 } from "fs";
+import { homedir as homedir4 } from "os";
+import { resolve as resolve25 } from "path";
+import { readFileSync as readFileSync25 } from "fs";
 
 // app/lib/dns-label.ts
 var VALID_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
@@ -18991,9 +18991,13 @@ function addAliasDomain(hostname2) {
   writeFileSync14(ALIAS_DOMAINS_PATH, JSON.stringify([...existing], null, 2) + "\n", "utf-8");
 }
 
-// server/routes/admin/cloudflare.ts
-var SETUP_TIMEOUT_MS = 10 * 60 * 1e3;
-var DOMAINS_TIMEOUT_MS = 40 * 1e3;
+// server/lib/action-runner.ts
+import { spawn as spawn5 } from "child_process";
+import { createReadStream as createReadStream3, existsSync as existsSync23, mkdirSync as mkdirSync13, readdirSync as readdirSync7, statSync as statSync10, unlinkSync as unlinkSync5, watch } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join11, resolve as resolve24 } from "path";
+import { readFileSync as readFileSync24 } from "fs";
+import { setTimeout as delay } from "timers/promises";
 function loadBrandInfo() {
   const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve24(process.cwd(), "..");
   const brandPath = resolve24(platformRoot2, "config", "brand.json");
@@ -19006,6 +19010,333 @@ function loadBrandInfo() {
     return { hostname: "maxy", configDir: ".maxy" };
   }
 }
+function actionLogDir() {
+  const { configDir: configDir2 } = loadBrandInfo();
+  return join11(homedir3(), configDir2, "logs", "actions");
+}
+function actionLogPath(actionId) {
+  return join11(actionLogDir(), `${actionId}.log`);
+}
+var WHITELIST = {
+  upgrade: {
+    build: ({ sudoPassword }) => {
+      const { hostname: hostname2 } = loadBrandInfo();
+      const pkg = `@rubytech/create-${hostname2}`;
+      const cmd = [
+        // prime: read pw from stdin, silently cache
+        'printf %s "$SUDO_PASSWORD"',
+        "|",
+        "sudo -S -v 2>/dev/null",
+        "&&",
+        // run installer — it will re-prompt only if the cache expires
+        `npx -y ${pkg}@latest`
+      ].join(" ");
+      return {
+        argv: ["bash", "-c", cmd],
+        env: sudoPassword ? { SUDO_PASSWORD: sudoPassword } : void 0
+      };
+    }
+  },
+  "cloudflare-setup": {
+    build: ({ positional }) => {
+      if (!positional || positional.length < 3) {
+        throw new Error("cloudflare-setup requires [brand, port, ...hostnames]");
+      }
+      const scriptPath = join11(homedir3(), "setup-tunnel.sh");
+      if (!existsSync23(scriptPath)) {
+        throw new Error(
+          `cloudflare-setup: ~/setup-tunnel.sh not found. Re-run the installer to repair the symlink.`
+        );
+      }
+      return { argv: [scriptPath, ...positional] };
+    }
+  }
+};
+function isKnownAction(name) {
+  return Object.prototype.hasOwnProperty.call(WHITELIST, name);
+}
+function generateActionId(name) {
+  const ts = Date.now().toString(36);
+  const nonce = Math.floor(Math.random() * 4294967295).toString(16).padStart(8, "0");
+  return `${name}-${ts}-${nonce}`;
+}
+function cleanupStaleLogs() {
+  const dir = actionLogDir();
+  if (!existsSync23(dir)) return;
+  const cutoff = Date.now() - 7 * 24 * 60 * 60 * 1e3;
+  for (const entry of readdirSync7(dir)) {
+    const full = join11(dir, entry);
+    try {
+      const st = statSync10(full);
+      if (st.isFile() && st.mtimeMs < cutoff) unlinkSync5(full);
+    } catch {
+    }
+  }
+}
+async function isActionActive(actionName) {
+  return new Promise((resolveP) => {
+    const proc = spawn5(
+      "systemctl",
+      ["--user", "list-units", "--no-legend", "--state=active", `maxy-action-${actionName}-*`],
+      { stdio: ["ignore", "pipe", "pipe"] }
+    );
+    let out = "";
+    proc.stdout.on("data", (chunk) => {
+      out += chunk.toString();
+    });
+    proc.on("close", () => resolveP(out.trim().length > 0));
+    proc.on("error", () => resolveP(false));
+  });
+}
+async function launchAction(name, args) {
+  const actionId = generateActionId(name);
+  const dir = actionLogDir();
+  mkdirSync13(dir, { recursive: true });
+  cleanupStaleLogs();
+  const logPath2 = actionLogPath(actionId);
+  const unit = `maxy-action-${actionId}`;
+  const built = WHITELIST[name].build(args);
+  const systemdArgs = [
+    "--user",
+    `--unit=${unit}`,
+    "--collect",
+    "--property=RemainAfterExit=false",
+    `--property=StandardOutput=append:${logPath2}`,
+    `--property=StandardError=append:${logPath2}`,
+    `--description=Maxy action ${name} (${actionId})`
+  ];
+  if (built.env) {
+    for (const [k, v] of Object.entries(built.env)) {
+      systemdArgs.push(`--setenv=${k}=${v}`);
+    }
+  }
+  systemdArgs.push("--", ...built.argv);
+  await new Promise((resolveP, rejectP) => {
+    const proc = spawn5("systemd-run", systemdArgs, { stdio: ["ignore", "pipe", "pipe"] });
+    let stderr = "";
+    proc.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    proc.on("close", (code) => {
+      if (code === 0) resolveP();
+      else rejectP(new Error(`systemd-run exited ${code}: ${stderr.trim().slice(0, 400)}`));
+    });
+    proc.on("error", rejectP);
+  });
+  console.log(`[action-runner] launched action=${name} id=${actionId} unit=${unit} log=${logPath2}`);
+  return { actionId, unit, logPath: logPath2 };
+}
+async function getUnitStatus(unit) {
+  return new Promise((resolveP) => {
+    const proc = spawn5(
+      "systemctl",
+      ["--user", "show", unit, "--property=ActiveState,SubState,MainPID,ExecMainStatus,ExecMainCode"],
+      { stdio: ["ignore", "pipe", "pipe"] }
+    );
+    let out = "";
+    proc.stdout.on("data", (chunk) => {
+      out += chunk.toString();
+    });
+    proc.on("close", () => {
+      const kv = {};
+      for (const line of out.split("\n")) {
+        const eq = line.indexOf("=");
+        if (eq > 0) kv[line.slice(0, eq)] = line.slice(eq + 1);
+      }
+      if (!kv.ActiveState) return resolveP(null);
