@rubytech/create-maxy 1.0.739 → 1.0.741

package/dist/index.js

@@ -138,14 +138,23 @@ function shell(command, args, options) {
         stdio: "inherit",
         timeout: options?.timeout ?? 300_000,
         cwd: options?.cwd,
+        env: options?.env,
     });
     const dur = ((Date.now() - start) / 1000).toFixed(1);
+    // bestEffort (Task 787): tear-down ops on units/state that may or may not
+    // exist (stop/disable a system service we may never have started, reset-failed
+    // a freshly-created unit) log the non-zero exit but do not throw. Reserved
+    // for the "may not exist" pattern only — never use for ops that must succeed.
     if (result.signal) {
         logFile(`  KILLED (${result.signal}) after ${dur}s`);
+        if (options?.bestEffort)
+            return;
         throw new Error(`Command killed (${result.signal}) after ${dur}s: ${cmd} ${cmdArgs.join(" ")}`);
     }
     if (result.status !== 0) {
-        logFile(`  FAILED (exit ${result.status}) after ${dur}s`);
+        logFile(`  ${options?.bestEffort ? "best-effort non-zero" : "FAILED"} (exit ${result.status}) after ${dur}s`);
+        if (options?.bestEffort)
+            return;
         throw new Error(`Command failed (exit ${result.status}) after ${dur}s: ${cmd} ${cmdArgs.join(" ")}`);
     }
     logFile(`  OK in ${dur}s`);
@@ -835,8 +844,11 @@ function installNeo4j() {
 /**
  * Create a dedicated Neo4j instance for this brand when NEO4J_DEDICATED is true.
  * Produces: separate config dir, data dir, log dir, systemd service, and password.
- * On upgrade (config already exists), skips setup — ensureNeo4jPassword() handles
- * password verification for existing instances.
+ * On upgrade (config already exists), skips conf creation — but always runs the
+ * Task 787 state-remediation block (stop/disable system unit, reset-failed
+ * dedicated, start, verify) so a half-installed Pi recovers in-place without
+ * manual systemctl. ensureNeo4jPassword() handles password verification on the
+ * recovery path.
  */
 function setupDedicatedNeo4j() {
     if (!NEO4J_DEDICATED)
@@ -847,49 +859,52 @@ function setupDedicatedNeo4j() {
     const logDir = `/var/log/neo4j-${brandSuffix}`;
     const serviceName = `neo4j-${brandSuffix}`;
     const httpPort = NEO4J_PORT - 213; // Preserve standard 7687/7474 offset
-    // Upgrade detection: if dedicated config already exists, skip setup entirely.
-    // ensureNeo4jPassword() will verify the password is correct for this instance.
-    const confCheck = spawnSync("test", ["-f", `${confDir}/neo4j.conf`], { stdio: "pipe" });
-    if (confCheck.status === 0) {
+    // Conf creation is gated on first install; everything below the if/else
+    // (state remediation + start + verify) runs on every install — Task 787
+    // closes the recovery gap where a half-installed Pi (failed prior install
+    // hit start-limit-hit, dedicated unit in failed state) returned here without
+    // the fix being applied.
+    const confExists = spawnSync("test", ["-f", `${confDir}/neo4j.conf`], { stdio: "pipe" }).status === 0;
+    if (confExists) {
         console.log(`  Dedicated Neo4j instance for ${BRAND.productName} already configured at ${confDir}`);
-        logFile(`  Neo4j dedicated: existing config at ${confDir}, skipping setup`);
-        return;
-    }
-    console.log(`  Setting up dedicated Neo4j instance for ${BRAND.productName} on bolt://localhost:${NEO4J_PORT}...`);
-    // Pre-check: neo4j user must exist (created by the apt package)
-    const neo4jUserCheck = spawnSync("id", ["neo4j"], { stdio: "pipe" });
-    if (neo4jUserCheck.status !== 0) {
-        throw new Error("Neo4j system user 'neo4j' not found. Is Neo4j installed via apt?");
-    }
-    // Pre-check: source config must exist
-    if (!existsSync("/etc/neo4j/neo4j.conf")) {
-        throw new Error("/etc/neo4j/neo4j.conf not found. Cannot create dedicated instance without base config.");
+        logFile(`  Neo4j dedicated: existing config at ${confDir}, skipping conf creation`);
     }
-    // 1. Copy base config
-    console.log("  [privileged] cp -r");
-    shell("cp", ["-r", "/etc/neo4j", confDir], { sudo: true });
-    // 2. Modify config for this instance: bolt port, HTTP port, data/log directories
-    console.log("  [privileged] sed -i");
-    shell("sed", ["-i", `s/^#\\?server\\.bolt\\.listen_address=.*/server.bolt.listen_address=:${NEO4J_PORT}/`, `${confDir}/neo4j.conf`], { sudo: true });
-    console.log("  [privileged] sed -i");
-    shell("sed", ["-i", `s/^#\\?server\\.http\\.listen_address=.*/server.http.listen_address=:${httpPort}/`, `${confDir}/neo4j.conf`], { sudo: true });
-    console.log("  [privileged] sed -i");
-    shell("sed", ["-i", `s|^#\\?server\\.directories\\.data=.*|server.directories.data=${dataDir}/data|`, `${confDir}/neo4j.conf`], { sudo: true });
-    console.log("  [privileged] sed -i");
-    shell("sed", ["-i", `s|^#\\?server\\.directories\\.logs=.*|server.directories.logs=${logDir}|`, `${confDir}/neo4j.conf`], { sudo: true });
-    // Verify config was updated — sed silently no-ops if the key format changed
-    const confContent = spawnSync("grep", [`server.bolt.listen_address=:${NEO4J_PORT}`, `${confDir}/neo4j.conf`], { stdio: "pipe" });
-    if (confContent.status !== 0) {
-        console.error(`  WARNING: neo4j.conf may not have been updated correctly — bolt port ${NEO4J_PORT} not found in config`);
-        logFile(`  WARNING: sed verification failed — bolt port ${NEO4J_PORT} not found in ${confDir}/neo4j.conf`);
-    }
-    // 3. Create data and log directories
-    console.log("  [privileged] mkdir -p");
-    shell("mkdir", ["-p", `${dataDir}/data`, logDir], { sudo: true });
