@rubytech/create-maxy 1.0.793 → 1.0.795

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-maxy",
-  "version": "1.0.793",
+  "version": "1.0.795",
   "description": "Install Maxy — AI for Productive People",
   "bin": {
     "create-maxy": "./dist/index.js"

package/payload/platform/lib/graph-search/src/__tests__/fulltext-coverage.test.ts

@@ -85,6 +85,14 @@ const CANONICAL_TEXT_PROPERTIES = [
   "contactValue",
   // ToolCall
   "toolName",
+  // Agent (Task 837) — public-agent projection. `displayName` mirrors
+  // config.json; `slug` is the directory-name identifier; `role` is the
+  // discriminator carried on the four owned :KnowledgeDocument projections
+  // ('identity' | 'soul' | 'knowledge' | 'knowledge-summary'). Adding any
+  // new agent-side text property to the projector requires extending both
+  // the schema's ON EACH list and this canon, otherwise BM25 silently
+  // misses operator queries that match the new field.
+  "displayName", "slug", "role",
 ];
 
 interface IndexDeclaration {

package/payload/platform/neo4j/edge-annotations.json

@@ -111,6 +111,26 @@
     "OBSERVED_IN": {
       "direction": "(*)-[:OBSERVED_IN]->(Conversation)",
       "note": "Observation provenance."
+    },
+    "HAS_IDENTITY": {
+      "direction": "(Agent)-[:HAS_IDENTITY]->(KnowledgeDocument)",
+      "note": "Task 837 — public-agent IDENTITY.md projection (KnowledgeDocument with role='identity', namespaced attachmentId='agent:<slug>:identity')."
+    },
+    "HAS_SOUL": {
+      "direction": "(Agent)-[:HAS_SOUL]->(KnowledgeDocument)",
+      "note": "Task 837 — public-agent SOUL.md projection (role='soul')."
+    },
+    "HAS_KNOWLEDGE": {
+      "direction": "(Agent)-[:HAS_KNOWLEDGE]->(KnowledgeDocument)",
+      "note": "Task 837 — public-agent KNOWLEDGE.md projection (role='knowledge'); KNOWLEDGE-SUMMARY.md uses the same edge with role='knowledge-summary'."
+    },
+    "USES_KNOWLEDGE": {
+      "direction": "(Agent)-[:USES_KNOWLEDGE]->(KnowledgeDocument)",
+      "note": "Task 837 — operator-tagged docs (slug ∈ k.agents). Materialised at projection time only; runtime memory-search reads k.agents directly."
+    },
+    "HANDLED_BY": {
+      "direction": "(Conversation)-[:HANDLED_BY]->(Agent)",
+      "note": "Task 837 — public conversations only. Written by ensureConversation via OPTIONAL MATCH so orphan slugs do not block conversation creation."
     }
   },
   "sublabels": {

