@rubytech/create-maxy 1.0.881 → 1.0.884

package/payload/server/chunk-ECAQVMRA.js

@@ -0,0 +1,759 @@
+import {
+  getSession
+} from "./chunk-DOIAYD3J.js";
+import {
+  __commonJS,
+  __toESM
+} from "./chunk-JSBRDJBE.js";
+
+// ../lib/graph-write/dist/audit.js
+var require_audit = __commonJS({
+  "../lib/graph-write/dist/audit.js"(exports) {
+    "use strict";
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.auditCypherWrite = auditCypherWrite;
+    exports.formatAuditLine = formatAuditLine;
+    var EDGE_PATTERN = /\[[^\]]*?:([A-Z_][A-Za-z0-9_]*(?:\|[A-Z_][A-Za-z0-9_]*)*)[^\]]*?\]/g;
+    var CREATE_OR_MERGE_NODE = /\b(?:CREATE|MERGE)\s*\(\s*[A-Za-z_][A-Za-z0-9_]*\s*:\s*[A-Z]/g;
+    var PROVENANCE_TOKEN = /\bcreatedBy(?:Agent|Tool|Session|Source)\b/g;
+    function stripStringLiterals(cypher) {
+      return cypher.replace(/'[^']*'|"[^"]*"/g, '""');
+    }
+    function extractEdgeTypes(cleaned) {
+      const out = /* @__PURE__ */ new Set();
+      for (const m of cleaned.matchAll(EDGE_PATTERN)) {
+        for (const t of m[1].split("|")) {
+          const clean = t.trim();
+          if (clean)
+            out.add(clean);
+        }
+      }
+      return out;
+    }
+    function countCreateOrMergeNodes(cleaned) {
+      const matches = cleaned.match(CREATE_OR_MERGE_NODE);
+      return matches ? matches.length : 0;
+    }
+    function countProvenanceStamps(cleaned) {
+      const matches = cleaned.match(PROVENANCE_TOKEN);
+      return matches ? matches.length : 0;
+    }
+    function auditCypherWrite(input) {
+      const warnings = [];
+      const cleaned = stripStringLiterals(input.cypher);
+      const referencedTypes = extractEdgeTypes(cleaned);
+      for (const t of referencedTypes) {
+        if (!input.schema.relationshipTypes.has(t)) {
+          warnings.push({ kind: "unknown-type-warning", type: t });
+        }
+      }
+      if (input.nodesCreated > 0) {
+        const createOrMergeNodes = countCreateOrMergeNodes(cleaned);
+        if (createOrMergeNodes > 0) {
+          const stamps = countProvenanceStamps(cleaned);
+          if (stamps < createOrMergeNodes) {
+            warnings.push({
+              kind: "missing-provenance-warning",
+              created: createOrMergeNodes,
+              stamped: stamps
+            });
+          }
+        }
+      }
+      if (input.orphanIds.length > 0) {
+        warnings.push({ kind: "orphan-warning", orphanIds: input.orphanIds });
+      }
+      return warnings;
+    }
+    function formatAuditLine(line) {
+      const prefixField = `query="${line.cypherPrefix.replace(/"/g, "'")}"`;
+      switch (line.kind) {
+        case "accepted":
+          return `[graph-cypher-write] accepted ${prefixField} nodesCreated=${line.nodesCreated} relsCreated=${line.relsCreated} agentName=${line.agentName} sessionId=${line.sessionId}`;
+        case "orphan-warning":
+          return `[graph-cypher-write] orphan-warning ${prefixField} orphanIds=${line.orphanIds.join(",")}`;
+        case "unknown-type-warning":
+          return `[graph-cypher-write] unknown-type-warning ${prefixField} type=${line.type}`;
+        case "missing-provenance-warning":
+          return `[graph-cypher-write] missing-provenance-warning ${prefixField} created=${line.created} stamped=${line.stamped}`;
+      }
+    }
+  }
+});
+
+// ../lib/graph-write/dist/conversation-provenance.js
+var require_conversation_provenance = __commonJS({
+  "../lib/graph-write/dist/conversation-provenance.js"(exports) {
+    "use strict";
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.injectConversationProvenance = injectConversationProvenance;
+    var index_js_1 = require_dist();
+    async function injectConversationProvenance(params) {
+      const { session, relationships, accountId, writeLabels, conversationNodeId, logNamespace, tool } = params;
+      const original = [...relationships];
+      if (!writeLabels.some((l) => index_js_1.ACTION_PROVENANCE_LABELS.has(l)))
+        return original;
+      if (!conversationNodeId)
+        return original;
+      if (hasInboundProducedEdge(original))
+        return original;
+      let lookup;
+      try {
+        lookup = await session.run(`MATCH (n) WHERE elementId(n) = $id RETURN labels(n) AS labels, n.accountId AS accountId LIMIT 1`, { id: conversationNodeId });
