npm - @rubytech/create-maxy - Versions diffs - 1.0.885 → 1.0.886 - Mend

@rubytech/create-maxy 1.0.885 → 1.0.886

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/package.json +1 -1
package/payload/platform/neo4j/schema.cypher +7 -0
package/payload/platform/scripts/check-no-conversation-id-leaks.mjs +165 -0
package/payload/platform/scripts/conversation-id-allowlist.txt +151 -0
package/payload/platform/scripts/seed-neo4j.sh +46 -0
package/payload/server/chunk-IFMZ5I3E.js +1460 -0
package/payload/server/chunk-MOAY7KG2.js +11667 -0
package/payload/server/client-pool-M6NS5G2U.js +34 -0
package/payload/server/maxy-edge.js +2 -2
package/payload/server/server.js +61 -19

package/payload/server/chunk-IFMZ5I3E.js ADDED Viewed

@@ -0,0 +1,1460 @@
+import {
+  createNewAdminConversation,
+  ensureConversation,
+  isMessageUseful,
+  persistMessage,
+  setConversationAgentSessionId,
+  setSessionStoreRef
+} from "./chunk-DOIAYD3J.js";
+// app/lib/claude-agent/client-pool.ts
+import { query } from "@anthropic-ai/claude-agent-sdk";
+import { appendFileSync as appendFileSync2 } from "fs";
+import { resolve as resolvePath } from "path";
+// app/lib/claude-agent/logging.ts
+import { spawnSync } from "child_process";
+import { resolve } from "path";
+import { platform as osPlatform, devNull } from "os";
+import { readFileSync, readdirSync, mkdirSync, createWriteStream, statSync, unlinkSync, appendFileSync } from "fs";
+import { lookup as dnsLookup } from "dns/promises";
+import { createConnection as netConnect } from "net";
+import { StringDecoder } from "string_decoder";
+var LOG_RETENTION_DAYS = 7;
+var isoTs = () => (/* @__PURE__ */ new Date()).toISOString();
+var BROWSER_TOOL_PREFIXES = [
+  "mcp__plugin_playwright_playwright__",
+  "mcp__plugin_chrome-devtools-mcp_chrome-devtools__"
+];
+function isBrowserTool(name) {
+  return BROWSER_TOOL_PREFIXES.some((p) => name.startsWith(p));
+}
+var DIAG_HARD_CAP_MS = 5e3;
+var DIAG_DNS_TIMEOUT_MS = 2e3;
+var DIAG_TCP_TIMEOUT_MS = 3e3;
+var DIAG_HTTP_TIMEOUT_MS = 4e3;
+function quoteDiag(value) {
+  return JSON.stringify(value);
+}
+function extractUrl(toolName, input) {
+  if (input === null || typeof input !== "object") return void 0;
+  const obj = input;
+  if (toolName === "WebFetch" && typeof obj.url === "string") return obj.url;
+  if (isBrowserTool(toolName) && typeof obj.url === "string") return obj.url;
+  if (typeof obj.url === "string" && /^https?:\/\//.test(obj.url)) return obj.url;
+  return void 0;
+}
+var FULL_REDACT_ENV_VARS = /* @__PURE__ */ new Set(["HTTPS_PROXY", "HTTP_PROXY", "NO_PROXY"]);
+function redactEnvField(name) {
+  const value = process.env[name];
+  if (!value) return `${name.toLowerCase()}=absent`;
+  if (FULL_REDACT_ENV_VARS.has(name)) {
+    return `${name.toLowerCase()}=present`;
+  }
+  const suffix = value.length > 40 ? value.slice(-40) : value;
+  return `${name.toLowerCase()}=present suffix=${quoteDiag(suffix)}`;
+}
+async function probeDns(host, family) {
+  const label = family === 4 ? "dns_a" : "dns_aaaa";
+  const start = Date.now();
+  let timer;
+  try {
+    const result = await Promise.race([
+      dnsLookup(host, { family, verbatim: true }),
+      new Promise((_, reject) => {
+        timer = setTimeout(() => reject(new Error("timeout")), DIAG_DNS_TIMEOUT_MS);
+      })
+    ]);
+    if (timer) clearTimeout(timer);
+    const ms = Date.now() - start;
+    return `${label}=${result.address} ${label}_ms=${ms}`;
+  } catch (err) {
+    if (timer) clearTimeout(timer);
+    const ms = Date.now() - start;
+    const msg = err instanceof Error ? err.message : String(err);
+    return `${label}=err ${label}_err=${quoteDiag(msg.slice(0, 60))} ${label}_ms=${ms}`;
+  }
+}
+async function probeTcp(host, port) {
+  const start = Date.now();
+  return new Promise((resolvePromise) => {
+    let settled = false;
+    const sock = netConnect({ host, port, family: 0 });
+    const finish = (result) => {
+      if (settled) return;
+      settled = true;
+      try {
+        sock.destroy();
+      } catch {
+      }
+      resolvePromise(result);
+    };
+    const timer = setTimeout(() => finish(`tcp=timeout tcp_ms=${Date.now() - start}`), DIAG_TCP_TIMEOUT_MS);
+    sock.once("connect", () => {
+      clearTimeout(timer);
+      finish(`tcp=ok tcp_ms=${Date.now() - start}`);
+    });
+    sock.once("error", (err) => {
+      clearTimeout(timer);
+      const msg = err instanceof Error ? err.message : String(err);
+      finish(`tcp=err tcp_err=${quoteDiag(msg.slice(0, 60))} tcp_ms=${Date.now() - start}`);
+    });
+  });
+}
+async function probeHttp(url) {
+  const start = Date.now();
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), DIAG_HTTP_TIMEOUT_MS);
+  try {
+    const res = await fetch(url, { method: "HEAD", redirect: "manual", signal: controller.signal });
+    clearTimeout(timer);
+    return `http_status=${res.status} http_ms=${Date.now() - start}`;
+  } catch (err) {
+    clearTimeout(timer);
+    const msg = err instanceof Error ? err.message : String(err);
+    return `http_status=err http_err=${quoteDiag(msg.slice(0, 60))} http_ms=${Date.now() - start}`;
+  }
+}
+async function runFailureDiagnostic(toolName, toolInput) {
+  const inputKeys = toolInput !== null && typeof toolInput === "object" ? Object.keys(toolInput).join(",") : "";
+  const envFields = [
+    redactEnvField("HTTPS_PROXY"),
+    redactEnvField("HTTP_PROXY"),
+    redactEnvField("NO_PROXY"),
+    redactEnvField("NODE_OPTIONS")
+  ].join(" ");
+  const url = extractUrl(toolName, toolInput);
+  if (!url) {
+    return `diag_url=none input_keys=[${inputKeys}] ${envFields}`;
+  }
+  let host;
+  let port;
+  try {
+    const parsed = new URL(url);
+    host = parsed.hostname;
