@rubytech/create-maxy 1.0.765 → 1.0.766

package/payload/server/server.js

@@ -606,8 +606,8 @@ var serveStatic = (options = { root: "" }) => {
 };
 
 // server/index.ts
-import { readFileSync as readFileSync16, existsSync as existsSync20, watchFile } from "fs";
-import { resolve as resolve21, join as join10, basename as basename7 } from "path";
+import { readFileSync as readFileSync16, existsSync as existsSync22, watchFile } from "fs";
+import { resolve as resolve23, join as join10, basename as basename7 } from "path";
 import { homedir as homedir2 } from "os";
 
 // app/lib/agent-slug-pattern.ts
@@ -1351,9 +1351,9 @@ function discoverAllSources(configDir2, accountLogDir2) {
 }
 function readNewLines(filepath, prev) {
   if (!existsSync3(filepath)) return null;
-  const stat6 = statSync3(filepath);
-  const size = stat6.size;
-  const inode = stat6.ino;
+  const stat7 = statSync3(filepath);
+  const size = stat7.size;
+  const inode = stat7.ino;
   let startOffset = 0;
   let rotated = false;
   let truncated = false;
@@ -2692,7 +2692,7 @@ var credsSaveQueue = Promise.resolve();
 async function drainCredsSaveQueue(timeoutMs = 5e3) {
   console.error(`${TAG3} draining credential save queue\u2026`);
   const timer2 = new Promise(
-    (resolve22) => setTimeout(() => resolve22("timeout"), timeoutMs)
+    (resolve24) => setTimeout(() => resolve24("timeout"), timeoutMs)
   );
   const result = await Promise.race([
     credsSaveQueue.then(() => "drained"),
@@ -2820,11 +2820,11 @@ async function createWaSocket(opts) {
   return sock;
 }
 async function waitForConnection(sock) {
-  return new Promise((resolve22, reject) => {
+  return new Promise((resolve24, reject) => {
     const handler = (update) => {
       if (update.connection === "open") {
         sock.ev.off("connection.update", handler);
-        resolve22();
+        resolve24();
       }
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
@@ -2938,14 +2938,14 @@ ${inspected}`;
   return inspect2(err, INSPECT_OPTS2);
 }
 function withTimeout(label, promise, timeoutMs) {
-  return new Promise((resolve22, reject) => {
+  return new Promise((resolve24, reject) => {
     const timer2 = setTimeout(() => {
       reject(new Error(`${label} timed out after ${timeoutMs}ms`));
     }, timeoutMs);
     promise.then(
       (value) => {
         clearTimeout(timer2);
-        resolve22(value);
+        resolve24(value);
       },
       (err) => {
         clearTimeout(timer2);
@@ -4159,11 +4159,11 @@ async function connectWithReconnect(conn) {
       console.error(
         `${TAG11} reconnecting account=${conn.accountId} in ${delay}ms (attempt ${decision.nextAttempts}/${maxAttempts})`
       );
-      await new Promise((resolve22) => {
-        const timer2 = setTimeout(resolve22, delay);
+      await new Promise((resolve24) => {
+        const timer2 = setTimeout(resolve24, delay);
         conn.abortController.signal.addEventListener("abort", () => {
           clearTimeout(timer2);
-          resolve22();
+          resolve24();
         }, { once: true });
       });
     }
@@ -4171,16 +4171,16 @@ async function connectWithReconnect(conn) {
   }
 }
 function waitForDisconnectEvent(conn) {
-  return new Promise((resolve22) => {
+  return new Promise((resolve24) => {
     if (!conn.sock) {
-      resolve22();
+      resolve24();
       return;
     }
     const sock = conn.sock;
     const handler = (update) => {
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
-        resolve22();
+        resolve24();
       }
     };
     sock.ev.on("connection.update", handler);
@@ -4397,8 +4397,8 @@ async function handleInboundMessage(conn, msg) {
     const conversationKey = isGroup ? remoteJid : senderPhone;
     const debounceKey = `${conn.accountId}:${conversationKey}:${senderPhone}`;
     let resolvePending;
-    const sttPending = new Promise((resolve22) => {
-      resolvePending = resolve22;
+    const sttPending = new Promise((resolve24) => {
+      resolvePending = resolve24;
     });
     if (conn.debouncer) conn.debouncer.registerPending(debounceKey, sttPending);
     try {
@@ -4511,20 +4511,20 @@ async function probeApiKey() {
   return result.status;
 }
 function checkPort(port2, timeoutMs = 500) {
-  return new Promise((resolve22) => {
+  return new Promise((resolve24) => {
     const socket = createConnection(port2, "127.0.0.1");
     socket.setTimeout(timeoutMs);
     socket.once("connect", () => {
       socket.destroy();
-      resolve22(true);
+      resolve24(true);
     });
     socket.once("error", () => {
       socket.destroy();
-      resolve22(false);
+      resolve24(false);
     });
     socket.once("timeout", () => {
       socket.destroy();
-      resolve22(false);
+      resolve24(false);
     });
   });
 }
@@ -6734,8 +6734,8 @@ async function startLogin(opts) {