+      } catch (err) {
+        process.stderr.write(`[${logNamespace}] [provenance-missing] tool=${tool} reason=driver-error message=${err instanceof Error ? err.message : String(err)} conversationNodeId=${conversationNodeId}
+`);
+        return original;
+      }
+      if (lookup.records.length === 0) {
+        process.stderr.write(`[${logNamespace}] [provenance-missing] tool=${tool} reason=node-not-found conversationNodeId=${conversationNodeId}
+`);
+        return original;
+      }
+      const labels = lookup.records[0].get("labels");
+      const sourceAccountId = lookup.records[0].get("accountId");
+      const sourceLabel = labels.find((l) => index_js_1.PROVENANCE_SOURCE_LABELS.has(l));
+      if (!sourceLabel) {
+        process.stderr.write(`[${logNamespace}] [provenance-missing] tool=${tool} reason=wrong-source-label labels=${labels.join(",")} conversationNodeId=${conversationNodeId}
+`);
+        return original;
+      }
+      if (sourceAccountId !== accountId) {
+        process.stderr.write(`[${logNamespace}] [provenance-missing] tool=${tool} reason=account-mismatch sourceAccountId=${sourceAccountId.slice(0, 8)} writeAccountId=${accountId.slice(0, 8)} conversationNodeId=${conversationNodeId}
+`);
+        return original;
+      }
+      process.stderr.write(`[${logNamespace}] [provenance-inject] tool=${tool} from=${sourceLabel}:${conversationNodeId}
+`);
+      return [
+        {
+          type: "PRODUCED",
+          direction: "incoming",
+          targetNodeId: conversationNodeId
+        },
+        ...original
+      ];
+    }
+    function hasInboundProducedEdge(relationships) {
+      return relationships.some((r) => r.type === "PRODUCED" && r.direction === "incoming");
+    }
+  }
+});
+
+// ../lib/graph-write/dist/index.js
+var require_dist = __commonJS({
+  "../lib/graph-write/dist/index.js"(exports) {
+    "use strict";
+    var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports && exports.__exportStar || function(m, exports2) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports2, p)) __createBinding(exports2, m, p);
+    };
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.PROVENANCE_SOURCE_LABELS = exports.ACTION_PROVENANCE_LABELS = void 0;
+    exports.stampCreatedBy = stampCreatedBy;
+    exports.writeNodeWithEdges = writeNodeWithEdges2;
+    __exportStar(require_audit(), exports);
+    __exportStar(require_conversation_provenance(), exports);
+    exports.ACTION_PROVENANCE_LABELS = /* @__PURE__ */ new Set([
+      "Person",
+      "UserProfile",
+      "AdminUser",
+      "Organization",
+      "LocalBusiness",
+      "CloudflareTunnel",
+      "CloudflareHostname"
+    ]);
+    exports.PROVENANCE_SOURCE_LABELS = /* @__PURE__ */ new Set([
+      "Task",
+      "Conversation",
+      "Message"
+    ]);
+    function requiresActionProvenance(labels) {
+      for (const label of labels) {
+        if (exports.ACTION_PROVENANCE_LABELS.has(label))
+          return true;
+      }
+      return false;
+    }
+    function findProvenanceCandidates(relationships) {
+      return relationships.filter((r) => r.type === "PRODUCED" && r.direction === "incoming");
+    }
+    function stampCreatedBy(props, createdBy) {
+      return {
+        ...props,
+        createdByAgent: createdBy.agent ?? "unknown",
+        createdBySession: createdBy.session ?? "unknown",
+        createdByTool: createdBy.tool ?? null,
+        createdBySource: createdBy.source ?? null
+      };
+    }
+    async function writeNodeWithEdges2(params) {
+      const { session, labels, props, relationships, createdBy } = params;
+      const agentLabel = createdBy.agent ?? createdBy.source ?? "unknown";
+      const labelCsv = labels.join(",");
+      const isSystemBootstrap = (createdBy.agent ?? "") === "system";
+      if (!isSystemBootstrap) {
+        const accountId = props.accountId;
+        const expectedAccountId = params.expectedAccountId ?? process.env.ACCOUNT_ID;
+        if (typeof accountId !== "string" || !expectedAccountId || accountId !== expectedAccountId) {
+          const slice = typeof accountId === "string" ? accountId.slice(0, 8) : "missing";