+    port = parsed.port ? Number(parsed.port) : parsed.protocol === "https:" ? 443 : 80;
+  } catch {
+    return `diag_url=unparseable input_keys=[${inputKeys}] ${envFields}`;
+  }
+  const probes = Promise.allSettled([
+    probeDns(host, 4),
+    probeDns(host, 6),
+    probeTcp(host, port),
+    probeHttp(url)
+  ]);
+  let capTimer;
+  const capped = await Promise.race([
+    probes,
+    new Promise((resolvePromise) => {
+      capTimer = setTimeout(() => resolvePromise("__diag_timeout__"), DIAG_HARD_CAP_MS);
+    })
+  ]);
+  if (capTimer) clearTimeout(capTimer);
+  if (capped === "__diag_timeout__") {
+    return `diag_host=${host} diag_port=${port} diag_timeout=true input_keys=[${inputKeys}] ${envFields}`;
+  }
+  const fields = capped.map((r) => r.status === "fulfilled" ? r.value : `probe_err=${quoteDiag(String(r.reason).slice(0, 40))}`).join(" ");
+  return `diag_host=${host} diag_port=${port} ${fields} input_keys=[${inputKeys}] ${envFields}`;
+}
+function agentLogStream(name, accountDir, sessionKey) {
+  if (!sessionKey) {
+    throw new Error(`agentLogStream: sessionKey is required (name=${name}) \u2014 chat-route entry binds it for every channel`);
+  }
+  const filenameBytes = Buffer.byteLength(name) + Buffer.byteLength(sessionKey) + 5;
+  if (filenameBytes > 240) {
+    logTeeLog(
+      `[log-tee] writer-bind-rejected reason=key-too-long sessionKey-bytes=${Buffer.byteLength(sessionKey)} name=${name} filename-bytes=${filenameBytes}`
+    );
+    return openNoOpStream(sessionKey, name);
+  }
+  const logDir = resolve(accountDir, "logs");
+  mkdirSync(logDir, { recursive: true });
+  purgeOldLogs(logDir, `${name}-`);
+  const logPath = resolve(logDir, `${name}-${sessionKey}.log`);
+  const stream = createWriteStream(logPath, { flags: "a" });
+  stream.once("error", (err) => {
+    logTeeLog(
+      `[log-tee] writer-bind-failed sessionKey=${sessionKey.slice(0, 8)} name=${name} errno=${err.code ?? "unknown"} path=${JSON.stringify(logPath)}`
+    );
+    openStreamLogs.delete(stream);
+  });
+  registerStreamLog(stream, { path: logPath, sessionKey, name });
+  return stream;
+}
+function openNoOpStream(sessionKey, name) {
+  const stream = createWriteStream(devNull, { flags: "a" });
+  stream.once("error", (err) => {
+    logTeeLog(`[log-tee] devnull-error sessionKey=${sessionKey.slice(0, 8)} name=${name} errno=${err.code ?? "unknown"}`);
+    openStreamLogs.delete(stream);
+  });
+  registerStreamLog(stream, { path: devNull, sessionKey, name });
+  return stream;
+}
+var openStreamLogs = /* @__PURE__ */ new Map();
+function registerStreamLog(stream, entry) {
+  openStreamLogs.set(stream, entry);
+  stream.once("close", () => {
+    openStreamLogs.delete(stream);
+    logTeeLog(`[log-tee] deregister sessionKey=${entry.sessionKey.slice(0, 8)} path=${JSON.stringify(entry.path)}`);
+  });
+  logTeeLog(`[log-tee] file-created sessionKey=${entry.sessionKey.slice(0, 8)} path=${JSON.stringify(entry.path)} first-token-at=${isoTs()}`);
+}
+var LOG_TEE_TAG_RE = /^\[[a-zA-Z][a-zA-Z0-9:_\-]*\]/;
+var originalConsoleError = null;
+var originalConsoleLog = null;
+var logTeeInstalled = false;
+var logTeeCycleTimer = null;
+var logTeeAdherenceTimer = null;
+var logTeeLinesEmitted = 0;
+var logTeeLinesRouted = 0;
+var logTeeBytesRouted = 0;
+var logTeeFailCount = 0;
+function logTeeLog(line) {
+  (originalConsoleError ?? console.error.bind(console))(line);
+}
+function appendToActiveStreams(line) {
+  if (openStreamLogs.size === 0) return;
+  const ts = isoTs();
+  const teeLine = `[${ts}] ${line.replace(/\n$/, "")}
+`;
+  let routed = 0;
+  for (const entry of openStreamLogs.values()) {
+    try {
+      appendFileSync(entry.path, teeLine);
+      routed++;
+      logTeeBytesRouted += teeLine.length;
+    } catch (err) {
+      logTeeFailCount++;
+      const msg = err instanceof Error ? err.message : String(err);
+      logTeeLog(`[log-tee] FAIL emit reason=${JSON.stringify(msg.slice(0, 80))} path=${JSON.stringify(entry.path)}`);
+    }
+  }
+  if (routed > 0) {
+    logTeeLinesRouted += routed;
+    logTeeLinesEmitted++;
+  }
+}
+function installLogTee() {
+  if (logTeeInstalled) return;
+  logTeeInstalled = true;
+  originalConsoleError = console.error.bind(console);
+  originalConsoleLog = console.log.bind(console);
+  const wrap = (orig) => {
+    return (...args) => {
+      orig(...args);
+      const rendered = args.map((a) => typeof a === "string" ? a : safeStringify(a)).join(" ");
+      if (LOG_TEE_TAG_RE.test(rendered)) {
+        appendToActiveStreams(rendered);
+      }
+    };
+  };
+  console.error = wrap(originalConsoleError);
+  console.log = wrap(originalConsoleLog);
+  logTeeCycleTimer = setInterval(() => {
+    const active = openStreamLogs.size;
+    logTeeLog(
+      `[log-tee] cycle activeSessions=${active} linesEmitted=${logTeeLinesEmitted} linesRouted=${logTeeLinesRouted} bytesRouted=${logTeeBytesRouted} failCount=${logTeeFailCount}`
+    );
+  }, 3e4);
+  logTeeCycleTimer.unref?.();
+  logTeeAdherenceTimer = setInterval(() => {
+    runAdherenceCheck();
+  }, 60 * 60 * 1e3);
+  logTeeAdherenceTimer.unref?.();
+  logTeeLog(`[log-tee] installed pid=${process.pid}`);
+}
+function safeStringify(value) {
+  try {
+    if (value instanceof Error) return value.stack ?? value.message;
+    return JSON.stringify(value);
+  } catch {
+    return String(value);
+  }
+}
+function emitMissingOnResolve(sessionKey, surface, reason) {
+  logTeeLog(`[log-tee] missing-on-resolve sessionKey=${sessionKey.slice(0, 8)} surface=${surface} reason=${JSON.stringify(reason.slice(0, 120))}`);
+}
+function runAdherenceCheck() {
+  const start = Date.now();
+  let sessions = 0;
+  let misses = 0;
+  try {
+    const accountsRoot = resolveAccountsRoot();