+      resolveP({
+        activeState: kv.ActiveState,
+        subState: kv.SubState ?? "",
+        mainPid: kv.MainPID ? Number(kv.MainPID) || null : null,
+        execMainStatus: kv.ExecMainStatus ? Number(kv.ExecMainStatus) : null,
+        execMainSignal: null
+        // systemd reports signal in SIGNAL (SIGTERM etc.), deferred — code is enough for our contract
+      });
+    });
+    proc.on("error", () => resolveP(null));
+  });
+}
+var HEARTBEAT_INTERVAL_MS = 5e3;
+var PHASE_BRACKETED = /\[(\d+)\/(\d+)\]/;
+var PHASE_STREAM_LOG = /step=([a-z0-9-]+)/;
+function extractPhase(text) {
+  const m1 = text.match(PHASE_BRACKETED);
+  if (m1) return m1[0];
+  const m2 = text.match(PHASE_STREAM_LOG);
+  if (m2) return m2[1];
+  return null;
+}
+async function* streamActionEvents(opts) {
+  const { actionId, unit, signal } = opts;
+  const logPath2 = actionLogPath(actionId);
+  const startedAt = Date.now();
+  let lastLineAt = startedAt;
+  let lastPhase = null;
+  let byteOffset = opts.fromByteOffset ?? 0;
+  if (existsSync23(logPath2)) {
+    const snapshot = statSync10(logPath2).size;
+    if (byteOffset < snapshot) {
+      for await (const ev of readLogLines(logPath2, byteOffset, snapshot)) {
+        const phase = extractPhase(ev.text);
+        if (phase) lastPhase = phase;
+        lastLineAt = ev.ts;
+        byteOffset = ev.byteOffset;
+        yield ev;
+        if (signal.aborted) return;
+      }
+    }
+  }
+  let watching = true;
+  let hbTimer = null;
+  const queue = [];
+  let resolveNext = null;
+  function push(ev) {
+    queue.push(ev);
+    if (resolveNext) {
+      const r = resolveNext;
+      resolveNext = null;
+      r();
+    }
+  }
+  const watcher = existsSync23(logPath2) ? watch(logPath2, async () => {
+    if (!watching) return;
+    try {
+      const size = statSync10(logPath2).size;
+      if (size <= byteOffset) return;
+      for await (const ev of readLogLines(logPath2, byteOffset, size)) {
+        const phase = extractPhase(ev.text);
+        if (phase) lastPhase = phase;
+        lastLineAt = ev.ts;
+        byteOffset = ev.byteOffset;
+        push(ev);
+      }
+    } catch (err) {
+      console.error(`[action-runner] watcher error action=${actionId}: ${err}`);
+    }
+  }) : null;
+  hbTimer = setInterval(async () => {
+    const status = await getUnitStatus(unit);
+    const now = Date.now();
+    push({
+      type: "heartbeat",
+      ts: now,
+      elapsed_since_last_line_ms: now - lastLineAt,
+      systemd_state: status ? status.activeState : "unknown",
+      pid: status ? status.mainPid : null,
+      last_phase: lastPhase
+    });
+    if (status && status.activeState !== "active" && status.activeState !== "activating") {
+      const finalStatus = await getUnitStatus(unit);
+      push({
+        type: "exit",
+        ts: Date.now(),
+        code: finalStatus?.execMainStatus ?? null,
+        signal: null,
+        duration_ms: Date.now() - startedAt
+      });
+      watching = false;
+    }
+  }, HEARTBEAT_INTERVAL_MS);
+  try {
+    while (watching && !signal.aborted) {
+      if (queue.length === 0) {
+        await new Promise((r) => {
+          resolveNext = r;
+        });
+      }
+      while (queue.length > 0) {
+        const ev = queue.shift();
+        yield ev;
+        if (ev.type === "exit") {
+          watching = false;
+          break;
+        }
+      }
+    }
+  } finally {
+    if (hbTimer) clearInterval(hbTimer);
+    watcher?.close();
+  }
+}
+async function* readLogLines(path2, fromOffset, toOffset) {
+  const stream2 = createReadStream3(path2, { start: fromOffset, end: toOffset - 1, encoding: "utf-8" });
+  let buffer = "";
+  let offset = fromOffset;
+  for await (const chunk of stream2) {
+    buffer += chunk;
+    let nl;
+    while ((nl = buffer.indexOf("\n")) !== -1) {
+      const text = buffer.slice(0, nl);
+      offset += Buffer.byteLength(text, "utf-8") + 1;
+      buffer = buffer.slice(nl + 1);
+      yield { type: "line", ts: Date.now(), stream: "stdout", text, byteOffset: offset };
+    }
+  }
+}
+var RATE_LIMIT_WINDOW_MS = 6e4;
+var RATE_LIMIT_MAX_ATTEMPTS = 5;
+var rateLimitBuckets = /* @__PURE__ */ new Map();
+function rateLimitCheck(ip) {
+  const now = Date.now();
+  const bucket = rateLimitBuckets.get(ip);
+  if (!bucket || now - bucket.windowStart > RATE_LIMIT_WINDOW_MS) {
+    rateLimitBuckets.set(ip, { count: 1, windowStart: now });
+    return "ok";
+  }
+  bucket.count += 1;
+  if (bucket.count > RATE_LIMIT_MAX_ATTEMPTS) return "limited";
+  return "ok";
+}
+async function primeSudo(password, clientIp) {
+  if (!password) return "invalid";
+  if (rateLimitCheck(clientIp) === "limited") return "limited";
+  return new Promise((resolveP) => {
+    const proc = spawn5("sudo", ["-S", "-v"], { stdio: ["pipe", "ignore", "pipe"] });
+    let stderr = "";
+    proc.stderr.on("data", (chunk) => {
+      stderr += chunk.toString();
+    });
+    proc.on("close", (code) => {
+      if (code === 0) return resolveP("ok");
+      if (/incorrect password|authentication failure/i.test(stderr)) return resolveP("invalid");
+      console.error(`[action-runner] sudo-prime failed code=${code} stderr=${stderr.slice(0, 200)}`);
+      resolveP("error");
+    });
+    proc.on("error", (err) => {
+      console.error(`[action-runner] sudo-prime spawn error: ${err}`);
+      resolveP("error");
+    });
+    proc.stdin.write(`${password}
+`);
+    proc.stdin.end();
+  });
+}
+async function waitForExit(unit, timeoutMs = 10 * 60 * 1e3) {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    const status = await getUnitStatus(unit);
+    if (!status) return null;
+    if (status.activeState !== "active" && status.activeState !== "activating") return status;
+    await delay(500);
+  }
+  return null;
+}
+
+// server/routes/admin/cloudflare.ts
+var SETUP_TIMEOUT_MS = 10 * 60 * 1e3;
