@rubytech/create-maxy 1.0.884 → 1.0.886

package/payload/server/server.js

@@ -42,7 +42,8 @@ import {
   load,
   logPath,
   pickComponentBytes,
-  preflushSliceOf,
+  readBundleSubPlugins,
+  reconcileEnabledPlugins,
   recordFailedAttempt,
   render,
   renderLoginPage,
@@ -51,7 +52,6 @@ import {
   resolveAgentConfig,
   resolveBrowserTransport,
   resolveClientIp,
-  resolveConversationLogPaths,
   resolveDefaultAgentSlug,
   resolveEntitlement,
   resolveUserAccounts,
@@ -76,7 +76,7 @@ import {
   vncLog,
   waitForExit,
   writeChromiumWrapper
-} from "./chunk-5PQU2HW2.js";
+} from "./chunk-MOAY7KG2.js";
 import {
   CDP_PORT,
   COMMERCIAL_MODE,
@@ -90,6 +90,8 @@ import {
   clearSessionHistory,
   completeGrantSetup,
   consumeWantsPriorConversation,
+  emitMissingOnResolve,
+  fingerprintSessionKey,
   getAccountIdForSession,
   getActiveClient,
   getAgentNameForSession,
@@ -97,6 +99,7 @@ import {
   getGrantForSession,
   getGroupSlugForSession,
   getRoleForSession,
+  getSessionKeyByConversationId,
   getSessionMessages,
   getUserIdForSession,
   getUserNameForSession,
@@ -104,7 +107,6 @@ import {
   interruptClient,
   listAdminSessionsInProgress,
   mintAdminSessionToken,
-  preConversationLogStream,
   registerGrantSession,
   registerResumedSession,
   registerSession,
@@ -115,7 +117,7 @@ import {
   sigtermFlushStreamLogs,
   unregisterSession,
   validateSession
-} from "./chunk-2INJCOYG.js";
+} from "./chunk-IFMZ5I3E.js";
 import {
   CLOUDFLARE_TASK_DIAGNOSTICS,
   appendCloudflareSteps,
@@ -662,8 +664,8 @@ var serveStatic = (options = { root: "" }) => {
 };
 
 // server/index.ts
-import { readFileSync as readFileSync18, existsSync as existsSync23, watchFile } from "fs";
-import { resolve as resolve21, join as join11, basename as basename4 } from "path";
+import { readFileSync as readFileSync18, existsSync as existsSync24, watchFile } from "fs";
+import { resolve as resolve21, join as join12, basename as basename4 } from "path";
 import { homedir as homedir3 } from "os";
 
