npm - @rubytech/create-maxy - Versions diffs - 1.0.795 → 1.0.797 - Mend

@rubytech/create-maxy 1.0.795 → 1.0.797

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-maxy",
-  "version": "1.0.795",
+  "version": "1.0.797",
   "description": "Install Maxy — AI for Productive People",
   "bin": {
     "create-maxy": "./dist/index.js"

package/payload/platform/neo4j/migrations/003-person-name-eradicate.cypher ADDED Viewed

@@ -0,0 +1,24 @@
+// ============================================================
+// Migration 003 — Person.name eradication (Task 849)
+//
+// Removes the denormalised `name` property from every Person node.
+// `Person.name` is forbidden by schema-base.md "Forbidden Properties":
+// the canonical fields are `givenName` + `familyName`, composed at
+// read time by display-helpers.ts. Persisted `name` was a divergence
+// trap — LLM extraction emitted `name = givenName` ("Dan") alongside
+// the structured pair, so the canvas rendered "Dan" instead of
+// "Dan Brett".
+//
+// Idempotent: subsequent runs find no Persons with `name` set and
+// return removed=0.
+//
+// Applied at boot by platform/ui/app/lib/neo4j-migrations.ts. Safe to
+// run manually:
+//   cypher-shell -u neo4j -p <password> -a $NEO4J_URI \
+//     -f platform/neo4j/migrations/003-person-name-eradicate.cypher
+// ============================================================
+MATCH (p:Person)
+WHERE p.name IS NOT NULL
+REMOVE p.name
+RETURN count(p) AS removed

package/payload/platform/plugins/admin/PLUGIN.md CHANGED Viewed

@@ -51,6 +51,10 @@ Platform management tools for both the admin and public agents. The `plugin-read
 Tools are available via the `admin` MCP server.
+**Three-store admin auth invariant (Task 850).** `admin-add` writes to all three identity stores (`users.json` PIN auth, `account.json` `admins[]` role, Neo4j `:AdminUser`/`:Person` graph identity) with per-leg `[admin-auth-store]` log lines and returns `is_error: true` on any leg failure naming what's already written. `admin-update-pin` writes `users.json` only and emits the same line. Direct `Edit`/`Write` on `account.json` is blocked at the `pre-tool-use` hook — mutations go through `account-update`, `plugin-toggle-enabled`, or the `admin-*` tools. See `.docs/agents.md` § "Three-store admin auth invariant" for the full contract.
+`logs-read { type: "agent-stream" }` (Task 850) is the canonical name for the per-conversation tool-use/tool-result archive previously called `system`; both names work and the legacy alias is preserved.
 ## Skills
 | Task | When to use | Reference |

package/payload/platform/plugins/admin/hooks/pre-tool-use.sh CHANGED Viewed

@@ -47,11 +47,15 @@ if [ "$AGENT_TYPE" = "admin" ]; then
           echo "[entitlement] tool-deny: tool=${TOOL_NAME} path=${FILE_PATH} field=entitlement-file" >&2
           exit 2
           ;;
-        # account.json (Task 831) — agent must use the account-update MCP tool
-        # (or plugin-toggle-enabled for enabledPlugins changes), which whitelists
-        # editable fields server-side. Direct Edit/Write bypasses that whitelist;
-        # deny unconditionally including cwd-relative paths.
-        */data/accounts/*/account.json|*/config/accounts/*/account.json|data/accounts/*/account.json|config/accounts/*/account.json|account.json)
+        # account.json (Task 831 + Task 850) — agent must use the account-update
+        # MCP tool (or plugin-toggle-enabled for enabledPlugins changes), which
+        # whitelists editable fields server-side. Direct Edit/Write bypasses
+        # that whitelist; deny unconditionally including cwd-relative paths.
+        # Task 850 adds */account.json and *account.json as a backstop so any
+        # layout the named patterns miss is still caught — the Adam Mackay
+        # incident showed a tier upgrade via raw Edit on account.json reach
+        # the disk, exactly the failure mode this hook exists to prevent.
+        */data/accounts/*/account.json|*/config/accounts/*/account.json|data/accounts/*/account.json|config/accounts/*/account.json|*/account.json|*account.json|account.json)
           echo "Blocked: Admin agent cannot edit account.json directly. Use the account-update or plugin-toggle-enabled MCP tools — they whitelist editable fields server-side and exclude tier and purchasedPlugins by design." >&2
           echo "[entitlement] tool-deny: tool=${TOOL_NAME} path=${FILE_PATH} field=account-json" >&2
           exit 2