+var DOMAINS_TIMEOUT_MS = 40 * 1e3;
+function loadBrandInfo2() {
+  const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve25(process.cwd(), "..");
+  const brandPath = resolve25(platformRoot2, "config", "brand.json");
+  try {
+    const parsed = JSON.parse(readFileSync25(brandPath, "utf-8"));
+    const hostname2 = typeof parsed.hostname === "string" && parsed.hostname ? parsed.hostname : "maxy";
+    const configDir2 = typeof parsed.configDir === "string" && parsed.configDir ? parsed.configDir : ".maxy";
+    return { hostname: hostname2, configDir: configDir2 };
+  } catch {
+    return { hostname: "maxy", configDir: ".maxy" };
+  }
+}
 function resolvePort() {
   const raw2 = process.env.PORT;
   if (!raw2) throw new Error("PORT env var is not set \u2014 refusing to guess");
@@ -19100,8 +19431,8 @@ app23.get("/domains", requireAdminSession, async (c) => {
   if (!correlationId) return err("session", "No active conversation for session \u2014 refresh chat.");
   streamLogPath = streamLogPathFor(accountId, correlationId).streamLogPath;
   log2(`phase=stream-log-resolved path=${streamLogPath}`);
-  const brand = loadBrandInfo();
-  const scriptPath = resolve24(homedir3(), "list-cf-domains.sh");
+  const brand = loadBrandInfo2();
+  const scriptPath = resolve25(homedir4(), "list-cf-domains.sh");
   const result = await runFormSpawn({
     scriptPath,
     args: [brand.hostname],
@@ -19186,8 +19517,8 @@ app23.post("/setup", requireAdminSession, async (c) => {
     };
     return c.json(body2, 200);
   }
-  function ok(result2) {
-    return c.json(result2, 200);
+  function ok(result) {
+    return c.json(result, 200);
   }
   let body;
   try {
@@ -19219,93 +19550,90 @@ app23.post("/setup", requireAdminSession, async (c) => {
   let brand;
   let port2;
   try {
-    brand = loadBrandInfo();
+    brand = loadBrandInfo2();
     port2 = resolvePort();
   } catch (e) {
     return err("script", `Server misconfigured: ${e instanceof Error ? e.message : String(e)}`);
   }
   streamLogPath = streamLogPathFor(accountId, correlationId).streamLogPath;
   log2(`phase=stream-log-resolved path=${streamLogPath}`);
-  const scriptPath = resolve24(homedir3(), "setup-tunnel.sh");
   const args = [brand.hostname, String(port2), adminFqdn];
   if (publicFqdn) args.push(publicFqdn);
   if (apex) args.push(apex);
-  const result = await runFormSpawn({
-    scriptPath,
-    args,
-    streamLogPath,
-    correlationId,
-    timeoutMs: SETUP_TIMEOUT_MS,
-    log: log2,
-    logErr,
-    broadcast: broadcastToConversation
-  });
-  const combined = `${result.stdout}${result.stderr ? `
----
-${result.stderr}` : ""}`;
-  if (result.code !== 0) {
-    const reason = result.timedOut ? `Timed out after ${SETUP_TIMEOUT_MS / 1e3}s` : `Exited with code ${result.code ?? "null"}${result.signal ? ` (signal ${result.signal})` : ""}`;
-    return err("script", reason, combined);
-  }
-  const candidates = [publicFqdn, apex].filter((h) => typeof h === "string" && h.length > 0);
-  const aliasesWritten = [];
-  for (const host of candidates) {
-    if (host === adminFqdn) {
-      log2(`phase=alias-domain-write host=${host} result=skipped-admin`);
-      continue;
-    }
-    if (host.startsWith("public.")) {
-      log2(`phase=alias-domain-write host=${host} result=skipped-public-prefix`);
-      continue;
+  if (await isActionActive("cloudflare-setup")) {
+    return err("request", "Another Cloudflare setup is already running. Wait for it to finish before starting a new one.");
+  }
+  let actionId;
+  let unit;
+  try {
+    const launched = await launchAction("cloudflare-setup", { positional: args });
+    actionId = launched.actionId;
+    unit = launched.unit;
+  } catch (e) {
+    return err("script", `Failed to launch cloudflare-setup action: ${e instanceof Error ? e.message : String(e)}`);
+  }
+  log2(`phase=action-launched id=${actionId} unit=${unit}`);
+  void (async () => {
+    const status = await waitForExit(unit, SETUP_TIMEOUT_MS);
+    if (!status || status.execMainStatus !== 0) {
+      logErr(`phase=post-exit-skipped reason=${status ? `exit=${status.execMainStatus}` : "unit-gone"} id=${actionId}`);
+      return;
     }
-    try {
-      addAliasDomain(host);
-      aliasesWritten.push(host);
-      log2(`phase=alias-domain-write host=${host} result=written`);
-    } catch (e) {
-      return err(
-        "script",
-        `Tunnel created but alias-domains.json write failed for ${host}: ${e instanceof Error ? e.message : String(e)}`,
-        combined
-      );
+    const candidates = [publicFqdn, apex].filter((h) => typeof h === "string" && h.length > 0);
+    for (const host of candidates) {
+      if (host === adminFqdn) {
+        log2(`phase=alias-domain-write host=${host} result=skipped-admin`);
+        continue;
+      }
+      if (host.startsWith("public.")) {
+        log2(`phase=alias-domain-write host=${host} result=skipped-public-prefix`);
+        continue;
+      }
+      try {
+        addAliasDomain(host);
+        log2(`phase=alias-domain-write host=${host} result=written`);
+      } catch (e) {
+        logErr(`phase=alias-domain-write host=${host} result=error reason="${e instanceof Error ? e.message : String(e)}"`);
+      }
     }
-  }
+    log2(`phase=done action=${actionId}`);
+  })().catch((e) => logErr(`post-exit handler threw: ${e}`));
   const total = Date.now() - started;
-  log2(`phase=done total_ms=${total} aliases=${aliasesWritten.length}`);
+  log2(`phase=response-sent action_id=${actionId} total_ms=${total}`);
   writeRouteMilestone(
     streamLogPath,
     "cloudflare-setup",
-    `phase=done total_ms=${total} aliases=${aliasesWritten.length}`
+    `phase=action-launched id=${actionId}`
   );
   const success = {
     ok: true,
-    output: combined,
+    output: `Action launched \u2014 see live log in the form panel.