package/payload/platform/neo4j/migrations/002-project-public-agents.ts

@@ -0,0 +1,191 @@
+/**
+ * Migration 002 — Project file-based public agents into the graph (Task 837).
+ *
+ * Two passes:
+ *
+ *   1. Walk every account directory under data/accounts/<accountId>/agents/
+ *      and call projectAgent(accountId, accountDir, slug) for each non-admin
+ *      agent that has a config.json. The projector is idempotent: re-running
+ *      this migration produces no duplicate nodes or edges.
+ *
+ *   2. For every existing public Conversation that carries an agentSlug
+ *      property, MATCH the corresponding :Agent and MERGE the
+ *      (:Conversation)-[:HANDLED_BY]->(:Agent) edge. Conversations whose
+ *      slug doesn't resolve to an Agent (orphan slugs from deleted agents,
+ *      or DM-channel public flows that haven't been extended to register a
+ *      slug) are left edge-less; they will gain the edge automatically once
+ *      the slug is registered or a new agent at that slug is projected.
+ *
+ * Run via the platform/ui standalone runtime so it picks up the same
+ * NEO4J_URI / accounts-directory resolution as the server:
+ *
+ *   cd platform/ui && \
+ *     NEO4J_URI=bolt://… NEO4J_PASSWORD=… \
+ *     npx tsx ../neo4j/migrations/002-project-public-agents.ts
+ *
+ * Output: structured `[agent-graph-backfill]` lines per account + a final
+ * totals line. A non-zero exit code on any per-account failure surfaces to
+ * the operator; subsequent accounts are still attempted (the migration is
+ * isolating by account, not all-or-nothing).
+ */
+
+import { existsSync, readdirSync } from "node:fs";
+import { resolve } from "node:path";
+import {
+  projectAgent,
+  getSession,
+} from "../../ui/app/lib/neo4j-store";
+import { ACCOUNTS_DIR } from "../../ui/app/lib/claude-agent/account";
+
+interface PerAccountStats {
+  accountId: string;
+  agents: number;
+  agentFailures: number;
+  convEdges: number;
+  convOrphans: number;
+  convCandidates: number;
+}
+
+async function projectAccountAgents(
+  accountId: string,
+  accountDir: string,
+): Promise<{ agents: number; agentFailures: number }> {
+  const agentsDir = resolve(accountDir, "agents");
+  if (!existsSync(agentsDir)) return { agents: 0, agentFailures: 0 };
+
+  let agents = 0;
+  let agentFailures = 0;
+  for (const entry of readdirSync(agentsDir, { withFileTypes: true })) {
+    if (!entry.isDirectory()) continue;
+    if (entry.name === "admin") continue;
+
+    const configPath = resolve(agentsDir, entry.name, "config.json");
+    if (!existsSync(configPath)) continue;
+
+    try {
+      await projectAgent(accountId, accountDir, entry.name);
+      agents++;
+    } catch (err) {
+      agentFailures++;
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(
+        `[agent-graph-backfill] account=${accountId.slice(0, 8)} agent=${entry.name} project FAILED error="${msg}"`,
+      );
+    }
+  }
+  return { agents, agentFailures };
+}
+
+interface HandledByBackfillStats {
+  candidates: number;
+  edges: number;
+  orphans: number;
+}
+
+/**
+ * Two-pass: count candidate Conversations (those carrying agentSlug),
+ * then OPTIONAL MATCH to surface orphans separately from successful merges.
+ * A hard MATCH-then-MATCH chain would silently filter orphan-slug rows out,
+ * making `edges=0` indistinguishable from "no public conversations exist"
+ * vs "every slug is orphaned" — different incidents, different fixes.
+ */
+async function backfillHandledByEdges(accountId: string): Promise<HandledByBackfillStats> {