+    if (!accountsRoot) {
+      logTeeLog(`[log-tee] adherence-check window=24h sessions=0 misses=0 ts=${isoTs()} note=accounts-root-unresolved`);
+      return;
+    }
+    const sessionKeysOnDisk = collectSessionKeysFromOpenStreams();
+    sessions = sessionKeysOnDisk.size;
+    for (const key of sessionKeysOnDisk) {
+      if (!resolveStreamLogPath(accountsRoot, key)) {
+        misses++;
+        emitMissingOnResolve(key, "adherence-check", "file-not-on-disk");
+      }
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logTeeLog(`[log-tee] adherence-check-err reason=${JSON.stringify(msg.slice(0, 120))}`);
+    return;
+  }
+  const ms = Date.now() - start;
+  logTeeLog(`[log-tee] adherence-check window=24h sessions=${sessions} misses=${misses} ms=${ms} ts=${isoTs()}`);
+}
+function collectSessionKeysFromOpenStreams() {
+  const keys = /* @__PURE__ */ new Set();
+  for (const entry of openStreamLogs.values()) {
+    keys.add(entry.sessionKey);
+  }
+  return keys;
+}
+function resolveAccountsRoot() {
+  const envRoot = process.env.ADHERENCE_INSTALL_DIR;
+  if (envRoot) return resolve(envRoot, "data", "accounts");
+  const platformRoot2 = process.env.MAXY_PLATFORM_ROOT;
+  if (platformRoot2) return resolve(platformRoot2, "..", "data", "accounts");
+  return resolve(process.cwd(), "..", "..", "data", "accounts");
+}
+function resolveStreamLogPath(accountsRoot, sessionKey) {
+  let entries;
+  try {
+    entries = readdirSync(accountsRoot);
+  } catch {
+    return null;
+  }
+  for (const acct of entries) {
+    const logsDir = resolve(accountsRoot, acct, "logs");
+    let logFiles;
+    try {
+      logFiles = readdirSync(logsDir);
+    } catch {
+      continue;
+    }
+    const wanted = `claude-agent-stream-${sessionKey}.log`;
+    if (logFiles.includes(wanted)) return resolve(logsDir, wanted);
+  }
+  return null;
+}
+if (process.env.NODE_ENV !== "test") {
+  installLogTee();
+}
+function sigtermFlushStreamLogs(reason, source) {
+  const ts = (/* @__PURE__ */ new Date()).toISOString();
+  for (const entry of openStreamLogs.values()) {
+    const line = `[${ts}] [server-sigterm] reason=${reason} sessionKey=${entry.sessionKey} name=${entry.name} source=${source}
+`;
+    try {
+      appendFileSync(entry.path, line);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`[server-sigterm-flush-err] path=${entry.path} reason=${msg}`);
+    }
+  }
+}
+function purgeOldLogs(logDir, prefix) {
+  const cutoff = Date.now() - LOG_RETENTION_DAYS * 24 * 60 * 60 * 1e3;
+  let entries;
+  try {
+    entries = readdirSync(logDir);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(`[log-purge-err] readdir dir=${logDir} prefix=${prefix} reason=${msg}`);
+    return;
+  }
+  for (const file of entries) {
+    if (!file.startsWith(prefix)) continue;
+    const filePath = resolve(logDir, file);
+    try {
+      if (statSync(filePath).mtimeMs < cutoff) unlinkSync(filePath);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`[log-purge-err] file=${file} reason=${msg}`);
+    }
+  }
+}
+// app/lib/claude-agent/session-store.ts
+import { createHash, createHmac, randomBytes, timingSafeEqual } from "crypto";
+import { readFileSync as readFileSync3, writeFileSync, mkdirSync as mkdirSync2 } from "fs";
+import { dirname } from "path";
+// app/lib/paths.ts
+import { homedir } from "os";
+import { resolve as resolve2, join } from "path";
+import { existsSync, readFileSync as readFileSync2 } from "fs";
+var configDirName = ".maxy";
+var commercialMode = false;
+var vncDisplayNum = 99;
+var rfbPortNum = 5900;
+var websockifyPortNum = 6080;
+var cdpPortNum = 9222;
+var portSource = "dev-default";
+var platformRoot = process.env.MAXY_PLATFORM_ROOT;
+if (platformRoot) {
+  const brandPath = join(platformRoot, "config", "brand.json");
+  if (existsSync(brandPath)) {
+    let brand;
+    try {
+      brand = JSON.parse(readFileSync2(brandPath, "utf-8"));
+    } catch (err) {
+      const detail = (err instanceof Error ? err.message : String(err)).slice(0, 160);
+      console.error(`[paths] error reason=brand-config-missing path=${brandPath} detail="parse failed: ${detail.replace(/"/g, "'")}"`);
+      throw err;
+    }
+    if (typeof brand.configDir === "string") configDirName = brand.configDir;
+    if (brand.commercialMode === true) commercialMode = true;
+    if (typeof brand.vncDisplay === "number") vncDisplayNum = brand.vncDisplay;
+    const brandLabel = configDirName.replace(/^\./, "");
+    const required = [
+      ["rfbPort", brand.rfbPort],
+      ["websockifyPort", brand.websockifyPort],
+      ["cdpPort", brand.cdpPort]
+    ];
+    for (const [field, value] of required) {
+      if (typeof value !== "number") {
+        const keys = Object.keys(brand).join(",");
+        console.error(`[paths] error reason=cdp-port-unresolved brand=${brandLabel} path=${brandPath} field=${field} json_keys=${keys}`);
+        throw new Error(`brand.json at ${brandPath} missing required field: ${field}`);
+      }
+    }
+    rfbPortNum = brand.rfbPort;
+    websockifyPortNum = brand.websockifyPort;
+    cdpPortNum = brand.cdpPort;
+    portSource = "brand.json";
+  }
+}
+var MAXY_DIR = resolve2(homedir(), configDirName);
+var BRAND_NAME = configDirName.replace(/^\./, "");
+var COMMERCIAL_MODE = commercialMode;
+var VNC_DISPLAY = `:${vncDisplayNum}`;
+var RFB_PORT = rfbPortNum;
+var WEBSOCKIFY_PORT = websockifyPortNum;
+var CDP_PORT = cdpPortNum;
+console.log(
+  `[paths] brand=${configDirName.replace(/^\./, "")} vncDisplay=${vncDisplayNum} rfbPort=${RFB_PORT} websockifyPort=${WEBSOCKIFY_PORT} cdpPort=${CDP_PORT} source=${portSource}`
+);
+var CHROMIUM_PROFILE_DIR = resolve2(homedir(), configDirName, "chromium-profile");
