@rubytech/create-maxy 1.0.801 → 1.0.803

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-maxy",
-  "version": "1.0.801",
+  "version": "1.0.803",
   "description": "Install Maxy — AI for Productive People",
   "bin": {
     "create-maxy": "./dist/index.js"

package/payload/platform/plugins/cloudflare/PLUGIN.md

@@ -30,9 +30,8 @@ The plugin registers no agent-facing MCP tools (Task 554). Every Cloudflare oper
 
 | Script | Purpose |
 |---|---|
-| [`scripts/setup-tunnel.sh`](scripts/setup-tunnel.sh) | Autonomous end-to-end setup: OAuth login, tunnel create, DNS route, config + state, service restart, post-restart verification. Invocation: `~/setup-tunnel.sh <brand> <port> <admin-hostname> [<public-hostname>] [<apex-hostname>]`. Apex hostnames print an `ACTION REQUIRED` block for the dashboard record the CLI cannot create. Task 588 drives the Cloudflare Authorize click via CDP WebSocket (`_cdp-authorize.mjs`, below) — no human click required when the VNC browser is already signed into Cloudflare. The OAuth cert-wait after the click is bounded at 20 s with a 2-second `step=oauth-login result=awaiting-cert elapsed=<N>s` heartbeat so no poll exceeds ~2 s silent. |
+| [`scripts/setup-tunnel.sh`](scripts/setup-tunnel.sh) | Autonomous end-to-end setup: OAuth login, tunnel create, DNS route, config + state, service restart, post-restart verification. Invocation: `~/setup-tunnel.sh <brand> <port> <admin-hostname> [<public-hostname>] [<apex-hostname>]`. Apex hostnames print an `ACTION REQUIRED` block for the dashboard record the CLI cannot create. Step 1 (Task 858 — wrappers faithfully relay third-party CLI) spawns `cloudflared tunnel login`, extracts the argotunnel URL from its stdout, mechanically opens it on the Pi VNC chromium (`DISPLAY=${DISPLAY:-:99} /usr/bin/chromium <url> &`), then polls for `~/.cloudflared/cert.pem` while the operator clicks the zone row + Authorize on the VNC. 180 s budget with a 2-second `step=oauth-login result=awaiting-cert` heartbeat. No CDP auto-click, no DOM matcher. |
 | [`scripts/reset-tunnel.sh`](scripts/reset-tunnel.sh) | Deletes every tunnel on the brand's CF account and wipes `${CFG_DIR}`. Does not touch the platform service, stray CNAMEs, or token-mode connectors — those require dashboard cleanup or `pkill`. Invocation: `~/reset-tunnel.sh <brand>`. No polling blocks — every long-wait is bounded by `cloudflared`'s network round-trip, so no heartbeat contract applies. |
-| [`scripts/_cdp-authorize.mjs`](scripts/_cdp-authorize.mjs) | Node 22 ESM helper driving the Cloudflare argotunnel Authorize click via CDP WebSocket. Self-contained (native `fetch` + `WebSocket`), invoked by `setup-tunnel.sh` with the target id returned from the `PUT /json/new?<url>` step. Exits 0 on successful click; 1 on `authorize-button-not-found` (the happy-path loud failure when the VNC browser isn't signed into Cloudflare); 2/3/4/5 on CDP/protocol errors. Emits one `cdp-authorize result=<…> reason=<…>` line to stdout per invocation, teed into the stream log under the `[setup-tunnel:cdp-click]` tag. |
 
 ### Skills
 

package/payload/platform/plugins/cloudflare/references/manual-setup.md

@@ -131,17 +131,19 @@ ls /tmp/.X11-unix/
 
 You should see `X99`. If not, start VNC before retrying Step 1.
 
-### Three states the consent page can render
+### States the consent page can render
 
-The dashboard at `dash.cloudflare.com/argotunnel?...` shows one of three states. The automation script's CDP helper (`_cdp-authorize.mjs`) detects each one; the same triage applies when you walk the flow manually.
+The dashboard at `dash.cloudflare.com/argotunnel?...` is `cloudflared`'s native consent surface. The automation wrapper does not inspect or auto-click it; the operator drives every variation manually on the VNC.
 