package/payload/platform/plugins/admin/mcp/dist/index.js CHANGED Viewed

@@ -621,7 +621,7 @@ server.tool("plugin-toggle-enabled", "Enable or disable a plugin in this account
 // ===================================================================
 // Admin user management tools
 // ===================================================================
-server.tool("admin-add", "Add a new admin user to this account. Creates a device-level user entry (users.json) and adds them to this account's admins list (account.json). PIN must be at least 4 digits. If no PIN is provided, a unique 4-digit PIN is generated. Returns the userId and PIN to share with the new admin.", {
+server.tool("admin-add", "Add a new admin user to this account. Creates a device-level user entry (users.json) and adds them to this account's admins list (account.json). PIN must be at least 4 digits. If no PIN is provided, a unique 4-digit PIN is generated. Returns the userId and PIN to share with the new admin.\n\nIMPORTANT — retry behaviour: if the user already stated a specific PIN earlier in the conversation and a first admin-add call failed (e.g. tier cap reached, PIN collision), every retry MUST re-pass that PIN as the `pin` parameter. Omitting `pin` on the retry auto-generates a different 4-digit PIN, silently substituting what the user asked for.", {
     name: z.string().describe("Display name for the new admin (stored on the AdminUser node in Neo4j)."),
     pin: z.string().optional().describe("Optional PIN (minimum 4 digits). If omitted, a unique 4-digit PIN is generated."),
 }, async ({ name, pin: rawPin }) => {
@@ -679,14 +679,25 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
     }
     const pinHash = hashPin(plaintextPin);
     const userId = crypto.randomUUID();
+    // Three-store admin auth invariant (Task 850): users.json (device-level
+    // PIN auth), account.json admins[] (account-level role), Neo4j AdminUser
+    // (display + graph identity). Each leg emits a [admin-auth-store] line so
+    // a future incident can grep one log to know which leg failed; any leg
+    // failing makes the tool result is_error: true with a cause line citing
+    // what's already been written. No automatic rollback — the cause line is
+    // the manual-recovery diagnostic.
+    const userIdShort = userId.slice(0, 8);
     // 1. Write to users.json (device-level). Auth fields only — `name` lives
     //    on the AdminUser node in Neo4j (Task 829).
     users.push({ userId, pin: pinHash });
     try {
         writeUsersJson(users);
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=ok store=users`);
     }
     catch (err) {
-        return { content: [{ type: "text", text: `${TAG} Failed to write users.json: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+        const errMsg = err instanceof Error ? err.message : String(err);
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=fail store=users error=${errMsg}`);
+        return { content: [{ type: "text", text: `${TAG} Failed to write users.json: ${errMsg}` }], isError: true };
     }
     // 2. Write to account.json (account-level)
     try {
@@ -698,10 +709,12 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
             const configPath = join(getAccountDir(), "account.json");
             await writeFile(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
         }
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=ok store=account`);
     }
     catch (err) {
-        console.error(`${TAG} account.json write failed: ${err instanceof Error ? err.message : String(err)}`);
-        return { content: [{ type: "text", text: `${TAG} User created in users.json but failed to add to account: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+        const errMsg = err instanceof Error ? err.message : String(err);
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=fail store=account error=${errMsg}`);
+        return { content: [{ type: "text", text: `${TAG} users.json updated; account.json write FAILED — manual reconciliation needed: ${errMsg}` }], isError: true };
     }
     // 3. Write to Neo4j (graph-level): AdminUser + Person + OWNS atomically,
     //    plus ADMIN_OF edge to the LocalBusiness for this account.
@@ -710,7 +723,12 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
     //    in platform/ui/app/lib/neo4j-store.ts (case-insensitive exact match
     //    on givenName + familyName; partial-name ambiguity does NOT match —
     //    rationalisation is a separate agent-mediated concern).
-    let neo4jWarning = "";
+    //    Task 850 — Neo4j-leg failure now returns is_error: true with the
+    //    [admin-auth-store] line; previously it set a soft warning string and
+    //    returned success, which is what hid the Adam Mackay incident from
+    //    the recovery agent. The user is still functional via users.json +
+    //    account.json, but the graph state is divergent and the operator
+    //    must know.
     let personReused = false;
     try {
         const session = getSession();
@@ -759,18 +777,25 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
         finally {
             await session.close();
         }