+var PLATFORM_ROOT = process.env.MAXY_PLATFORM_ROOT ?? resolve2(process.cwd(), "..");
+var USERS_FILE = resolve2(MAXY_DIR, "users.json");
+var LOG_DIR = resolve2(MAXY_DIR, "logs");
+var BIN_DIR = resolve2(MAXY_DIR, "bin");
+var REMOTE_PASSWORD_FILE = resolve2(MAXY_DIR, ".remote-password");
+var REMOTE_SESSION_SECRET_FILE = resolve2(MAXY_DIR, "credentials", "remote-session-secret");
+var ADMIN_SESSION_SECRET_FILE = resolve2(MAXY_DIR, "credentials", "admin-session-secret");
+var TELEGRAM_WEBHOOK_SECRET_FILE = resolve2(MAXY_DIR, ".telegram-webhook-secret");
+var TELEGRAM_ADMIN_WEBHOOK_SECRET_FILE = resolve2(MAXY_DIR, ".telegram-admin-webhook-secret");
+var CLAUDE_CREDENTIALS_FILE = resolve2(MAXY_DIR, ".claude", ".credentials.json");
+// app/lib/claude-agent/session-store.ts
+function findFirstSubstantiveUserMessage(turns) {
+  for (const t of turns) {
+    if (t.role !== "user") continue;
+    if (isMessageUseful(t.content)) return t.content;
+  }
+  return null;
+}
+var sessionStore = /* @__PURE__ */ new Map();
+function getSession(cacheKey) {
+  return sessionStore.get(cacheKey);
+}
+setSessionStoreRef(sessionStore);
+var TOKEN_PREFIX = "v1.";
+var TOKEN_VERSION = "adm";
+var TOKEN_TTL_MS = 24 * 60 * 60 * 1e3;
+var TOKEN_SECRET_BYTES = 32;
+var TOKEN_NONCE_BYTES = 16;
+var cachedAdminSecret = null;
+function getAdminSessionSecret() {
+  if (cachedAdminSecret) return cachedAdminSecret;
+  try {
+    const hex2 = readFileSync3(ADMIN_SESSION_SECRET_FILE, "utf-8").trim();
+    if (hex2.length === TOKEN_SECRET_BYTES * 2) {
+      cachedAdminSecret = Buffer.from(hex2, "hex");
+      return cachedAdminSecret;
+    }
+  } catch {
+  }
+  const fresh = randomBytes(TOKEN_SECRET_BYTES).toString("hex");
+  try {
+    mkdirSync2(dirname(ADMIN_SESSION_SECRET_FILE), { recursive: true, mode: 448 });
+    writeFileSync(ADMIN_SESSION_SECRET_FILE, fresh, { mode: 384, flag: "wx" });
+  } catch {
+  }
+  let hex;
+  try {
+    hex = readFileSync3(ADMIN_SESSION_SECRET_FILE, "utf-8").trim();
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`admin-session-secret unreadable at ${ADMIN_SESSION_SECRET_FILE}: ${msg}`);
+  }
+  cachedAdminSecret = Buffer.from(hex, "hex");
+  return cachedAdminSecret;
+}
+function base64urlEncode(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlDecode(s) {
+  const padded = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - s.length % 4) % 4);
+  return Buffer.from(padded, "base64");
+}
+function signDigest(payloadJson, secret) {
+  return createHmac("sha256", secret).update(payloadJson).digest();
+}
+function fingerprintSessionKey(raw) {
+  if (typeof raw !== "string" || !raw) return raw;
+  if (/^sk_[a-f0-9]{16}$/.test(raw)) return raw;
+  if (!raw.startsWith("v1.")) return raw;
+  return `sk_${createHash("sha256").update(raw).digest("hex").slice(0, 16)}`;
+}
+function mintAdminSessionToken(identity) {
+  const payload = {
+    v: TOKEN_VERSION,
+    a: identity.accountId,
+    u: identity.userId,
+    c: Date.now(),
+    n: randomBytes(TOKEN_NONCE_BYTES).toString("hex")
+  };
+  const payloadJson = JSON.stringify(payload);
+  const payloadB64 = base64urlEncode(Buffer.from(payloadJson, "utf-8"));
+  const sigB64 = base64urlEncode(signDigest(payloadJson, getAdminSessionSecret()));
+  return `${TOKEN_PREFIX}${payloadB64}.${sigB64}`;
+}
+function parseAdminSessionToken(token) {
+  if (!token.startsWith(TOKEN_PREFIX)) return null;
+  const rest = token.slice(TOKEN_PREFIX.length);
+  const dot = rest.indexOf(".");
+  if (dot === -1) return null;
+  const payloadB64 = rest.slice(0, dot);
+  const sigB64 = rest.slice(dot + 1);
+  if (!payloadB64 || !sigB64) return null;
+  let payloadJson;
+  let providedDigest;
+  try {
+    payloadJson = base64urlDecode(payloadB64).toString("utf-8");
+    providedDigest = base64urlDecode(sigB64);
+  } catch {
+    return null;
+  }
+  const expectedDigest = signDigest(payloadJson, getAdminSessionSecret());
+  if (providedDigest.length !== expectedDigest.length || !timingSafeEqual(providedDigest, expectedDigest)) {
+    return null;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(payloadJson);
+  } catch {
+    return null;
+  }
+  if (!parsed || typeof parsed !== "object") return null;
+  const p = parsed;
+  if (p.v !== TOKEN_VERSION) return null;
+  if (typeof p.a !== "string" || !p.a) return null;
+  if (typeof p.u !== "string" || !p.u) return null;
+  if (typeof p.c !== "number" || !Number.isFinite(p.c)) return null;
+  if (typeof p.n !== "string" || !p.n) return null;
+  return p;
+}
+function tryRehydrateAdminSession(cacheKey, signedToken) {
+  const payload = parseAdminSessionToken(signedToken);
+  if (!payload) return { kind: "invalid-token" };
+  const ageMs = Date.now() - payload.c;
+  if (ageMs > TOKEN_TTL_MS) return { kind: "expired", ageMs };
+  sessionStore.set(cacheKey, {
+    createdAt: Date.now(),
+    agentType: "admin",
+    accountId: payload.a,
+    userId: payload.u,
+    wantsPriorConversation: true
+  });
+  console.log(`[session-rehydrate-from-token] cacheKey=${cacheKey.slice(0, 12)}\u2026 accountId=${payload.a.slice(0, 8)} userId=${payload.u.slice(0, 8)} ageMs=${ageMs}`);
+  return { kind: "ok", payload, ageMs };
+}
+function setWantsPriorConversation(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (session) session.wantsPriorConversation = true;
+}
+function consumeWantsPriorConversation(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session || !session.wantsPriorConversation) return false;
+  delete session.wantsPriorConversation;
+  return true;
+}
+function registerSession(cacheKey, agentType, accountId, agentName, userId, userName, role) {
+  const existing = sessionStore.get(cacheKey);
+  if (existing) {
+    existing.agentType = agentType;
+    existing.accountId = accountId;