-1. **Pre-authorize — the Authorize button is visible.** This is the normal first run. Click the zone you want, then click **Authorize**. Cloudflare's callback fires and `~/.cloudflared/cert.pem` lands a second or two later. Continue with the `mv` above.
+1. **Pre-authorize — the Authorize button is visible.** Single-zone account. Click **Authorize**. Cloudflare's callback fires and `~/.cloudflared/cert.pem` lands a second or two later. Continue with the `mv` above.
 
-2. **Post-success — "Cloudflared has installed a certificate" modal.** The bound account already has a cert authorised for the zones the dashboard knows about. The OAuth callback is idempotent — navigating to a fresh `cloudflared tunnel login` URL still fires the callback, so `~/.cloudflared/cert.pem` will land. Wait a second or two, then run the `mv`.
+2. **Multi-zone picker — "Please select the zone you want to add a Tunnel to" with a list of zones.** Multi-zone account. Click the zone row you want first; the page renders the Authorize button. Click **Authorize**. Same callback path as state 1.
+
+3. **Post-success — "Cloudflared has installed a certificate" modal.** The bound account already has a cert authorised for the zones the dashboard knows about. The OAuth callback is idempotent — navigating to a fresh `cloudflared tunnel login` URL still fires the callback, so `~/.cloudflared/cert.pem` will land. Wait a second or two, then run the `mv`.
 
    If the cert *also* exists at `${CFG_DIR}/cert.pem` from a prior partial run, Step 1 is already complete — skip to Step 2.
 
-3. **Blank or button-less — neither the Authorize button nor the success modal is on the page.** The browser may be mid-load, signed out of Cloudflare, blocking on captcha, or showing some other state. Sign in to Cloudflare in the same browser, navigate back to the URL `cloudflared tunnel login` printed, and complete the click manually. If the URL has expired, kill `cloudflared` (`Ctrl+C`) and re-run Step 1 to get a fresh URL.
+4. **Blank or button-less — neither the Authorize button nor the success modal is on the page.** The browser may be mid-load, signed out of Cloudflare, blocking on captcha, or showing some other state. Sign in to Cloudflare in the same browser, navigate back to the URL `cloudflared tunnel login` printed, and complete the click manually. If the URL has expired, kill `cloudflared` (`Ctrl+C`) and re-run Step 1 to get a fresh URL.
 
 ---
 

package/payload/platform/plugins/cloudflare/scripts/setup-tunnel.sh

@@ -14,13 +14,16 @@
 # hostnames. The script writes the ingress rule for them but prints an
 # explicit ACTION REQUIRED message naming the manual dashboard step.
 #
-# Task 556: Step 1 owns the browser-spawn deterministically. Instead of
-# delegating to cloudflared's xdg-open (which silently degrades to "print
-# URL and wait"), the script drives Chromium on :99 via CDP `PUT /json/new?<url>`
-# on http://127.0.0.1:9222 — the same mechanism
-# /api/admin/device-browser/navigate uses. cloudflared's stdout+stderr is
-# teed line-by-line into STREAM_LOG_PATH so the chat UI's server-side
-# tailer renders live progress in-turn.
+# Step 1 owns the browser-spawn deterministically. The wrapper extracts
+# cloudflared's argotunnel URL from its stdout (regex below) and the moment
+# the URL surfaces, mechanically opens it on the Pi's VNC chromium via
+# `DISPLAY=${DISPLAY:-:99} /usr/bin/chromium <url> &` — no reliance on
+# cloudflared's optimistic xdg-open, no CDP auto-click, no DOM matcher.
+# The operator clicks the zone row + Authorize on the VNC themselves.
+# This is the wrappers-faithfully-relay-third-party-cli doctrine (Task 858);
+# any layer that auto-clicks Authorize for the operator is forbidden.
+# cloudflared's stdout+stderr is teed line-by-line into STREAM_LOG_PATH so
+# the chat UI's server-side tailer renders live progress in-turn.
 