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=ok store=neo4j personReused=${personReused}`);
     }
     catch (err) {
         const errMsg = err instanceof Error ? err.message : String(err);
-        console.error(`${TAG} Neo4j sync failed during admin-add: userId=${userId} error=${errMsg} — files written, graph pending`);
-        neo4jWarning = ` Note: Neo4j sync failed (${errMsg}) — the admin user is functional but the graph will need reconciliation on next seed.`;
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=fail store=neo4j error=${errMsg}`);
+        return {
+            content: [{
+                    type: "text",
+                    text: `${TAG} users.json + account.json updated for userId ${userId} (PIN: ${plaintextPin}); Neo4j sync FAILED — manual reconciliation needed: ${errMsg}`,
+                }],
+            isError: true,
+        };
     }
-    console.error(`${TAG} [admin-identity] adminuser-bound userId=${userId.slice(0, 8)} name=${name.trim()} personReused=${personReused}`);
+    console.error(`${TAG} [admin-identity] adminuser-bound userId=${userIdShort} name=${name.trim()} personReused=${personReused}`);
     console.error(`${TAG} admin added: userId=${userId} userName=${name.trim()} accountId=${ACCOUNT_ID} role=admin addedBy=${callerUserId ?? "unknown"}`);
     return {
         content: [{
                 type: "text",
-                text: `Admin added successfully.\n\n- **Name:** ${name.trim()}\n- **userId:** ${userId}\n- **PIN:** ${plaintextPin}\n- **Role:** admin\n\nShare the PIN with ${name.trim()} so they can log in.${neo4jWarning}`,
+                text: `Admin added successfully.\n\n- **Name:** ${name.trim()}\n- **userId:** ${userId}\n- **PIN:** ${plaintextPin}\n- **Role:** admin\n\nShare the PIN with ${name.trim()} so they can log in.`,
             }],
     };
 });
@@ -912,18 +937,22 @@ server.tool("admin-update-pin", "Update an existing admin user's PIN. Defaults t
         users = readUsersJson();
     }
     catch (err) {
+        const errMsg = err instanceof Error ? err.message : String(err);
         console.error(`${TAG} userId=${userIdLabel} result=user-not-found reason=users-json-read-failed`);
-        return { content: [{ type: "text", text: `${TAG} ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+        console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=fail store=users error=${errMsg}`);
+        return { content: [{ type: "text", text: `${TAG} ${errMsg}` }], isError: true };
     }
     const targetIndex = users.findIndex(u => u.userId === userId);
     if (targetIndex === -1) {
         console.error(`${TAG} userId=${userIdLabel} result=user-not-found`);
+        console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=fail store=users error=user-not-found`);
         return { content: [{ type: "text", text: `${TAG} User ${userId} not found in users.json.` }], isError: true };
     }
     const newHash = hashPin(newPin);
     const collidesWithOther = users.some((u, i) => i !== targetIndex && u.pin === newHash);
     if (collidesWithOther) {
         console.error(`${TAG} userId=${userIdLabel} result=collision`);
+        console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=fail store=users error=pin-collision`);
         return { content: [{ type: "text", text: `${TAG} That PIN is already in use by another user. Choose a different PIN.` }], isError: true };
     }
     users[targetIndex].pin = newHash;
@@ -931,9 +960,12 @@ server.tool("admin-update-pin", "Update an existing admin user's PIN. Defaults t
         writeUsersJson(users);
     }
     catch (err) {
-        return { content: [{ type: "text", text: `${TAG} Failed to write users.json: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+        const errMsg = err instanceof Error ? err.message : String(err);
+        console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=fail store=users error=${errMsg}`);
+        return { content: [{ type: "text", text: `${TAG} Failed to write users.json: ${errMsg}` }], isError: true };
     }
     console.error(`${TAG} userId=${userIdLabel} result=ok`);
+    console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=ok store=users`);
     const self = userId === callerUserId;
     return {
         content: [{ type: "text", text: `PIN updated${self ? "" : ` for userId ${userId}`}. The new PIN takes effect on the next login.` }],
@@ -1147,8 +1179,8 @@ server.tool("agent-list", "List all public (non-admin) agents with their full co
         };
     }
 });
-server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=system/error/session/public) are now per-conversation — pass `conversationId` to retrieve a single conversation's log from first [spawn] to final [process-exit]. type=system: raw Claude stream-json + agent events + [tool-wait]/[tool-wait-diag]/[tool-wait-proc] telemetry + MCP server stderr via tee. type=session: SSE events sent to client. type=error: Claude subprocess stderr (raw — NODE_DEBUG HTTP/NET/UNDICI traces land in system via the stream tee, not here). type=heartbeat: platform event dispatcher (check-due-events cron). type=public: public agent diagnostic log. type=server: platform server log. type=mcp: MCP server stderr (per-plugin raw). type=vnc: VNC browser viewer lifecycle. type=review: log-review detector decisions. sessionKey: grep legacy sessionKey-tagged lines across all logs (useful for pre-Task-532 artefacts). When conversationId is provided, reads the single per-conversation file for the requested type (or dumps all type files for that conversationId if type is omitted).", {