+    existing.agentName = agentName ?? existing.agentName;
+    existing.userId = userId ?? existing.userId;
+    existing.userName = userName ?? existing.userName;
+    existing.role = role ?? existing.role;
+    return;
+  }
+  sessionStore.set(cacheKey, { createdAt: Date.now(), agentType, accountId, agentName, userId, userName, role });
+}
+function registerResumedSession(cacheKey, accountId, agentName, conversationId, messages) {
+  const messageHistory = messages.map((m) => ({
+    role: m.role,
+    content: m.content,
+    timestamp: m.timestamp ?? Date.now()
+  }));
+  sessionStore.set(cacheKey, {
+    createdAt: Date.now(),
+    agentType: "public",
+    accountId,
+    agentName,
+    conversationId,
+    messageHistory
+  });
+}
+function getSessionMessages(cacheKey) {
+  return sessionStore.get(cacheKey)?.messageHistory;
+}
+function clearSessionHistory(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) return void 0;
+  const previousConversationId = session.conversationId;
+  session.agentSessionId = void 0;
+  session.pendingCompactionSummary = void 0;
+  session.stalledSubagents = void 0;
+  session.pendingTrimmedMessages = void 0;
+  session.pendingCommitmentOffers = void 0;
+  session.pendingTurns = void 0;
+  session.stallResume = void 0;
+  session.assistantTurnCount = void 0;
+  return previousConversationId;
+}
+function bufferPendingTurn(cacheKey, turn) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) {
+    console.error(`[conversation-gate] bufferPendingTurn: session not found cacheKey=${cacheKey.slice(0, 8)}\u2026`);
+    return;
+  }
+  if (!session.pendingTurns) session.pendingTurns = [];
+  session.pendingTurns.push(turn);
+  console.log(`[conversation-gate] ${(/* @__PURE__ */ new Date()).toISOString()} buffered cacheKey=${cacheKey.slice(0, 8)} role=${turn.role} turnCount=${session.pendingTurns.filter((t) => t.role === "user").length}`);
+}
+function getPendingTurnCount(cacheKey) {
+  const buf = sessionStore.get(cacheKey)?.pendingTurns;
+  if (!buf) return 0;
+  let n = 0;
+  for (const t of buf) if (t.role === "user") n++;
+  return n;
+}
+function drainPendingTurns(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session?.pendingTurns || session.pendingTurns.length === 0) return void 0;
+  const drained = session.pendingTurns;
+  session.pendingTurns = void 0;
+  return drained;
+}
+function isFlushError(o) {
+  return o !== null && "error" in o;
+}
+async function maybeFlushConversationBuffer(cacheKey, agentType, accountId) {
+  const sk8 = cacheKey.slice(0, 8);
+  const session = sessionStore.get(cacheKey);
+  if (!session) {
+    console.log(`[admin/conversation-flush] cacheKey=${sk8} agentType=${agentType} result=missing-session`);
+    return { error: "missing-session" };
+  }
+  if (session.conversationId) {
+    console.log(`[admin/conversation-flush] cacheKey=${sk8} agentType=${agentType} result=already-flushed conversationId=${session.conversationId.slice(0, 8)}`);
+    return { conversationId: session.conversationId, buffered: [] };
+  }
+  const bufferedCount = session.pendingTurns?.length ?? 0;
+  if (bufferedCount === 0) {
+    console.log(`[admin/conversation-flush] cacheKey=${sk8} agentType=${agentType} result=empty-buffer`);
+    return null;
+  }
+  if (session.flushInFlight) return session.flushInFlight;
+  const attempt = (async () => {
+    let conversationId = null;
+    if (agentType === "admin") {
+      const userId = session.userId;
+      if (!userId) {
+        console.error(`[admin/conversation-flush] cacheKey=${sk8} agentType=admin result=missing-userId bufferedCount=${bufferedCount}`);
+        return { error: "missing-userId" };
+      }
+      conversationId = await createNewAdminConversation(userId, accountId, cacheKey, session.userName);
+    } else {
+      conversationId = (await ensureConversation(accountId, "public", cacheKey, void 0, session.agentName, void 0)).conversationId;
+    }
+    if (!conversationId) {
+      console.error(`[admin/conversation-flush] cacheKey=${sk8} agentType=${agentType} result=writer-failed bufferedCount=${bufferedCount}`);
+      return { error: "writer-failed" };
+    }
+    session.conversationId = conversationId;
+    if (agentType === "admin" && session.agentSessionId) {
+      setConversationAgentSessionId(conversationId, session.agentSessionId).catch(() => {
+      });
+    }
+    const buffered = drainPendingTurns(cacheKey) ?? [];
+    for (const turn of buffered) {
+      persistMessage(conversationId, turn.role, turn.content, accountId, turn.tokens, turn.timestamp, turn.sender, turn.components, turn.attachments).catch((err) => {
+        console.error(`[admin/conversation-flush] replay persistMessage failed role=${turn.role}: ${err instanceof Error ? err.message : String(err)}`);
+      });
+    }
+    console.log(`[admin/conversation-flush] cacheKey=${sk8} agentType=${agentType} result=ok conversationId=${conversationId.slice(0, 8)} bufferedMessages=${buffered.length}`);
+    return { conversationId, buffered };
+  })();
+  session.flushInFlight = attempt;
+  try {
+    return await attempt;
+  } finally {
+    if (session.flushInFlight === attempt) session.flushInFlight = void 0;
+  }
+}
+function isDmChannelCacheKey(cacheKey) {
+  return cacheKey.startsWith("whatsapp:") || cacheKey.startsWith("telegram:");
+}
+function getAgentNameForSession(cacheKey) {
+  return sessionStore.get(cacheKey)?.agentName;
+}
+function listAdminSessionsInProgress(accountId, userId) {
+  const rows = [];
+  for (const [cacheKey, session] of Array.from(sessionStore.entries())) {
+    if (session.agentType !== "admin") continue;
+    if (session.accountId !== accountId) continue;
+    if (session.userId !== userId) continue;