 set -euo pipefail
 
@@ -62,37 +65,43 @@ mkdir -p "${CFG_DIR}"
 # --------------------------------------------------------------------------
 # Step 1: OAuth login. Corresponds to runbook Step 1.
 #
-# Step 1 is a state machine over three observable variables — brand-scoped
-# cert path, default cert path, and the helper's outcome (Task 855):
+# Step 1 is a state machine over two observable variables — brand-scoped
+# cert path and default cert path:
 #
 #   ${CFG_DIR}/cert.pem present                   → Step 1 already done; skip.
 #   ${CFG_DIR}/cert.pem missing                AND
 #     ~/.cloudflared/cert.pem present             → pre-flight: a prior run
 #                                                   reached the OAuth callback
 #                                                   but failed before the mv;
-#                                                   promote and skip the
-#                                                   helper. Idempotent.
-#   both missing                                  → spawn cloudflared, drive
-#                                                   the consent page via CDP,
-#                                                   poll for cert.pem, mv.
+#                                                   promote and skip cloudflared.
+#   both missing                                  → spawn cloudflared, surface
+#                                                   the URL on the Pi VNC,
+#                                                   wait for the operator's
+#                                                   click, poll for cert.pem,
+#                                                   mv.
 #
-# Control flow when both certs are missing (Task 556 / 588 / 855):
-#   1. CDP precheck on 127.0.0.1:9222 — loud failure if Chromium isn't up.
-#   2. Spawn cloudflared with stdout+stderr teed line-by-line to
+# Control flow when both certs are missing (Task 858 — wrappers faithfully
+# relay third-party CLI):
+#   1. Spawn cloudflared with stdout+stderr teed line-by-line to
 #      $STREAM_LOG_PATH with prefix [script:setup-tunnel:cloudflared]
 #      (Task 605's chat-surface namespace — see _stream-log.sh header).
-#   3. Extract the authorize URL with a tolerant regex as it streams.
-#   4. Drive the VNC Chromium to that URL via CDP `PUT /json/new?<url>`.
-#   5. Run _cdp-authorize.mjs — tri-state matcher returns one of:
-#        reason=clicked                  → button matched + clicked
-#        reason=cert-already-installed   → Success modal detected
-#        reason=authorize-button-not-found → loud failure, exit 1
-#      (a)+(b) drop into the cert-pem poll; (c) bubbles up.
-#   6. Wait for ~/.cloudflared/cert.pem to land with bounded timeout.
-#   7. Move cert.pem into the brand-scoped path.
+#   2. Extract the authorize URL with a tolerant regex as it streams.
+#   3. The instant the URL is extracted, mechanically open it on the Pi
+#      VNC chromium via `DISPLAY=${DISPLAY:-:99} /usr/bin/chromium <url> &`.
+#      Fire-and-forget — chromium is already running with CDP enabled at
+#      :9222, so the invocation IPCs the URL into the running instance as
+#      a new tab. The spawn is intentionally NOT tracked in the EXIT trap:
+#      it is a sibling open, not a child of cloudflared, and an orphaned
+#      late-arriving tab is harmless. Replaces cloudflared's own optimistic
+#      xdg-open which does not reliably target VNC :99 in this environment.
+#   4. Emit `step=browser-spawn` and `step=browser-drive mode=operator-click`
+#      so the stream log records the surface state.
+#   5. Wait for ~/.cloudflared/cert.pem to land (180 s budget — operator
+#      must click the zone row + Authorize on VNC).
+#   6. Move cert.pem into the brand-scoped path.
 #
-# Every failure branch exits 1 loudly naming the cause — no silent retries,
-# no xdg-open race, no cloudflared-internal browser-spawn path.
+# No CDP auto-click. No DOM matcher. No consent-page driver of any kind.
+# Every failure branch exits 1 loudly naming the cause.
 # --------------------------------------------------------------------------
 
 # Pre-flight cert-promotion (Task 855). When ${CFG_DIR}/cert.pem is missing
@@ -131,20 +140,6 @@ fi
 if [ ! -f "${CFG_DIR}/cert.pem" ]; then
   phase_line setup-tunnel step=oauth-login cert_path="${CFG_DIR}/cert.pem" display="${DISPLAY:-:99}"
 