+actionId: ${actionId}`,
     adminFqdn,
     publicFqdn,
     apex,
-    aliasesWritten
+    aliasesWritten: [],
+    actionId
   };
-  const resp = ok(success);
-  log2(`phase=response-sent`);
-  return resp;
+  return ok(success);
 });
 var cloudflare_default = app23;
 
 // server/routes/admin/files.ts
-import { createReadStream as createReadStream3 } from "fs";
+import { createReadStream as createReadStream4 } from "fs";
 import { readdir as readdir2, readFile as readFile4, stat as stat4, mkdir as mkdir3, writeFile as writeFile4, unlink as unlink2 } from "fs/promises";
 import { realpathSync as realpathSync4 } from "fs";
-import { basename as basename6, dirname as dirname10, join as join11, resolve as resolve26, sep as sep2 } from "path";
+import { basename as basename6, dirname as dirname10, join as join12, resolve as resolve27, sep as sep2 } from "path";
 import { Readable as Readable3 } from "stream";
 
 // app/lib/data-path.ts
 import { realpathSync as realpathSync3 } from "fs";
-import { resolve as resolve25, normalize, sep, relative } from "path";
-var PLATFORM_ROOT9 = process.env.MAXY_PLATFORM_ROOT ?? resolve25(process.cwd(), "../platform");
-var DATA_ROOT = resolve25(PLATFORM_ROOT9, "..", "data");
+import { resolve as resolve26, normalize, sep, relative } from "path";
+var PLATFORM_ROOT9 = process.env.MAXY_PLATFORM_ROOT ?? resolve26(process.cwd(), "../platform");
+var DATA_ROOT = resolve26(PLATFORM_ROOT9, "..", "data");
 function resolveDataPath(raw2) {
   const cleaned = normalize("/" + (raw2 ?? "").replace(/\\/g, "/")).replace(/^\/+/, "");
-  const absolute = resolve25(DATA_ROOT, cleaned);
+  const absolute = resolve26(DATA_ROOT, cleaned);
   let dataRootReal;
   try {
     dataRootReal = realpathSync3(DATA_ROOT);
@@ -19653,7 +19981,7 @@ async function cascadeDeleteDocument(params) {
 var UUID_RE3 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 async function readMeta(absDir, baseName) {
   try {
-    const raw2 = await readFile4(join11(absDir, `${baseName}.meta.json`), "utf8");
+    const raw2 = await readFile4(join12(absDir, `${baseName}.meta.json`), "utf8");
     const parsed = JSON.parse(raw2);
     if (typeof parsed?.filename === "string") {
       return { filename: parsed.filename, mimeType: typeof parsed.mimeType === "string" ? parsed.mimeType : void 0 };
@@ -19664,7 +19992,7 @@ async function readMeta(absDir, baseName) {
 }
 async function readAccountNames() {
   const map = /* @__PURE__ */ new Map();
-  const accountsDir = resolve26(DATA_ROOT, "accounts");
+  const accountsDir = resolve27(DATA_ROOT, "accounts");
   let names;
   try {
     names = await readdir2(accountsDir);
@@ -19673,7 +20001,7 @@ async function readAccountNames() {
   }
   for (const name of names) {
     if (!UUID_RE3.test(name)) continue;
-    const configPath2 = resolve26(accountsDir, name, "account.json");
+    const configPath2 = resolve27(accountsDir, name, "account.json");
     try {
       const raw2 = await readFile4(configPath2, "utf8");
       const parsed = JSON.parse(raw2);
@@ -19691,7 +20019,7 @@ async function readAccountNames() {
 }
 async function enrich(absolute, entry, accountNames) {
   if (entry.kind === "directory" && UUID_RE3.test(entry.name)) {
-    const meta = await readMeta(join11(absolute, entry.name), entry.name);
+    const meta = await readMeta(join12(absolute, entry.name), entry.name);
     if (meta?.filename) {
       entry.displayName = meta.filename;
       entry.mimeType = meta.mimeType;
@@ -19750,7 +20078,7 @@ app24.get("/", requireAdminSession, async (c) => {
         continue;
       }
       try {
-        const entryPath = join11(absolute, name);
+        const entryPath = join12(absolute, name);
         const s = await stat4(entryPath);
         entries.push({
           name,
@@ -19807,7 +20135,7 @@ app24.get("/download", requireAdminSession, async (c) => {
     }
     const filename = basename6(absolute);
     const mimeType = detectMimeType(absolute);
-    const nodeStream = createReadStream3(absolute);
+    const nodeStream = createReadStream4(absolute);
     const webStream = Readable3.toWeb(nodeStream);
     console.error(`[data] file-download path="${relPath}" size=${info.size}`);
     const safeQuotedName = filename.replace(/[\r\n"\\]/g, "_");
@@ -19864,8 +20192,8 @@ app24.post("/upload", requireAdminSession, async (c) => {
   }
   const safeName = basename6(file.name).replace(/[\0/\\]/g, "_");
   const finalName = `${Date.now()}-${safeName}`;
-  const destDir = resolve26(DATA_ROOT, "uploads", accountId);
-  const destPath = resolve26(destDir, finalName);
+  const destDir = resolve27(DATA_ROOT, "uploads", accountId);
+  const destPath = resolve27(destDir, finalName);
   try {
     await mkdir3(destDir, { recursive: true });
     const dataRootReal = realpathSync4(DATA_ROOT);
@@ -19923,7 +20251,7 @@ app24.delete("/", requireAdminSession, async (c) => {
     }
     const dot = base.lastIndexOf(".");
     const stem = dot === -1 ? base : base.slice(0, dot);
-    const sidecarPath = UUID_RE3.test(stem) && base !== `${stem}.meta.json` ? join11(dirname10(absolute), `${stem}.meta.json`) : null;
+    const sidecarPath = UUID_RE3.test(stem) && base !== `${stem}.meta.json` ? join12(dirname10(absolute), `${stem}.meta.json`) : null;
     await unlink2(absolute);
     if (sidecarPath) {
       try {
@@ -20200,7 +20528,8 @@ async function handleDefault(c, accountId) {
       );
     }
     const warnedClasses = /* @__PURE__ */ new Set();
-    const nodes = result.rawNodes.map((n) => pruneNode(n, warnedClasses));
+    const conversationWarnings = { loggedMissingMessageCount: false };
+    const nodes = result.rawNodes.map((n) => pruneNode(n, warnedClasses, conversationWarnings));
     const edges = result.rawEdges.filter((e) => e && e.id != null);
     const trashedSuffix = includeTrashed ? " includeTrashed=1" : "";
     console.error(
@@ -20244,7 +20573,8 @@ async function handleNeighbourhood(c, accountId) {
       return c.json({ error: "Node not found" }, 404);
     }
     const warnedClasses = /* @__PURE__ */ new Set();
-    const nodes = rawNodes.map((n) => pruneNode(n, warnedClasses));
+    const conversationWarnings = { loggedMissingMessageCount: false };
+    const nodes = rawNodes.map((n) => pruneNode(n, warnedClasses, conversationWarnings));
     const edges = rawEdges.filter((e) => e && e.id != null);
     console.error(
       `[graph-page] load mode=neighbourhood account=${accountId} elementId=${elementId} nodes=${nodes.length} edges=${edges.length} ms=${elapsed}`
@@ -20270,6 +20600,11 @@ var DEFAULT_COUNT_CYPHER = `
     AND n.deletedAt IS NULL
   RETURN count(n) AS matched
 `;
+var CONVERSATION_PROPS_PROJECTION = `CASE
+           WHEN 'Conversation' IN labels(x)
+           THEN properties(x) + {messageCount: size([(x)<-[:PART_OF]-(m:Message) WHERE NOT m:Trashed AND m.deletedAt IS NULL | m])}