+          process.stderr.write(`[graph-write] reject reason=invalid-account-id accountId=${slice} writer=${agentLabel}
+`);
+          throw new Error(`Write doctrine violated: invalid-account-id (${slice}) \u2014 accountId must equal ACCOUNT_ID set by the spawning process. See .docs/neo4j.md "Account isolation invariant".`);
+        }
+      }
+      const reviewDigestActionTool = typeof props.actionTool === "string" && props.actionTool === "review-digest-compose";
+      if (labels.includes("ReviewAlert") || reviewDigestActionTool) {
+        const actionToolField = reviewDigestActionTool ? "review-digest-compose" : "n/a";
+        process.stderr.write(`[graph-write] reject reason=removed-feature labels=${labelCsv} actionTool=${actionToolField} agent=${agentLabel}
+`);
+        throw new Error("Write doctrine violated: review-detector feature removed (Task 884) \u2014 `:ReviewAlert` and `:Event {actionTool:'review-digest-compose'}` writes are not allowed.");
+      }
+      if (!relationships || relationships.length < 1) {
+        process.stderr.write(`[graph-write] reject reason=zero-relationships labels=${labelCsv} agent=${agentLabel}
+`);
+        throw new Error("Write doctrine violated: a node must be created with at least one relationship. See .docs/neo4j.md (Write doctrine).");
+      }
+      const labelStr = labels.map((l) => `\`${l.replace(/`/g, "")}\``).join(":");
+      const nodeProps = stampCreatedBy(props, createdBy);
+      return await session.executeWrite(async (tx) => {
+        const targetIds = relationships.map((r) => r.targetNodeId);
+        const check = await tx.run(`UNWIND $ids AS id MATCH (t) WHERE elementId(t) = id RETURN elementId(t) AS id, labels(t) AS labels`, { ids: targetIds });
+        const labelsByTarget = /* @__PURE__ */ new Map();
+        for (const rec of check.records) {
+          labelsByTarget.set(rec.get("id"), rec.get("labels"));
+        }
+        const found = labelsByTarget.size;
+        const uniqueRequested = new Set(targetIds).size;
+        if (found !== uniqueRequested) {
+          process.stderr.write(`[graph-write] reject reason=unresolved-target labels=${labelCsv} agent=${agentLabel} requested=${uniqueRequested} found=${found}
+`);
+          throw new Error(`Write doctrine violated: ${uniqueRequested - found} of ${uniqueRequested} relationship target(s) did not resolve (elementId mismatch). No node created.`);
+        }
+        let provenanceSourceId = null;
+        let provenanceSourceLabel = null;
+        if (requiresActionProvenance(labels) && (createdBy.agent ?? "") !== "system") {
+          const candidates = findProvenanceCandidates(relationships);
+          const matched = candidates.map((r) => {
+            const lbls = labelsByTarget.get(r.targetNodeId);
+            if (!Array.isArray(lbls))
+              return null;
+            const sourceLabel = lbls.find((l) => exports.PROVENANCE_SOURCE_LABELS.has(l));
+            return sourceLabel ? { rel: r, sourceLabel } : null;
+          }).filter((m) => m !== null);
+          if (matched.length === 0) {
+            process.stderr.write(`[graph-write] reject reason=missing-provenance labels=${labelCsv} agent=${agentLabel}
+`);
+            throw new Error(`missing-provenance: write to ${labelCsv} requires an inbound :PRODUCED edge from a :Task, :Conversation, or :Message (createdBy.agent='${agentLabel}'). Either pass producedByTaskId on the write (autonomous workflows: call task-create at the start of the flow and thread the returned taskId), or rely on the MCP wrapper's CONVERSATION_NODE_ID env-stamp injection (direct admin asks).`);
+          }
+          provenanceSourceId = matched[0].rel.targetNodeId;
+          provenanceSourceLabel = matched[0].sourceLabel;
+        }
+        let nodeRes;
+        try {
+          nodeRes = await tx.run(`CREATE (n:${labelStr} $props) RETURN elementId(n) AS nodeId, labels(n) AS nodeLabels`, { props: nodeProps });
+        } catch (err) {
+          const code = err?.code ?? "";
+          if (code === "Neo.ClientError.Schema.ConstraintValidationFailed" && labels.includes("UserProfile")) {
+            const accountIdProp = nodeProps.accountId;
+            const userIdProp = nodeProps.userId;
+            const acctSlice = typeof accountIdProp === "string" ? accountIdProp.slice(0, 8) : "unknown";