 // app/lib/agent-slug-pattern.ts
@@ -4425,9 +4427,8 @@ app3.post("/", async (c) => {
   if (!account) {
     return c.json({ error: "No account configured" }, 500);
   }
-  const publicSseConvId = getConversationIdForSession(session_key);
-  const sseLog = publicSseConvId ? agentLogStream("sse-events", account.accountDir, publicSseConvId) : preConversationLogStream("sse-events", account.accountDir);
-  const sk = publicSseConvId?.slice(0, 8) ?? session_key.slice(0, 8);
+  const sseLog = agentLogStream("sse-events", account.accountDir, session_key);
+  const sk = session_key.slice(0, 8);
   const agentName = getAgentNameForSession(session_key);
   if (!agentName) {
     console.log(`[chat] no agent for session=${sk} \u2014 session expired or server restarted`);
@@ -7017,7 +7018,8 @@ async function resolveUserIdentity(accountId, userId) {
 async function createAdminSession(accountId, thinkingView, userId, userName, role, avatar) {
   const account = resolveAccount();
   const effectiveThinkingView = thinkingView ?? account?.config.thinkingView ?? "default";
-  const cacheKey = userId ? mintAdminSessionToken({ accountId, userId }) : crypto.randomUUID();
+  const signedSessionToken = userId ? mintAdminSessionToken({ accountId, userId }) : crypto.randomUUID();
+  const cacheKey = fingerprintSessionKey(signedSessionToken);
   registerSession(cacheKey, "admin", accountId, void 0, userId, userName, role);
   if (userId) setWantsPriorConversation(cacheKey);
   let onboardingComplete = true;
@@ -7053,7 +7055,7 @@ async function createAdminSession(accountId, thinkingView, userId, userName, rol
   console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} admin session created: userId=${userId ?? "\u2013"} userName=${userName ?? "\u2013"} accountId=${accountId} conversationId=${initialConversationId ?? "unbound"} cacheKey=${cacheKey.slice(0, 8)}`);
   console.log(`[admin-session] role=${role ?? "null"} cacheKey=${cacheKey.slice(0, 8)} phase=create eager-ensured=${initialConversationId ? "true" : "false"}`);
   return {
-    session_key: cacheKey,
+    session_key: signedSessionToken,
     agent_id: "admin",
     userId,
     userName,
@@ -7067,8 +7069,12 @@ async function createAdminSession(accountId, thinkingView, userId, userName, rol
 }
 var app10 = new Hono();
 app10.get("/", async (c) => {
-  const cacheKey = c.req.query("session_key");
-  if (!cacheKey || !validateSession(cacheKey, "admin").ok) {
+  const signedSessionToken = c.req.query("session_key");
+  if (!signedSessionToken) {
+    return c.json({ error: "Invalid or expired admin session" }, 401);
+  }
+  const cacheKey = fingerprintSessionKey(signedSessionToken);
+  if (!validateSession(cacheKey, "admin", signedSessionToken).ok) {
     return c.json({ error: "Invalid or expired admin session" }, 401);
   }
   const accountId = getAccountIdForSession(cacheKey);
@@ -7104,7 +7110,7 @@ app10.get("/", async (c) => {
     }
   }
   return c.json({
-    session_key: cacheKey,
+    session_key: signedSessionToken,
     agent_id: "admin",
     userId: restoredUserId,
     userName: restoredUserName,
@@ -7474,7 +7480,7 @@ var app11 = new Hono();
 app11.post("/cancel", requireAdminSession, async (c) => {
   const session_key = c.var.cacheKey;
   try {
-    const { interruptClient: interruptClient2 } = await import("./client-pool-JAM3QHGW.js");
+    const { interruptClient: interruptClient2 } = await import("./client-pool-M6NS5G2U.js");
     await interruptClient2(session_key);
     return c.json({ ok: true });
   } catch (err) {
@@ -7578,8 +7584,7 @@ app11.post("/", requireAdminSession, async (c) => {
   try {
     const parsed = JSON.parse(message);
     if (parsed._lifecycle) {
-      const lifecycleConvId = getConversationIdForSession(session_key);
-      const lifecycleLog = lifecycleConvId ? agentLogStream("component-lifecycle", account.accountDir, lifecycleConvId) : preConversationLogStream("component-lifecycle", account.accountDir);
+      const lifecycleLog = agentLogStream("component-lifecycle", account.accountDir, session_key);
       const ts = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
       const detail = parsed.filePath ? ` filePath=${parsed.filePath}` : "";
       lifecycleLog.write(`[${ts}] [component:${parsed.component ?? "unknown"}] ${parsed.event ?? "unknown"}${detail}
@@ -7603,8 +7608,7 @@ app11.post("/", requireAdminSession, async (c) => {
   try {
     const parsed = JSON.parse(message);
     if (isComponentDone(parsed)) {
-      const componentConvId = getConversationIdForSession(session_key);
-      const componentLog = componentConvId ? agentLogStream("component-lifecycle", account.accountDir, componentConvId) : preConversationLogStream("component-lifecycle", account.accountDir);
+      const componentLog = agentLogStream("component-lifecycle", account.accountDir, session_key);
       const ts = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
       message = transformComponentDone(parsed);
       componentLog.write(`[${ts}] [component:${parsed.component}] componentDone \u2192 transformed
@@ -7668,11 +7672,11 @@ app11.post("/", requireAdminSession, async (c) => {
     }
   }
   const encoder = new TextEncoder();
-  const sseLogStream = agentLogStream("sse-events", account.accountDir, conversationId);
+  const sseLogStream = agentLogStream("sse-events", account.accountDir, session_key);
   const sk = conversationId.slice(0, 8);
-  const teeStreamLogPath = resolve8(account.accountDir, "logs", `claude-agent-stream-${conversationId}.log`);
+  const teeStreamLogPath = resolve8(account.accountDir, "logs", `claude-agent-stream-${session_key}.log`);
   try {
-    appendFileSync3(teeStreamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [chat-route-version=task965-mint-at-entry] cacheKey=${session_key.slice(0, 12)}\u2026 conversationId=${conversationId}
+    appendFileSync3(teeStreamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [chat-route-version=task1006-sessionkey-on-disk] cacheKey=${session_key.slice(0, 12)}\u2026 conversationId=${conversationId}
 `);
   } catch {
   }
@@ -7760,7 +7764,7 @@ app11.post("/", requireAdminSession, async (c) => {
         const reqSignal = c.req.raw?.signal;
         if (reqSignal) {
           reqSignal.addEventListener("abort", () => {
-            const abortStreamLog = agentLogStream("claude-agent-stream", account.accountDir, conversationId);
+            const abortStreamLog = agentLogStream("claude-agent-stream", account.accountDir, session_key);
             const ts = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
             sseLog.write(`[${ts}] [${sk}] admin: ABORT [operator-cancel] interrupting pool client
 `);
@@ -7976,8 +7980,25 @@ app13.post("/", requireAdminSession, async (c) => {
 var compact_default = app13;
 