-    console.log("  [privileged] chown -R");
-    shell("chown", ["-R", "neo4j:neo4j", dataDir, logDir, confDir], { sudo: true });
-    // 4. Create systemd service
-    const serviceContent = `[Unit]
+    else {
+        console.log(`  Setting up dedicated Neo4j instance for ${BRAND.productName} on bolt://localhost:${NEO4J_PORT}...`);
+        // Pre-check: neo4j user must exist (created by the apt package)
+        const neo4jUserCheck = spawnSync("id", ["neo4j"], { stdio: "pipe" });
+        if (neo4jUserCheck.status !== 0) {
+            throw new Error("Neo4j system user 'neo4j' not found. Is Neo4j installed via apt?");
+        }
+        // Pre-check: source config must exist
+        if (!existsSync("/etc/neo4j/neo4j.conf")) {
+            throw new Error("/etc/neo4j/neo4j.conf not found. Cannot create dedicated instance without base config.");
+        }
+        // 1. Copy base config
+        console.log("  [privileged] cp -r");
+        shell("cp", ["-r", "/etc/neo4j", confDir], { sudo: true });
+        // 2. Modify config for this instance: bolt port, HTTP port, data/log directories
+        console.log("  [privileged] sed -i");
+        shell("sed", ["-i", `s/^#\\?server\\.bolt\\.listen_address=.*/server.bolt.listen_address=:${NEO4J_PORT}/`, `${confDir}/neo4j.conf`], { sudo: true });
+        console.log("  [privileged] sed -i");
+        shell("sed", ["-i", `s/^#\\?server\\.http\\.listen_address=.*/server.http.listen_address=:${httpPort}/`, `${confDir}/neo4j.conf`], { sudo: true });
+        console.log("  [privileged] sed -i");
+        shell("sed", ["-i", `s|^#\\?server\\.directories\\.data=.*|server.directories.data=${dataDir}/data|`, `${confDir}/neo4j.conf`], { sudo: true });
+        console.log("  [privileged] sed -i");
+        shell("sed", ["-i", `s|^#\\?server\\.directories\\.logs=.*|server.directories.logs=${logDir}|`, `${confDir}/neo4j.conf`], { sudo: true });
+        // Verify config was updated — sed silently no-ops if the key format changed
+        const confContent = spawnSync("grep", [`server.bolt.listen_address=:${NEO4J_PORT}`, `${confDir}/neo4j.conf`], { stdio: "pipe" });
+        if (confContent.status !== 0) {
+            console.error(`  WARNING: neo4j.conf may not have been updated correctly — bolt port ${NEO4J_PORT} not found in config`);
+            logFile(`  WARNING: sed verification failed — bolt port ${NEO4J_PORT} not found in ${confDir}/neo4j.conf`);
+        }
+        // 3. Create data and log directories
+        console.log("  [privileged] mkdir -p");
+        shell("mkdir", ["-p", `${dataDir}/data`, logDir], { sudo: true });
+        console.log("  [privileged] chown -R");
+        shell("chown", ["-R", "neo4j:neo4j", dataDir, logDir, confDir], { sudo: true });
+        // 4. Create systemd service
+        const serviceContent = `[Unit]
 Description=Neo4j Graph Database (${BRAND.productName})
 After=network-online.target
 Wants=network-online.target
@@ -905,53 +920,73 @@ LimitNOFILE=60000
 [Install]
 WantedBy=multi-user.target
 `;
-    const tmpServicePath = `/tmp/${serviceName}.service`;
-    writeFileSync(tmpServicePath, serviceContent);
-    console.log("  [privileged] cp");
-    shell("cp", [tmpServicePath, `/etc/systemd/system/${serviceName}.service`], { sudo: true });
-    spawnSync("rm", ["-f", tmpServicePath]);
-    // 5. Set initial password before first start
-    const password = randomBytes(24).toString("base64url");
-    const persistDir = resolve(process.env.HOME ?? "/root", BRAND.configDir);
-    mkdirSync(persistDir, { recursive: true });
-    writeFileSync(join(persistDir, ".neo4j-password"), password, { mode: 0o600 });
-    const configDir = resolve(INSTALL_DIR, "platform/config");
-    mkdirSync(configDir, { recursive: true });
-    writeFileSync(join(configDir, ".neo4j-password"), password, { mode: 0o600 });
-    // sudo env VAR=val passes NEO4J_CONF through sudo's env_reset policy
-    spawnSync("sudo", ["env", `NEO4J_CONF=${confDir}`, "neo4j-admin", "dbms", "set-initial-password", "--", password], {
-        stdio: "inherit",
-    });
-    // 6. Enable and start the dedicated service
+        const tmpServicePath = `/tmp/${serviceName}.service`;
+        writeFileSync(tmpServicePath, serviceContent);
+        console.log("  [privileged] cp");
+        shell("cp", [tmpServicePath, `/etc/systemd/system/${serviceName}.service`], { sudo: true });
+        spawnSync("rm", ["-f", tmpServicePath]);
+        // 5. Set initial password before first start
+        const password = randomBytes(24).toString("base64url");
+        const persistDir = resolve(process.env.HOME ?? "/root", BRAND.configDir);
+        mkdirSync(persistDir, { recursive: true });
+        writeFileSync(join(persistDir, ".neo4j-password"), password, { mode: 0o600 });
+        const configDir = resolve(INSTALL_DIR, "platform/config");
+        mkdirSync(configDir, { recursive: true });
+        writeFileSync(join(configDir, ".neo4j-password"), password, { mode: 0o600 });
+        // sudo env VAR=val passes NEO4J_CONF through sudo's env_reset policy
+        spawnSync("sudo", ["env", `NEO4J_CONF=${confDir}`, "neo4j-admin", "dbms", "set-initial-password", "--", password], {
+            stdio: "inherit",
+        });
+    }
+    // ============================================================================
+    // Task 787 — unified state remediation + start + verify.
+    //
+    // Runs on both fresh and recovery paths. The dedicated unit and the apt
+    // package's system unit both exec /usr/bin/neo4j console without overriding
+    // NEO4J_HOME, so server.directories.run resolves to /var/lib/neo4j/run for