-  # CDP precheck — if Chromium DevTools is answering, we'll drive the
-  # Authorize click for the operator. If it isn't (action runner on a
-  # device without VNC — Task 664), we fall back to the ActionLogPanel
-  # URL-to-button flow: extract the URL, emit it as `OAUTH_URL: <url>`,
-  # and wait for cert.pem to land from the operator's own browser click.
-  CDP_AVAILABLE=1
-  if ! curl -sf --max-time 2 "http://127.0.0.1:9222/json/version" > /dev/null 2>&1; then
-    phase_line setup-tunnel step=oauth-login cdp=unavailable \
-      endpoint=http://127.0.0.1:9222 mode=operator-browser-fallback
-    CDP_AVAILABLE=0
-  else
-    phase_line setup-tunnel step=oauth-login cdp=ok
-  fi
-
   URL_FILE="$(mktemp -t maxy-setup-tunnel-url.XXXXXX)"
   LAST_LINE_FILE="$(mktemp -t maxy-setup-tunnel-last.XXXXXX)"
   : > "${URL_FILE}"
@@ -210,154 +205,38 @@ if [ ! -f "${CFG_DIR}/cert.pem" ]; then
   phase_line setup-tunnel step=browser-drive url_extracted=1
 
   # Emit the URL on stdout in a shape ActionLogPanel's regex captures.
-  # Structured-looking enough to route to the "Authorise in Cloudflare"
-  # button on Task 664's admin surface without interfering with the
-  # existing cloudflared-line extraction (which scans the same URL on
-  # stderr from the line above). Emitted before CDP so the button is
-  # available even when CDP succeeds — same-URL clicks are idempotent.
+  # The button is a redundant re-spawn fallback — by the time the chat-side
+  # ActionLogPanel renders, the page is already on the Pi VNC chromium per
+  # the spawn below. Button click POSTs to /api/admin/device-browser/navigate
+  # to re-target the same URL on the VNC; same end-effect as this spawn.
   printf 'OAUTH_URL: %s\n' "${AUTH_URL}"
 