+  const session = getSession();
+  try {
+    const result = await session.run(
+      `MATCH (c:Conversation {accountId: $accountId, agentType: 'public'})
+       WHERE c.agentSlug IS NOT NULL
+       OPTIONAL MATCH (a:Agent {accountId: $accountId, slug: c.agentSlug})
+       FOREACH (_ IN CASE WHEN a IS NULL THEN [] ELSE [1] END | MERGE (c)-[:HANDLED_BY]->(a))
+       RETURN
+         count(c) AS candidates,
+         sum(CASE WHEN a IS NULL THEN 0 ELSE 1 END) AS edges,
+         sum(CASE WHEN a IS NULL THEN 1 ELSE 0 END) AS orphans`,
+      { accountId },
+    );
+    const toNum = (v: unknown): number => {
+      if (typeof v === "number") return v;
+      if (v && typeof (v as { toNumber: () => number }).toNumber === "function") {
+        return (v as { toNumber: () => number }).toNumber();
+      }
+      return 0;
+    };
+    return {
+      candidates: toNum(result.records[0]?.get("candidates")),
+      edges: toNum(result.records[0]?.get("edges")),
+      orphans: toNum(result.records[0]?.get("orphans")),
+    };
+  } finally {
+    await session.close();
+  }
+}
+
+async function main(): Promise<void> {
+  const start = Date.now();
+
+  if (!existsSync(ACCOUNTS_DIR)) {
+    console.error(`[agent-graph-backfill] ACCOUNTS_DIR missing at ${ACCOUNTS_DIR} — nothing to do`);
+    process.exit(0);
+  }
+
+  const accountEntries = readdirSync(ACCOUNTS_DIR, { withFileTypes: true })
+    .filter((e) => e.isDirectory());
+
+  console.error(`[agent-graph-backfill] start accounts=${accountEntries.length}`);
+
+  let totalAgents = 0;
+  let totalAgentFailures = 0;
+  let totalConvEdges = 0;
+  let totalConvOrphans = 0;
+  let totalConvCandidates = 0;
+  const perAccount: PerAccountStats[] = [];
+
+  for (const entry of accountEntries) {
+    const accountDir = resolve(ACCOUNTS_DIR, entry.name);
+    const accountId = entry.name;
+    const accountStart = Date.now();
+
+    const { agents, agentFailures } = await projectAccountAgents(accountId, accountDir);
+    totalAgents += agents;
+    totalAgentFailures += agentFailures;
+
+    let convStats: HandledByBackfillStats = { candidates: 0, edges: 0, orphans: 0 };
+    try {
+      convStats = await backfillHandledByEdges(accountId);
+      totalConvEdges += convStats.edges;
+      totalConvOrphans += convStats.orphans;
+      totalConvCandidates += convStats.candidates;
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(
+        `[agent-graph-backfill] account=${accountId.slice(0, 8)} handled-by-backfill FAILED error="${msg}"`,
+      );
+    }
+
+    perAccount.push({
+      accountId,
+      agents,
+      agentFailures,
+      convEdges: convStats.edges,
+      convOrphans: convStats.orphans,
+      convCandidates: convStats.candidates,
+    });
+    const ms = Date.now() - accountStart;
+    console.error(
+      `[agent-graph-backfill] account=${accountId.slice(0, 8)} agents=${agents} failures=${agentFailures} conv-candidates=${convStats.candidates} conv-edges=${convStats.edges} conv-orphans=${convStats.orphans} ms=${ms}`,
+    );
+  }
+
+  const ms = Date.now() - start;
+  console.error(
+    `[agent-graph-backfill] done totals: agents=${totalAgents} agent-failures=${totalAgentFailures} conv-candidates=${totalConvCandidates} conv-edges=${totalConvEdges} conv-orphans=${totalConvOrphans} ms=${ms}`,
+  );
+
+  process.exit(totalAgentFailures > 0 ? 1 : 0);
+}
+
+main().catch((err) => {
+  const msg = err instanceof Error ? err.message : String(err);
+  console.error(`[agent-graph-backfill] fatal error="${msg}"`);
+  process.exit(2);
+});