+    // both — the launcher refuses with "Neo4j is already running (pid:N)" if
+    // the system unit holds the PID file. Stopping the system unit first frees
+    // the run-state; disabling prevents it returning at next boot. reset-failed
+    // clears any prior start-limit-hit from a half-installed Pi.
+    // ============================================================================
     spawnSync("sudo", ["systemctl", "daemon-reload"], { stdio: "inherit" });
     console.log("  [privileged] systemctl enable");
     shell("systemctl", ["enable", serviceName], { sudo: true });
+    console.log(`  [neo4j] disabling system unit (brand-dedicated active on port ${NEO4J_PORT})`);
+    logFile(`  [neo4j] disabling system unit (brand-dedicated active on port ${NEO4J_PORT})`);
+    shell("systemctl", ["stop", "neo4j"], { sudo: true, bestEffort: true });
+    shell("systemctl", ["disable", "neo4j"], { sudo: true, bestEffort: true });
+    console.log(`  [neo4j] reset-failed ${serviceName} before start`);
+    logFile(`  [neo4j] reset-failed ${serviceName} before start`);
+    shell("systemctl", ["reset-failed", serviceName], { sudo: true, bestEffort: true });
     console.log("  [privileged] systemctl start");
     shell("systemctl", ["start", serviceName], { sudo: true });
-    // 7. Verify connectivity — poll until cypher-shell can connect
+    // Verify the dedicated unit bound its port. Password verification is
+    // ensureNeo4jPassword()'s job (called next in the install pipeline) — that
+    // function tests the stored password against this port and resets auth if
+    // the password no longer matches the running instance.
     console.log(`  Waiting for dedicated Neo4j instance on port ${NEO4J_PORT}...`);
-    let connected = false;
+    let listening = false;
+    const portMatch = new RegExp(`:${NEO4J_PORT}\\b`);
     for (let i = 0; i < 15; i++) {
-        const check = spawnSync("cypher-shell", [
-            "-u", "neo4j", "-p", password,
-            "-a", `bolt://localhost:${NEO4J_PORT}`,
-            "RETURN 1",
-        ], { stdio: "pipe", timeout: 5000 });
-        if (check.status === 0) {
-            connected = true;
+        const portCheck = spawnSync("ss", ["-tln"], { stdio: "pipe", timeout: 5000 });
+        if (portMatch.test(portCheck.stdout?.toString() ?? "")) {
+            listening = true;
             break;
         }
         spawnSync("sleep", ["2"]);
     }
-    if (!connected) {
-        // Diagnostic: check what's on this port
+    if (!listening) {
+        // Loud failure — no silent fallback to the system instance (Task 787).
         const portCheck = spawnSync("ss", ["-tlnp"], { stdio: "pipe", timeout: 5000 });
-        const portLines = portCheck.stdout?.toString().split("\n").filter((l) => l.includes(String(NEO4J_PORT))) || [];
+        const portLines = (portCheck.stdout?.toString() ?? "").split("\n").filter((l) => l.includes(String(NEO4J_PORT)));
         const diagnostic = portLines.length > 0 ? portLines.join("; ") : "nothing listening on port";
-        console.error(`  WARNING: Dedicated Neo4j instance not responding on bolt://localhost:${NEO4J_PORT}`);
-        console.error(`  Port ${NEO4J_PORT} status: ${diagnostic}`);
-        logFile(`  Neo4j dedicated: connectivity check FAILED on port ${NEO4J_PORT} — ${diagnostic}`);
-        // Don't throw — ensureNeo4jPassword() will retry
+        const journal = spawnSync("journalctl", ["-u", serviceName, "--since", "5 min ago"], { stdio: "pipe", timeout: 5000 });
+        const journalTail = (journal.stdout?.toString() ?? "").split("\n").slice(-20).join("\n");
+        logFile(`  Neo4j dedicated: failed to bind port ${NEO4J_PORT} — ${diagnostic}`);
+        throw new Error(`Dedicated Neo4j instance ${serviceName} did not bind bolt://localhost:${NEO4J_PORT} within 30s.\n` +
+            `Port ${NEO4J_PORT}: ${diagnostic}\n` +
+            `journalctl -u ${serviceName} --since "5 min ago" | tail -20:\n${journalTail}`);
     }
     logFile(`  Neo4j dedicated: config=${confDir} data=${dataDir} service=${serviceName} bolt=:${NEO4J_PORT} http=:${httpPort}`);
     console.log(`  Dedicated Neo4j instance ready on bolt://localhost:${NEO4J_PORT}`);
@@ -1449,7 +1484,23 @@ function setupAccount() {
     log("10", TOTAL, "Setting up...");
     const seedScript = join(INSTALL_DIR, "platform/scripts/seed-neo4j.sh");
     if (existsSync(seedScript)) {
-        shell("bash", [seedScript], { cwd: INSTALL_DIR });
+        // Task 787 — explicit env to seed. The script no longer falls back to
+        // bolt://localhost:7687, so the installer is responsible for naming the
+        // brand-correct URI and providing the password. Missing password file is
+        // a hard error: ensureNeo4jPassword() ran upstream and would have thrown
+        // already if it couldn't reach the brand's Neo4j.
+        const passwordFile = join(INSTALL_DIR, "platform/config/.neo4j-password");
+        if (!existsSync(passwordFile)) {
+            throw new Error(`Neo4j password file missing at ${passwordFile} — required by seed step.`);
+        }
+        const password = readFileSync(passwordFile, "utf-8").trim();
+        const neo4jUri = `bolt://localhost:${NEO4J_PORT}`;
+        console.log(`  [neo4j] passing NEO4J_URI=${neo4jUri} to seed`);
+        logFile(`  [neo4j] passing NEO4J_URI=${neo4jUri} to seed`);
+        shell("bash", [seedScript], {
+            cwd: INSTALL_DIR,
+            env: { ...process.env, NEO4J_URI: neo4jUri, NEO4J_PASSWORD: password },
+        });
     }
     // Task 748 — universal embedding coverage backfill. Run after seed so the
     // entity_search index is in place and any pre-Task-748 nodes (e.g. the