-  # If CDP isn't available on this device, skip the auto-click branch
-  # and fall through to the cert.pem poll. The operator's own browser
-  # click (via ActionLogPanel's button) hits the same webhook; the
-  # callback writes ~/.cloudflared/cert.pem the moment consent lands,
-  # and the existing LOGIN_TIMEOUT loop below picks it up.
-  if [ "${CDP_AVAILABLE}" -eq 0 ]; then
-    phase_line setup-tunnel step=browser-drive mode=operator-click url="${AUTH_URL}"
-  else
-  # Drive CDP. Same PUT /json/new?<url> contract as
-  # platform/ui/app/lib/cdp-client.ts (which uses encodeURIComponent on
-  # the URL). Without percent-encoding, CDP's URL parser splits on the
-  # inner `?` and `&` in the argotunnel URL and drops the callback/token
-  # query params — Chromium lands on a bare argotunnel page and the
-  # consent screen is never reached. `jq -sRr @uri` percent-encodes a raw
-  # string, matching the TS client exactly.
-  AUTH_URL_ENC="$(printf '%s' "${AUTH_URL}" | jq -sRr @uri)"
-  CDP_RESP="$(curl -sf --max-time 5 -X PUT "http://127.0.0.1:9222/json/new?${AUTH_URL_ENC}" 2>&1 || true)"
-  if [ -z "${CDP_RESP}" ]; then
-    kill "${CF_PIPELINE_PID}" 2>/dev/null || true
-    phase_line setup-tunnel step=browser-drive result=error reason=cdp-put-failed
-    echo "ERROR: CDP PUT /json/new?<url> returned empty — Chromium rejected the navigate." >&2
-    exit 1
-  fi
-  # Extract the CDP target id so _cdp-authorize.mjs can open a debugger
-  # WebSocket against the correct tab. The PUT response is a JSON object
-  # describing the newly-created target; `.id` is the only stable field
-  # across Chromium versions that works for `/json/list` lookup.
-  CDP_TARGET_ID="$(printf '%s' "${CDP_RESP}" | jq -r '.id // empty' 2>/dev/null || true)"
-  if [ -z "${CDP_TARGET_ID}" ]; then
-    kill "${CF_PIPELINE_PID}" 2>/dev/null || true
-    phase_line setup-tunnel step=browser-drive result=error reason=cdp-target-id-missing \
-      resp_head="$(printf '%s' "${CDP_RESP}" | head -c 200)"
-    echo "ERROR: CDP PUT /json/new?<url> returned a body without an .id field — Chromium protocol drift?" >&2
-    exit 1
-  fi
-  phase_line setup-tunnel step=browser-drive result=accepted target_id="${CDP_TARGET_ID}"
-
-  # Task 588: drive the Authorize click via CDP WebSocket instead of waiting
-  # for a human. The helper shares a directory with this script; same
-  # readlink-resolve pattern as _stream-log.sh so the symlink install path
-  # (packages/create-maxy installs ~/setup-tunnel.sh as a symlink) doesn't
-  # point dirname at $HOME.
-  AUTH_HELPER="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")/_cdp-authorize.mjs"
-  if [ ! -x "${AUTH_HELPER}" ]; then
-    kill "${CF_PIPELINE_PID}" 2>/dev/null || true
-    phase_line setup-tunnel step=browser-drive result=error reason=cdp-helper-missing \
-      path="${AUTH_HELPER}"
-    echo "ERROR: _cdp-authorize.mjs helper missing or not executable at ${AUTH_HELPER}" >&2
-    exit 1
-  fi
-  # tee_subprocess_capture pipes the helper's `cdp-authorize result=…` line
-  # into the stream log under the setup-tunnel:cdp-click tag (live-tailable)
-  # AND through this shell's stdout so the wrapper can capture it for the
-  # tri-state reason discriminator (Task 855). The helper writes exactly
-  # one such line per invocation and exits; the shape is its contract:
-  #   `cdp-authorize result=<ok|error> reason=<token> [k=v …]`.
-  # The wrapper's awk takes the LAST `cdp-authorize result=ok ` line so that
-  # any future emit() additions cannot mis-route the discriminator — the
-  # success line is always the last one before exit.
-  HELPER_OUT="$(mktemp -t maxy-cdp-authorize-out.XXXXXX)"
-  if tee_subprocess_capture setup-tunnel:cdp-click -- \
-      node "${AUTH_HELPER}" "${CDP_TARGET_ID}" \
-      > "${HELPER_OUT}"; then
-    HELPER_REASON="$(awk '/^cdp-authorize result=ok / {m=$0} END {if (m) {match(m, /reason=[a-z0-9-]+/); print substr(m, RSTART+7, RLENGTH-7)}}' "${HELPER_OUT}")"
-    rm -f "${HELPER_OUT}"
-    case "${HELPER_REASON}" in
-      clicked)
-        phase_line setup-tunnel step=browser-drive result=ok \
-          reason=clicked target_id="${CDP_TARGET_ID}"
-        ;;
-      cert-already-installed)
-        # The dashboard rendered the Success modal — the bound account
-        # already has a cert. The OAuth callback URL was exercised by this
-        # navigation, so the in-flight cloudflared subprocess receives the
-        # idempotent callback and writes ~/.cloudflared/cert.pem; the poll
-        # below picks it up.
-        phase_line setup-tunnel step=browser-drive result=ok \
-          reason=cert-already-installed target_id="${CDP_TARGET_ID}"
-        ;;
-      *)
-        # Helper exited 0 but emitted a reason this wrapper does not
-        # recognise — protocol drift between helper and wrapper. Loud-fail
-        # rather than silently fall through to the cert-poll, which would
-        # mask the cause if the cert never lands.
-        kill "${CF_PIPELINE_PID}" 2>/dev/null || true
-        phase_line setup-tunnel step=browser-drive result=error \
-          reason=helper-unknown-success-reason raw="${HELPER_REASON:-empty}"
-        echo "ERROR: CDP helper exited 0 with unrecognised reason: ${HELPER_REASON:-empty}" >&2
-        echo "       Expected reason=clicked or reason=cert-already-installed." >&2
-        echo "       Helper / wrapper protocol drift — investigate stream log." >&2
-        exit 1
-        ;;
-    esac
-  else
-    CLICK_RC=$?
-    rm -f "${HELPER_OUT}"
-    kill "${CF_PIPELINE_PID}" 2>/dev/null || true
-    # Helper exit codes (mapped 1:1 to reason= so stream-log grep is precise;
-    # a catch-all reason would defeat the observability contract):
-    #   1 = authorize-button-not-found (loud — neither button nor success
-    #       modal matched before BUTTON_POLL_TIMEOUT_MS; the form surfaces
-    #       a verbatim quote of references/dashboard-guide.md "Authorise a
-    #       new tunnel" so the operator can recover without SSH).
-    #   2 = cdp-ws-unreachable, 3 = target-not-found, 4 = click-evaluate-threw,
-    #   5 = protocol-error. All are final — no retry, no silent fallback.
-    case "${CLICK_RC}" in
-      1) CLICK_REASON=authorize-button-not-found ;;
-      2) CLICK_REASON=cdp-ws-unreachable ;;
-      3) CLICK_REASON=target-not-found ;;
-      4) CLICK_REASON=click-evaluate-threw ;;
-      5) CLICK_REASON=protocol-error ;;
-      *) CLICK_REASON="unknown-exit-${CLICK_RC}" ;;
-    esac
-    phase_line setup-tunnel step=browser-drive result=error \
-      reason="${CLICK_REASON}" click_rc="${CLICK_RC}"
-    echo "ERROR: CDP-driven Authorize click failed (helper exit=${CLICK_RC}, reason=${CLICK_REASON})." >&2
-    if [ "${CLICK_REASON}" = "authorize-button-not-found" ]; then
-      echo "       The dashboard did not present an Authorize button or a Success modal." >&2
-      echo "       The form will surface the dashboard click-path for manual recovery." >&2
-    else
-      echo "       The CDP helper failed before reaching a terminal page state." >&2
-      echo "       Re-run setup — or run ~/reset-tunnel.sh first if state is corrupt." >&2
-    fi
-    exit 1
-  fi
-  fi  # end CDP-available branch (Task 664)
+  # Mechanically open the URL on the Pi VNC chromium (Task 858). Chromium
+  # is already running on :99 with CDP enabled (vnc.sh start_chrome at boot);
+  # invoking `/usr/bin/chromium <url>` against a running instance IPCs the
+  # URL into it as a new tab. Fire-and-forget — the spawn is intentionally
+  # NOT tracked in cleanup_oauth's EXIT trap because it is a sibling open,
+  # not a child of cloudflared, and an orphaned late-arriving tab is harmless.
+  # Replaces cloudflared's own optimistic xdg-open, which does not reliably
+  # target VNC :99 in this environment.
+  #
+  # Binary path: /usr/bin/chromium is the canonical runtime binary on every
+  # supported distro (Bookworm + Noble — see vnc.sh and packages/create-maxy/
+  # src/apt-resolve.ts). The Ubuntu transitional `chromium-browser` does not
+  # exist on Bookworm Pis, so using the absolute path is the only spelling
+  # that survives both distros.
+  DISPLAY="${DISPLAY:-:99}" /usr/bin/chromium "${AUTH_URL}" >/dev/null 2>&1 &
+  phase_line setup-tunnel step=browser-spawn result=ok \
+    display="${DISPLAY:-:99}" url_extracted=1
+  phase_line setup-tunnel step=browser-drive mode=operator-click url="${AUTH_URL}"
 