 // server/routes/admin/logs.ts
-import { existsSync as existsSync12, readdirSync as readdirSync5, readFileSync as readFileSync11, statSync as statSync6 } from "fs";
+import { existsSync as existsSync13, readdirSync as readdirSync5, readFileSync as readFileSync11, statSync as statSync6 } from "fs";
 import { resolve as resolve9, basename as basename2 } from "path";
+
+// app/lib/logs-read-resolve.ts
+import { existsSync as existsSync12 } from "fs";
+import { join as join9 } from "path";
+function resolveSessionLogPaths(filename, logDirs) {
+  const tried = [filename];
+  const hits = [];
+  for (const dir of logDirs) {
+    const fullPath = join9(dir, filename);
+    if (existsSync12(fullPath)) {
+      hits.push({ path: fullPath, dir });
+    }
+  }
+  return { hits, tried };
+}
+
+// server/routes/admin/logs.ts
 var TAIL_BYTES = 8192;
 var app14 = new Hono();
 app14.get("/", async (c) => {
@@ -8040,31 +8061,29 @@ app14.get("/", async (c) => {
     }
     const cacheKey = cacheKeyParam ?? null;
     const conversationId = conversationIdParam ?? null;
-    const MISSING_SENTINEL = ".task702-identifier-not-supplied.log";
-    const fullFilename = conversationId ? `${prefix}-${conversationId}.log` : MISSING_SENTINEL;
-    const preflushFilename = cacheKey && typeParam === "public" ? `${prefix}-${preflushSliceOf(cacheKey)}.log` : MISSING_SENTINEL;
-    const { hits, stalePreflushPaths, tried } = resolveConversationLogPaths(
-      fullFilename,
-      preflushFilename,
-      logDirs
-    );
-    const stalePreflushCount = stalePreflushPaths.length;
+    const sessionKeyFromConv = conversationId ? getSessionKeyByConversationId(conversationId) ?? null : null;
+    const primaryId = cacheKey ?? sessionKeyFromConv ?? conversationId;
+    const fallbackId = primaryId !== conversationId && conversationId ? conversationId : null;
+    const tried = [];
+    let hit = null;
+    if (primaryId) {
+      const filename = `${prefix}-${primaryId}.log`;
+      tried.push(filename);
+      const result = resolveSessionLogPaths(filename, logDirs);
+      if (result.hits.length > 0) hit = result.hits[0];
+    }
+    if (!hit && fallbackId) {
+      const filename = `${prefix}-${fallbackId}.log`;
+      tried.push(filename);
+      const result = resolveSessionLogPaths(filename, logDirs);
+      if (result.hits.length > 0) hit = result.hits[0];
+    }
     const cacheKeySlice = cacheKey ? cacheKey.slice(0, 12) : "none";
     const conversationIdSlice = conversationId ? conversationId.slice(0, 12) : "none";
-    if (hits.length > 0) {
-      const hit = hits[0];
-      console.info(`[admin/logs] resolved cacheKey=${cacheKeySlice} conversationId=${conversationIdSlice} shape=${hit.shape} stalePreflushCount=${stalePreflushCount}`);
+    if (hit) {
+      console.info(`[admin/logs] resolved cacheKey=${cacheKeySlice} conversationId=${conversationIdSlice} via=${primaryId === cacheKey ? "cacheKey" : primaryId === sessionKeyFromConv ? "reverse-lookup" : "conversationId-fallback"}`);
       try {
         const filename = basename2(hit.path);
-        if (stalePreflushCount > 0 && !download) {
-          const content = readFileSync11(hit.path, "utf-8");
-          return c.json({
-            log: content,
-            filename,
-            shape: hit.shape,
-            warnings: stalePreflushPaths.map((path2) => ({ kind: "stale-preflush", path: path2 }))
-          });
-        }
         const buffer = readFileSync11(hit.path);
         const onDiskBytes = statSync6(hit.path).size;
         const headers = {
@@ -8083,7 +8102,8 @@ app14.get("/", async (c) => {
         );
       }
     }
-    const reason = !conversationId ? "no preflush log on disk for cacheKey and conversationId not derivable" : !cacheKey ? "no full log on disk and cacheKey not derivable" : "no preflush log, no full log";
+    const reason = "no log file on disk for the given identifier(s)";
+    if (primaryId) emitMissingOnResolve(primaryId, "admin-logs-route", reason);
     console.warn(`[admin/logs] not-found tried=[${tried.join(",")}] cacheKey=${cacheKeySlice} conversationId=${conversationIdSlice} reason=${JSON.stringify(reason)}`);
     return c.json(
       {
@@ -8099,7 +8119,7 @@ app14.get("/", async (c) => {
   const seen = /* @__PURE__ */ new Set();
   const logs = {};
   for (const dir of logDirs) {
-    if (!existsSync12(dir)) continue;
+    if (!existsSync13(dir)) continue;
     let files;
     try {
       files = readdirSync5(dir).filter((f) => f.endsWith(".log"));
@@ -8150,7 +8170,7 @@ var claude_info_default = app15;
 
 // server/routes/admin/attachment.ts
 import { readFile as readFile2, readdir } from "fs/promises";
-import { existsSync as existsSync13 } from "fs";
+import { existsSync as existsSync14 } from "fs";
 import { resolve as resolve10 } from "path";
 var app16 = new Hono();
 app16.get("/:attachmentId", requireAdminSession, async (c) => {
@@ -8164,11 +8184,11 @@ app16.get("/:attachmentId", requireAdminSession, async (c) => {
     return new Response("Not found", { status: 404 });
   }
   const dir = resolve10(ATTACHMENTS_ROOT, accountId, attachmentId);
-  if (!existsSync13(dir)) {
+  if (!existsSync14(dir)) {
     return new Response("Not found", { status: 404 });
   }
   const metaPath = resolve10(dir, `${attachmentId}.meta.json`);
-  if (!existsSync13(metaPath)) {
+  if (!existsSync14(metaPath)) {
     return new Response("Not found", { status: 404 });
   }
   let meta;
@@ -8196,13 +8216,13 @@ var attachment_default = app16;
 