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-maxy",
-  "version": "1.0.739",
+  "version": "1.0.741",
   "description": "Install Maxy — AI for Productive People",
   "bin": {
     "create-maxy": "./dist/index.js"

package/payload/platform/lib/brand-templating/dist/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Brand templating — single source of truth for the operator-visible brand name.
+ *
+ * Skills, agent templates, plugin manifests, and reference content reference
+ * the brand only via the literal `{{productName}}` placeholder. This module
+ * substitutes at read time from `brand.json`. Same shadow-source defect class
+ * as Tasks 787/788: there is no fallback; missing or empty `productName`
+ * hard-fails so the wrong brand can never reach the system prompt or the
+ * operator UI silently.
+ *
+ * Used by both `platform/ui` (admin/public agent system-prompt assembly) and
+ * `platform/plugins/admin/mcp` (the `plugin-read` MCP tool). Both call sites
+ * pass the absolute file path as `sourcePath` so the diagnostic line names
+ * exactly which file was substituted.
+ */
+export declare function getBrandProductName(): string;
+export declare function substituteBrandPlaceholders(content: string, sourcePath: string): string;
+//# sourceMappingURL=index.d.ts.map

package/payload/platform/lib/brand-templating/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAmBH,wBAAgB,mBAAmB,IAAI,MAAM,CAsB5C;AAED,wBAAgB,2BAA2B,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAkBvF"}

package/payload/platform/lib/brand-templating/dist/index.js

@@ -0,0 +1,69 @@
+"use strict";
+/**
+ * Brand templating — single source of truth for the operator-visible brand name.
+ *
+ * Skills, agent templates, plugin manifests, and reference content reference
+ * the brand only via the literal `{{productName}}` placeholder. This module
+ * substitutes at read time from `brand.json`. Same shadow-source defect class
+ * as Tasks 787/788: there is no fallback; missing or empty `productName`
+ * hard-fails so the wrong brand can never reach the system prompt or the
+ * operator UI silently.
+ *
+ * Used by both `platform/ui` (admin/public agent system-prompt assembly) and
+ * `platform/plugins/admin/mcp` (the `plugin-read` MCP tool). Both call sites
+ * pass the absolute file path as `sourcePath` so the diagnostic line names
+ * exactly which file was substituted.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getBrandProductName = getBrandProductName;
+exports.substituteBrandPlaceholders = substituteBrandPlaceholders;
+const node_path_1 = require("node:path");
+const node_fs_1 = require("node:fs");
+const PLACEHOLDER = "{{productName}}";
+let cachedProductName = null;
+function brandJsonPath() {
+    const platformRoot = process.env.MAXY_PLATFORM_ROOT;
+    if (!platformRoot) {
+        throw new Error("[skill-loader] MAXY_PLATFORM_ROOT not set — cannot resolve brand.json");
+    }
+    return (0, node_path_1.join)(platformRoot, "config", "brand.json");
+}
+function getBrandProductName() {
+    if (cachedProductName !== null)
+        return cachedProductName;
+    const path = brandJsonPath();
+    if (!(0, node_fs_1.existsSync)(path)) {
+        throw new Error(`[skill-loader] brand.json missing at ${path}`);
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse((0, node_fs_1.readFileSync)(path, "utf-8"));
+    }
+    catch (err) {
+        throw new Error(`[skill-loader] brand.json unreadable at ${path}: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    const value = parsed.productName;
+    if (typeof value !== "string" || value.trim() === "") {
+        throw new Error(`[skill-loader] brand.json at ${path} has missing or empty productName`);
+    }
+    cachedProductName = value;
+    return value;
+}
+function substituteBrandPlaceholders(content, sourcePath) {
+    if (!content.includes(PLACEHOLDER))
+        return content;
+    let productName;
+    try {
+        productName = getBrandProductName();
+    }
+    catch (err) {
+        console.error(`[skill-loader] ERROR: brand.json missing — cannot resolve productName for skill ${sourcePath}`);
+        throw err;
+    }
+    // split-length counts non-overlapping literal matches without regex-escape risk.
+    const occurrences = content.split(PLACEHOLDER).length - 1;
+    const substituted = content.split(PLACEHOLDER).join(productName);
+    console.log(`[skill-loader] brand-substituted productName=${productName} skill=${sourcePath} occurrences=${occurrences}`);
+    return substituted;
+}
+//# sourceMappingURL=index.js.map