   resetActiveLogin(accountId);
   let resolveQr = null;
   let rejectQr = null;
-  const qrPromise = new Promise((resolve22, reject) => {
-    resolveQr = resolve22;
+  const qrPromise = new Promise((resolve24, reject) => {
+    resolveQr = resolve24;
     rejectQr = reject;
   });
   const qrTimer = setTimeout(
@@ -9697,8 +9697,8 @@ function resolveDataPath(raw) {
   if (resolvedReal !== dataRootReal && !resolvedReal.startsWith(dataRootReal + sep)) {
     return { ok: false, status: 403, error: "Path escapes DATA_ROOT", resolved: resolvedReal };
   }
-  const relPath = relative(dataRootReal, resolvedReal) || ".";
-  return { ok: true, absolute: resolvedReal, dataRootReal, relative: relPath };
+  const relPath2 = relative(dataRootReal, resolvedReal) || ".";
+  return { ok: true, absolute: resolvedReal, dataRootReal, relative: relPath2 };
 }
 
 // ../lib/graph-trash/src/index.ts
@@ -9932,8 +9932,8 @@ async function restoreNode(params) {
 
 // app/lib/file-delete-cascade.ts
 var UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-function parseAttachmentPath(relPath) {
-  const segments = relPath.split("/").filter(Boolean);
+function parseAttachmentPath(relPath2) {
+  const segments = relPath2.split("/").filter(Boolean);
   if (segments.length !== 4) return null;
   if (segments[0] !== "uploads") return null;
   const accountId = segments[1];
@@ -10076,9 +10076,9 @@ async function enrich(absolute, entry, accountNames) {
     }
   }
 }
-function buildDisplayPath(relPath, accountNames) {
-  if (relPath === "." || relPath === "") return [];
-  return relPath.split("/").filter(Boolean).map((seg) => {
+function buildDisplayPath(relPath2, accountNames) {
+  if (relPath2 === "." || relPath2 === "") return [];
+  return relPath2.split("/").filter(Boolean).map((seg) => {
     const dn = UUID_RE3.test(seg) ? accountNames.get(seg) : void 0;
     return dn ? { name: seg, displayName: dn } : { name: seg };
   });
@@ -10098,7 +10098,7 @@ app22.get("/", requireAdminSession, async (c) => {
     }
     return c.json({ error: resolution.error }, resolution.status);
   }
-  const { absolute, relative: relPath } = resolution;
+  const { absolute, relative: relPath2 } = resolution;
   try {
     const info = await stat4(absolute);
     if (!info.isDirectory()) {
@@ -10131,17 +10131,17 @@ app22.get("/", requireAdminSession, async (c) => {
       const bKey = b.displayName ?? b.name;
       return aKey.localeCompare(bKey);
     });
-    const displayPath = buildDisplayPath(relPath, accountNames);
-    console.error(`[data] file-list path="${relPath}" entries=${entries.length}`);
-    return c.json({ path: relPath, displayPath, entries });
+    const displayPath = buildDisplayPath(relPath2, accountNames);
+    console.error(`[data] file-list path="${relPath2}" entries=${entries.length}`);
+    return c.json({ path: relPath2, displayPath, entries });
   } catch (err) {
     const code = err.code;
     if (code === "ENOENT") {
-      console.error(`[data] file-list not-found path="${relPath}"`);
+      console.error(`[data] file-list not-found path="${relPath2}"`);
       return c.json({ error: "Not found" }, 404);
     }
     const message = err instanceof Error ? err.message : String(err);
-    console.error(`[data] file-list error path="${relPath}" err="${message}"`);
+    console.error(`[data] file-list error path="${relPath2}" err="${message}"`);
     return c.json({ error: message }, 500);
   }
 });
@@ -10160,7 +10160,7 @@ app22.get("/download", requireAdminSession, async (c) => {
     }
     return c.json({ error: resolution.error }, resolution.status);
   }
-  const { absolute, relative: relPath } = resolution;
+  const { absolute, relative: relPath2 } = resolution;
   try {
     const info = await stat4(absolute);
     if (!info.isFile()) {
@@ -10170,7 +10170,7 @@ app22.get("/download", requireAdminSession, async (c) => {
     const mimeType = detectMimeType(absolute);
     const nodeStream = createReadStream3(absolute);
     const webStream = Readable2.toWeb(nodeStream);
-    console.error(`[data] file-download path="${relPath}" size=${info.size}`);
+    console.error(`[data] file-download path="${relPath2}" size=${info.size}`);
     const safeQuotedName = filename.replace(/[\r\n"\\]/g, "_");
     const encodedName = encodeURIComponent(filename);
     return new Response(webStream, {
@@ -10185,11 +10185,11 @@ app22.get("/download", requireAdminSession, async (c) => {
   } catch (err) {
     const code = err.code;
     if (code === "ENOENT") {
-      console.error(`[data] file-download not-found path="${relPath}"`);
+      console.error(`[data] file-download not-found path="${relPath2}"`);
       return c.json({ error: "Not found" }, 404);
     }
     const message = err instanceof Error ? err.message : String(err);