+            const userSlice = typeof userIdProp === "string" ? userIdProp.slice(0, 8) : "unknown";
+            process.stderr.write(`[graph-write] reject reason=user-profile-uniqueness-violation accountId=${acctSlice} userId=${userSlice} writer=${agentLabel}
+`);
+          }
+          throw err;
+        }
+        const nodeId = nodeRes.records[0].get("nodeId");
+        const nodeLabels = nodeRes.records[0].get("nodeLabels");
+        let edgesCreated = 0;
+        for (const rel of relationships) {
+          const type = rel.type.replace(/`/g, "");
+          const q = rel.direction === "outgoing" ? `MATCH (a), (b) WHERE elementId(a) = $from AND elementId(b) = $to CREATE (a)-[:\`${type}\`]->(b)` : `MATCH (a), (b) WHERE elementId(a) = $from AND elementId(b) = $to CREATE (b)-[:\`${type}\`]->(a)`;
+          const r = await tx.run(q, { from: nodeId, to: rel.targetNodeId });
+          const created = r.summary.counters.updates().relationshipsCreated;
+          if (created === 0) {
+            process.stderr.write(`[graph-write] reject reason=unresolved-target-on-create labels=${labelCsv} agent=${agentLabel} relType=${rel.type} targetId=${rel.targetNodeId}
+`);
+            throw new Error(`Write doctrine violated: relationship CREATE to target ${rel.targetNodeId} produced 0 edges (target likely deleted concurrently after pre-check). Transaction rolled back.`);
+          }
+          edgesCreated += created;
+        }
+        if (edgesCreated !== relationships.length) {
+          process.stderr.write(`[graph-write] reject reason=edge-count-mismatch labels=${labelCsv} agent=${agentLabel} requested=${relationships.length} created=${edgesCreated}
+`);
+          throw new Error(`Write doctrine violated: expected ${relationships.length} edges, created ${edgesCreated}. Transaction rolled back.`);
+        }
+        process.stderr.write(`[graph-write] accepted labels=${labelCsv} edges=${edgesCreated} createdByAgent=${createdBy.agent ?? "unknown"} createdByTool=${createdBy.tool ?? createdBy.source ?? "unknown"} producedBy=${provenanceSourceLabel ?? "none"}:${provenanceSourceId ?? "none"}
+`);
+        return { nodeId, labels: nodeLabels, edgesCreated };
+      });
+    }
+  }
+});
+
+// ../lib/task-secrets/dist/index.js
+var require_dist2 = __commonJS({
+  "../lib/task-secrets/dist/index.js"(exports) {
+    "use strict";
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.redactSecrets = redactSecrets2;
+    function redactSecrets2(payload, schema) {
+      if (!payload) {
+        return { redacted: {}, droppedFields: 0, droppedFieldNames: [] };
+      }
+      const secrets = new Set(schema?.secretFields ?? []);
+      const redacted = {};
+      const dropped = [];
+      for (const [key, value] of Object.entries(payload)) {
+        if (secrets.has(key)) {
+          dropped.push(key);
+          continue;
+        }
+        redacted[key] = value;
+      }
+      dropped.sort();
+      return { redacted, droppedFields: dropped.length, droppedFieldNames: dropped };
+    }
+  }
+});
+
+// app/lib/cloudflare-task-tracker.ts
+import { readFileSync, existsSync } from "fs";
+import { randomUUID } from "crypto";
+var import_dist = __toESM(require_dist(), 1);
+var import_dist2 = __toESM(require_dist2(), 1);
+var CREATED_BY_AGENT = "cloudflare-setup-endpoint";
+var TASK_KIND = "cloudflare-tunnel-login";
+async function openCloudflareTask(params) {
+  const { accountId, conversationId, inputsProvided, inputs, inputSchema, messageId } = params;
+  const taskId = randomUUID();
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const session = getSession();
+  try {
+    const conv = await session.run(
+      `MATCH (c:Conversation {conversationId: $conversationId, accountId: $accountId}) RETURN elementId(c) AS id LIMIT 1`,
+      { conversationId, accountId }
+    );
+    if (conv.records.length === 0) {
+      throw new Error(
+        `cloudflare-task-tracker: conversationId=${conversationId.slice(0, 8)} has no :Conversation node \u2014 invariant violated, ensureConversation missed at session boot`
+      );
+    }
+    const conversationElementId = conv.records[0].get("id");
+    let messageElementId = null;
+    let raisedDuringTag = `raisedDuringConversation=${conversationId.slice(0, 8)}`;