package/payload/platform/lib/brand-templating/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AAmBH,kDAsBC;AAED,kEAkBC;AA3DD,yCAAiC;AACjC,qCAAmD;AAEnD,MAAM,WAAW,GAAG,iBAAiB,CAAC;AAEtC,IAAI,iBAAiB,GAAkB,IAAI,CAAC;AAE5C,SAAS,aAAa;IACpB,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IACpD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CACb,uEAAuE,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,IAAA,gBAAI,EAAC,YAAY,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;AACpD,CAAC;AAED,SAAgB,mBAAmB;IACjC,IAAI,iBAAiB,KAAK,IAAI;QAAE,OAAO,iBAAiB,CAAC;IACzD,MAAM,IAAI,GAAG,aAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,IAAA,oBAAU,EAAC,IAAI,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wCAAwC,IAAI,EAAE,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,MAAiC,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,sBAAY,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,2CAA2C,IAAI,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACvG,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC;IACjC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACrD,MAAM,IAAI,KAAK,CACb,gCAAgC,IAAI,mCAAmC,CACxE,CAAC;IACJ,CAAC;IACD,iBAAiB,GAAG,KAAK,CAAC;IAC1B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,2BAA2B,CAAC,OAAe,EAAE,UAAkB;IAC7E,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,OAAO,CAAC;IACnD,IAAI,WAAmB,CAAC;IACxB,IAAI,CAAC;QACH,WAAW,GAAG,mBAAmB,EAAE,CAAC;IACtC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CACX,mFAAmF,UAAU,EAAE,CAChG,CAAC;QACF,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,iFAAiF;IACjF,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACjE,OAAO,CAAC,GAAG,CACT,gDAAgD,WAAW,UAAU,UAAU,gBAAgB,WAAW,EAAE,CAC7G,CAAC;IACF,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/payload/platform/lib/brand-templating/src/index.ts

@@ -0,0 +1,76 @@
+/**
+ * Brand templating — single source of truth for the operator-visible brand name.
+ *
+ * Skills, agent templates, plugin manifests, and reference content reference
+ * the brand only via the literal `{{productName}}` placeholder. This module
+ * substitutes at read time from `brand.json`. Same shadow-source defect class
+ * as Tasks 787/788: there is no fallback; missing or empty `productName`
+ * hard-fails so the wrong brand can never reach the system prompt or the
+ * operator UI silently.
+ *
+ * Used by both `platform/ui` (admin/public agent system-prompt assembly) and
+ * `platform/plugins/admin/mcp` (the `plugin-read` MCP tool). Both call sites
+ * pass the absolute file path as `sourcePath` so the diagnostic line names
+ * exactly which file was substituted.
+ */
+
+import { join } from "node:path";
+import { existsSync, readFileSync } from "node:fs";
+
+const PLACEHOLDER = "{{productName}}";
+
+let cachedProductName: string | null = null;
+
+function brandJsonPath(): string {
+  const platformRoot = process.env.MAXY_PLATFORM_ROOT;
+  if (!platformRoot) {
+    throw new Error(
+      "[skill-loader] MAXY_PLATFORM_ROOT not set — cannot resolve brand.json",
+    );
+  }
+  return join(platformRoot, "config", "brand.json");
+}
+
+export function getBrandProductName(): string {
+  if (cachedProductName !== null) return cachedProductName;
+  const path = brandJsonPath();
+  if (!existsSync(path)) {
+    throw new Error(`[skill-loader] brand.json missing at ${path}`);
+  }
+  let parsed: { productName?: unknown };
+  try {
+    parsed = JSON.parse(readFileSync(path, "utf-8"));
+  } catch (err) {
+    throw new Error(
+      `[skill-loader] brand.json unreadable at ${path}: ${err instanceof Error ? err.message : String(err)}`,
+    );
+  }
+  const value = parsed.productName;
+  if (typeof value !== "string" || value.trim() === "") {
+    throw new Error(
+      `[skill-loader] brand.json at ${path} has missing or empty productName`,
+    );
+  }
+  cachedProductName = value;
+  return value;
+}
+
+export function substituteBrandPlaceholders(content: string, sourcePath: string): string {
+  if (!content.includes(PLACEHOLDER)) return content;
+  let productName: string;
+  try {
+    productName = getBrandProductName();
+  } catch (err) {
+    console.error(
+      `[skill-loader] ERROR: brand.json missing — cannot resolve productName for skill ${sourcePath}`,
+    );
+    throw err;
+  }
+  // split-length counts non-overlapping literal matches without regex-escape risk.
+  const occurrences = content.split(PLACEHOLDER).length - 1;
+  const substituted = content.split(PLACEHOLDER).join(productName);
+  console.log(
+    `[skill-loader] brand-substituted productName=${productName} skill=${sourcePath} occurrences=${occurrences}`,
+  );
+  return substituted;
+}

package/payload/platform/lib/brand-templating/tsconfig.json

@@ -0,0 +1,8 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "rootDir": "src"
+  },
+  "include": ["src"]
+}

package/payload/platform/lib/graph-write/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,UAAU,GAAG,UAAU,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6FAA6F;IAC7F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iFAAiF;IACjF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,uFAAuF;IACvF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,4EAA4E;IAC5E,aAAa,EAAE,iBAAiB,EAAE,CAAC;IACnC,SAAS,EAAE,SAAS,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,uDAAuD;AACvD,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,SAAS,EAAE,SAAS,GACnB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAQzB;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,eAAe,CAAC,CAuF1B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,UAAU,GAAG,UAAU,CAAC;IACnC,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6FAA6F;IAC7F,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iFAAiF;IACjF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,uFAAuF;IACvF,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,4EAA4E;IAC5E,aAAa,EAAE,iBAAiB,EAAE,CAAC;IACnC,SAAS,EAAE,SAAS,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,uDAAuD;AACvD,wBAAgB,cAAc,CAC5B,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9B,SAAS,EAAE,SAAS,GACnB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAQzB;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,wBAAwB,GAC/B,OAAO,CAAC,eAAe,CAAC,CA8G1B"}