 // server/routes/admin/agents.ts
 import { resolve as resolve11 } from "path";
-import { readdirSync as readdirSync6, readFileSync as readFileSync12, existsSync as existsSync14, rmSync } from "fs";
+import { readdirSync as readdirSync6, readFileSync as readFileSync12, existsSync as existsSync15, rmSync } from "fs";
 var app17 = new Hono();
 app17.get("/", (c) => {
   const account = resolveAccount();
   if (!account) return c.json({ agents: [] });
   const agentsDir = resolve11(account.accountDir, "agents");
-  if (!existsSync14(agentsDir)) return c.json({ agents: [] });
+  if (!existsSync15(agentsDir)) return c.json({ agents: [] });
   const agents = [];
   try {
     const entries = readdirSync6(agentsDir, { withFileTypes: true });
@@ -8210,7 +8230,7 @@ app17.get("/", (c) => {
       if (!entry.isDirectory()) continue;
       if (entry.name === "admin") continue;
       const configPath2 = resolve11(agentsDir, entry.name, "config.json");
-      if (!existsSync14(configPath2)) continue;
+      if (!existsSync15(configPath2)) continue;
       try {
         const config = JSON.parse(readFileSync12(configPath2, "utf-8"));
         agents.push({
@@ -8239,7 +8259,7 @@ app17.delete("/:slug", async (c) => {
     return c.json({ error: "Invalid agent slug" }, 400);
   }
   const agentDir = resolve11(account.accountDir, "agents", slug);
-  if (!existsSync14(agentDir)) {
+  if (!existsSync15(agentDir)) {
     return c.json({ error: "Agent not found" }, 404);
   }
   try {
@@ -8269,7 +8289,7 @@ app17.post("/:slug/project", async (c) => {
     return c.json({ error: "Invalid agent slug" }, 400);
   }
   const agentDir = resolve11(account.accountDir, "agents", slug);
-  if (!existsSync14(agentDir)) {
+  if (!existsSync15(agentDir)) {
     return c.json({ error: "Agent not found on disk" }, 404);
   }
   try {
@@ -8285,7 +8305,7 @@ var agents_default = app17;
 // server/routes/admin/sessions.ts
 import crypto2 from "crypto";
 import { resolve as resolvePath } from "path";
-import { appendFileSync as appendFileSync4, existsSync as existsSync16 } from "fs";
+import { appendFileSync as appendFileSync4, existsSync as existsSync17 } from "fs";
 
 // app/lib/synthetic-marker.ts
 var CLOUDFLARE_MARKER_PREFIX = "Cloudflare setup completed (actionId: ";
@@ -8297,9 +8317,9 @@ function isSyntheticUserMarker(content) {
 }
 
 // app/lib/claude-agent/jsonl-replay.ts
-import { existsSync as existsSync15, readFileSync as readFileSync13 } from "fs";
+import { existsSync as existsSync16, readFileSync as readFileSync13 } from "fs";
 function replayJsonl(jsonlPath) {
-  if (!existsSync15(jsonlPath)) {
+  if (!existsSync16(jsonlPath)) {
     return { messages: [], jsonlMissing: true, malformedLines: 0 };
   }
   let raw;
@@ -8464,7 +8484,7 @@ function validateAndShapeAttachments(raws, conversationAccountId, conversationId
     let reason = null;
     if (!a.attachmentId || !a.filename || !a.mimeType || !a.storagePath) reason = "schema-fail";
     else if (a.accountId !== conversationAccountId) reason = "account-mismatch";
-    else if (!existsSync16(a.storagePath)) reason = "missing-file";
+    else if (!existsSync17(a.storagePath)) reason = "missing-file";
     if (reason) {
       invalid++;
       try {
@@ -8619,13 +8639,14 @@ app18.post("/new", requireAdminSession, async (c) => {
   if (!accountId || !userId) {
     return c.json({ error: "Session missing account or user context" }, 400);
   }
-  const newCacheKey = crypto2.randomUUID();
+  const newSignedSessionToken = crypto2.randomUUID();
+  const newCacheKey = fingerprintSessionKey(newSignedSessionToken);
   const userName = getUserNameForSession(oldCacheKey);
   registerSession(newCacheKey, "admin", accountId, void 0, userId, userName);
   const previousConversationId = clearSessionHistory(oldCacheKey);
   unregisterSession(oldCacheKey);
   console.log(`[session] ${(/* @__PURE__ */ new Date()).toISOString()} session reset for new conversation: oldCacheKey=${oldCacheKey.slice(0, 8)}\u2026 newCacheKey=${newCacheKey.slice(0, 8)}\u2026 previousConversationId=${previousConversationId?.slice(0, 8) ?? "none"}\u2026 newConversationId=deferred`);
-  return c.json({ session_key: newCacheKey, conversationId: null });
+  return c.json({ session_key: newSignedSessionToken, conversationId: null });
 });
 app18.post("/switch", requireAdminSession, async (c) => {
   const cacheKey = c.var.cacheKey;
@@ -8635,11 +8656,12 @@ app18.post("/switch", requireAdminSession, async (c) => {
     return c.json({ error: "Session missing account or user context" }, 400);
   }
   const body = await c.req.json().catch(() => ({}));
-  const targetCacheKey = typeof body.target_session_key === "string" ? body.target_session_key : "";
-  if (!targetCacheKey) {
+  const targetSignedSessionToken = typeof body.target_session_key === "string" ? body.target_session_key : "";
+  if (!targetSignedSessionToken) {
     return c.json({ error: "target_session_key required" }, 400);
   }
-  const targetCheck = validateSession(targetCacheKey, "admin");
+  const targetCacheKey = fingerprintSessionKey(targetSignedSessionToken);
+  const targetCheck = validateSession(targetCacheKey, "admin", targetSignedSessionToken);
   if (!targetCheck.ok) {
     console.error(`[session-switch] reject reason=${targetCheck.reason} from=${cacheKey.slice(0, 8)} target=${targetCacheKey.slice(0, 8)}`);
     return c.json({ error: "Target session not registered or wrong agent type", code: targetCheck.reason }, 404);
@@ -8652,7 +8674,7 @@ app18.post("/switch", requireAdminSession, async (c) => {
   }
   const targetConversationId = getConversationIdForSession(targetCacheKey) ?? null;
   console.log(`[session-switch] from=${cacheKey.slice(0, 8)} to=${targetCacheKey.slice(0, 8)} targetConvId=${targetConversationId?.slice(0, 8) ?? "none"} accountId=${accountId.slice(0, 8)}`);
-  return c.json({ session_key: targetCacheKey, conversationId: targetConversationId });
+  return c.json({ session_key: targetSignedSessionToken, conversationId: targetConversationId });
 });
 app18.delete("/:id", requireAdminSession, async (c) => {
   const conversationId = c.req.param("id");
@@ -8671,13 +8693,14 @@ app18.delete("/:id", requireAdminSession, async (c) => {
 });
 app18.post("/:id/resume", async (c) => {
   const conversationId = c.req.param("id");
-  const cacheKey = c.req.query("session_key") ?? "";
-  if (!cacheKey) {
+  const signedSessionToken = c.req.query("session_key") ?? "";
+  if (!signedSessionToken) {
     console.error(`[session] middleware-reject status=400 code=session-missing reason="session_key required" path=${c.req.path}`);
     return c.json({ error: "session_key required", code: "session-missing" }, 400);
   }
+  const cacheKey = fingerprintSessionKey(signedSessionToken);
   let bridged = false;
-  let result = validateSession(cacheKey, "admin");
+  let result = validateSession(cacheKey, "admin", signedSessionToken);
   if (!result.ok) {
     if (result.reason === "session-not-registered") {
       const bridge = await tryCookieBridgeForConversation(c, cacheKey, conversationId);
@@ -8690,7 +8713,7 @@ app18.post("/:id/resume", async (c) => {
         return c.json({ error: "Invalid or expired admin session", code: "session-not-registered" }, 401);
       }
       bridged = true;
-      result = validateSession(cacheKey, "admin");
+      result = validateSession(cacheKey, "admin", signedSessionToken);
       if (!result.ok) {
         const tail = cacheKey.slice(0, 8);
         console.error(`[session] middleware-reject status=401 code=session-not-registered reason="post-bridge re-validate failed" path=${c.req.path} cacheKey=${tail}\u2026`);
@@ -9255,12 +9278,12 @@ function isValidDomain(value) {
 }
 