-    type: z.enum(["system", "session", "error", "heartbeat", "public", "server", "mcp", "vnc", "review"]).optional(),
+server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=agent-stream/error/session/public) are now per-conversation — pass `conversationId` to retrieve a single conversation's log from first [spawn] to final [process-exit]. type=agent-stream: per-conversation tool-use/tool-result archive (every `[tool-use]` and `[tool-result]` pair with full input + output JSON, plus raw Claude stream-json, agent events, and MCP server stderr via tee). USE THIS when investigating what an agent ACTUALLY did with its tools — server.log only carries `[persist] tool-call persisted` markers, not bodies. (`type=system` is a backwards-compatible alias for the same archive.) type=session: SSE events sent to client. type=error: Claude subprocess stderr (raw — NODE_DEBUG HTTP/NET/UNDICI traces land in agent-stream via the stream tee, not here). type=heartbeat: platform event dispatcher (check-due-events cron). type=public: public agent diagnostic log. type=server: platform server log. type=mcp: MCP server stderr (per-plugin raw). type=vnc: VNC browser viewer lifecycle. type=review: log-review detector decisions. sessionKey: grep legacy sessionKey-tagged lines across all logs (useful for pre-Task-532 artefacts). When conversationId is provided, reads the single per-conversation file for the requested type (or dumps all type files for that conversationId if type is omitted).", {
+    type: z.enum(["agent-stream", "system", "session", "error", "heartbeat", "public", "server", "mcp", "vnc", "review"]).optional(),
     lines: z.number().optional(),
     sessionKey: z.string().optional(),
     conversationId: z.string().optional(),
@@ -1181,16 +1213,17 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=syst
                 return { content: [{ type: "text", text: `Log directory does not exist: ${LOG_DIR}` }] };
             }
             const prefixMap = {
-                system: "claude-agent-stream",
+                "agent-stream": "claude-agent-stream",
+                system: "claude-agent-stream", // Task 850 — backwards-compatible alias for agent-stream
                 error: "claude-agent-stderr",
                 session: "sse-events",
                 public: "public-agent-stream",
             };
-            const resolvedType = type ?? "system";
+            const resolvedType = type ?? "agent-stream";
             const prefix = prefixMap[resolvedType];
             if (!prefix) {
                 return {
-                    content: [{ type: "text", text: `type=${resolvedType} is not per-conversation. Valid per-conversation types: system, error, session, public. For platform-scoped types (server, vnc, review, heartbeat, mcp) omit conversationId.` }],
+                    content: [{ type: "text", text: `type=${resolvedType} is not per-conversation. Valid per-conversation types: agent-stream, error, session, public. For platform-scoped types (server, vnc, review, heartbeat, mcp) omit conversationId.` }],
                     isError: true,
                 };
             }
@@ -1234,7 +1267,8 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=syst
         // --- Session-key filtered mode: grep across log files ---
         if (sessionKey) {
             const prefixes = {
-                system: "claude-agent-stream-",
+                "agent-stream": "claude-agent-stream-",
+                system: "claude-agent-stream-", // Task 850 — backwards-compatible alias
                 error: "claude-agent-stderr-",
                 session: "sse-events-",
                 public: "public-agent-stream-",
@@ -1332,7 +1366,7 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=syst
             return { content: [{ type: "text", text: `# Session timeline: ${sessionKey}\n\n${sections.join("\n\n")}` }] };
         }
         // --- Standard mode: tail most recent file of the requested type ---
-        const resolvedType = type ?? "system";
+        const resolvedType = type ?? "agent-stream";
         // Heartbeat log is a single fixed file, not prefix-based
         if (resolvedType === "heartbeat") {
             const logFile = resolve(LOG_DIR, "check-due-events.log");
@@ -1381,6 +1415,8 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=syst
             }).toString();
             return { content: [{ type: "text", text: `# review.log\n\n${result}` }] };
         }
+        // Task 850 — agent-stream and the legacy system alias both map to
+        // claude-agent-stream-. The fall-through default also covers them.
         const prefix = resolvedType === "error" ? "claude-agent-stderr-"
             : resolvedType === "session" ? "sse-events-"
                 : resolvedType === "public" ? "public-agent-stream-"