-    console.error(`[data] file-download error path="${relPath}" err="${message}"`);
+    console.error(`[data] file-download error path="${relPath2}" err="${message}"`);
     return c.json({ error: message }, 500);
   }
 });
@@ -10267,11 +10267,11 @@ app22.delete("/", requireAdminSession, async (c) => {
     }
     return c.json({ error: resolution.error }, resolution.status);
   }
-  const { absolute, relative: relPath } = resolution;
+  const { absolute, relative: relPath2 } = resolution;
   const base = basename6(absolute);
-  const segments = relPath.split("/").filter(Boolean);
+  const segments = relPath2.split("/").filter(Boolean);
   if (base === "account.json" || segments.includes(".git")) {
-    console.error(`[data] file-delete blocked path="${relPath}" reason="protected"`);
+    console.error(`[data] file-delete blocked path="${relPath2}" reason="protected"`);
     return c.json({ error: "Protected file \u2014 refusing to delete" }, 403);
   }
   try {
@@ -10292,29 +10292,29 @@ app22.delete("/", requireAdminSession, async (c) => {
       } catch {
       }
     }
-    console.error(`[data] file-delete path="${relPath}" bytes=${info.size}`);
-    const parsed = parseAttachmentPath(relPath);
+    console.error(`[data] file-delete path="${relPath2}" bytes=${info.size}`);
+    const parsed = parseAttachmentPath(relPath2);
     if (parsed) {
       try {
         const { nodes } = await cascadeDeleteDocument({
           accountId,
           attachmentId: parsed.attachmentId
         });
-        console.error(`[data] file-delete graph-cascade path="${relPath}" nodes=${nodes}`);
+        console.error(`[data] file-delete graph-cascade path="${relPath2}" nodes=${nodes}`);
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
-        console.error(`[data] file-delete graph-cascade-failed path="${relPath}" err="${message}"`);
+        console.error(`[data] file-delete graph-cascade-failed path="${relPath2}" err="${message}"`);
       }
     }
     return c.json({ ok: true });
   } catch (err) {
     const code = err.code;
     if (code === "ENOENT") {
-      console.error(`[data] file-delete not-found path="${relPath}"`);
+      console.error(`[data] file-delete not-found path="${relPath2}"`);
       return c.json({ error: "Not found" }, 404);
     }
     const message = err instanceof Error ? err.message : String(err);
-    console.error(`[data] file-delete error path="${relPath}" err="${message}"`);
+    console.error(`[data] file-delete error path="${relPath2}" err="${message}"`);
     return c.json({ error: message }, 500);
   }
 });
@@ -11769,32 +11769,57 @@ async function fetchKnowledgeDocs(accountId) {
     await session.close();
   }
   return Promise.all(metas.map(async (m) => {
-    const content = await readArtefactContent(accountId, m.attachmentId, m.mimeType);
-    return { id: m.id, name: m.name, kind: "knowledge-doc", updatedAt: m.updatedAt, content };
+    const { content, skipReason } = await readArtefactContent(accountId, m.attachmentId, m.mimeType, m.name);
+    return {
+      id: m.id,
+      name: m.name,
+      kind: "knowledge-doc",
+      updatedAt: m.updatedAt,
+      content,
+      editable: skipReason === null,
+      mimeType: m.mimeType,
+      skipReason
+    };
   }));
 }
-async function readArtefactContent(accountId, attachmentId, mimeType) {
-  if (!attachmentId) return "";
+async function readArtefactContent(accountId, attachmentId, mimeType, displayName) {
+  if (!attachmentId) {
+    logSkip(displayName, "null-attachmentId", mimeType);
+    return { content: "", skipReason: "null-attachmentId" };
+  }
   const isText = TEXT_MIME_PREFIXES.some((p) => mimeType.startsWith(p));
-  if (!isText) return "";
+  if (!isText) {
+    logSkip(displayName, "non-text-mime", mimeType);
+    return { content: "", skipReason: "non-text-mime" };
+  }
   const accountDir = resolve20(ATTACHMENTS_ROOT, accountId);
   const dir = resolve20(accountDir, attachmentId);
   try {
     validateFilePathInAccount(dir, accountDir);
   } catch {
-    return "";
+    logSkip(displayName, "containment-rejected", mimeType);
+    return { content: "", skipReason: "containment-rejected" };
   }
   try {
     const entries = await readdir3(dir);
     const dataFile = entries.find((f) => !f.endsWith(".meta.json"));
-    if (!dataFile) return "";
-    return await readFile5(resolve20(dir, dataFile), "utf-8");
+    if (!dataFile) {
+      logSkip(displayName, "missing-on-disk", mimeType);
+      return { content: "", skipReason: "missing-on-disk" };
+    }
+    return { content: await readFile5(resolve20(dir, dataFile), "utf-8"), skipReason: null };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     console.error(`[admin/sidebar-artefacts] read-failed attachmentId=${attachmentId.slice(0, 8)} error="${message}"`);
-    return "";