package/payload/platform/neo4j/schema.cypher

@@ -286,6 +286,7 @@ OPTIONS {
 //   - Email: Email, EmailAccount
 //   - Review signals: ReviewAlert
 //   - CV/career sublabels: Position, Credential
+//   - Public agents: Agent (Task 837 — projection of file-based public agents)
 //
 // Property union — every textual property the schema's writers assign:
 //   - Generic: name, title, summary, body, content, text, description, headline, abstract,
@@ -301,6 +302,11 @@ OPTIONS {
 //   - Credential: authority
 //   - AccessGrant: contactValue
 //   - ToolCall: toolName
+//   - Agent (Task 837): displayName, slug, role
+//     `displayName` = operator-facing name; `slug` = directory-name identifier;
+//     `role` = discriminator on KnowledgeDocument projections
+//     ('identity'|'soul'|'knowledge'|'knowledge-summary') so BM25 hits surface
+//     which file backed the result. Distinct from Person.role (no shadow).
 CREATE FULLTEXT INDEX entity_search IF NOT EXISTS
 FOR (n:LocalBusiness|Service|PriceSpecification|OpeningHoursSpecification|Organization
     |Person|UserProfile|Preference|AdminUser|AccessGrant
@@ -309,12 +315,13 @@ FOR (n:LocalBusiness|Service|PriceSpecification|OpeningHoursSpecification|Organi
     |Task|Project|Event
     |Workflow|WorkflowStep|WorkflowRun|StepResult
     |OnboardingState|Email|EmailAccount|ReviewAlert
-    |Position|Credential)
+    |Position|Credential|Agent)
 ON EACH [n.name, n.firstName, n.lastName, n.givenName, n.familyName,
          n.title, n.currentTitle, n.summary, n.body, n.content, n.text, n.description, n.headline, n.abstract,
          n.email, n.note, n.label, n.value, n.message, n.preview, n.tagline,
          n.subject, n.bodyPreview, n.fromName, n.fromAddress, n.agentAddress, n.screeningReason,
-         n.authority, n.contactValue, n.toolName];
+         n.authority, n.contactValue, n.toolName,
+         n.displayName, n.slug, n.role];
 