+           ELSE properties(x)
+         END`;
 var DEFAULT_FETCH_CYPHER = `
   MATCH (n)
   WHERE n.accountId = $accountId
@@ -20288,7 +20623,7 @@ var DEFAULT_FETCH_CYPHER = `
          type: type(r)
        } END) AS rawEdges
   RETURN
-    [x IN nodes | {id: elementId(x), labels: labels(x), properties: properties(x)}] AS nodes,
+    [x IN nodes | {id: elementId(x), labels: labels(x), properties: ${CONVERSATION_PROPS_PROJECTION}}] AS nodes,
     [e IN rawEdges WHERE e IS NOT NULL] AS edges
 `;
 var DEFAULT_COUNT_CYPHER_INCLUDE_TRASHED = `
@@ -20315,7 +20650,7 @@ var DEFAULT_FETCH_CYPHER_INCLUDE_TRASHED = `
          type: type(r)
        } END) AS rawEdges
   RETURN
-    [x IN nodes | {id: elementId(x), labels: labels(x), properties: properties(x)}] AS nodes,
+    [x IN nodes | {id: elementId(x), labels: labels(x), properties: ${CONVERSATION_PROPS_PROJECTION}}] AS nodes,
     [e IN rawEdges WHERE e IS NOT NULL] AS edges
 `;
 var NEIGHBOURHOOD_CYPHER = `
@@ -20342,7 +20677,7 @@ var NEIGHBOURHOOD_CYPHER = `
          type: type(r)
        } END) AS rawEdges
   RETURN
-    [x IN windowNodes | {id: elementId(x), labels: labels(x), properties: properties(x)}] AS nodes,
+    [x IN windowNodes | {id: elementId(x), labels: labels(x), properties: ${CONVERSATION_PROPS_PROJECTION}}] AS nodes,
     [e IN rawEdges WHERE e IS NOT NULL] AS edges
 `;
 var KNOWN_DRIVER_CLASS_NAMES = /* @__PURE__ */ new Set([
@@ -20384,7 +20719,7 @@ function convertNeo4jValue(value, warnedClasses) {
   }
   return value;
 }
-function pruneNode(node, warnedClasses) {
+function pruneNode(node, warnedClasses, conversationWarnings) {
   const properties = {};
   for (const [key, value] of Object.entries(node.properties ?? {})) {
     if (STRIPPED_PROPERTIES.has(key)) continue;
@@ -20392,6 +20727,12 @@ function pruneNode(node, warnedClasses) {
   }
   const trashed = (node.labels ?? []).includes("Trashed");
   const labels = (node.labels ?? []).filter((l) => l !== "Trashed");
+  if (labels.includes("Conversation") && typeof properties.messageCount !== "number" && !conversationWarnings.loggedMissingMessageCount) {
+    console.error(
+      `[graph-subgraph] conversation-message-count missing elementId=${node.id} labels=${labels.join(",")}`
+    );
+    conversationWarnings.loggedMissingMessageCount = true;
+  }
   return trashed ? { id: node.id, labels, properties, trashed: true } : { id: node.id, labels, properties };
 }
 var graph_subgraph_default = app26;
@@ -20781,43 +21122,274 @@ app32.get("/", requireAdminSession, async (c) => {
 });
 var adherence_default = app32;
 
-// server/routes/admin/index.ts
+// server/routes/admin/actions/run.ts
 var app33 = new Hono2();
-app33.route("/session", session_default2);
-app33.route("/chat", chat_default2);
-app33.route("/compact", compact_default);
-app33.route("/logs", logs_default);
-app33.route("/claude-info", claude_info_default);
-app33.route("/attachment", attachment_default);
-app33.route("/account", account_default);
-app33.route("/agents", agents_default);
-app33.route("/version", version_default);
-app33.route("/sessions", sessions_default);
-app33.route("/browser", browser_default);
-app33.route("/device-browser", device_browser_default);
-app33.route("/events", events_default);
-app33.route("/cloudflare", cloudflare_default);
-app33.route("/files", files_default);
-app33.route("/graph-search", graph_search_default);
-app33.route("/graph-subgraph", graph_subgraph_default);
-app33.route("/graph-delete", graph_delete_default);
-app33.route("/graph-restore", graph_restore_default);
-app33.route("/graph-labels-in-graph", graph_labels_in_graph_default);
-app33.route("/graph-default-view", graph_default_view_default);
-app33.route("/file-attach", file_attach_default);
-app33.route("/adherence", adherence_default);
-var admin_default = app33;
+app33.post("/:name", requireAdminSession, async (c) => {
+  const name = c.req.param("name");
+  if (!isKnownAction(name)) {
+    return c.json({ error: `unknown action: ${name}` }, 400);
+  }
+  const actionName = name;
+  if (await isActionActive(actionName)) {
+    return c.json({ error: `action ${actionName} is already running`, code: "already-active" }, 409);
+  }
+  let body = {};
+  try {
+    body = await c.req.json();
+  } catch {
+  }
+  const launchArgs = {};
+  if (Array.isArray(body.positional)) {
+    if (!body.positional.every((x) => typeof x === "string")) {
+      return c.json({ error: "positional args must be strings" }, 400);
+    }
+    launchArgs.positional = body.positional;
+  }
+  if (typeof body.sudoPassword === "string" && body.sudoPassword) {
+    launchArgs.sudoPassword = body.sudoPassword;
+  }
+  try {
+    const result = await launchAction(actionName, launchArgs);
+    return c.json({ ok: true, actionId: result.actionId, unit: result.unit, logPath: result.logPath });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(`[admin/actions/run] launch failed action=${actionName}: ${message}`);
+    return c.json({ error: `launch failed: ${message}` }, 500);
+  }
+});
+var run_default = app33;
+
+// node_modules/hono/dist/utils/stream.js
+var StreamingApi = class {
+  writer;
+  encoder;
+  writable;
+  abortSubscribers = [];
+  responseReadable;
+  /**
+   * Whether the stream has been aborted.
+   */
+  aborted = false;
+  /**
+   * Whether the stream has been closed normally.
+   */
+  closed = false;
+  constructor(writable, _readable) {
+    this.writable = writable;
+    this.writer = writable.getWriter();
+    this.encoder = new TextEncoder();
+    const reader = _readable.getReader();
+    this.abortSubscribers.push(async () => {
+      await reader.cancel();
+    });
+    this.responseReadable = new ReadableStream({
+      async pull(controller) {
+        const { done, value } = await reader.read();
+        done ? controller.close() : controller.enqueue(value);
+      },
+      cancel: () => {
+        this.abort();
+      }
+    });
+  }
+  async write(input) {
+    try {
+      if (typeof input === "string") {
+        input = this.encoder.encode(input);
+      }
+      await this.writer.write(input);
+    } catch {
+    }
+    return this;
+  }
+  async writeln(input) {
+    await this.write(input + "\n");
+    return this;
+  }
+  sleep(ms) {
+    return new Promise((res) => setTimeout(res, ms));
+  }
+  async close() {
+    try {
+      await this.writer.close();
+    } catch {
+    }
+    this.closed = true;
+  }
+  async pipe(body) {
+    this.writer.releaseLock();
+    await body.pipeTo(this.writable, { preventClose: true });
+    this.writer = this.writable.getWriter();
+  }
+  onAbort(listener) {
+    this.abortSubscribers.push(listener);
+  }
+  /**
+   * Abort the stream.
+   * You can call this method when stream is aborted by external event.