+    logSkip(displayName, "missing-on-disk", mimeType);
+    return { content: "", skipReason: "missing-on-disk" };
   }
 }
+function logSkip(name, reason, mimeType) {
+  console.log(
+    `[admin/sidebar-artefacts] content-skipped name="${name}" reason=${reason} mimeType=${mimeType || "none"}`
+  );
+}
 async function fetchAgentTemplateRows(accountDir) {
   const rows = [];
   for (const filename of ADMIN_AGENT_FILES) {
@@ -11808,7 +11833,8 @@ async function fetchAgentTemplateRows(accountDir) {
       overridePath,
       overrideRoot: accountDir,
       bundledPath,
-      bundledRoot: PLATFORM_ROOT
+      bundledRoot: PLATFORM_ROOT,
+      editable: true
     });
     if (row) rows.push(row);
   }
@@ -11825,7 +11851,8 @@ async function fetchAgentTemplateRows(accountDir) {
       overridePath,
       overrideRoot: accountDir,
       bundledPath,
-      bundledRoot: PLATFORM_ROOT
+      bundledRoot: PLATFORM_ROOT,
+      editable: false
     });
     if (row) rows.push(row);
   }
@@ -11880,7 +11907,10 @@ async function readAgentTemplateRow(inp) {
       name: inp.displayName,
       kind: "agent-template",
       updatedAt: st.mtime.toISOString(),
-      content
+      content,
+      editable: inp.editable,
+      mimeType: "text/markdown",
+      skipReason: null
     };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
@@ -11896,32 +11926,172 @@ function isWithin(target, root) {
 }
 var sidebar_artefacts_default = app32;
 
-// server/routes/admin/index.ts
+// server/routes/admin/sidebar-artefact-save.ts
+import { mkdir as mkdir4, readdir as readdir4, stat as stat6, writeFile as writeFile5 } from "fs/promises";
+import { resolve as resolve21 } from "path";
+import { existsSync as existsSync20 } from "fs";
+var ADMIN_AGENT_FILES2 = /* @__PURE__ */ new Set(["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"]);
+var UUID_RE4 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app33 = new Hono();
-app33.route("/session", session_default2);
-app33.route("/chat", chat_default2);
-app33.route("/compact", compact_default);
-app33.route("/logs", logs_default);
-app33.route("/claude-info", claude_info_default);
-app33.route("/attachment", attachment_default);
-app33.route("/agents", agents_default);
-app33.route("/sessions", sessions_default);
-app33.route("/browser", browser_default);
-app33.route("/device-browser", device_browser_default);
-app33.route("/events", events_default);
-app33.route("/cloudflare", cloudflare_default);
-app33.route("/files", files_default);
-app33.route("/graph-search", graph_search_default);
-app33.route("/graph-subgraph", graph_subgraph_default);
-app33.route("/graph-delete", graph_delete_default);
-app33.route("/graph-restore", graph_restore_default);
-app33.route("/graph-labels-in-graph", graph_labels_in_graph_default);
-app33.route("/graph-default-view", graph_default_view_default);
-app33.route("/file-attach", file_attach_default);
-app33.route("/adherence", adherence_default);
-app33.route("/sidebar-projects", sidebar_projects_default);
-app33.route("/sidebar-artefacts", sidebar_artefacts_default);
-var admin_default = app33;
+app33.post("/", requireAdminSession, async (c) => {
+  const sessionKey = c.var.sessionKey;
+  const accountId = getAccountIdForSession(sessionKey);
+  if (!accountId) return c.json({ error: "Account not found for session" }, 401);
+  const body = await safeJson(c);
+  if (!body || typeof body.id !== "string" || typeof body.content !== "string") {
+    return c.json({ error: "id and content required" }, 400);
+  }
+  const accountDir = resolve21(ACCOUNTS_DIR, accountId);
+  const resolved = await resolveSavePath(body.id, accountId, accountDir);
+  if (resolved.kind === "reject") {
+    console.error(
+      `[admin/sidebar-artefact-save] auth-rejected reason=${resolved.reason} path=${body.id}`
+    );
+    return c.json({ error: resolved.reason }, resolved.status);
+  }
+  const start = Date.now();
+  try {
+    await writeFile5(resolved.path, body.content, "utf-8");
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(
+      `[admin/sidebar-artefact-save] write-failed path=${relPath(resolved.path, accountDir)} error="${message}"`
+    );
+    return c.json({ error: "Write failed" }, 500);
+  }
+  let updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+  try {
+    const st = await stat6(resolved.path);
+    updatedAt = st.mtime.toISOString();
+  } catch {
+  }
+  const ms = Date.now() - start;
+  console.log(
+    `[admin/sidebar-artefact-save] account=${accountId} path=${relPath(resolved.path, accountDir)} bytes=${body.content.length} ms=${ms}`
+  );
+  return c.json({ updatedAt });
+});
+async function resolveSavePath(id, accountId, accountDir) {
+  if (id.startsWith("agent-template:")) {
+    const parts = id.split(":");
+    if (parts.length !== 3) return { kind: "reject", status: 400, reason: "invalid-id" };