 // app/lib/alias-domains.ts
-import { existsSync as existsSync17, mkdirSync as mkdirSync6, readFileSync as readFileSync14, writeFileSync as writeFileSync7 } from "fs";
+import { existsSync as existsSync18, mkdirSync as mkdirSync6, readFileSync as readFileSync14, writeFileSync as writeFileSync7 } from "fs";
 import { dirname as dirname5 } from "path";
 import { resolve as resolve12 } from "path";
 var ALIAS_DOMAINS_PATH = resolve12(MAXY_DIR, "alias-domains.json");
 function readExisting() {
-  if (!existsSync17(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
+  if (!existsSync18(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
   try {
     const parsed = JSON.parse(readFileSync14(ALIAS_DOMAINS_PATH, "utf-8"));
     if (!Array.isArray(parsed)) return /* @__PURE__ */ new Set();
@@ -9534,8 +9557,8 @@ app23.get("/tunnels", requireAdminSession, async (c) => {
   if (!correlationId) return err("session", "No active conversation for session \u2014 refresh chat.");
   streamLogPath = streamLogPathFor(accountId, correlationId).streamLogPath;
   const certPath = resolve13(homedir2(), brand.configDir, "cloudflared", "cert.pem");
-  const { existsSync: existsSync24 } = await import("fs");
-  if (!existsSync24(certPath)) {
+  const { existsSync: existsSync25 } = await import("fs");
+  if (!existsSync25(certPath)) {
     return err("cert", `Cloudflare origin certificate is not on disk yet (${certPath}). Complete the Cloudflare login first by submitting the form once \u2014 the OAuth flow writes cert.pem.`);
   }
   const result = await runFormSpawn({
@@ -9859,7 +9882,7 @@ var cloudflare_default = app23;
 import { createReadStream as createReadStream3 } from "fs";
 import { readdir as readdir2, readFile as readFile3, stat as stat3, mkdir as mkdir2, writeFile as writeFile3, unlink as unlink2 } from "fs/promises";
 import { realpathSync as realpathSync3 } from "fs";
-import { basename as basename3, dirname as dirname6, join as join9, resolve as resolve15, sep as sep2 } from "path";
+import { basename as basename3, dirname as dirname6, join as join10, resolve as resolve15, sep as sep2 } from "path";
 import { Readable as Readable2 } from "stream";
 