 // Project node (Task 740) — a standalone creative-output node distinct from
 // :Section. Anchored via (:UserProfile)-[:CREATED]->(:Project), with optional
@@ -724,6 +731,66 @@ FOR (ag:AccessGrant) ON (ag.magicToken);
 CREATE INDEX access_grant_status IF NOT EXISTS
 FOR (ag:AccessGrant) ON (ag.status);
 
+// ----------------------------------------------------------
+// Agent node — projection of file-based public agents (Task 837)
+//
+// Source of truth remains the filesystem: accountDir/agents/<slug>/
+// {config.json, IDENTITY.md, SOUL.md, KNOWLEDGE.md, KNOWLEDGE-SUMMARY.md}.
+// The Agent node is a graph projection so operators can see, on /graph,
+// which public agents exist, what knowledge they have access to, and
+// which conversations they have handled. Re-running the projector
+// is idempotent and never mutates the on-disk files.
+//
+// Properties (mirrored from config.json + filesystem mtime):
+//   slug              — directory name; immutable identifier within an account
+//   displayName       — operator-facing name from config.json
+//   status            — 'active' | 'inactive' | <other> per config.json
+//   model             — Anthropic model id used by the public agent
+//   liveMemory        — bool; whether memory-search runs at message time
+//   knowledgeKeywords — string[] (live-search keyword subscriptions)
+//   role              — always 'agent' (mirrors KnowledgeDocument.role
+//                       discriminator; surfaces in BM25 hits)
+//   createdAt         — ISO 8601, set on first projection
+//   updatedAt         — ISO 8601, set on every projection
+//
+// Owned KnowledgeDocument projections (deleted on agent delete):
+//   (Agent)-[:HAS_IDENTITY]->(:KnowledgeDocument {role:'identity'})
+//   (Agent)-[:HAS_SOUL    ]->(:KnowledgeDocument {role:'soul'})
+//   (Agent)-[:HAS_KNOWLEDGE]->(:KnowledgeDocument {role:'knowledge'})
+//   (Agent)-[:HAS_KNOWLEDGE]->(:KnowledgeDocument {role:'knowledge-summary'})
+// attachmentId is namespaced as "agent:<accountId>:<slug>:<role>" so the
+// projection reuses the existing knowledge_doc_id_unique constraint without
+// a parallel uniqueness scheme. The accountId segment is load-bearing —
+// without it, two accounts with the same agent slug would collide on the
+// global unique constraint and the second projection would silently
+// re-parent the first account's doc via the MERGE+SET path. Account
+// isolation is doctrine.
+//
+// Operator-tagged docs (NOT deleted on agent delete — only edges removed):
+//   (Agent)-[:USES_KNOWLEDGE]->(:KnowledgeDocument)
+// where slug ∈ KnowledgeDocument.agents. Materialised at projection time
+// only; the runtime memory-search path continues to read k.agents directly,
+// so a doc tagged after the last projection becomes graph-visible at the
+// next re-projection but is reachable at runtime immediately. The runtime
+// path is unchanged — see [public-agent.ts:130-160].
+//
+// Conversation→Agent edge (written by ensureConversation when
+// agentType='public' and agentSlug is set):
+//   (Conversation)-[:HANDLED_BY]->(Agent)
+// OPTIONAL MATCH on the Agent so a public conversation with an orphan
+// slug still writes (single `[agent-graph] handled-by-skip` log line).
+//
+// Composite uniqueness: one Agent per (accountId, slug) — the directory
+// name is the natural key within an account, slugs collide across
+// accounts and that's allowed.
+// ----------------------------------------------------------
+
+CREATE CONSTRAINT agent_account_slug_unique IF NOT EXISTS
+FOR (a:Agent) REQUIRE (a.accountId, a.slug) IS UNIQUE;
+
+CREATE INDEX agent_account IF NOT EXISTS
+FOR (a:Agent) ON (a.accountId);
+
 // ----------------------------------------------------------
 // AdminUser node — device-level admin identity
 // Platform-native. Represents a human who administers one or

package/payload/platform/plugins/admin/hooks/__tests__/archive-ingest-gate.test.sh