   # Wait for cert.pem to land — cloudflared writes to ~/.cloudflared/cert.pem
-  # regardless of --origincert, so watch the canonical location. Task 588
-  # collapses the pre-click 180 s human-latency window to a 20 s deterministic
-  # round-trip window (Cloudflare → cloudflared webhook after consent). The
-  # 2-second heartbeat inside the loop is the observability contract for
-  # this bounded wait — no form-spawned script is allowed a silent poll of
-  # more than ~2 s per criterion 3 of Task 588.
-  # Task 664: operator-click path (no CDP) needs a human-paced window;
-  # CDP auto-click stays on the 20s round-trip budget.
-  if [ "${CDP_AVAILABLE}" -eq 0 ]; then
-    LOGIN_TIMEOUT="${SETUP_TUNNEL_LOGIN_TIMEOUT:-180}"
-  else
-    LOGIN_TIMEOUT="${SETUP_TUNNEL_LOGIN_TIMEOUT:-20}"
-  fi
+  # regardless of --origincert, so watch the canonical location. The wait is
+  # human-paced: the operator must click the zone row + Authorize on the VNC.
+  # 180 s default budget; SETUP_TUNNEL_LOGIN_TIMEOUT overrides for testing.
+  # The 2-second heartbeat inside the loop is the observability contract —
+  # no form-spawned script is allowed a silent poll of more than ~2 s.
+  LOGIN_TIMEOUT="${SETUP_TUNNEL_LOGIN_TIMEOUT:-180}"
   LOGIN_WAIT=0
   while [ ! -f "${HOME}/.cloudflared/cert.pem" ]; do
     if ! kill -0 "${CF_PIPELINE_PID}" 2>/dev/null; then