+    if (session.conversationId) continue;
+    rows.push({ cacheKey, createdAt: session.createdAt });
+  }
+  rows.sort((a, b) => b.createdAt - a.createdAt);
+  return rows;
+}
+function validateSession(cacheKey, agentType, signedSessionToken) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) {
+    if (agentType === "admin" && signedSessionToken) {
+      const outcome = tryRehydrateAdminSession(cacheKey, signedSessionToken);
+      if (outcome.kind === "ok") return { ok: true };
+      if (outcome.kind === "expired") return { ok: false, reason: "session-expired-age" };
+    }
+    return { ok: false, reason: "session-not-registered" };
+  }
+  if (session.agentType !== agentType) return { ok: false, reason: "agent-type-mismatch" };
+  if (Date.now() - session.createdAt > 24 * 60 * 60 * 1e3) {
+    sessionStore.delete(cacheKey);
+    return { ok: false, reason: "session-expired-age" };
+  }
+  if (session.grantExpiresAt && Date.now() > session.grantExpiresAt) {
+    sessionStore.delete(cacheKey);
+    return { ok: false, reason: "grant-expired" };
+  }
+  return { ok: true };
+}
+function storeAgentSessionId(cacheKey, agentSessionId) {
+  const session = sessionStore.get(cacheKey);
+  if (session) {
+    session.agentSessionId = agentSessionId;
+    console.error(`[session-store] storeAgentSessionId cacheKey=${cacheKey.slice(0, 12)}\u2026 sessionId=${agentSessionId.slice(0, 8)}\u2026`);
+    if (session.agentType === "admin" && session.conversationId) {
+      setConversationAgentSessionId(session.conversationId, agentSessionId).catch(() => {
+      });
+    }
+  } else {
+    console.error(`[session-store] storeAgentSessionId SKIPPED \u2014 no session entry cacheKey=${cacheKey.slice(0, 12)}\u2026 sessionId=${agentSessionId.slice(0, 8)}\u2026`);
+  }
+}
+function getAgentSessionId(cacheKey) {
+  return sessionStore.get(cacheKey)?.agentSessionId;
+}
+function setAgentSessionId(cacheKey, agentSessionId) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) return false;
+  session.agentSessionId = agentSessionId;
+  return true;
+}
+function storePendingCompactionSummary(cacheKey, summary) {
+  const session = sessionStore.get(cacheKey);
+  if (session) session.pendingCompactionSummary = summary;
+}
+function consumePendingCompactionSummary(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) return void 0;
+  const summary = session.pendingCompactionSummary;
+  delete session.pendingCompactionSummary;
+  return summary;
+}
+function getAccountIdForSession(cacheKey) {
+  return sessionStore.get(cacheKey)?.accountId;
+}
+function getUserIdForSession(cacheKey) {
+  return sessionStore.get(cacheKey)?.userId;
+}
+function getUserNameForSession(cacheKey) {
+  return sessionStore.get(cacheKey)?.userName;
+}
+function getRoleForSession(cacheKey) {
+  return sessionStore.get(cacheKey)?.role;
+}
+function getConversationIdForSession(cacheKey) {
+  return sessionStore.get(cacheKey)?.conversationId;
+}
+function getSessionKeyByConversationId(conversationId) {
+  for (const [cacheKey, session] of sessionStore.entries()) {
+    if (session.conversationId === conversationId) return cacheKey;
+  }
+  return void 0;
+}
+function setConversationIdForSession(cacheKey, conversationId) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) return false;
+  session.conversationId = conversationId;
+  return true;
+}
+function unregisterSession(cacheKey) {
+  return sessionStore.delete(cacheKey);
+}
+function getGroupSlugForSession(cacheKey) {
+  return sessionStore.get(cacheKey)?.groupSlug;
+}
+function getVisitorIdForSession(cacheKey) {
+  return sessionStore.get(cacheKey)?.visitorId;
+}
+function setGroupContextForSession(cacheKey, context) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) return false;
+  session.groupSlug = context.groupSlug;
+  session.groupName = context.groupName;
+  session.conversationId = context.conversationId;
+  session.visitorId = context.visitorId;
+  session.senderDisplayName = context.senderDisplayName;
+  return true;
+}
+function registerGrantSession(cacheKey, accountId, agentName, opts) {
+  sessionStore.set(cacheKey, {
+    createdAt: Date.now(),
+    agentType: "public",
+    accountId,
+    agentName,
+    grantId: opts.grantId,
+    grantExpiresAt: opts.grantExpiresAt,
+    grantStatus: opts.grantStatus,
+    grantDisplayName: opts.grantDisplayName,
+    grantContactValue: opts.grantContactValue,
+    setupRequired: opts.setupRequired
+  });
+}
+function getGrantForSession(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session?.grantId) return void 0;
+  return {
+    grantId: session.grantId,
+    grantExpiresAt: session.grantExpiresAt,
+    grantStatus: session.grantStatus,
+    grantDisplayName: session.grantDisplayName,
+    grantContactValue: session.grantContactValue,
+    setupRequired: session.setupRequired
+  };
+}
+function completeGrantSetup(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (session) {
+    session.setupRequired = false;
+    session.grantStatus = "active";
+  }
+}
+function getMessageHistory(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) return [];
+  if (!session.messageHistory) session.messageHistory = [];
+  return session.messageHistory;
+}
+function appendMessage(cacheKey, role, content, timestamp) {
+  if (!content) return;
+  const session = sessionStore.get(cacheKey);
+  if (!session) {
+    console.error(`[managed] appendMessage: session not found for key ${cacheKey.slice(0, 8)}\u2026 (store size: ${sessionStore.size})`);
+    return;
+  }
+  if (!session.messageHistory) session.messageHistory = [];
+  session.messageHistory.push({ role, content, timestamp: timestamp ?? Date.now() });
+}
+function storePendingTrimmedMessages(cacheKey, messages) {