+   */
+  abort() {
+    if (!this.aborted) {
+      this.aborted = true;
+      this.abortSubscribers.forEach((subscriber) => subscriber());
+    }
+  }
+};
+
+// node_modules/hono/dist/helper/streaming/utils.js
+var isOldBunVersion = () => {
+  const version = typeof Bun !== "undefined" ? Bun.version : void 0;
+  if (version === void 0) {
+    return false;
+  }
+  const result = version.startsWith("1.1") || version.startsWith("1.0") || version.startsWith("0.");
+  isOldBunVersion = () => result;
+  return result;
+};
+
+// node_modules/hono/dist/helper/streaming/stream.js
+var contextStash = /* @__PURE__ */ new WeakMap();
+var stream = (c, cb, onError) => {
+  const { readable, writable } = new TransformStream();
+  const stream2 = new StreamingApi(writable, readable);
+  if (isOldBunVersion()) {
+    c.req.raw.signal.addEventListener("abort", () => {
+      if (!stream2.closed) {
+        stream2.abort();
+      }
+    });
+  }
+  contextStash.set(stream2.responseReadable, c);
+  (async () => {
+    try {
+      await cb(stream2);
+    } catch (e) {
+      if (e === void 0) {
+      } else if (e instanceof Error && onError) {
+        await onError(e, stream2);
+      } else {
+        console.error(e);
+      }
+    } finally {
+      stream2.close();
+    }
+  })();
+  return c.newResponse(stream2.responseReadable);
+};
+
+// server/routes/admin/actions/stream.ts
+import { existsSync as existsSync24 } from "fs";
+var app34 = new Hono2();
+var ACTION_ID_RE = /^[a-z0-9-]+-[a-z0-9]+-[a-f0-9]{8}$/;
+app34.get("/:id/stream", requireAdminSession, async (c) => {
+  const id = c.req.param("id");
+  if (!ACTION_ID_RE.test(id)) {
+    return c.json({ error: "invalid action id" }, 400);
+  }
+  const logPath2 = actionLogPath(id);
+  if (!existsSync24(logPath2)) {
+    return c.json({ error: "action not found (log missing)" }, 404);
+  }
+  const lastEventId = c.req.header("Last-Event-ID") ?? c.req.query("from") ?? "";
+  const fromByteOffset = lastEventId ? Math.max(0, Number(lastEventId) || 0) : 0;
+  const unit = `maxy-action-${id}`;
+  const abort = new AbortController();
+  c.req.raw.signal.addEventListener("abort", () => abort.abort());
+  return stream(c, async (s) => {
+    s.onAbort(() => abort.abort());
+    c.header("Content-Type", "text/event-stream");
+    c.header("Cache-Control", "no-cache, no-transform");
+    c.header("Connection", "keep-alive");
+    await s.write(": ok\n\n");
+    try {
+      for await (const ev of streamActionEvents({ actionId: id, unit, fromByteOffset, signal: abort.signal })) {
+        const id_ = ev.type === "line" ? String(ev.byteOffset) : "";
+        const payload = JSON.stringify(ev);
+        const frame = `${id_ ? `id: ${id_}
+` : ""}event: ${ev.type}
+data: ${payload}
+
+`;
+        await s.write(frame);
+      }
+    } catch (err) {
+      console.error(`[admin/actions/stream] action=${id} error: ${err instanceof Error ? err.message : err}`);
+    }
+  });
+});
+var stream_default = app34;
+
+// server/routes/admin/actions/sudo-prime.ts
+var app35 = new Hono2();
+app35.post("/", requireAdminSession, async (c) => {
+  let body = {};
+  try {
+    body = await c.req.json();
+  } catch {
+  }
+  if (typeof body.password !== "string" || !body.password) {
+    return c.json({ error: "password required" }, 400);
+  }
+  const clientIp = c.var.clientIp ?? "unknown";
+  const result = await primeSudo(body.password, clientIp);
+  switch (result) {
+    case "ok":
+      return c.body(null, 204);
+    case "invalid":
+      return c.json({ error: "invalid password" }, 401);
+    case "limited":
+      return c.json({ error: "too many attempts; wait a minute" }, 429);
+    case "error":
+      return c.json({ error: "sudo prime failed \u2014 check server logs" }, 500);
+  }
+});
+var sudo_prime_default = app35;
+
+// server/routes/admin/actions/index.ts
+var app36 = new Hono2();
+app36.route("/sudo-prime", sudo_prime_default);
+app36.route("/", stream_default);
+app36.route("/", run_default);
+var actions_default = app36;
+
+// server/routes/admin/index.ts
+var app37 = new Hono2();
+app37.route("/session", session_default2);
+app37.route("/chat", chat_default2);
+app37.route("/compact", compact_default);
+app37.route("/logs", logs_default);
+app37.route("/claude-info", claude_info_default);
+app37.route("/attachment", attachment_default);
+app37.route("/account", account_default);
+app37.route("/agents", agents_default);
+app37.route("/version", version_default);
+app37.route("/sessions", sessions_default);
+app37.route("/browser", browser_default);
+app37.route("/device-browser", device_browser_default);
+app37.route("/events", events_default);
+app37.route("/cloudflare", cloudflare_default);
+app37.route("/files", files_default);
+app37.route("/graph-search", graph_search_default);
+app37.route("/graph-subgraph", graph_subgraph_default);
+app37.route("/graph-delete", graph_delete_default);
+app37.route("/graph-restore", graph_restore_default);
+app37.route("/graph-labels-in-graph", graph_labels_in_graph_default);
+app37.route("/graph-default-view", graph_default_view_default);
+app37.route("/file-attach", file_attach_default);
+app37.route("/adherence", adherence_default);
+app37.route("/actions", actions_default);
+var admin_default = app37;
 
 // server/index.ts
 var PLATFORM_ROOT10 = process.env.MAXY_PLATFORM_ROOT || "";
-var BRAND_JSON_PATH = PLATFORM_ROOT10 ? join12(PLATFORM_ROOT10, "config", "brand.json") : "";
+var BRAND_JSON_PATH = PLATFORM_ROOT10 ? join13(PLATFORM_ROOT10, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
-if (BRAND_JSON_PATH && !existsSync23(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && !existsSync25(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
 }
-if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync25(BRAND_JSON_PATH)) {
   try {
-    const parsed = JSON.parse(readFileSync25(BRAND_JSON_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync26(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
   } catch (err) {
     console.error(`[brand] Failed to parse brand.json: ${err.message}`);
@@ -20836,11 +21408,11 @@ var brandLoginOpts = {
   bodyFont: BRAND.defaultFonts?.body,
   logoContainsName: !!BRAND.logoContainsName
 };
-var ALIAS_DOMAINS_PATH2 = join12(homedir4(), BRAND.configDir, "alias-domains.json");
+var ALIAS_DOMAINS_PATH2 = join13(homedir5(), BRAND.configDir, "alias-domains.json");
 function loadAliasDomains() {
   try {
-    if (!existsSync23(ALIAS_DOMAINS_PATH2)) return null;
-    const parsed = JSON.parse(readFileSync25(ALIAS_DOMAINS_PATH2, "utf-8"));
+    if (!existsSync25(ALIAS_DOMAINS_PATH2)) return null;
+    const parsed = JSON.parse(readFileSync26(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
       return null;
@@ -20864,9 +21436,9 @@ watchFile(ALIAS_DOMAINS_PATH2, { interval: 2e3 }, () => {
 function isPublicHost(host) {
   return host.startsWith("public.") || aliasDomains.has(host);
 }
-var app34 = new Hono2();
-app34.use("*", clientIpMiddleware);
-app34.use("*", async (c, next) => {
+var app38 = new Hono2();