package/payload/platform/lib/graph-write/dist/index.js

@@ -59,7 +59,29 @@ async function writeNodeWithEdges(params) {
             process.stderr.write(`[graph-write] reject reason=unresolved-target labels=${labelCsv} agent=${agentLabel} requested=${uniqueRequested} found=${found}\n`);
             throw new Error(`Write doctrine violated: ${uniqueRequested - found} of ${uniqueRequested} relationship target(s) did not resolve (elementId mismatch). No node created.`);
         }
-        const nodeRes = await tx.run(`CREATE (n:${labelStr} $props) RETURN elementId(n) AS nodeId, labels(n) AS nodeLabels`, { props: nodeProps });
+        let nodeRes;
+        try {
+            nodeRes = await tx.run(`CREATE (n:${labelStr} $props) RETURN elementId(n) AS nodeId, labels(n) AS nodeLabels`, { props: nodeProps });
+        }
+        catch (err) {
+            // Task 792: surface UserProfile uniqueness violations as a structured
+            // reject line. Neo4j's ConstraintValidationFailed message names the
+            // violated label + properties (e.g. "Node(N) already exists with label
+            // `UserProfile` and properties accountId=… userId=…") but NOT the
+            // constraint name, so we key on the helper's input `labels` parameter
+            // rather than parsing the message. Other constraint violations
+            // propagate without specialised logging — they are unexpected and the
+            // raw error is the right signal.
+            const code = err?.code ?? "";
+            if (code === "Neo.ClientError.Schema.ConstraintValidationFailed" && labels.includes("UserProfile")) {
+                const accountIdProp = nodeProps.accountId;
+                const userIdProp = nodeProps.userId;
+                const acctSlice = typeof accountIdProp === "string" ? accountIdProp.slice(0, 8) : "unknown";
+                const userSlice = typeof userIdProp === "string" ? userIdProp.slice(0, 8) : "unknown";
+                process.stderr.write(`[graph-write] reject reason=user-profile-uniqueness-violation accountId=${acctSlice} userId=${userSlice} writer=${agentLabel}\n`);
+            }
+            throw err;
+        }
         const nodeId = nodeRes.records[0].get("nodeId");
         const nodeLabels = nodeRes.records[0].get("nodeLabels");
         // Neo4j Community's default isolation is read-committed (not snapshot)

package/payload/platform/lib/graph-write/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;AAqCH,wCAWC;AAQD,gDAyFC;AA7GD,uDAAuD;AACvD,SAAgB,cAAc,CAC5B,KAA8B,EAC9B,SAAoB;IAEpB,OAAO;QACL,GAAG,KAAK;QACR,cAAc,EAAE,SAAS,CAAC,KAAK,IAAI,SAAS;QAC5C,gBAAgB,EAAE,SAAS,CAAC,OAAO,IAAI,SAAS;QAChD,aAAa,EAAE,SAAS,CAAC,IAAI,IAAI,IAAI;QACrC,eAAe,EAAE,SAAS,CAAC,MAAM,IAAI,IAAI;KAC1C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,kBAAkB,CACtC,MAAgC;IAEhC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAEpE,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,yDAAyD,QAAQ,UAAU,UAAU,IAAI,CAC1F,CAAC;QACF,MAAM,IAAI,KAAK,CACb,sHAAsH,CACvH,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,cAAc,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAEnD,OAAO,MAAM,OAAO,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QAC7C,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QAC3D,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,GAAG,CACxB,uFAAuF,EACvF,EAAE,GAAG,EAAE,SAAS,EAAE,CACnB,CAAC;QACF,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QACvD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;QAChD,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YAC9B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,wDAAwD,QAAQ,UAAU,UAAU,cAAc,eAAe,UAAU,KAAK,IAAI,CACrI,CAAC;YACF,MAAM,IAAI,KAAK,CACb,4BAA4B,eAAe,GAAG,KAAK,OAAO,eAAe,gFAAgF,CAC1J,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,GAAG,CAC1B,aAAa,QAAQ,iEAAiE,EACtF,EAAE,KAAK,EAAE,SAAS,EAAE,CACrB,CAAC;QACF,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAW,CAAC;QAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAa,CAAC;QAEpE,uEAAuE;QACvE,iEAAiE;QACjE,uEAAuE;QACvE,wEAAwE;QACxE,oEAAoE;QACpE,uEAAuE;QACvE,iEAAiE;QACjE,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACxC,MAAM,CAAC,GACL,GAAG,CAAC,SAAS,KAAK,UAAU;gBAC1B,CAAC,CAAC,mFAAmF,IAAI,UAAU;gBACnG,CAAC,CAAC,mFAAmF,IAAI,UAAU,CAAC;YACxG,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,oBAAoB,CAAC;YAClE,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;gBAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,kEAAkE,QAAQ,UAAU,UAAU,YAAY,GAAG,CAAC,IAAI,aAAa,GAAG,CAAC,YAAY,IAAI,CACpJ,CAAC;gBACF,MAAM,IAAI,KAAK,CACb,0DAA0D,GAAG,CAAC,YAAY,kGAAkG,CAC7K,CAAC;YACJ,CAAC;YACD,YAAY,IAAI,OAAO,CAAC;QAC1B,CAAC;QAED,IAAI,YAAY,KAAK,aAAa,CAAC,MAAM,EAAE,CAAC;YAC1C,mEAAmE;YACnE,+DAA+D;YAC/D,+CAA+C;YAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0DAA0D,QAAQ,UAAU,UAAU,cAAc,aAAa,CAAC,MAAM,YAAY,YAAY,IAAI,CACrJ,CAAC;YACF,MAAM,IAAI,KAAK,CACb,qCAAqC,aAAa,CAAC,MAAM,mBAAmB,YAAY,4BAA4B,CACrH,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,iCAAiC,QAAQ,UAAU,YAAY,mBAAmB,SAAS,CAAC,KAAK,IAAI,SAAS,kBAAkB,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,IAAI,CACpL,CAAC;QAEF,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;;AAqCH,wCAWC;AAQD,gDAgHC;AApID,uDAAuD;AACvD,SAAgB,cAAc,CAC5B,KAA8B,EAC9B,SAAoB;IAEpB,OAAO;QACL,GAAG,KAAK;QACR,cAAc,EAAE,SAAS,CAAC,KAAK,IAAI,SAAS;QAC5C,gBAAgB,EAAE,SAAS,CAAC,OAAO,IAAI,SAAS;QAChD,aAAa,EAAE,SAAS,CAAC,IAAI,IAAI,IAAI;QACrC,eAAe,EAAE,SAAS,CAAC,MAAM,IAAI,IAAI;KAC1C,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,kBAAkB,CACtC,MAAgC;IAEhC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAEpE,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC;IACpE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,yDAAyD,QAAQ,UAAU,UAAU,IAAI,CAC1F,CAAC;QACF,MAAM,IAAI,KAAK,CACb,sHAAsH,CACvH,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,cAAc,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;IAEnD,OAAO,MAAM,OAAO,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QAC7C,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC;QAC3D,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,GAAG,CACxB,uFAAuF,EACvF,EAAE,GAAG,EAAE,SAAS,EAAE,CACnB,CAAC;QACF,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QACvD,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;QAChD,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;YAC9B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,wDAAwD,QAAQ,UAAU,UAAU,cAAc,eAAe,UAAU,KAAK,IAAI,CACrI,CAAC;YACF,MAAM,IAAI,KAAK,CACb,4BAA4B,eAAe,GAAG,KAAK,OAAO,eAAe,gFAAgF,CAC1J,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC;QACZ,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,EAAE,CAAC,GAAG,CACpB,aAAa,QAAQ,iEAAiE,EACtF,EAAE,KAAK,EAAE,SAAS,EAAE,CACrB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,sEAAsE;YACtE,oEAAoE;YACpE,uEAAuE;YACvE,kEAAkE;YAClE,sEAAsE;YACtE,+DAA+D;YAC/D,sEAAsE;YACtE,iCAAiC;YACjC,MAAM,IAAI,GAAI,GAAgC,EAAE,IAAI,IAAI,EAAE,CAAC;YAC3D,IAAI,IAAI,KAAK,mDAAmD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBACnG,MAAM,aAAa,GAAI,SAAqC,CAAC,SAAS,CAAC;gBACvE,MAAM,UAAU,GAAI,SAAqC,CAAC,MAAM,CAAC;gBACjE,MAAM,SAAS,GAAG,OAAO,aAAa,KAAK,QAAQ,CAAC,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBAC5F,MAAM,SAAS,GAAG,OAAO,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBACtF,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,2EAA2E,SAAS,WAAW,SAAS,WAAW,UAAU,IAAI,CAClI,CAAC;YACJ,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAW,CAAC;QAC1D,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAa,CAAC;QAEpE,uEAAuE;QACvE,iEAAiE;QACjE,uEAAuE;QACvE,wEAAwE;QACxE,oEAAoE;QACpE,uEAAuE;QACvE,iEAAiE;QACjE,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACxC,MAAM,CAAC,GACL,GAAG,CAAC,SAAS,KAAK,UAAU;gBAC1B,CAAC,CAAC,mFAAmF,IAAI,UAAU;gBACnG,CAAC,CAAC,mFAAmF,IAAI,UAAU,CAAC;YACxG,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC;YAClE,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,oBAAoB,CAAC;YAClE,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;gBAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,kEAAkE,QAAQ,UAAU,UAAU,YAAY,GAAG,CAAC,IAAI,aAAa,GAAG,CAAC,YAAY,IAAI,CACpJ,CAAC;gBACF,MAAM,IAAI,KAAK,CACb,0DAA0D,GAAG,CAAC,YAAY,kGAAkG,CAC7K,CAAC;YACJ,CAAC;YACD,YAAY,IAAI,OAAO,CAAC;QAC1B,CAAC;QAED,IAAI,YAAY,KAAK,aAAa,CAAC,MAAM,EAAE,CAAC;YAC1C,mEAAmE;YACnE,+DAA+D;YAC/D,+CAA+C;YAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0DAA0D,QAAQ,UAAU,UAAU,cAAc,aAAa,CAAC,MAAM,YAAY,YAAY,IAAI,CACrJ,CAAC;YACF,MAAM,IAAI,KAAK,CACb,qCAAqC,aAAa,CAAC,MAAM,mBAAmB,YAAY,4BAA4B,CACrH,CAAC;QACJ,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,iCAAiC,QAAQ,UAAU,YAAY,mBAAmB,SAAS,CAAC,KAAK,IAAI,SAAS,kBAAkB,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,IAAI,CACpL,CAAC;QAEF,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC"}