@@ -0,0 +1,166 @@
+#!/usr/bin/env bash
+# Regression test for archive-ingest-gate.sh (Task 846).
+#
+# Six cases cover the contract:
+#   1. Edit on /platform/plugins/<x>/lib/* is BLOCKED (exit 2).
+#   2. Edit on a benign path is ALLOWED (exit 0).
+#   3. Bash with `npx vitest` is BLOCKED.
+#   4. PostToolUse on whatsapp-export-parse with isError:true sets the flag.
+#   5. Subsequent PreToolUse on ANY tool is BLOCKED (post-parse-error gate).
+#   6. UserPromptSubmit clears the flag, restoring normal allow behavior.
+#
+# Tests use ARCHIVE_INGEST_GATE_STATE_DIR to point at a tmp dir so they run
+# without a real account layout.
+
+set -u
+
+HOOK="$(cd "$(dirname "$0")/.." && pwd)/archive-ingest-gate.sh"
+if [[ ! -x "$HOOK" ]]; then
+  echo "FAIL: $HOOK not executable" >&2
+  exit 1
+fi
+
+# Per-run isolated state dir
+STATE_DIR=$(mktemp -d)
+export ARCHIVE_INGEST_GATE_STATE_DIR="$STATE_DIR"
+FLAG_FILE="$STATE_DIR/archive-ingest-parse-error.flag"
+
+cleanup() { rm -rf "$STATE_DIR"; }
+trap cleanup EXIT
+
+PASS=0
+FAIL=0
+
+run_case() {
+  local name="$1" stdin="$2" expected_exit="$3"
+  local actual_exit
+  printf '%s' "$stdin" | bash "$HOOK" >/dev/null 2>/dev/null
+  actual_exit=$?
+  if [[ "$actual_exit" -eq "$expected_exit" ]]; then
+    echo "PASS: $name (exit=$actual_exit)"
+    PASS=$((PASS + 1))
+  else
+    echo "FAIL: $name (expected exit=$expected_exit, got=$actual_exit)" >&2
+    FAIL=$((FAIL + 1))
+  fi
+}
+
+# Case 1 — Edit on plugin lib path: BLOCKED
+run_case "Edit on platform/plugins/whatsapp-import/lib/src/parse-export.ts → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/Users/x/repo/platform/plugins/whatsapp-import/lib/src/parse-export.ts","old_string":"a","new_string":"b"}}' \
+  2
+
+# Case 2 — Edit on a benign path: ALLOWED
+run_case "Edit on README.md → ALLOWED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/Users/x/repo/README.md","old_string":"a","new_string":"b"}}' \
+  0
+
+# Case 3 — Bash with `npx vitest`: BLOCKED
+run_case "Bash 'npx vitest run parse-export.test.ts' → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"npx vitest run parse-export.test.ts"}}' \
+  2
+
+# Case 3b — Bash with benign command: ALLOWED
+run_case "Bash 'ls -la' → ALLOWED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"ls -la"}}' \
+  0
+
+# Case 3c — Bash with `bun test`: BLOCKED
+run_case "Bash 'bun test' → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"bun test"}}' \
+  2
+
+# Case 3d — Bash with `npm test`: BLOCKED
+run_case "Bash 'npm test' → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"npm test"}}' \
+  2
+
+# Make sure flag is absent before parse-error simulation
+rm -f "$FLAG_FILE"
+
+# Case 4 — PostToolUse on whatsapp-export-parse with isError:true sets flag
+run_case "PostToolUse parse-error sets flag (exit 0, flag side-effect)" \
+  '{"hook_event_name":"PostToolUse","tool_name":"mcp__memory__whatsapp-export-parse","tool_input":{"filePath":"_chat.txt"},"tool_response":{"isError":true,"content":[{"type":"text","text":"parse-error file=_chat.txt line=1 reason=not-a-_chat.txt"}]}}' \
+  0
+
+if [[ -f "$FLAG_FILE" ]]; then
+  echo "PASS: parse-error flag created at $FLAG_FILE"
+  PASS=$((PASS + 1))
+else
+  echo "FAIL: parse-error flag NOT created at $FLAG_FILE" >&2
+  FAIL=$((FAIL + 1))
+fi
+
+# Case 5 — Subsequent PreToolUse on ANY tool BLOCKED while flag is fresh
+run_case "PreToolUse Read after parse-error → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Read","tool_input":{"file_path":"/tmp/foo"}}' \
+  2
+
+run_case "PreToolUse Bash after parse-error → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"echo hi"}}' \
+  2
+
+# Case 6 — UserPromptSubmit clears flag
+run_case "UserPromptSubmit clears flag (exit 0)" \
+  '{"hook_event_name":"UserPromptSubmit","prompt":"retry"}' \
+  0
+
+if [[ ! -f "$FLAG_FILE" ]]; then
+  echo "PASS: UserPromptSubmit cleared flag"
+  PASS=$((PASS + 1))
+else
+  echo "FAIL: UserPromptSubmit did NOT clear flag" >&2
+  FAIL=$((FAIL + 1))
+fi
+
+# Case 7 — After clearance, normal allow resumes
+run_case "PreToolUse Read after clearance → ALLOWED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Read","tool_input":{"file_path":"/tmp/foo"}}' \
+  0
+
+# Case 8 — PostToolUse with isError:false does NOT set flag
+rm -f "$FLAG_FILE"
+run_case "PostToolUse parse-success (isError:false) does NOT set flag" \
+  '{"hook_event_name":"PostToolUse","tool_name":"mcp__memory__whatsapp-export-parse","tool_input":{"filePath":"_chat.txt"},"tool_response":{"isError":false,"content":[{"type":"text","text":"{\"parsedLines\":[]}"}]}}' \
+  0
+
+if [[ ! -f "$FLAG_FILE" ]]; then
+  echo "PASS: parse-success leaves flag absent"
+  PASS=$((PASS + 1))
+else
+  echo "FAIL: parse-success incorrectly created flag" >&2
+  FAIL=$((FAIL + 1))
+fi
+
+# Case 9 — Stale flag (>600s) auto-clears + allows
+PAST=$(( $(date -u +%s) - 700 ))
+echo "$PAST" > "$FLAG_FILE"
+run_case "Stale flag auto-clears, PreToolUse Read → ALLOWED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Read","tool_input":{"file_path":"/tmp/foo"}}' \
+  0
+
+# Case 10 — No stdin (terminal) fails closed
+echo "Probing fail-closed behaviour (no stdin)..."
+bash "$HOOK" </dev/null >/dev/null 2>/dev/null
+ACTUAL=$?
+# /dev/null IS a stdin — the `[ -t 0 ]` check tests for terminal, not file.
+# A file/pipe stdin reads as empty, which produces empty hook_event_name and
+# falls through to default `exit 0` (allow). The terminal-only fail-closed
+# branch can't be tested non-interactively; verify the script reads `[ -t 0 ]`.
+if grep -q '\[ -t 0 \]' "$HOOK"; then
+  echo "PASS: fail-closed terminal check is present"
+  PASS=$((PASS + 1))
+else
+  echo "FAIL: fail-closed terminal check missing" >&2
+  FAIL=$((FAIL + 1))
+fi
+
+echo
+echo "──────── archive-ingest-gate test summary ────────"
+echo "PASS: $PASS"
+echo "FAIL: $FAIL"
+
+if [[ "$FAIL" -gt 0 ]]; then
+  exit 1
+fi
+exit 0