 // app/lib/data-path.ts
@@ -10217,7 +10240,7 @@ async function cascadeDeleteDocument(params) {
 var UUID_RE5 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 async function readMeta(absDir, baseName) {
   try {
-    const raw = await readFile3(join9(absDir, `${baseName}.meta.json`), "utf8");
+    const raw = await readFile3(join10(absDir, `${baseName}.meta.json`), "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed?.filename === "string") {
       return { filename: parsed.filename, mimeType: typeof parsed.mimeType === "string" ? parsed.mimeType : void 0 };
@@ -10255,7 +10278,7 @@ async function readAccountNames() {
 }
 async function enrich(absolute, entry, accountNames) {
   if (entry.kind === "directory" && UUID_RE5.test(entry.name)) {
-    const meta = await readMeta(join9(absolute, entry.name), entry.name);
+    const meta = await readMeta(join10(absolute, entry.name), entry.name);
     if (meta?.filename) {
       entry.displayName = meta.filename;
       entry.mimeType = meta.mimeType;
@@ -10314,7 +10337,7 @@ app24.get("/", requireAdminSession, async (c) => {
         continue;
       }
       try {
-        const entryPath = join9(absolute, name);
+        const entryPath = join10(absolute, name);
         const s = await stat3(entryPath);
         entries.push({
           name,
@@ -10487,7 +10510,7 @@ app24.delete("/", requireAdminSession, async (c) => {
     }
     const dot = base.lastIndexOf(".");
     const stem = dot === -1 ? base : base.slice(0, dot);
-    const sidecarPath = UUID_RE5.test(stem) && base !== `${stem}.meta.json` ? join9(dirname6(absolute), `${stem}.meta.json`) : null;
+    const sidecarPath = UUID_RE5.test(stem) && base !== `${stem}.meta.json` ? join10(dirname6(absolute), `${stem}.meta.json`) : null;
     await unlink2(absolute);
     if (sidecarPath) {
       try {
@@ -12178,7 +12201,7 @@ var adherence_default = app32;
 import neo4j3 from "neo4j-driver";
 import { readFile as readFile4, readdir as readdir3, stat as stat4 } from "fs/promises";
 import { resolve as resolve16, relative as relative2, isAbsolute } from "path";
-import { existsSync as existsSync18 } from "fs";
+import { existsSync as existsSync19 } from "fs";
 var LIMIT = 50;
 var TEXT_MIME_PREFIXES = ["text/", "application/json", "application/markdown"];
 var ADMIN_AGENT_FILES = ["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"];
@@ -12326,7 +12349,7 @@ async function fetchAgentTemplateRows(accountDir) {
 async function unionSpecialistFilenames(overrideDir, bundledDir) {
   const names = /* @__PURE__ */ new Set();
   for (const dir of [overrideDir, bundledDir]) {
-    if (!existsSync18(dir)) continue;
+    if (!existsSync19(dir)) continue;
     try {
       const entries = await readdir3(dir);
       for (const entry of entries) {
@@ -12341,7 +12364,7 @@ async function unionSpecialistFilenames(overrideDir, bundledDir) {
 }
 async function readAgentTemplateRow(inp) {
   let chosenPath = null;
-  if (existsSync18(inp.overridePath)) {
+  if (existsSync19(inp.overridePath)) {
     try {
       validateFilePathInAccount(inp.overridePath, inp.overrideRoot);
       chosenPath = inp.overridePath;
@@ -12352,7 +12375,7 @@ async function readAgentTemplateRow(inp) {
       );
       return null;
     }
-  } else if (existsSync18(inp.bundledPath)) {
+  } else if (existsSync19(inp.bundledPath)) {
     if (!isWithin(inp.bundledPath, inp.bundledRoot)) {
       console.error(
         `[admin/sidebar-artefacts] agent-template-read-failed agent=${inp.displayName} kind=${inp.logName} error="bundled path outside PLATFORM_ROOT"`
@@ -12394,7 +12417,7 @@ var sidebar_artefacts_default = app33;
 // server/routes/admin/sidebar-artefact-save.ts
 import { mkdir as mkdir3, readdir as readdir4, stat as stat5, writeFile as writeFile4 } from "fs/promises";
 import { resolve as resolve17 } from "path";
-import { existsSync as existsSync19 } from "fs";
+import { existsSync as existsSync20 } from "fs";
 var ADMIN_AGENT_FILES2 = /* @__PURE__ */ new Set(["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"]);
 var UUID_RE6 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app34 = new Hono();
@@ -12462,7 +12485,7 @@ async function resolveSavePath(id, accountId, accountDir) {
   }
   if (UUID_RE6.test(id)) {
     const dir = resolve17(ATTACHMENTS_ROOT, accountId, id);
-    if (!existsSync19(dir)) {
+    if (!existsSync20(dir)) {
       const attShort = id.slice(0, 8);
       if (isHealPending(accountId, id)) {
         console.error(`[admin/sidebar-artefact-save] heal-race attachmentId=${attShort} outcome=503-retry source=heal-pending`);
@@ -12514,7 +12537,7 @@ var sidebar_artefact_save_default = app34;
 
 // server/routes/admin/sidebar-artefact-content.ts
 import { readFile as readFile5, readdir as readdir5 } from "fs/promises";
-import { existsSync as existsSync20 } from "fs";
+import { existsSync as existsSync21 } from "fs";
 import { resolve as resolve18 } from "path";
 var UUID_RE7 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app35 = new Hono();
@@ -12528,7 +12551,7 @@ app35.get("/", requireAdminSession, async (c) => {
     return new Response("Not found", { status: 404 });
   }
   const dir = resolve18(ATTACHMENTS_ROOT, accountId, id);
-  if (!existsSync20(dir)) {
+  if (!existsSync21(dir)) {
     console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
     return new Response("Not found", { status: 404 });
   }
@@ -12562,12 +12585,12 @@ app35.get("/", requireAdminSession, async (c) => {
 var sidebar_artefact_content_default = app35;
 