package/payload/platform/lib/graph-write/src/index.ts

@@ -112,10 +112,33 @@ export async function writeNodeWithEdges(
       );
     }
 
-    const nodeRes = await tx.run(
-      `CREATE (n:${labelStr} $props) RETURN elementId(n) AS nodeId, labels(n) AS nodeLabels`,
-      { props: nodeProps }
-    );
+    let nodeRes;
+    try {
+      nodeRes = await tx.run(
+        `CREATE (n:${labelStr} $props) RETURN elementId(n) AS nodeId, labels(n) AS nodeLabels`,
+        { props: nodeProps }
+      );
+    } catch (err) {
+      // Task 792: surface UserProfile uniqueness violations as a structured
+      // reject line. Neo4j's ConstraintValidationFailed message names the
+      // violated label + properties (e.g. "Node(N) already exists with label
+      // `UserProfile` and properties accountId=… userId=…") but NOT the
+      // constraint name, so we key on the helper's input `labels` parameter
+      // rather than parsing the message. Other constraint violations
+      // propagate without specialised logging — they are unexpected and the
+      // raw error is the right signal.
+      const code = (err as { code?: string } | null)?.code ?? "";
+      if (code === "Neo.ClientError.Schema.ConstraintValidationFailed" && labels.includes("UserProfile")) {
+        const accountIdProp = (nodeProps as Record<string, unknown>).accountId;
+        const userIdProp = (nodeProps as Record<string, unknown>).userId;
+        const acctSlice = typeof accountIdProp === "string" ? accountIdProp.slice(0, 8) : "unknown";
+        const userSlice = typeof userIdProp === "string" ? userIdProp.slice(0, 8) : "unknown";
+        process.stderr.write(
+          `[graph-write] reject reason=user-profile-uniqueness-violation accountId=${acctSlice} userId=${userSlice} writer=${agentLabel}\n`
+        );
+      }
+      throw err;
+    }
     const nodeId = nodeRes.records[0].get("nodeId") as string;
     const nodeLabels = nodeRes.records[0].get("nodeLabels") as string[];
 

package/payload/platform/neo4j/schema.cypher

@@ -577,8 +577,11 @@ FOR (sr:StepResult) ON (sr.runId);
 // ----------------------------------------------------------
 