+  const session = sessionStore.get(cacheKey);
+  if (session) session.pendingTrimmedMessages = messages;
+}
+function consumePendingTrimmedMessages(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) return void 0;
+  const messages = session.pendingTrimmedMessages;
+  delete session.pendingTrimmedMessages;
+  return messages;
+}
+function storeStalledSubagent(cacheKey, info) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) {
+    console.error(`[stall-recovery] storeStalledSubagent: session not found for key ${cacheKey.slice(0, 8)}\u2026 \u2014 stall context lost`);
+    return;
+  }
+  if (!session.stalledSubagents) session.stalledSubagents = [];
+  session.stalledSubagents.push(info);
+}
+function consumeStalledSubagents(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) return void 0;
+  const stalls = session.stalledSubagents;
+  delete session.stalledSubagents;
+  return stalls && stalls.length > 0 ? stalls : void 0;
+}
+function setPendingCommitmentOffers(cacheKey, offers) {
+  const session = sessionStore.get(cacheKey);
+  if (session) session.pendingCommitmentOffers = offers;
+}
+function getAgentTypeForSession(cacheKey) {
+  return sessionStore.get(cacheKey)?.agentType;
+}
+function clearMessageHistory(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (session) session.messageHistory = [];
+}
+var clearAgentSessionIdHandlers = [];
+function onClearAgentSessionId(handler) {
+  clearAgentSessionIdHandlers.push(handler);
+}
+var evictPoolHandlers = [];
+function onEvictPool(handler) {
+  evictPoolHandlers.push(handler);
+}
+function clearAgentSessionId(cacheKey, reason) {
+  const session = sessionStore.get(cacheKey);
+  if (session) {
+    session.agentSessionId = void 0;
+    session.lastClearReason = reason;
+    console.error(`[session-store] clearAgentSessionId cacheKey=${cacheKey.slice(0, 12)}\u2026 reason=${reason}`);
+  } else {
+    console.error(`[session-store] clearAgentSessionId SKIPPED \u2014 no session entry cacheKey=${cacheKey.slice(0, 12)}\u2026 reason=${reason}`);
+  }
+  for (const handler of clearAgentSessionIdHandlers) {
+    try {
+      handler(cacheKey, reason);
+    } catch (err) {
+      console.error(`[session-store] clearAgentSessionId handler threw: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+}
+function evictPool(cacheKey, reason) {
+  for (const handler of evictPoolHandlers) {
+    try {
+      handler(cacheKey, reason);
+    } catch (err) {
+      console.error(`[session-store] evictPool handler threw: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+}
+function storeRecoveryHandoff(cacheKey, info) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) {
+    console.error(`[recovery-handoff] storeRecoveryHandoff: session not found for key ${cacheKey.slice(0, 8)}\u2026 \u2014 handoff context lost reason=${info.reason}`);
+    return;
+  }
+  session.recoveryHandoff = { reason: info.reason, summary: info.summary, createdAt: Date.now() };
+}
+function consumeRecoveryHandoff(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session?.recoveryHandoff) return void 0;
+  const handoff = session.recoveryHandoff;
+  delete session.recoveryHandoff;
+  delete session.lastClearReason;
+  return handoff;
+}
+function getLastClearReason(cacheKey) {
+  return sessionStore.get(cacheKey)?.lastClearReason;
+}
+function clearLastClearReason(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (session) delete session.lastClearReason;
+}
+function storeStallResume(cacheKey, info) {
+  const session = sessionStore.get(cacheKey);
+  if (!session) {
+    console.error(`[stall-resume] storeStallResume: session not found for key ${cacheKey.slice(0, 8)}\u2026 \u2014 resume context lost kind=${info.kind}`);
+    return;
+  }
+  session.stallResume = { ...info, createdAt: Date.now() };
+}
+function consumeStallResume(cacheKey) {
+  const session = sessionStore.get(cacheKey);
+  if (!session?.stallResume) return void 0;
+  const payload = session.stallResume;
+  delete session.stallResume;
+  return payload;
+}
+// app/lib/claude-agent/client-pool.ts
+var AsyncQueue = class {
+  buffer = [];
+  resolvers = [];
+  closed = false;
+  push(item) {
+    if (this.closed) return;
+    const resolver = this.resolvers.shift();
+    if (resolver) resolver({ value: item, done: false });
+    else this.buffer.push(item);
+  }
+  close() {
+    if (this.closed) return;
+    this.closed = true;
+    while (this.resolvers.length > 0) {
+      const r = this.resolvers.shift();
+      r({ value: void 0, done: true });
+    }
+  }
+  [Symbol.asyncIterator]() {
+    return {
+      next: () => new Promise((resolve3) => {
+        if (this.buffer.length > 0) {
+          resolve3({ value: this.buffer.shift(), done: false });
+        } else if (this.closed) {
+          resolve3({ value: void 0, done: true });
+        } else {
+          this.resolvers.push(resolve3);
+        }
+      }),
+      return: async () => {
+        this.close();
+        return { value: void 0, done: true };
+      }
+    };
+  }
+};
+var clientPool = /* @__PURE__ */ new Map();
+var DEFAULT_IDLE_MS = 30 * 60 * 1e3;
+var idleEvictMs = (() => {
+  const v = Number(process.env.CLAUDE_CLIENT_IDLE_MS);
+  return Number.isFinite(v) && v > 0 ? v : DEFAULT_IDLE_MS;
+})();
+var ABORT_SDK_TIMEOUT_MS = 2e3;
+function acquireClient(cacheKey, opts, streamLog) {
+  const existing = clientPool.get(cacheKey);
+  if (existing) {
+    existing.lastUsedAt = Date.now();
+    existing.turnsServed += 1;
+    safeWrite(
+      streamLog,
+      `[${isoTs()}] [client-warm-reuse] cacheKey=${sk(cacheKey)} ageMs=${Date.now() - existing.createdAt} turnsServed=${existing.turnsServed} cachedTokens=${existing.cachedTokensLastTurn}
+`
+    );
+    return { entry: existing, isCold: false };