+app38.use("*", clientIpMiddleware);
+app38.use("*", async (c, next) => {
   await next();
   c.header("X-Content-Type-Options", "nosniff");
   c.header("Referrer-Policy", "strict-origin-when-cross-origin");
@@ -20889,7 +21461,7 @@ var PUBLIC_ALLOWED_PREFIXES = [
   "/g/"
 ];
 var PUBLIC_ALLOWED_EXACT = ["/favicon.ico"];
-app34.use("*", async (c, next) => {
+app38.use("*", async (c, next) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (!isPublicHost(host)) {
     await next();
@@ -20929,7 +21501,7 @@ function resolveRemoteAuthOpts() {
   return brandLoginOpts;
 }
 var MAX_LOGIN_BODY = 8 * 1024;
-app34.post("/__remote-auth/login", async (c) => {
+app38.post("/__remote-auth/login", async (c) => {
   const clientIp = c.var.clientIp || "unknown";
   const rateLimited = checkRateLimit(clientIp);
   if (rateLimited) {
@@ -20965,7 +21537,7 @@ app34.post("/__remote-auth/login", async (c) => {
     }
   });
 });
-app34.get("/__remote-auth/logout", () => {
+app38.get("/__remote-auth/logout", () => {
   return new Response(null, {
     status: 302,
     headers: {
@@ -20975,7 +21547,7 @@ app34.get("/__remote-auth/logout", () => {
     }
   });
 });
-app34.post("/__remote-auth/change-password", async (c) => {
+app38.post("/__remote-auth/change-password", async (c) => {
   const clientIp = c.var.clientIp || "unknown";
   const rateLimited = checkRateLimit(clientIp);
   if (rateLimited) {
@@ -21024,13 +21596,13 @@ app34.post("/__remote-auth/change-password", async (c) => {
     return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "change", changeError: "Failed to save password", redirect }), 200);
   }
 });
-app34.get("/__remote-auth/setup", (c) => {
+app38.get("/__remote-auth/setup", (c) => {
   if (isRemoteAuthConfigured()) {
     return c.redirect("/");
   }
   return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "setup" }), 200);
 });
-app34.post("/__remote-auth/set-initial-password", async (c) => {
+app38.post("/__remote-auth/set-initial-password", async (c) => {
   if (isRemoteAuthConfigured()) {
     return c.redirect("/");
   }
@@ -21066,10 +21638,10 @@ app34.post("/__remote-auth/set-initial-password", async (c) => {
     return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "setup", setupError: "Failed to save password. Please try again." }), 200);
   }
 });
-app34.get("/api/remote-auth/status", (c) => {
+app38.get("/api/remote-auth/status", (c) => {
   return c.json({ configured: isRemoteAuthConfigured() });
 });
-app34.post("/api/remote-auth/set-password", async (c) => {
+app38.post("/api/remote-auth/set-password", async (c) => {
   let body;
   try {
     body = await c.req.json();
@@ -21099,9 +21671,9 @@ app34.post("/api/remote-auth/set-password", async (c) => {
     return c.json({ error: "Failed to save password" }, 500);
   }
 });
-app34.route("/api/_client-error", client_error_default);
+app38.route("/api/_client-error", client_error_default);
 console.log("[client-error-route] mounted");
-app34.use("*", async (c, next) => {
+app38.use("*", async (c, next) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   const path2 = c.req.path;
   if (path2 === "/favicon.ico" || path2.startsWith("/assets/") || path2.startsWith("/brand/")) {
@@ -21131,15 +21703,15 @@ app34.use("*", async (c, next) => {
   console.error(`[remote-auth] login required ip=${clientIp} path=${path2}`);
   return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), redirect: path2 }), 200);
 });
-app34.route("/api/health", health_default);
-app34.route("/api/session", session_default);
-app34.route("/api/chat", chat_default);
-app34.route("/api/group", group_default);
-app34.route("/api/access", access_default);
-app34.route("/api/telegram", telegram_default);
-app34.route("/api/whatsapp", whatsapp_default);
-app34.route("/api/onboarding", onboarding_default);
-app34.route("/api/admin", admin_default);
+app38.route("/api/health", health_default);
+app38.route("/api/session", session_default);
+app38.route("/api/chat", chat_default);
+app38.route("/api/group", group_default);
+app38.route("/api/access", access_default);
+app38.route("/api/telegram", telegram_default);
+app38.route("/api/whatsapp", whatsapp_default);
+app38.route("/api/onboarding", onboarding_default);
+app38.route("/api/admin", admin_default);
 var SAFE_SLUG_RE = /^[a-z][a-z0-9-]{2,49}$/;
 var SAFE_FILENAME_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
 var IMAGE_MIME = {
@@ -21151,7 +21723,7 @@ var IMAGE_MIME = {
   ".svg": "image/svg+xml",
   ".ico": "image/x-icon"
 };
-app34.get("/agent-assets/:slug/:filename", (c) => {
+app38.get("/agent-assets/:slug/:filename", (c) => {
   const slug = c.req.param("slug");
   const filename = c.req.param("filename");
   if (!SAFE_SLUG_RE.test(slug)) {
@@ -21167,26 +21739,26 @@ app34.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] no-account slug=${slug} file=${filename}`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve27(account.accountDir, "agents", slug, "assets", filename);
-  const expectedDir = resolve27(account.accountDir, "agents", slug, "assets");
+  const filePath = resolve28(account.accountDir, "agents", slug, "assets", filename);
+  const expectedDir = resolve28(account.accountDir, "agents", slug, "assets");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync23(filePath)) {
+  if (!existsSync25(filePath)) {
     console.error(`[agent-assets] serve slug=${slug} file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[agent-assets] serve slug=${slug} file=${filename} status=200`);
-  const body = readFileSync25(filePath);
+  const body = readFileSync26(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=3600"
   });
 });
-app34.get("/generated/:filename", (c) => {
+app38.get("/generated/:filename", (c) => {
   const filename = c.req.param("filename");
   if (!SAFE_FILENAME_RE.test(filename) || filename.includes("..")) {
     console.error(`[generated] serve file=${filename} status=403`);
@@ -21197,20 +21769,20 @@ app34.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve27(account.accountDir, "generated", filename);
-  const expectedDir = resolve27(account.accountDir, "generated");
+  const filePath = resolve28(account.accountDir, "generated", filename);
+  const expectedDir = resolve28(account.accountDir, "generated");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync23(filePath)) {
+  if (!existsSync25(filePath)) {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[generated] serve file=${filename} status=200`);
-  const body = readFileSync25(filePath);
+  const body = readFileSync26(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=86400"
@@ -21219,9 +21791,9 @@ app34.get("/generated/:filename", (c) => {
 var htmlCache = /* @__PURE__ */ new Map();
 var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
-if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync25(BRAND_JSON_PATH)) {
   try {
-    const fullBrand = JSON.parse(readFileSync25(BRAND_JSON_PATH, "utf-8"));
+    const fullBrand = JSON.parse(readFileSync26(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