package/payload/platform/plugins/cloudflare/skills/setup-tunnel/SKILL.md

@@ -22,7 +22,7 @@ Any Cloudflare action outside these four surfaces is a discipline violation —
 
 Use this when the operator wants Cloudflare set up (or re-set up) end-to-end on the device. The script handles OAuth login, tunnel creation, DNS routing for each subdomain, config.yml + tunnel.state, and dispatches the `${BRAND}.service` restart to a transient `systemd-run` unit (Task 558) — all in one invocation. The restart fires a few seconds after the script exits so the script does not kill its own cgroup when invoked via the Bash tool; the chat UI receives a `server_shutdown` SSE frame and reconnects automatically. Post-restart hostname verification is out of scope for the script (connector is not up when the script exits) — verify via the next admin turn or manually with `curl -I https://<hostname>`. Apex hostnames cannot be routed by the CLI; when one is passed, the script prints an `ACTION REQUIRED` block naming the exact dashboard record to edit.
 
-Step 1's OAuth flow is a state machine over three observable variables: the brand-scoped cert path (`${CFG_DIR}/cert.pem`), the OAuth-default cert path (`~/.cloudflared/cert.pem`), and the consent-page DOM via the CDP helper `_cdp-authorize.mjs` (Task 855). When the brand-scoped cert is missing but the default-path cert is present from any prior partial run, the wrapper promotes it (`mv`) and emits `step=oauth-login result=ok reason=cert-promoted-from-default-path` without re-spawning cloudflared. When both are missing, the helper polls `dash.cloudflare.com/argotunnel` and resolves to one of three terminal outcomes — `reason=clicked` (button matched and clicked), `reason=cert-already-installed` (Success modal text detected — the bound account already has a cert, callback is idempotent so the in-flight cloudflared subprocess writes the cert anyway), or `reason=authorize-button-not-found` (neither anchor matched; loud failure, exit 1). The first two paths drop into the existing brand-scoped cert poll; the third surfaces a remediation card in the form so the operator can complete the consent click in their own browser without SSH or `~/reset-tunnel.sh`.
+Step 1's OAuth flow is a state machine over two observable variables: the brand-scoped cert path (`${CFG_DIR}/cert.pem`) and the OAuth-default cert path (`~/.cloudflared/cert.pem`). When the brand-scoped cert is missing but the default-path cert is present from any prior partial run, the wrapper promotes it (`mv`) and emits `step=oauth-login result=ok reason=cert-promoted-from-default-path` without re-spawning cloudflared. When both are missing, the wrapper spawns `cloudflared tunnel login`, extracts the argotunnel URL from its stdout, and the instant the URL surfaces, mechanically opens it on the Pi's VNC chromium (`DISPLAY=${DISPLAY:-:99} /usr/bin/chromium <url> &`) — emitting `step=browser-spawn result=ok` and `step=browser-drive mode=operator-click`. The operator clicks the zone row + Authorize on the VNC; cloudflared's callback writes `~/.cloudflared/cert.pem`; the wrapper's cert-poll (180 s budget) picks it up and `mv`s it to the brand-scoped path. There is no CDP auto-click, no DOM matcher, no consent-page driver — the wrapper's job is to faithfully relay `cloudflared tunnel login`, never to layer automation on top (Task 858, doctrine `feedback_wrappers_faithfully_relay_third_party_cli`).
 