 // server/routes/admin/health.ts
-import { existsSync as existsSync21, readFileSync as readFileSync16 } from "fs";
-import { resolve as resolve19, join as join10 } from "path";
+import { existsSync as existsSync22, readFileSync as readFileSync16 } from "fs";
+import { resolve as resolve19, join as join11 } from "path";
 var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT ?? resolve19(process.cwd(), "..");
 var brandHostname = "maxy";
-var brandJsonPath = join10(PLATFORM_ROOT6, "config", "brand.json");
-if (existsSync21(brandJsonPath)) {
+var brandJsonPath = join11(PLATFORM_ROOT6, "config", "brand.json");
+if (existsSync22(brandJsonPath)) {
   try {
     const brand = JSON.parse(readFileSync16(brandJsonPath, "utf-8"));
     if (brand.hostname) brandHostname = brand.hostname;
@@ -12578,7 +12601,7 @@ var VERSION_FILE = resolve19(PLATFORM_ROOT6, `config/.${brandHostname}-version`)
 var PROCESS_STARTED_AT = (/* @__PURE__ */ new Date()).toISOString();
 var PROBE_TIMEOUT_MS = 1e3;
 function readVersion() {
-  if (!existsSync21(VERSION_FILE)) return "unknown";
+  if (!existsSync22(VERSION_FILE)) return "unknown";
   return readFileSync16(VERSION_FILE, "utf-8").trim() || "unknown";
 }
 async function probeConversationDb() {
@@ -12661,7 +12684,7 @@ app37.route("/health-brand", health_default2);
 var admin_default = app37;
 
 // server/routes/sites.ts
-import { existsSync as existsSync22, readFileSync as readFileSync17, realpathSync as realpathSync4, statSync as statSync7 } from "fs";
+import { existsSync as existsSync23, readFileSync as readFileSync17, realpathSync as realpathSync4, statSync as statSync7 } from "fs";
 import { resolve as resolve20 } from "path";
 var SAFE_SEG_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
 var MIME = {
@@ -12727,7 +12750,7 @@ app38.get("/:rel{.*}", (c) => {
   }
   let stat6;
   try {
-    stat6 = existsSync22(filePath) ? statSync7(filePath) : null;
+    stat6 = existsSync23(filePath) ? statSync7(filePath) : null;
   } catch {
     stat6 = null;
   }
@@ -12746,7 +12769,7 @@ app38.get("/:rel{.*}", (c) => {
     console.error(`[sites] path-traversal-rejected path=${reqPath} reason=escape status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync22(filePath)) {
+  if (!existsSync23(filePath)) {
     console.error(`[sites] not-found path=${reqPath} status=404`);
     return c.text("Not found", 404);
   }
@@ -12867,10 +12890,42 @@ async function verifyUserProfileConstraint() {
     await session.close();
   }
 }
+async function verifySessionKeyAdherence() {
+  const session = getSession();
+  try {
+    const convResult = await session.run(
+      `MATCH (c:Conversation) WHERE c.sessionKey IS NULL RETURN count(c) AS n`
+    );
+    const convNull = convResult.records[0]?.get("n")?.toNumber?.() ?? 0;
+    console.error(
+      `[migration-1007] adherence-check label=Conversation rows-with-null-sessionkey=${convNull}`
+    );
+    const msgResult = await session.run(
+      `MATCH (m:Message) WHERE m.sessionKey IS NULL RETURN count(m) AS n`
+    );
+    const msgNull = msgResult.records[0]?.get("n")?.toNumber?.() ?? 0;
+    console.error(
+      `[migration-1007] adherence-check label=Message rows-with-null-sessionkey=${msgNull}`
+    );
+    if (convNull > 0 || msgNull > 0) {
+      console.error(
+        `[migration-1007] adherence-check P0=true reason=null-sessionkey-on-boot \u2014 re-run seed-neo4j.sh`
+      );
+    }
+  } catch (err) {
+    console.error(
+      `[migration-1007] adherence-check verify failed: ${err instanceof Error ? err.message : String(err)}`
+    );
+  } finally {
+    await session.close();
+  }
+}
 function startGraphHealthTimer() {
   if (timer) return;
   verifyUserProfileConstraint().catch(() => {
   });
+  verifySessionKeyAdherence().catch(() => {
+  });
   runGraphHealthTick().catch(() => {
   });
   timer = setInterval(() => {
@@ -12881,7 +12936,7 @@ function startGraphHealthTimer() {
 }
 