     brandIconPath = fullBrand.assets?.icon ? `/brand/${fullBrand.assets.icon}` : brandLogoPath;
   } catch {
@@ -21238,9 +21810,9 @@ var brandScript = `<script>window.__BRAND__=${JSON.stringify({
 function readInstalledVersion() {
   try {
     if (!PLATFORM_ROOT10) return "unknown";
-    const versionFile = join12(PLATFORM_ROOT10, "config", `.${BRAND.hostname}-version`);
-    if (!existsSync23(versionFile)) return "unknown";
-    const content = readFileSync25(versionFile, "utf-8").trim();
+    const versionFile = join13(PLATFORM_ROOT10, "config", `.${BRAND.hostname}-version`);
+    if (!existsSync25(versionFile)) return "unknown";
+    const content = readFileSync26(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
     return "unknown";
@@ -21281,7 +21853,7 @@ var clientErrorReporterScript = `<script>
 function cachedHtml(file) {
   let html = htmlCache.get(file);
   if (!html) {
-    html = readFileSync25(resolve27(process.cwd(), "public", file), "utf-8");
+    html = readFileSync26(resolve28(process.cwd(), "public", file), "utf-8");
     html = html.replace("<title>Maxy</title>", `<title>${escapeHtml(BRAND.productName)}</title>`);
     html = html.replace('href="/favicon.ico"', `href="${escapeHtml(brandFaviconPath)}"`);
     const headInjection = file === "index.html" ? `${brandScript}
@@ -21296,26 +21868,26 @@ ${clientErrorReporterScript}
 }
 var brandedHtmlCache = /* @__PURE__ */ new Map();
 function loadBrandingCache(agentSlug) {
-  const configDir2 = join12(homedir4(), BRAND.configDir);
+  const configDir2 = join13(homedir5(), BRAND.configDir);
   try {
-    const accountJsonPath = join12(configDir2, "account.json");
-    if (!existsSync23(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync25(accountJsonPath, "utf-8"));
+    const accountJsonPath = join13(configDir2, "account.json");
+    if (!existsSync25(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync26(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
-    const cachePath = join12(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
-    if (!existsSync23(cachePath)) return null;
-    return JSON.parse(readFileSync25(cachePath, "utf-8"));
+    const cachePath = join13(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
+    if (!existsSync25(cachePath)) return null;
+    return JSON.parse(readFileSync26(cachePath, "utf-8"));
   } catch {
     return null;
   }
 }
 function resolveDefaultSlug() {
   try {
-    const configDir2 = join12(homedir4(), BRAND.configDir);
-    const accountJsonPath = join12(configDir2, "account.json");
-    if (!existsSync23(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync25(accountJsonPath, "utf-8"));
+    const configDir2 = join13(homedir5(), BRAND.configDir);
+    const accountJsonPath = join13(configDir2, "account.json");
+    if (!existsSync25(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync26(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
     return null;
@@ -21351,7 +21923,7 @@ function brandedPublicHtml(agentSlug) {
 function escapeHtml(s) {
   return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-app34.get("/", (c) => {
+app38.get("/", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) {
     const defaultSlug = resolveDefaultSlug();
@@ -21359,12 +21931,12 @@ app34.get("/", (c) => {
   }
   return c.html(cachedHtml("index.html"));
 });
-app34.get("/public", (c) => {
+app38.get("/public", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("public.html"));
 });
-app34.get("/chat", (c) => {
+app38.get("/chat", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("public.html"));
@@ -21383,12 +21955,12 @@ async function logViewerFetch(c, next) {
     duration_ms: Date.now() - start
   });
 }
-app34.use("/vnc-viewer.html", logViewerFetch);
-app34.use("/vnc-popout.html", logViewerFetch);
-app34.get("/vnc-popout.html", (c) => {
+app38.use("/vnc-viewer.html", logViewerFetch);
+app38.use("/vnc-popout.html", logViewerFetch);
+app38.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
-    html = readFileSync25(resolve27(process.cwd(), "public", "vnc-popout.html"), "utf-8");
+    html = readFileSync26(resolve28(process.cwd(), "public", "vnc-popout.html"), "utf-8");
     const name = escapeHtml(BRAND.productName);
     html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
     html = html.replace("</head>", `  ${brandScript}
@@ -21398,7 +21970,7 @@ app34.get("/vnc-popout.html", (c) => {
   }
   return c.html(html);
 });
-app34.post("/api/vnc/client-event", async (c) => {
+app38.post("/api/vnc/client-event", async (c) => {
   let body;
   try {
     body = await c.req.json();
@@ -21419,20 +21991,20 @@ app34.post("/api/vnc/client-event", async (c) => {
   });
   return c.json({ ok: true });
 });
-app34.get("/g/:slug", (c) => {
+app38.get("/g/:slug", (c) => {
   return c.html(brandedPublicHtml());
 });
-app34.get("/graph", (c) => {
+app38.get("/graph", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("graph.html"));
 });
-app34.get("/data", (c) => {
+app38.get("/data", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("data.html"));
 });
-app34.get("/:slug", async (c, next) => {
+app38.get("/:slug", async (c, next) => {
   const slug = c.req.param("slug");
   if (AGENT_SLUG_PATTERN.test(`/${slug}`)) {
     const branding = loadBrandingCache(slug);
@@ -21441,10 +22013,10 @@ app34.get("/:slug", async (c, next) => {
   }
   await next();
 });
-app34.use("/*", serveStatic({ root: "./public" }));
+app38.use("/*", serveStatic({ root: "./public" }));
 var port = parseInt(process.env.PORT ?? "19199", 10);
 var hostname = process.env.HOSTNAME ?? "127.0.0.1";
-var httpServer = serve({ fetch: app34.fetch, port, hostname });
+var httpServer = serve({ fetch: app38.fetch, port, hostname });
 console.log(`${BRAND.productName} listening on http://${hostname}:${port}`);
 var SUBAPP_MANIFEST = [
   { prefix: "/api/health", file: "server/routes/health.ts", subapp: health_default },
@@ -21464,7 +22036,7 @@ for (const m of SUBAPP_MANIFEST) {
 }
 try {
   const registered = [];
-  for (const r of app34.routes ?? []) {
+  for (const r of app38.routes ?? []) {
     if (typeof r.path !== "string" || r.path.includes(":") || r.path.includes("*")) continue;
     if (AGENT_SLUG_PATTERN.test(r.path)) {
       registered.push({ method: (r.method ?? "ALL").toUpperCase(), path: r.path });
@@ -21478,8 +22050,8 @@ try {
 (async () => {
   try {
     let userId = "";
-    if (existsSync23(USERS_FILE)) {
-      const users = JSON.parse(readFileSync25(USERS_FILE, "utf-8").trim() || "[]");
+    if (existsSync25(USERS_FILE)) {
+      const users = JSON.parse(readFileSync26(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
     await backfillNullUserIdConversations(userId);
@@ -21505,7 +22077,7 @@ if (bootAccountConfig?.whatsapp) {
 }
 init({
   configDir: configDirForWhatsApp,
-  platformRoot: resolve27(process.env.MAXY_PLATFORM_ROOT ?? join12(__dirname, "..")),
+  platformRoot: resolve28(process.env.MAXY_PLATFORM_ROOT ?? join13(__dirname, "..")),
   accountConfig: bootAccountConfig,
   onMessage: async (msg) => {
     try {