 ### How inputs reach the script
 
@@ -52,7 +52,7 @@ The agent does not invoke the script directly during onboarding — the endpoint
 
 The endpoint returns `{ ok: false, field: "script", message, output }` and the form surfaces the error inline. Relay the output to the user, name the exit code, and cite `references/reset-guide.md` for the next action. Offer to re-render the form after any manual steps the script's error output named. Do not attempt a second invocation outside the form, a Playwright-driven dashboard inspection, or an alternative `cloudflared` command sequence. The discipline rule below applies.
 
-When the failure reason is `authorize-button-not-found` (Task 855), the form renders a verbatim quote of `references/dashboard-guide.md` § "Authorise a new tunnel (pick the right zone)" alongside a "Try again" button — the operator completes the consent click in their own browser, then re-submits the same form. No agent action is required; relay the form's chat acknowledgement when it arrives. Do not suggest `~/reset-tunnel.sh` for this reason — the cert path is intact and a fresh consent click is the only remediation needed.
+When the failure reason is `timeout-waiting-cert` (Task 858 — operator did not click Authorize within the 180 s budget), the form surfaces the timeout and the operator can re-submit. The page is still on the Pi VNC; the operator can click Authorize there and the next form submit will complete via the cert-promotion pre-flight (the cert lands in `~/.cloudflared/cert.pem` after consent, and the wrapper's `mv` runs on the next invocation). Do not suggest `~/reset-tunnel.sh` — the cert path is intact and a fresh attempt is the only remediation needed.
 
 ---
 

package/payload/platform/plugins/whatsapp/PLUGIN.md

@@ -35,7 +35,7 @@ Activate when the user asks about WhatsApp — connecting, linking, checking sta
 
 ## Conversation Browsing
 
-Three tools for reading WhatsApp conversation context. Messages come from the in-memory store — they accumulate while the server is running and clear on restart.
+Three tools for reading WhatsApp conversation context. Messages come from the in-memory ring buffer (recent inbound, ~500 per JID, ephemeral). The graph carries the durable record — see "Live persistence" below.
 
 | Tool | Returns |
 |------|---------|
@@ -43,7 +43,9 @@ Three tools for reading WhatsApp conversation context. Messages come from the in
 | `whatsapp-messages` | Stored messages for a specific JID — sender, body, timestamp, reply context. Supports optional `limit` for most recent N messages |
 | `whatsapp-group-info` | Group metadata from WhatsApp servers — subject, description, participants with admin flags, creation date. Requires active connection |
 
-**Limitations:** In-memory only (Phase 0). Store clears on server restart. Inbound messages only — outbound messages sent by the agent are not stored.
+## Live persistence (Task 857)
+
+Every `messages.upsert` event (both `notify` and `append`, both `fromMe` directions) writes a `:Message:WhatsAppMessage` row to Neo4j attached to the sessionKey-keyed `:Conversation`. A single capture site at `platform/ui/app/lib/whatsapp/manager.ts` covers inbound, outbound (Baileys echoes agent-sent messages back through `messages.upsert` with `fromMe=true`), and owner-mirror — without touching `outbound/send.ts`. `messageId` namespace is `whatsapp-live:<accountId>:<remoteJid>:<msg.key.id>`, collision-free with the `whatsapp-export:` namespace used by the offline `whatsapp-import` plugin. Persist failures are loud (`[whatsapp-persist] FAIL …`) and never block dispatch — silent loss is the worse failure mode.
 
 ## Skills