+    if (messageId) {
+      const msgRow = await session.run(
+        `MATCH (m:Message {messageId: $messageId, accountId: $accountId, conversationId: $conversationId}) RETURN elementId(m) AS id LIMIT 1`,
+        { messageId, accountId, conversationId }
+      );
+      if (msgRow.records.length > 0) {
+        messageElementId = msgRow.records[0].get("id");
+        raisedDuringTag = `raisedDuringMessage=${messageId.slice(0, 8)}`;
+      }
+    }
+    const adminLabelStr = typeof inputs?.adminLabel === "string" ? inputs.adminLabel : "?";
+    const adminDomainStr = typeof inputs?.adminDomain === "string" ? inputs.adminDomain : "?";
+    const publicLabelStr = typeof inputs?.publicLabel === "string" ? inputs.publicLabel : "";
+    const publicDomainStr = typeof inputs?.publicDomain === "string" ? inputs.publicDomain : "";
+    const publicSegment = publicDomainStr ? `, public=${publicLabelStr}.${publicDomainStr}` : "";
+    const description = `Cloudflare setup for admin=${adminLabelStr}.${adminDomainStr}${publicSegment}`;
+    const props = {
+      taskId,
+      accountId,
+      name: "Cloudflare tunnel login + setup",
+      description,
+      status: "running",
+      priority: "normal",
+      kind: TASK_KIND,
+      inputsProvided,
+      startedAt: now,
+      createdAt: now,
+      updatedAt: now
+    };
+    if (inputs) {
+      if (!inputSchema) {
+        process.stderr.write(
+          `[task] redact-no-schema kind=${TASK_KIND} taskId=${taskId} fieldsCount=${Object.keys(inputs).length}
+`
+        );
+      }
+      const { redacted, droppedFields, droppedFieldNames } = (0, import_dist2.redactSecrets)(inputs, inputSchema);
+      for (const [key, value] of Object.entries(redacted)) {
+        if (value === void 0 || value === null || value === "") continue;
+        props[`inputs.${key}`] = value;
+      }
+      if (droppedFields > 0) {
+        process.stderr.write(
+          `[task] redacted kind=${TASK_KIND} taskId=${taskId} droppedFields=${droppedFields} fields=${droppedFieldNames.join(",")}
+`
+        );
+      }
+    }
+    const relationships = [
+      {
+        type: "RAISED_DURING",
+        direction: "outgoing",
+        targetNodeId: messageElementId ?? conversationElementId
+      }
+    ];
+    const result = await (0, import_dist.writeNodeWithEdges)({
+      session,
+      labels: ["Task"],
+      props,
+      relationships,
+      createdBy: {
+        agent: CREATED_BY_AGENT,
+        session: conversationId,
+        tool: "cloudflare-setup-endpoint"
+      }
+    });
+    process.stderr.write(
+      `[task] action-start kind=${TASK_KIND} taskId=${taskId} ${raisedDuringTag}
+`
+    );
+    return { taskId, taskElementId: result.nodeId };
+  } finally {
+    await session.close();
+  }
+}
+async function appendCloudflareSteps(taskId, accountId, streamLogPath) {
+  if (!existsSync(streamLogPath)) return [];
+  let content;
+  try {
+    content = readFileSync(streamLogPath, "utf-8");
+  } catch {
+    return [];
+  }
+  const steps = [];
+  for (const line of content.split(/\r?\n/)) {
+    const m = line.match(/\bphase_line\s+setup-tunnel\s+step=(\S+)/);
+    if (m) steps.push(m[1]);
+  }
+  if (steps.length === 0) return [];
+  const session = getSession();
+  try {
+    await session.run(
+      `MATCH (t:Task {taskId: $taskId, accountId: $accountId})
+       SET t.steps = coalesce(t.steps, []) + $steps,
+           t.updatedAt = $updatedAt`,
+      { taskId, accountId, steps, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }
+    );
+    for (const step of steps) {
+      process.stderr.write(
+        `[task] action-step kind=${TASK_KIND} taskId=${taskId} step=${step}
+`
+      );
+    }
+    return steps;
+  } finally {
+    await session.close();
+  }
+}
+async function completeCloudflareTask(params) {
+  const { taskId, taskElementId, accountId, conversationId, tunnelId, tunnelName, hostnames, status, errorMessage } = params;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  if (status === "failed" && (!errorMessage || errorMessage.trim().length === 0)) {
+    throw new Error(
+      "cloudflare-task-tracker: errorMessage is required when status='failed' (Task 885 process-provenance contract)."