+    const [, role, filename] = parts;
+    if (role === "specialist") {
+      return { kind: "reject", status: 403, reason: "specialist-write-blocked" };
+    }
+    if (role !== "admin" || !ADMIN_AGENT_FILES2.has(filename)) {
+      return { kind: "reject", status: 400, reason: "invalid-id" };
+    }
+    const parent = resolve21(accountDir, "agents", "admin");
+    await mkdir4(parent, { recursive: true });
+    try {
+      validateFilePathInAccount(parent, accountDir);
+    } catch {
+      return { kind: "reject", status: 400, reason: "containment-rejected" };
+    }
+    return { kind: "admin-template", path: resolve21(parent, filename) };
+  }
+  if (UUID_RE4.test(id)) {
+    const dir = resolve21(ATTACHMENTS_ROOT, accountId, id);
+    if (!existsSync20(dir)) {
+      return { kind: "reject", status: 400, reason: "not-found" };
+    }
+    try {
+      validateFilePathInAccount(dir, resolve21(ATTACHMENTS_ROOT, accountId));
+    } catch {
+      return { kind: "reject", status: 400, reason: "containment-rejected" };
+    }
+    const entries = await readdir4(dir);
+    const dataFile = entries.find((f) => !f.endsWith(".meta.json"));
+    if (!dataFile) {
+      return { kind: "reject", status: 400, reason: "not-found" };
+    }
+    return { kind: "knowledge-doc", path: resolve21(dir, dataFile) };
+  }
+  return { kind: "reject", status: 400, reason: "invalid-id" };
+}
+function relPath(absPath, root) {
+  return absPath.startsWith(root) ? absPath.slice(root.length + 1) : absPath;
+}
+var sidebar_artefact_save_default = app33;
+
+// server/routes/admin/sidebar-artefact-content.ts
+import { readFile as readFile6, readdir as readdir5 } from "fs/promises";
+import { existsSync as existsSync21 } from "fs";
+import { resolve as resolve22 } from "path";
+var UUID_RE5 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
+var app34 = new Hono();
+app34.get("/", requireAdminSession, async (c) => {
+  const sessionKey = c.var.sessionKey;
+  const accountId = getAccountIdForSession(sessionKey);
+  if (!accountId) return new Response("Unauthorized", { status: 401 });
+  const id = c.req.query("id") ?? "";
+  if (!UUID_RE5.test(id)) {
+    console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
+    return new Response("Not found", { status: 404 });
+  }
+  const dir = resolve22(ATTACHMENTS_ROOT, accountId, id);
+  if (!existsSync21(dir)) {
+    console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
+    return new Response("Not found", { status: 404 });
+  }
+  let meta;
+  try {
+    meta = JSON.parse(await readFile6(resolve22(dir, `${id}.meta.json`), "utf-8"));
+  } catch {
+    console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
+    return new Response("Not found", { status: 404 });
+  }
+  const entries = await readdir5(dir);
+  const dataFile = entries.find((f) => !f.endsWith(".meta.json"));
+  if (!dataFile) {
+    console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
+    return new Response("Not found", { status: 404 });
+  }
+  const start = Date.now();
+  const buffer = await readFile6(resolve22(dir, dataFile));
+  const ms = Date.now() - start;
+  console.log(
+    `[admin/sidebar-artefact-content] account=${accountId} id=${id.slice(0, 8)} mime=${meta.mimeType} bytes=${buffer.length} ms=${ms}`
+  );
+  return new Response(new Uint8Array(buffer), {
+    headers: {
+      "Content-Type": meta.mimeType,
+      "Content-Disposition": `inline; filename="${meta.filename}"`,
+      "Cache-Control": "private, max-age=3600"
+    }
+  });
+});
+var sidebar_artefact_content_default = app34;
+
+// server/routes/admin/index.ts
+var app35 = new Hono();
+app35.route("/session", session_default2);
+app35.route("/chat", chat_default2);
+app35.route("/compact", compact_default);
+app35.route("/logs", logs_default);
+app35.route("/claude-info", claude_info_default);
+app35.route("/attachment", attachment_default);
+app35.route("/agents", agents_default);
+app35.route("/sessions", sessions_default);
+app35.route("/browser", browser_default);
+app35.route("/device-browser", device_browser_default);
+app35.route("/events", events_default);
+app35.route("/cloudflare", cloudflare_default);
+app35.route("/files", files_default);
+app35.route("/graph-search", graph_search_default);
+app35.route("/graph-subgraph", graph_subgraph_default);
+app35.route("/graph-delete", graph_delete_default);
+app35.route("/graph-restore", graph_restore_default);
+app35.route("/graph-labels-in-graph", graph_labels_in_graph_default);
+app35.route("/graph-default-view", graph_default_view_default);
+app35.route("/file-attach", file_attach_default);
+app35.route("/adherence", adherence_default);
+app35.route("/sidebar-projects", sidebar_projects_default);
+app35.route("/sidebar-artefacts", sidebar_artefacts_default);
