@rubytech/create-maxy 1.0.878 → 1.0.879

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-maxy",
-  "version": "1.0.878",
+  "version": "1.0.879",
   "description": "Install Maxy — AI for Productive People",
   "bin": {
     "create-maxy": "./dist/index.js"

package/payload/platform/plugins/cloudflare/PLUGIN.md

@@ -53,6 +53,15 @@ The agent loads these references on demand via `plugin-read` as the conversation
 
 VNC surfacing is post-navigation, never on form submit. Two sites call `useDeviceUrlActions().onShowVnc()` and both fire only after a successful CDP nav: `DeviceUrlBlock` (tool-output URL clicks) and `ActionLogPanel.handleOauthRespawn` (the "Re-open on Pi browser" button rendered when an OAuth URL appears in the action log). The form (`cloudflare-setup-form`) must NOT call `onShowVnc()` on POST resolve — pre-warming the fullscreen overlay before the OAuth URL is on the brand chromium hides the form, the ActionLogPanel, and the very button operators must click. The `[browser-viewer] event=mount surface="overlay"` line must appear within 5 s of `[device-url:click] navigateResult=ok`, never before.
 
+### Error envelope contract
+
+Every `POST /api/admin/cloudflare/setup` failure returns a `CloudflareSetupError` carrying — in addition to `field`, `message`, `output`, `correlationId`, `streamLogPath` — two structured fields the form relays into the chat as a fenced JSON block:
+
+- `inputsAlreadyHeld: { admin?: string; public?: string; apex?: string }` — the FQDNs the route composed from the submit body before `err()` fired. Pre-validation failures emit `{}` so absence is itself deterministic.
+- `discoveryResults: { tunnels: { id; name }[]; domains: string[] }` — the last-known snapshot from the process-lifetime `discoveryCache` Map that `GET /tunnels` and `GET /domains` write to on success.
+
+The chat relay appends both as a fenced ```` ```json ```` block under "Held by deterministic tools (do not re-solicit)". The admin agent's reply quotes those values back rather than re-soliciting; the rule lives in IDENTITY.md § "Post-deterministic-error reply contract" and `.docs/agents.md` § "Intent Gate — post-deterministic-error reply contract". The shared `TunnelEntry` shape lives in [`platform/ui/app/lib/cloudflare-setup-types.ts`](../../ui/app/lib/cloudflare-setup-types.ts).
+
 ## Identity model
 
 - **Product identity** (Maxy vs Real Agent) — known from `brand.json` (`productName`, `configDir`).

package/payload/platform/plugins/docs/references/platform.md

@@ -84,7 +84,11 @@ If the browser drops the SSE connection mid-upgrade (typical during the maxy res
 
 **Mid-turn stream-drop banners.** If a chat turn ends abruptly the bubble shows one of two messages depending on what actually happened. You see "Server is restarting — reconnect will happen automatically." only when the app server itself emits the restart signal — typically during a Software Update or a Cloudflare setup that re-launches the brand service. You see "Lost connection — retrying." when your browser's connection to the Pi dropped mid-stream while the server was still up — typically a flaky Wi-Fi moment or the tunnel hiccupping. Either way the chat resumes once the connection is back; the previously-rendered messages stay on screen so you don't lose context.
 