package/payload/platform/plugins/admin/hooks/archive-ingest-gate.sh

@@ -0,0 +1,147 @@
+#!/usr/bin/env bash
+# Archive-ingest gate (Task 846).
+#
+# Three enforcements, one script — phase decided by `hook_event_name` on stdin:
+#
+# 1. PreToolUse Edit/Write/NotebookEdit: deny writes under
+#    `*platform/plugins/*/lib/*` (parser/CSV-shape source for any *-import or
+#    *-export plugin). The database-operator subagent has Read+Bash but not
+#    Edit/Write per its `tools:` frontmatter — yet it can still mutate files
+#    via Bash heredoc. The path block applies to every tool that takes a
+#    `file_path` and has been observed as the improvisation surface.
+#
+# 2. PreToolUse Bash: deny commands invoking JavaScript test runners
+#    (vitest|bun test|npm test|npx jest|node .*vitest). The reproducer
+#    incident (conv 47c6a590) saw the operator run all four variants in
+#    sequence after parse-export returned isError.
+#
+# 3. Parse-error gate: PostToolUse on any `mcp__*__*-export-parse` /
+#    `mcp__*__*-import-parse` tool whose `tool_response.isError == true`
+#    writes a flag file. Subsequent PreToolUse on ANY tool blocks until
+#    UserPromptSubmit clears the flag (semantics: "subagent's next action
+#    must be a user-facing message; further tool calls blocked"). A 600s
+#    TTL is the cross-session safety net.
+#
+# Exit codes follow Claude Code hook protocol: 0 = allow, 2 = block (stderr
+# message shown to the agent). Fail-closed on stdin read failure to match
+# pre-tool-use.sh.
+
+set -uo pipefail
+
+# Read stdin — fail closed if unavailable
+if [ -t 0 ]; then
+  echo "Blocked: archive-ingest-gate received no stdin (cannot inspect tool call). Failing closed." >&2
+  exit 2
+fi
+INPUT=$(cat)
+
+# ----- Resolve account dir for state file ----------------------------------
+# Mirrors pre-tool-use.sh lines 100-107: walk from this hook's location to
+# platform/, then `../data/accounts/<single-account>/`. Phase 0 has exactly
+# one account directory.
+HOOK_DIR="$(cd "$(dirname "$0")" 2>/dev/null && pwd)"
+PLATFORM_ROOT_RESOLVED="${HOOK_DIR}/../../.."
+ACCOUNTS_DIR="${PLATFORM_ROOT_RESOLVED}/../data/accounts"
+ACCOUNT_DIR=""
+if [ -d "$ACCOUNTS_DIR" ]; then
+  ACCOUNT_DIR=$(find "$ACCOUNTS_DIR" -mindepth 1 -maxdepth 1 -type d 2>/dev/null | head -1)
+fi
+# Test harness override — tests pass `ARCHIVE_INGEST_GATE_STATE_DIR` to point
+# at a tmp dir without needing a real account layout.
+STATE_DIR="${ARCHIVE_INGEST_GATE_STATE_DIR:-${ACCOUNT_DIR}/state}"
+FLAG_FILE="${STATE_DIR}/archive-ingest-parse-error.flag"
+TTL_SECONDS=600
+
+# ----- Parse fields from stdin ---------------------------------------------
+# Hook protocol: every event includes `hook_event_name`. PreToolUse +
+# PostToolUse include `tool_name`. PostToolUse adds `tool_response`.
+# UserPromptSubmit has neither. Use grep/sed against the JSON envelope —
+# no jq dependency to match the rest of the hook fleet.
+HOOK_EVENT=$(printf '%s' "$INPUT" | grep -o '"hook_event_name"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+TOOL_NAME=$(printf '%s' "$INPUT" | grep -o '"tool_name"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+
+# ============================================================================
+# UserPromptSubmit — clear the parse-error flag.
+# ============================================================================
+if [ "$HOOK_EVENT" = "UserPromptSubmit" ]; then
+  if [ -f "$FLAG_FILE" ]; then
+    rm -f "$FLAG_FILE" 2>/dev/null
+    echo "[archive-ingest-gate] cleared reason=user-prompt-submit" >&2
+  fi
+  exit 0
+fi
+
+# ============================================================================
+# PostToolUse — record parse-error from any *-export-parse / *-import-parse.