+    );
+  }
+  const session = getSession();
+  try {
+    if (status === "completed" && tunnelId && tunnelName) {
+      const conv = await session.run(
+        `MATCH (c:Conversation {conversationId: $conversationId, accountId: $accountId}) RETURN elementId(c) AS id LIMIT 1`,
+        { conversationId, accountId }
+      );
+      const conversationElementId = conv.records.length > 0 ? conv.records[0].get("id") : null;
+      const tunnelProps = {
+        accountId,
+        tunnelId,
+        tunnelName,
+        createdAt: now,
+        updatedAt: now
+      };
+      const tunnelRels = [
+        { type: "PRODUCED", direction: "incoming", targetNodeId: taskElementId }
+      ];
+      if (conversationElementId) {
+        tunnelRels.push({
+          type: "RAISED_DURING",
+          direction: "outgoing",
+          targetNodeId: conversationElementId
+        });
+      }
+      const tunnelWrite = await (0, import_dist.writeNodeWithEdges)({
+        session,
+        labels: ["CloudflareTunnel"],
+        props: tunnelProps,
+        relationships: tunnelRels,
+        createdBy: {
+          agent: CREATED_BY_AGENT,
+          session: conversationId,
+          tool: "cloudflare-setup-endpoint"
+        }
+      });
+      for (const h of hostnames ?? []) {
+        const hostRels = [
+          { type: "PRODUCED", direction: "incoming", targetNodeId: taskElementId },
+          {
+            type: "ROUTES_TO",
+            direction: "outgoing",
+            targetNodeId: tunnelWrite.nodeId
+          }
+        ];
+        await (0, import_dist.writeNodeWithEdges)({
+          session,
+          labels: ["CloudflareHostname"],
+          props: {
+            accountId,
+            hostnameValue: h.hostnameValue,
+            tunnelId,
+            isApex: h.isApex,
+            createdAt: now,
+            updatedAt: now
+          },
+          relationships: hostRels,
+          createdBy: {
+            agent: CREATED_BY_AGENT,
+            session: conversationId,
+            tool: "cloudflare-setup-endpoint"
+          }
+        });
+      }
+    }
+    const setClauses = [
+      "t.status = $status",
+      "t.completedAt = $now",
+      "t.updatedAt = $now"
+    ];
+    const queryParams = { taskId, accountId, status, now };
+    if (status === "failed" && errorMessage) {
+      setClauses.push("t.errorMessage = $errorMessage");
+      queryParams.errorMessage = errorMessage;
+    }
+    if (status === "completed") {
+      setClauses.push("t.errorMessage = null");
+      if (tunnelId) {
+        setClauses.push("t.tunnelId = $tunnelId");
+        queryParams.tunnelId = tunnelId;
+      }
+      if (tunnelName) {
+        setClauses.push("t.tunnelName = $tunnelName");
+        queryParams.tunnelName = tunnelName;
+      }
+      if (hostnames && hostnames.length > 0) {
+        setClauses.push("t.hostnames = $hostnamesList");
+        queryParams.hostnamesList = hostnames.map((h) => h.hostnameValue);
+      }
+    }
+    const updateRes = await session.run(
+      `MATCH (t:Task {taskId: $taskId, accountId: $accountId})
+       SET ${setClauses.join(", ")}
+       RETURN size(coalesce(t.steps, [])) AS stepsCount, count(t) AS affected`,
+      queryParams
+    );
+    const stepsCount = updateRes.records[0]?.get("stepsCount")?.toNumber?.() ?? 0;
+    const affected = updateRes.records[0]?.get("affected")?.toNumber?.() ?? 0;
+    if (affected !== 1) {
+      throw new Error(
+        `cloudflare-task-tracker: completeCloudflareTask MATCH count=${affected} for taskId=${taskId} \u2014 Task missing or accountId mismatch`
+      );
+    }
+    process.stderr.write(
+      `[task] action-done kind=${TASK_KIND} taskId=${taskId} status=${status} stepsCount=${stepsCount}
+`
+    );
+  } finally {
+    await session.close();
+  }
+}
+async function findMostRecentTerminalCloudflareTask(accountId, conversationId) {
+  const session = getSession();
+  try {
+    const res = await session.run(
+      `MATCH (c:Conversation {conversationId: $conversationId, accountId: $accountId})<-[:RAISED_DURING]-(t:Task {kind: $kind})