+app35.route("/sidebar-artefact-save", sidebar_artefact_save_default);
+app35.route("/sidebar-artefact-content", sidebar_artefact_content_default);
+var admin_default = app35;
 
 // app/lib/graph-health.ts
 var HOUR_MS = 60 * 60 * 1e3;
@@ -12023,10 +12193,10 @@ function clientFrom(c) {
 var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
 var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join10(PLATFORM_ROOT7, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
-if (BRAND_JSON_PATH && !existsSync20(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && !existsSync22(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
 }
-if (BRAND_JSON_PATH && existsSync20(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync22(BRAND_JSON_PATH)) {
   try {
     const parsed = JSON.parse(readFileSync16(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
@@ -12050,7 +12220,7 @@ var brandLoginOpts = {
 var ALIAS_DOMAINS_PATH2 = join10(homedir2(), BRAND.configDir, "alias-domains.json");
 function loadAliasDomains() {
   try {
-    if (!existsSync20(ALIAS_DOMAINS_PATH2)) return null;
+    if (!existsSync22(ALIAS_DOMAINS_PATH2)) return null;
     const parsed = JSON.parse(readFileSync16(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
@@ -12075,9 +12245,9 @@ watchFile(ALIAS_DOMAINS_PATH2, { interval: 2e3 }, () => {
 function isPublicHost(host) {
   return host.startsWith("public.") || aliasDomains.has(host);
 }
-var app34 = new Hono();
-app34.use("*", clientIpMiddleware);
-app34.use("*", async (c, next) => {
+var app36 = new Hono();
+app36.use("*", clientIpMiddleware);
+app36.use("*", async (c, next) => {
   await next();
   c.header("X-Content-Type-Options", "nosniff");
   c.header("Referrer-Policy", "strict-origin-when-cross-origin");
@@ -12100,7 +12270,7 @@ var PUBLIC_ALLOWED_PREFIXES = [
   "/g/"
 ];
 var PUBLIC_ALLOWED_EXACT = ["/favicon.ico"];
-app34.use("*", async (c, next) => {
+app36.use("*", async (c, next) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (!isPublicHost(host)) {
     await next();
@@ -12140,7 +12310,7 @@ function resolveRemoteAuthOpts() {
   return brandLoginOpts;
 }
 var MAX_LOGIN_BODY = 8 * 1024;
-app34.post("/__remote-auth/login", async (c) => {
+app36.post("/__remote-auth/login", async (c) => {
   const client = clientFrom(c);
   const clientIp = client.ip || "unknown";
   if (!requestIsTlsTerminated(c)) {
@@ -12184,7 +12354,7 @@ app34.post("/__remote-auth/login", async (c) => {
     }
   });
 });
-app34.get("/__remote-auth/logout", (c) => {
+app36.get("/__remote-auth/logout", (c) => {
   return new Response(null, {
     status: 302,
     headers: {
@@ -12194,7 +12364,7 @@ app34.get("/__remote-auth/logout", (c) => {
     }
   });
 });
-app34.post("/__remote-auth/change-password", async (c) => {
+app36.post("/__remote-auth/change-password", async (c) => {
   const client = clientFrom(c);
   const clientIp = client.ip || "unknown";
   const rateLimited = checkRateLimit(client);
@@ -12244,13 +12414,13 @@ app34.post("/__remote-auth/change-password", async (c) => {
     return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "change", changeError: "Failed to save password", redirect }), 200);
   }
 });
-app34.get("/__remote-auth/setup", (c) => {
+app36.get("/__remote-auth/setup", (c) => {
   if (isRemoteAuthConfigured()) {
     return c.redirect("/");
   }
   return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "setup" }), 200);
 });
-app34.post("/__remote-auth/set-initial-password", async (c) => {
+app36.post("/__remote-auth/set-initial-password", async (c) => {
   if (isRemoteAuthConfigured()) {
     return c.redirect("/");
   }
@@ -12286,10 +12456,10 @@ app34.post("/__remote-auth/set-initial-password", async (c) => {
     return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "setup", setupError: "Failed to save password. Please try again." }), 200);
   }
 });
-app34.get("/api/remote-auth/status", (c) => {
+app36.get("/api/remote-auth/status", (c) => {
   return c.json({ configured: isRemoteAuthConfigured() });
 });
-app34.post("/api/remote-auth/set-password", async (c) => {
+app36.post("/api/remote-auth/set-password", async (c) => {
   let body;
   try {
     body = await c.req.json();
@@ -12319,9 +12489,9 @@ app34.post("/api/remote-auth/set-password", async (c) => {
     return c.json({ error: "Failed to save password" }, 500);
   }
 });
-app34.route("/api/_client-error", client_error_default);
+app36.route("/api/_client-error", client_error_default);
 console.log("[client-error-route] mounted");
-app34.use("*", async (c, next) => {
+app36.use("*", async (c, next) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   const path2 = c.req.path;
   if (path2 === "/favicon.ico" || path2.startsWith("/assets/") || path2.startsWith("/brand/")) {