+# ============================================================================
+if [ "$HOOK_EVENT" = "PostToolUse" ]; then
+  case "$TOOL_NAME" in
+    mcp__*__*-export-parse|mcp__*__*-import-parse)
+      # Inspect tool_response for isError true. Body is a JSON object; match
+      # `"isError":true` with optional whitespace.
+      if printf '%s' "$INPUT" | grep -Eq '"isError"[[:space:]]*:[[:space:]]*true'; then
+        mkdir -p "$STATE_DIR" 2>/dev/null
+        date -u +%s > "$FLAG_FILE" 2>/dev/null
+        echo "[archive-ingest-gate] surfaced reason=parse-error tool=${TOOL_NAME}" >&2
+      fi
+      ;;
+  esac
+  # PostToolUse must always allow the tool result through.
+  exit 0
+fi
+
+# ============================================================================
+# PreToolUse — three independent blocks.
+# ============================================================================
+if [ "$HOOK_EVENT" != "PreToolUse" ]; then
+  # Unknown event, or hook fired in a context without an event name. Allow.
+  exit 0
+fi
+
+# --- Block 1: post-parse-error gate (applies to ALL tools) -----------------
+if [ -f "$FLAG_FILE" ]; then
+  FLAG_TS=$(cat "$FLAG_FILE" 2>/dev/null | head -1)
+  NOW=$(date -u +%s)
+  if [ -n "$FLAG_TS" ] && [ "$FLAG_TS" -gt 0 ] 2>/dev/null; then
+    AGE=$(( NOW - FLAG_TS ))
+    if [ "$AGE" -lt "$TTL_SECONDS" ]; then
+      echo "[archive-ingest-gate] block tool=${TOOL_NAME} reason=post-parse-error age_s=${AGE}" >&2
+      echo "Blocked: an archive-parser MCP tool returned isError=true earlier in this turn. The subagent's next action must be a user-facing message naming the parse-error and yielding back to the operator. Further tool calls are blocked until the operator submits a new prompt." >&2
+      exit 2
+    fi
+    # Stale flag — clean up so we don't keep blocking on a corpse.
+    rm -f "$FLAG_FILE" 2>/dev/null
+  else
+    # Unparseable flag — remove rather than block on garbage.
+    rm -f "$FLAG_FILE" 2>/dev/null
+  fi
+fi
+
+# --- Block 2: plugin-source path block (Edit/Write/NotebookEdit) -----------
+case "$TOOL_NAME" in
+  Edit|Write|NotebookEdit)
+    FILE_PATH=$(printf '%s' "$INPUT" | grep -o '"file_path"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+    case "$FILE_PATH" in
+      */platform/plugins/*/lib/*|platform/plugins/*/lib/*)
+        echo "[archive-ingest-gate] block tool=${TOOL_NAME} reason=plugin-source-edit path=${FILE_PATH}" >&2
+        echo "Blocked: ${TOOL_NAME} on ${FILE_PATH} is a platform plugin lib/ path. The database-operator subagent does not own plugin source; if a parser is broken, surface the parse-error to the operator and let them dispatch a code-edit task instead." >&2
+        exit 2
+        ;;
+    esac
+    ;;
+esac
+
+# --- Block 3: shell test-runner block (Bash) -------------------------------
+if [ "$TOOL_NAME" = "Bash" ]; then
+  COMMAND=$(printf '%s' "$INPUT" | grep -o '"command"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+  # Match any of: `vitest`, `bun test`, `npm test`, `npx jest`, `node ... vitest`.
+  # Word-boundary checks via grep -E with explicit token boundaries — POSIX
+  # `[[:space:]]` covers leading-token edge cases, end-of-string covers tail.
+  if printf '%s' "$COMMAND" | grep -Eq '(^|[[:space:]/])vitest($|[[:space:]])|(^|[[:space:]])bun[[:space:]]+test($|[[:space:]])|(^|[[:space:]])npm[[:space:]]+test($|[[:space:]])|(^|[[:space:]])npx[[:space:]]+jest($|[[:space:]])|node[[:space:]].*vitest'; then
+    echo "[archive-ingest-gate] block tool=Bash reason=test-runner command=${COMMAND}" >&2
+    echo "Blocked: Bash command invokes a JavaScript test runner (vitest/bun test/npm test/npx jest). The database-operator subagent does not run plugin tests; surface the parse-error to the operator." >&2
+    exit 2
+  fi
+fi
+
+exit 0