 // Composite unique constraint: one profile per admin per account.
-// Replaces the single-key accountId constraint (Task 249).
-CREATE CONSTRAINT user_profile_account_user_unique IF NOT EXISTS
+// Replaces the single-key accountId constraint (Task 249) and the
+// transitional name `user_profile_account_user_unique` (Task 792 — renamed
+// for grep parity with the doctrine name in .docs/neo4j.md and the
+// per-bucket dedupe script). Old name dropped in seed-neo4j.sh MIGRATE_EOF.
+CREATE CONSTRAINT user_profile_unique_per_user IF NOT EXISTS
 FOR (up:UserProfile) REQUIRE (up.accountId, up.userId) IS UNIQUE;
 
 // ----------------------------------------------------------

package/payload/platform/package.json

@@ -6,8 +6,8 @@
     "plugins/*/mcp"
   ],
   "scripts": {
-    "build": "tsc -p lib/models/tsconfig.json && tsc -p lib/anthropic-key/tsconfig.json && tsc -p lib/oauth-llm/tsconfig.json && tsc -p lib/mcp-stderr-tee/tsconfig.json && tsc -p lib/mcp-spawn-tee/tsconfig.json && tsc -p lib/graph-mcp/tsconfig.json && tsc -p lib/graph-trash/tsconfig.json && tsc -p lib/graph-search/tsconfig.json && tsc -p lib/graph-write/tsconfig.json && tsc -p lib/screening-patterns/tsconfig.json && tsc -p lib/device-url/tsconfig.json && NODE_OPTIONS='--max-old-space-size=8192' tsc -b plugins/*/mcp/tsconfig.json",
-    "build:lib": "tsc -p lib/models/tsconfig.json && tsc -p lib/anthropic-key/tsconfig.json && tsc -p lib/oauth-llm/tsconfig.json && tsc -p lib/mcp-stderr-tee/tsconfig.json && tsc -p lib/mcp-spawn-tee/tsconfig.json && tsc -p lib/graph-mcp/tsconfig.json && tsc -p lib/graph-trash/tsconfig.json && tsc -p lib/graph-search/tsconfig.json && tsc -p lib/graph-write/tsconfig.json && tsc -p lib/screening-patterns/tsconfig.json && tsc -p lib/device-url/tsconfig.json",
+    "build": "tsc -p lib/models/tsconfig.json && tsc -p lib/anthropic-key/tsconfig.json && tsc -p lib/oauth-llm/tsconfig.json && tsc -p lib/mcp-stderr-tee/tsconfig.json && tsc -p lib/mcp-spawn-tee/tsconfig.json && tsc -p lib/graph-mcp/tsconfig.json && tsc -p lib/graph-trash/tsconfig.json && tsc -p lib/graph-search/tsconfig.json && tsc -p lib/graph-write/tsconfig.json && tsc -p lib/screening-patterns/tsconfig.json && tsc -p lib/device-url/tsconfig.json && tsc -p lib/brand-templating/tsconfig.json && NODE_OPTIONS='--max-old-space-size=8192' tsc -b plugins/*/mcp/tsconfig.json",
+    "build:lib": "tsc -p lib/models/tsconfig.json && tsc -p lib/anthropic-key/tsconfig.json && tsc -p lib/oauth-llm/tsconfig.json && tsc -p lib/mcp-stderr-tee/tsconfig.json && tsc -p lib/mcp-spawn-tee/tsconfig.json && tsc -p lib/graph-mcp/tsconfig.json && tsc -p lib/graph-trash/tsconfig.json && tsc -p lib/graph-search/tsconfig.json && tsc -p lib/graph-write/tsconfig.json && tsc -p lib/screening-patterns/tsconfig.json && tsc -p lib/device-url/tsconfig.json && tsc -p lib/brand-templating/tsconfig.json",
     "build:memory": "tsc -p plugins/memory/mcp/tsconfig.json",
     "build:contacts": "tsc -p plugins/contacts/mcp/tsconfig.json",
     "build:telegram": "tsc -p plugins/telegram/mcp/tsconfig.json",

package/payload/platform/plugins/admin/mcp/dist/index.js

@@ -9,6 +9,7 @@ import { execFileSync } from "node:child_process";
 import { appendFileSync, cpSync, existsSync, mkdirSync, readdirSync, readFileSync, renameSync, statSync, writeFileSync } from "node:fs";
 import { writeKey, validateKey, hasKey, keyFilePath, deleteKey } from "../../../../lib/anthropic-key/dist/index.js";
 import { deviceUrlBlock } from "../../../../lib/device-url/dist/index.js";
+import { substituteBrandPlaceholders } from "../../../../lib/brand-templating/dist/index.js";
 import { createHash, randomInt, randomUUID } from "node:crypto";
 import { createConnection } from "node:net";
 import { homedir, hostname as osHostname } from "node:os";
@@ -1226,7 +1227,11 @@ server.tool("plugin-read", "Read a plugin definition (PLUGIN.md) or one of its r
                 isError: true,
             };
         }
-        const content = await readFile(pluginPath, "utf-8");
+        const rawContent = await readFile(pluginPath, "utf-8");
+        // Brand-substitute every plugin file before it reaches the agent —
+        // PLUGIN.md, skills/<name>/SKILL.md, references/*.md all flow through
+        // here. Missing brand.json hard-throws (Tasks 787/788 doctrine).
+        const content = substituteBrandPlaceholders(rawContent, pluginPath);
         // Append file inventory on default calls (PLUGIN.md) so agents can discover
         // skill and reference paths without guessing
         if (resolvedFile === "PLUGIN.md") {