@@ -12354,15 +12524,15 @@ app34.use("*", async (c, next) => {
   console.error(`[remote-auth] login required ip=${clientIp} path=${path2} ${disambig}`);
   return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), redirect: path2 }), 200);
 });
-app34.route("/api/health", health_default);
-app34.route("/api/session", session_default);
-app34.route("/api/chat", chat_default);
-app34.route("/api/group", group_default);
-app34.route("/api/access", access_default);
-app34.route("/api/telegram", telegram_default);
-app34.route("/api/whatsapp", whatsapp_default);
-app34.route("/api/onboarding", onboarding_default);
-app34.route("/api/admin", admin_default);
+app36.route("/api/health", health_default);
+app36.route("/api/session", session_default);
+app36.route("/api/chat", chat_default);
+app36.route("/api/group", group_default);
+app36.route("/api/access", access_default);
+app36.route("/api/telegram", telegram_default);
+app36.route("/api/whatsapp", whatsapp_default);
+app36.route("/api/onboarding", onboarding_default);
+app36.route("/api/admin", admin_default);
 var SAFE_SLUG_RE = /^[a-z][a-z0-9-]{2,49}$/;
 var SAFE_FILENAME_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
 var IMAGE_MIME = {
@@ -12374,7 +12544,7 @@ var IMAGE_MIME = {
   ".svg": "image/svg+xml",
   ".ico": "image/x-icon"
 };
-app34.get("/agent-assets/:slug/:filename", (c) => {
+app36.get("/agent-assets/:slug/:filename", (c) => {
   const slug = c.req.param("slug");
   const filename = c.req.param("filename");
   if (!SAFE_SLUG_RE.test(slug)) {
@@ -12390,13 +12560,13 @@ app34.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] no-account slug=${slug} file=${filename}`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve21(account.accountDir, "agents", slug, "assets", filename);
-  const expectedDir = resolve21(account.accountDir, "agents", slug, "assets");
+  const filePath = resolve23(account.accountDir, "agents", slug, "assets", filename);
+  const expectedDir = resolve23(account.accountDir, "agents", slug, "assets");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync20(filePath)) {
+  if (!existsSync22(filePath)) {
     console.error(`[agent-assets] serve slug=${slug} file=${filename} status=404`);
     return c.text("Not found", 404);
   }
@@ -12409,7 +12579,7 @@ app34.get("/agent-assets/:slug/:filename", (c) => {
     "Cache-Control": "public, max-age=3600"
   });
 });
-app34.get("/generated/:filename", (c) => {
+app36.get("/generated/:filename", (c) => {
   const filename = c.req.param("filename");
   if (!SAFE_FILENAME_RE.test(filename) || filename.includes("..")) {
     console.error(`[generated] serve file=${filename} status=403`);
@@ -12420,13 +12590,13 @@ app34.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve21(account.accountDir, "generated", filename);
-  const expectedDir = resolve21(account.accountDir, "generated");
+  const filePath = resolve23(account.accountDir, "generated", filename);
+  const expectedDir = resolve23(account.accountDir, "generated");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync20(filePath)) {
+  if (!existsSync22(filePath)) {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
@@ -12442,7 +12612,7 @@ app34.get("/generated/:filename", (c) => {
 var htmlCache = /* @__PURE__ */ new Map();
 var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
-if (BRAND_JSON_PATH && existsSync20(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync22(BRAND_JSON_PATH)) {
   try {
     const fullBrand = JSON.parse(readFileSync16(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
@@ -12462,7 +12632,7 @@ function readInstalledVersion() {
   try {
     if (!PLATFORM_ROOT7) return "unknown";
     const versionFile = join10(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
-    if (!existsSync20(versionFile)) return "unknown";
+    if (!existsSync22(versionFile)) return "unknown";
     const content = readFileSync16(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
@@ -12504,7 +12674,7 @@ var clientErrorReporterScript = `<script>
 function cachedHtml(file) {
   let html = htmlCache.get(file);
   if (!html) {
-    html = readFileSync16(resolve21(process.cwd(), "public", file), "utf-8");
+    html = readFileSync16(resolve23(process.cwd(), "public", file), "utf-8");
     const productNameEsc = escapeHtml(BRAND.productName);
     html = html.replace(/<title>([^<]*)<\/title>/, (_match, inner) => `<title>${escapeHtml(inner).replace(/Maxy/g, productNameEsc)}</title>`);
     html = html.replace('href="/favicon.ico"', `href="${escapeHtml(brandFaviconPath)}"`);
@@ -12523,12 +12693,12 @@ function loadBrandingCache(agentSlug) {
   const configDir2 = join10(homedir2(), BRAND.configDir);
   try {
     const accountJsonPath = join10(configDir2, "account.json");
-    if (!existsSync20(accountJsonPath)) return null;
+    if (!existsSync22(accountJsonPath)) return null;