+       WHERE t.status IN ['completed', 'failed'] AND t.completedAt IS NOT NULL
+       RETURN t.taskId AS taskId, t.status AS status, t.completedAt AS completedAt, t.errorMessage AS errorMessage
+       ORDER BY t.completedAt DESC LIMIT 1`,
+      { conversationId, accountId, kind: TASK_KIND }
+    );
+    if (res.records.length === 0) return null;
+    const row = res.records[0];
+    const taskId = row.get("taskId");
+    const status = row.get("status");
+    const completedAt = row.get("completedAt");
+    const errorMessage = row.get("errorMessage");
+    if (status !== "completed" && status !== "failed") return null;
+    return { taskId, outcome: status, completedAt, errorMessage };
+  } catch (err) {
+    process.stderr.write(
+      `[cf-task-tracker] findMostRecentTerminalCloudflareTask failed: ${err instanceof Error ? err.message : String(err)}
+`
+    );
+    return null;
+  } finally {
+    await session.close();
+  }
+}
+function readTunnelState(brandConfigDir) {
+  const statePath = `${process.env.HOME ?? ""}/${brandConfigDir}/cloudflared/tunnel.state`;
+  if (!existsSync(statePath)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync(statePath, "utf-8"));
+    const tunnelId = typeof parsed.tunnelId === "string" ? parsed.tunnelId : null;
+    const tunnelName = typeof parsed.tunnelName === "string" ? parsed.tunnelName : null;
+    const domain = typeof parsed.domain === "string" ? parsed.domain : null;
+    if (!tunnelId || !tunnelName || !domain) return null;
+    return { tunnelId, tunnelName, domain };
+  } catch {
+    return null;
+  }
+}
+var CLOUDFLARE_TASK_DIAGNOSTICS = {
+  scriptExitedNonzero: "script-exited-nonzero",
+  noTunnelStateOnDisk: "no-tunnel-state-on-disk",
+  endpointDiedPreReconcile: "endpoint-died-pre-reconcile"
+};
+function resolveUnitGoneVerdict(args) {
+  const { tunnelState, expected } = args;
+  const tunnelStateFound = tunnelState !== null;
+  const nameSet = typeof expected.tunnelName === "string" && expected.tunnelName.length > 0;
+  const idSet = typeof expected.tunnelId === "string" && expected.tunnelId.length > 0;
+  const identityMatch = tunnelState !== null && (nameSet && tunnelState.tunnelName === expected.tunnelName || idSet && tunnelState.tunnelId === expected.tunnelId);
+  if (tunnelStateFound && identityMatch) {
+    return { kind: "close-completed", tunnelStateFound: true, identityMatch: true };
+  }
+  return { kind: "close-failed", tunnelStateFound, identityMatch };
+}
+var RECONCILE_DELAY_BUDGET_MS = 9e4;
+var RECONCILE_HARD_AGE_MS = 60 * 60 * 1e3;
+async function recoverRunningCloudflareTasks(accountId, brandConfigDir, conversationIdForState) {
+  const session = getSession();
+  try {
+    const cutoff = new Date(Date.now() - RECONCILE_DELAY_BUDGET_MS).toISOString();
+    const stale = await session.run(
+      `MATCH (t:Task {accountId: $accountId, kind: $kind, status: 'running'})
+       WHERE t.startedAt < $cutoff
+       RETURN t.taskId AS taskId, elementId(t) AS taskElementId, t.startedAt AS startedAt
+       ORDER BY t.startedAt ASC`,
+      { accountId, kind: TASK_KIND, cutoff }
+    );
+    const tunnelState = readTunnelState(brandConfigDir);
+    const tunnelStateFound = tunnelState !== null;
+    const resolved = [];
+    for (const record of stale.records) {
+      const taskId = record.get("taskId");
+      const taskElementId = record.get("taskElementId");
+      const startedAt = record.get("startedAt");
+      const ageMs = Date.now() - new Date(startedAt).getTime();
+      try {
+        if (tunnelStateFound && tunnelState) {
+          const tunnelExistsRow = await session.run(
+            `MATCH (t:Task {taskId: $taskId, accountId: $accountId})-[:PRODUCED]->(tn:CloudflareTunnel {tunnelId: $tunnelId})
+             RETURN count(tn) AS existsCount`,
+            { taskId, accountId, tunnelId: tunnelState.tunnelId }
+          );
+          const existsCountRaw = tunnelExistsRow.records[0]?.get("existsCount");