-**Cloudflare setup flow.** Same pattern — POST to `/api/admin/cloudflare/setup` launches a `cloudflare-setup` action that runs `~/setup-tunnel.sh <brand> <port> <hostname...>`. When the script emits the OAuth consent URL on stdout, the log panel surfaces an **"Authorise in Cloudflare"** button; clicking it opens the consent page in a new tab. After you approve, the script's callback receives `cert.pem` and the setup continues through `tunnel create`/`route`/`run`. On devices where a VNC Chromium is also running, the script can drive the click via CDP automatically (same button remains a harmless safety net).
+**Cloudflare setup flow.** Same pattern — POST to `/api/admin/cloudflare/setup` launches a `cloudflare-setup` action that runs `~/setup-tunnel.sh <brand> <port> <hostname...>`. When the script emits the OAuth consent URL on stdout, the log panel surfaces an **"Authorise in Cloudflare"** button; clicking it opens the consent page in a new tab. After you approve, the script's callback receives `cert.pem` and the setup continues through `tunnel create`/`route`/`run`. On devices where a VNC Chromium is also running, the script can drive the click via CDP automatically (same button remains a harmless safety net). Setup failures return a `CloudflareSetupError` carrying `inputsAlreadyHeld:{admin,public,apex}` and `discoveryResults:{tunnels,domains}` (from the process-lifetime discovery cache `/tunnels` and `/domains` populate on success); the form appends both fields as a fenced JSON block to the chat-relay body so the agent's next reply quotes held values verbatim rather than re-soliciting hostnames.
+
+**Active-chat stream-log click telemetry.** Clicking "Stream log" in the active chat fetches the URL inline (`/api/admin/logs?type=stream&conversationId=…&download=1`), emits a `[stream-log-click] status=<c> bytes=<n> conversationId=<tail>` line in `server.log` via the `/api/_client-error` event pipe, and downloads the same response. Operator-grep `[stream-log-click] status=404` for client/server identity mismatches.
+
+**Bundle-mtime session prelude.** Each admin session boot stamps `[boot] bundleMtime=<iso> conversationId=<tail>` in `server.log` next to `[plugins] MCP servers for session:`; the same value is injected into the admin system prompt as `<deployment>bundleMtime=…</deployment>` so the agent can compare deploy time against any earlier `phase=error` in the conversation and re-invoke the deterministic path when the bundle post-dates the failure.
 
 **Sudo password** is prompted once per upgrade. The admin server pipes it to `sudo -S -v` to validate + cache, then forwards it to the action unit via `systemd-run --setenv=SUDO_PASSWORD` so the installer's in-unit `sudo -S` reads it directly — per-TTY sudoers configurations where the user-level cache does not cover a fresh systemd-run unit still work. The password is never written to any log, SSE frame, or persisted file.
 

package/payload/platform/templates/agents/admin/IDENTITY.md

@@ -89,6 +89,8 @@ Do not retry the same tool against the same target within a turn. A second ident
 
 When a tool returns a structured failure whose error content begins with an UPPERCASE_ERROR_CODE (for example `WEBFETCH_CANNOT_READ_JS_SPA`), the runtime has already determined that retrying the same tool will fail and that a substitute would launder uncertainty. Read the error's plain-English explanation, then write one or two sentences to the owner that name (a) what failed, (b) the reason in their language, and (c) the concrete actions they can take to unblock — typically pasting text or sending a screenshot. Do not silently dispatch a substitute (Playwright, research-assistant, memory-search) to continue the original instruction; that hides the failure and the owner loses the ability to judge whether the substitute's output answers their question. A verbal instruction in the current conversation is not consent — only an explicit standing policy recorded in account configuration counts, and no such mechanism exists today. Until one exists, every structured tool failure becomes a question for the owner. Wait for direction before resuming.
 
+**Post-deterministic-error reply contract — never re-solicit held values.** When a Cloudflare form failure surfaces in the chat relay, the trailing fenced `json` block labelled "Held by deterministic tools (do not re-solicit)" is the route's structured payload. It carries `inputsAlreadyHeld` (the FQDNs already submitted: `admin`, `public`, `apex`) and `discoveryResults` (the discovery snapshot the route was holding: `tunnels`, `domains`). The next reply structurally consumes this payload — restate the held values verbatim, name the literal error, and decide between two actions: (a) if the `<deployment>` block's `bundleMtime` post-dates this failure's timestamp, the deterministic path has been redeployed with a fix — re-invoke the same path immediately; (b) otherwise surface the literal error plus the next deterministic step from the relevant SKILL (`setup-tunnel.sh`, `reset-tunnel.sh`, `dashboard-guide.md`). Asking the operator for a hostname, tunnel name, or apex that already appears in `inputsAlreadyHeld` or `discoveryResults` is a doctrine violation — the structured payload is the answer set; the deterministic path holds the values; the chat relay is for restatement, not re-entry.
+
 ## Cypher schema
 
 Your system prompt contains a `# SCHEMA (Neo4j graph, canonical reference)` block listing every label and relationship type your graph actually contains. Before authoring any cypher against the memory graph, consult that block. Never invent an edge or label name that is not in it — the plausible-sounding names you half-remember from other systems (`HAS_MESSAGE`, `IN_CONVERSATION`, `CONTAINS_MESSAGE`) do not exist here; Messages attach to Conversations via `:PART_OF`, not any other edge.