     const account = JSON.parse(readFileSync16(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
     const cachePath = join10(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
-    if (!existsSync20(cachePath)) return null;
+    if (!existsSync22(cachePath)) return null;
     return JSON.parse(readFileSync16(cachePath, "utf-8"));
   } catch {
     return null;
@@ -12538,7 +12708,7 @@ function resolveDefaultSlug() {
   try {
     const configDir2 = join10(homedir2(), BRAND.configDir);
     const accountJsonPath = join10(configDir2, "account.json");
-    if (!existsSync20(accountJsonPath)) return null;
+    if (!existsSync22(accountJsonPath)) return null;
     const account = JSON.parse(readFileSync16(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
@@ -12575,7 +12745,7 @@ function brandedPublicHtml(agentSlug) {
 function escapeHtml(s) {
   return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-app34.get("/", (c) => {
+app36.get("/", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) {
     const defaultSlug = resolveDefaultSlug();
@@ -12583,12 +12753,12 @@ app34.get("/", (c) => {
   }
   return c.html(cachedHtml("index.html"));
 });
-app34.get("/public", (c) => {
+app36.get("/public", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("public.html"));
 });
-app34.get("/chat", (c) => {
+app36.get("/chat", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("public.html"));
@@ -12607,12 +12777,12 @@ async function logViewerFetch(c, next) {
     duration_ms: Date.now() - start
   });
 }
-app34.use("/vnc-viewer.html", logViewerFetch);
-app34.use("/vnc-popout.html", logViewerFetch);
-app34.get("/vnc-popout.html", (c) => {
+app36.use("/vnc-viewer.html", logViewerFetch);
+app36.use("/vnc-popout.html", logViewerFetch);
+app36.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
-    html = readFileSync16(resolve21(process.cwd(), "public", "vnc-popout.html"), "utf-8");
+    html = readFileSync16(resolve23(process.cwd(), "public", "vnc-popout.html"), "utf-8");
     const name = escapeHtml(BRAND.productName);
     html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
     html = html.replace("</head>", `  ${brandScript}
@@ -12622,7 +12792,7 @@ app34.get("/vnc-popout.html", (c) => {
   }
   return c.html(html);
 });
-app34.post("/api/vnc/client-event", async (c) => {
+app36.post("/api/vnc/client-event", async (c) => {
   let body;
   try {
     body = await c.req.json();
@@ -12643,20 +12813,20 @@ app34.post("/api/vnc/client-event", async (c) => {
   });
   return c.json({ ok: true });
 });
-app34.get("/g/:slug", (c) => {
+app36.get("/g/:slug", (c) => {
   return c.html(brandedPublicHtml());
 });
-app34.get("/graph", (c) => {
+app36.get("/graph", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("graph.html"));
 });
-app34.get("/data", (c) => {
+app36.get("/data", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("data.html"));
 });
-app34.get("/:slug", async (c, next) => {
+app36.get("/:slug", async (c, next) => {
   const slug = c.req.param("slug");
   if (AGENT_SLUG_PATTERN.test(`/${slug}`)) {
     const branding = loadBrandingCache(slug);
@@ -12665,10 +12835,10 @@ app34.get("/:slug", async (c, next) => {
   }
   await next();
 });
-app34.use("/*", serveStatic({ root: "./public" }));
+app36.use("/*", serveStatic({ root: "./public" }));
 var port = parseInt(process.env.MAXY_UI_INTERNAL_PORT ?? process.env.PORT ?? "19199", 10);
 var hostname = process.env.HOSTNAME ?? "127.0.0.1";
-var httpServer = serve({ fetch: app34.fetch, port, hostname });
+var httpServer = serve({ fetch: app36.fetch, port, hostname });
 console.log(`${BRAND.productName} listening on http://${hostname}:${port}`);
 var SUBAPP_MANIFEST = [
   { prefix: "/api/health", file: "server/routes/health.ts", subapp: health_default },
@@ -12688,7 +12858,7 @@ for (const m of SUBAPP_MANIFEST) {
 }
 try {
   const registered = [];
-  for (const r of app34.routes ?? []) {
+  for (const r of app36.routes ?? []) {
     if (typeof r.path !== "string" || r.path.includes(":") || r.path.includes("*")) continue;
     if (AGENT_SLUG_PATTERN.test(r.path)) {
       registered.push({ method: (r.method ?? "ALL").toUpperCase(), path: r.path });
@@ -12702,7 +12872,7 @@ try {
 (async () => {
   try {
     let userId = "";
-    if (existsSync20(USERS_FILE)) {
+    if (existsSync22(USERS_FILE)) {
       const users = JSON.parse(readFileSync16(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
@@ -12755,7 +12925,7 @@ if (bootAccountConfig?.whatsapp) {
 }
 init({
   configDir: configDirForWhatsApp,
-  platformRoot: resolve21(process.env.MAXY_PLATFORM_ROOT ?? join10(__dirname, "..")),
+  platformRoot: resolve23(process.env.MAXY_PLATFORM_ROOT ?? join10(__dirname, "..")),
   accountConfig: bootAccountConfig,
   onMessage: async (msg) => {
     try {