+          const tunnelAlreadyExists = (typeof existsCountRaw === "number" ? existsCountRaw : existsCountRaw?.toNumber?.() ?? 0) > 0;
+          if (tunnelAlreadyExists) {
+            const now = (/* @__PURE__ */ new Date()).toISOString();
+            const closeRes = await session.run(
+              `MATCH (t:Task {taskId: $taskId, accountId: $accountId})
+               SET t.status = 'completed', t.completedAt = $now, t.updatedAt = $now,
+                   t.errorMessage = null,
+                   t.tunnelId = $tunnelId, t.tunnelName = $tunnelName
+               RETURN count(t) AS affected`,
+              { taskId, accountId, now, tunnelId: tunnelState.tunnelId, tunnelName: tunnelState.tunnelName }
+            );
+            const aff = closeRes.records[0]?.get("affected");
+            const affN = typeof aff === "number" ? aff : aff?.toNumber?.() ?? 0;
+            if (affN !== 1) {
+              throw new Error(`reconciler close-out MATCH count=${affN} for taskId=${taskId}`);
+            }
+            resolved.push({ taskId, resolution: "completed-existing-tunnel" });
+            process.stderr.write(
+              `[task] action-recover kind=${TASK_KIND} taskId=${taskId} age=${Math.round(ageMs / 1e3)}s tunnel-state-found=true tunnel-already-written=true resolution=completed
+`
+            );
+            continue;
+          }
+          const convRow = await session.run(
+            `MATCH (t:Task {taskId: $taskId, accountId: $accountId})-[:RAISED_DURING]->(target)
+             OPTIONAL MATCH (target)-[:PART_OF]->(c:Conversation)
+             RETURN coalesce(c.conversationId, target.conversationId) AS conversationId LIMIT 1`,
+            { taskId, accountId }
+          );
+          const resolvedConversationId = convRow.records[0]?.get("conversationId");
+          await completeCloudflareTask({
+            taskId,
+            taskElementId,
+            accountId,
+            // Empty string when the edge resolution found no Conversation
+            // (rare — would require a malformed Task with no RAISED_DURING).
+            // The live close-out will produce a Tunnel without provenance
+            // edges in that case; better than silently dropping the close-out.
+            conversationId: resolvedConversationId ?? conversationIdForState ?? "",
+            tunnelId: tunnelState.tunnelId,
+            tunnelName: tunnelState.tunnelName,
+            hostnames: void 0,
+            status: "completed"
+          });
+          resolved.push({ taskId, resolution: "completed" });
+          process.stderr.write(
+            `[task] action-recover kind=${TASK_KIND} taskId=${taskId} age=${Math.round(ageMs / 1e3)}s tunnel-state-found=true tunnel-already-written=false resolution=completed
+`
+          );
+        } else {
+          const diagnostic = ageMs > RECONCILE_HARD_AGE_MS ? CLOUDFLARE_TASK_DIAGNOSTICS.noTunnelStateOnDisk : CLOUDFLARE_TASK_DIAGNOSTICS.endpointDiedPreReconcile;
+          await completeCloudflareTask({
+            taskId,
+            taskElementId,
+            accountId,
+            conversationId: conversationIdForState ?? "",
+            status: "failed",
+            errorMessage: diagnostic
+          });
+          resolved.push({ taskId, resolution: `failed-${diagnostic}` });
+          process.stderr.write(
+            `[task] action-recover kind=${TASK_KIND} taskId=${taskId} age=${Math.round(ageMs / 1e3)}s tunnel-state-found=false resolution=failed errorMessage=${diagnostic}
+`
+          );
+        }
+      } catch (err) {
+        process.stderr.write(
+          `[task] action-recover kind=${TASK_KIND} taskId=${taskId} resolution=error reason="${err instanceof Error ? err.message : String(err)}"
+`
+        );
+      }
+    }
+    return { scanned: stale.records.length, resolved };
+  } finally {
+    await session.close();
+  }
+}
+
+export {
+  openCloudflareTask,
+  appendCloudflareSteps,
+  completeCloudflareTask,
+  findMostRecentTerminalCloudflareTask,
+  readTunnelState,
+  CLOUDFLARE_TASK_DIAGNOSTICS,
+  resolveUnitGoneVerdict,
+  recoverRunningCloudflareTasks
+};