 // server/index.ts
-import { existsSync as existsSyncBoot, readFileSync as readFileSyncBoot } from "fs";
+import { existsSync as existsSyncBoot } from "fs";
 import { resolve as resolveBoot } from "path";
 function requestIsTlsTerminated(c) {
   const remote = c.env?.incoming?.socket?.remoteAddress ?? "";
@@ -12897,12 +12952,12 @@ function clientFrom(c) {
   );
 }
 var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
-var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join11(PLATFORM_ROOT7, "config", "brand.json") : "";
+var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join12(PLATFORM_ROOT7, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
-if (BRAND_JSON_PATH && !existsSync23(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && !existsSync24(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
 }
-if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync24(BRAND_JSON_PATH)) {
   try {
     const parsed = JSON.parse(readFileSync18(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
@@ -12923,10 +12978,10 @@ var brandLoginOpts = {
   bodyFont: BRAND.defaultFonts?.body,
   logoContainsName: !!BRAND.logoContainsName
 };
-var ALIAS_DOMAINS_PATH2 = join11(homedir3(), BRAND.configDir, "alias-domains.json");
+var ALIAS_DOMAINS_PATH2 = join12(homedir3(), BRAND.configDir, "alias-domains.json");
 function loadAliasDomains() {
   try {
-    if (!existsSync23(ALIAS_DOMAINS_PATH2)) return null;
+    if (!existsSync24(ALIAS_DOMAINS_PATH2)) return null;
     const parsed = JSON.parse(readFileSync18(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
@@ -13199,7 +13254,8 @@ app39.post("/api/remote-auth/set-password", async (c) => {
   } catch {
     return c.json({ error: "Invalid request" }, 400);
   }
-  if (!body.session_key || !validateSession(body.session_key, "admin").ok) {
+  const cacheKey = body.session_key ? fingerprintSessionKey(body.session_key) : "";
+  if (!cacheKey || !validateSession(cacheKey, "admin", body.session_key).ok) {
     return c.json({ error: "Unauthorized" }, 401);
   }
   if (!body.password) {
@@ -13306,7 +13362,7 @@ app39.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync23(filePath)) {
+  if (!existsSync24(filePath)) {
     console.error(`[agent-assets] serve slug=${slug} file=${filename} status=404`);
     return c.text("Not found", 404);
   }
@@ -13336,7 +13392,7 @@ app39.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync23(filePath)) {
+  if (!existsSync24(filePath)) {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
@@ -13353,7 +13409,7 @@ app39.route("/sites", sites_default);
 var htmlCache = /* @__PURE__ */ new Map();
 var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
-if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync24(BRAND_JSON_PATH)) {
   try {
     const fullBrand = JSON.parse(readFileSync18(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
@@ -13372,8 +13428,8 @@ var brandScript = `<script>window.__BRAND__=${JSON.stringify({
 function readInstalledVersion() {
   try {
     if (!PLATFORM_ROOT7) return "unknown";
-    const versionFile = join11(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
-    if (!existsSync23(versionFile)) return "unknown";
+    const versionFile = join12(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
+    if (!existsSync24(versionFile)) return "unknown";
     const content = readFileSync18(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
@@ -13431,15 +13487,15 @@ ${clientErrorReporterScript}
 }
 var brandedHtmlCache = /* @__PURE__ */ new Map();
 function loadBrandingCache(agentSlug) {
-  const configDir2 = join11(homedir3(), BRAND.configDir);
+  const configDir2 = join12(homedir3(), BRAND.configDir);
   try {
-    const accountJsonPath = join11(configDir2, "account.json");
-    if (!existsSync23(accountJsonPath)) return null;
+    const accountJsonPath = join12(configDir2, "account.json");
+    if (!existsSync24(accountJsonPath)) return null;
     const account = JSON.parse(readFileSync18(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
-    const cachePath = join11(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
-    if (!existsSync23(cachePath)) return null;
+    const cachePath = join12(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
+    if (!existsSync24(cachePath)) return null;
     return JSON.parse(readFileSync18(cachePath, "utf-8"));
   } catch {
     return null;
@@ -13447,9 +13503,9 @@ function loadBrandingCache(agentSlug) {
 }
 function resolveDefaultSlug() {
   try {
-    const configDir2 = join11(homedir3(), BRAND.configDir);
-    const accountJsonPath = join11(configDir2, "account.json");
-    if (!existsSync23(accountJsonPath)) return null;
+    const configDir2 = join12(homedir3(), BRAND.configDir);
+    const accountJsonPath = join12(configDir2, "account.json");
+    if (!existsSync24(accountJsonPath)) return null;
     const account = JSON.parse(readFileSync18(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
@@ -13629,7 +13685,7 @@ try {
 (async () => {
   try {
     let userId = "";
-    if (existsSync23(USERS_FILE)) {
+    if (existsSync24(USERS_FILE)) {
       const users = JSON.parse(readFileSync18(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
@@ -13647,7 +13703,7 @@ try {
 })();
 (async () => {
   try {
-    if (!existsSync23(USERS_FILE)) return;
+    if (!existsSync24(USERS_FILE)) return;
     const usersRaw = readFileSync18(USERS_FILE, "utf-8").trim();
     if (!usersRaw) return;
     const users = JSON.parse(usersRaw);
@@ -13700,6 +13756,11 @@ autoDeliverPremiumPlugins(
   bootAccount?.accountDir,
   bootAccount?.config
 );
+reconcileEnabledPlugins(
+  bootAccount?.accountDir,
+  bootAccount?.config,
+  bootEntitlement?.purchasedPlugins ?? void 0
+);
 (async () => {
   if (!bootAccount) return;
   try {
@@ -13749,25 +13810,8 @@ if (bootEntitlement?.purchasedPlugins?.length) {
   const enabledSet = new Set(bootEnabled);
   for (const purchased of bootEntitlement.purchasedPlugins) {
     const bundlePath = resolveBoot(PLATFORM_ROOT, "..", "premium-plugins", purchased, "BUNDLE.md");
-    if (!existsSyncBoot(bundlePath)) continue;
-    try {
-      const raw = readFileSyncBoot(bundlePath, "utf-8");
-      const fm = raw.match(/^---\n([\s\S]*?)\n---/);
-      if (!fm) continue;
-      let inPlugins = false;
-      for (const line of fm[1].split("\n")) {
-        if (/^plugins:/.test(line)) {
-          inPlugins = true;
-          continue;
-        }
-        if (inPlugins) {
-          const m = line.match(/^\s+- (.+)/);
-          if (!m) break;
-          const sub = m[1].trim();
-          if (!enabledSet.has(sub)) bootEnabledNotDelivered.push(sub);
-        }
-      }
-    } catch {
+    for (const sub of readBundleSubPlugins(bundlePath)) {
+      if (!enabledSet.has(sub)) bootEnabledNotDelivered.push(sub);
     }
   }
 }
@@ -13780,7 +13824,7 @@ if (bootAccountConfig?.whatsapp) {
 }
 init({
   configDir: configDirForWhatsApp,
-  platformRoot: resolve21(process.env.MAXY_PLATFORM_ROOT ?? join11(__dirname, "..")),
+  platformRoot: resolve21(process.env.MAXY_PLATFORM_ROOT ?? join12(__dirname, "..")),
   accountConfig: bootAccountConfig,
   onMessage: async (msg) => {
     try {