+  }
+  const userQueue = new AsyncQueue();
+  const abortController = new AbortController();
+  let q;
+  try {
+    const sdkOptions = opts.buildSdkOptions();
+    q = query({ prompt: userQueue, options: { ...sdkOptions, abortController } });
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    safeWrite(
+      streamLog,
+      `[${isoTs()}] [client-spawn-error] cacheKey=${sk(cacheKey)} reason=${JSON.stringify(reason.slice(0, 200))}
+`
+    );
+    throw err;
+  }
+  const entry = {
+    query: q,
+    userQueue,
+    abortController,
+    inflight: null,
+    createdAt: Date.now(),
+    lastUsedAt: Date.now(),
+    turnsServed: 1,
+    resumedFromSessionId: opts.resumedFromSessionId,
+    cachedTokensLastTurn: -1,
+    accountId: opts.accountId,
+    accountDir: opts.accountDir,
+    logKey: opts.logKey
+  };
+  clientPool.set(cacheKey, entry);
+  safeWrite(
+    streamLog,
+    `[${isoTs()}] [client-cold-create] cacheKey=${sk(cacheKey)} resumedFrom=${opts.resumedFromSessionId ?? "none"} createdAtMs=${entry.createdAt}
+`
+  );
+  safeWrite(
+    streamLog,
+    `[${isoTs()}] [client-sdk-argv] cacheKey=${sk(cacheKey)} cwd=${opts.accountDir} resume=${opts.resumedFromSessionId ?? "none"} configDir=${process.env.CLAUDE_CONFIG_DIR ?? "<unset>"}
+`
+  );
+  return { entry, isCold: true };
+}
+function pushUserMessage(entry, content) {
+  const msg = {
+    type: "user",
+    message: { role: "user", content },
+    parent_tool_use_id: null
+  };
+  entry.userQueue.push(msg);
+}
+function pushUserToolResult(entry, toolUseId, content, isError = false) {
+  const msg = {
+    type: "user",
+    message: {
+      role: "user",
+      content: [{ type: "tool_result", tool_use_id: toolUseId, content, is_error: isError }]
+    },
+    parent_tool_use_id: null
+  };
+  entry.userQueue.push(msg);
+}
+function setInflight(entry, promise) {
+  entry.inflight = promise;
+  promise.finally(() => {
+    if (entry.inflight === promise) entry.inflight = null;
+  }).catch(() => {
+  });
+}
+function recordCachedTokens(entry, cachedTokens) {
+  entry.cachedTokensLastTurn = cachedTokens;
+}
+function getActiveClient(cacheKey) {
+  return clientPool.get(cacheKey);
+}
+function appendAbortLine(entry, line) {
+  const path = resolvePath(entry.accountDir, "logs", `claude-agent-stream-${entry.logKey}.log`);
+  try {
+    appendFileSync2(path, line);
+  } catch {
+  }
+  console.error(line.trimEnd());
+}
+async function interruptClient(cacheKey, _streamLog) {
+  void _streamLog;
+  const entry = clientPool.get(cacheKey);
+  if (!entry) return;
+  const startedAt = Date.now();
+  let resolved = false;
+  const timeout = new Promise(
+    (resolve3) => setTimeout(() => resolve3("timeout"), ABORT_SDK_TIMEOUT_MS)
+  );
+  const sdkAbort = entry.query.interrupt().then(() => {
+    resolved = true;
+    return "ok";
+  }).catch((err) => {
+    resolved = true;
+    return { error: err instanceof Error ? err.message : String(err) };
+  });
+  const result = await Promise.race([sdkAbort, timeout]);
+  const durationMs = Date.now() - startedAt;
+  if (result === "timeout" && !resolved) {
+    appendAbortLine(
+      entry,
+      `[${isoTs()}] [client-abort] cacheKey=${sk(cacheKey)} method=signal durationMs=${durationMs}
+`
+    );
+    evictClient(cacheKey, "abort-signal-fallback", null);
+    return;
+  }
+  if (typeof result === "object" && "error" in result) {
+    appendAbortLine(
+      entry,
+      `[${isoTs()}] [client-abort] cacheKey=${sk(cacheKey)} method=sdk durationMs=${durationMs} error=${JSON.stringify(result.error.slice(0, 120))}
+`
+    );
+    evictClient(cacheKey, "abort-error", null);
+    return;
+  }
+  appendAbortLine(
+    entry,
+    `[${isoTs()}] [client-abort] cacheKey=${sk(cacheKey)} method=sdk durationMs=${durationMs}
+`
+  );
+}
+function evictClient(cacheKey, reason, streamLog) {
+  const entry = clientPool.get(cacheKey);
+  if (!entry) return false;
+  const ageMs = Date.now() - entry.createdAt;
+  clientPool.delete(cacheKey);
+  try {
+    entry.userQueue.close();
+  } catch {
+  }
+  try {
+    entry.query.close();
+  } catch {
+  }
+  const line = `[${isoTs()}] [client-evict] reason=${reason} cacheKey=${sk(cacheKey)} ageMs=${ageMs} turnsServed=${entry.turnsServed}
+`;
+  if (streamLog) {
+    safeWrite(streamLog, line);
+  } else {
+    appendAbortLine(entry, line);
+  }
+  return true;
+}
+function acquireOneShotClient(cacheKey, opts, streamLog) {
+  const userQueue = new AsyncQueue();
+  const abortController = new AbortController();
+  let q;
+  try {
+    const sdkOptions = opts.buildSdkOptions();
+    q = query({ prompt: userQueue, options: { ...sdkOptions, abortController } });
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : String(err);
+    safeWrite(
+      streamLog,
+      `[${isoTs()}] [client-spawn-error] cacheKey=${sk(cacheKey)} site=compaction-one-shot reason=${JSON.stringify(reason.slice(0, 200))}
+`
+    );
+    throw err;
+  }
+  const entry = {
+    query: q,
+    userQueue,
+    abortController,
+    inflight: null,
+    createdAt: Date.now(),
+    lastUsedAt: Date.now(),
+    turnsServed: 1,
+    resumedFromSessionId: opts.resumedFromSessionId,
+    cachedTokensLastTurn: -1,
+    accountId: opts.accountId,
+    accountDir: opts.accountDir,
+    logKey: opts.logKey
+  };
+  safeWrite(
+    streamLog,
+    `[${isoTs()}] [client-cold-create] reason=compaction-one-shot cacheKey=${sk(cacheKey)} createdAtMs=${entry.createdAt}
+`
+  );
+  let evicted = false;
+  const evict = (reason) => {
+    if (evicted) return;
+    evicted = true;
+    const ageMs = Date.now() - entry.createdAt;
+    try {
+      entry.userQueue.close();
+    } catch {
+    }
+    try {
+      entry.query.close();
+    } catch {
+    }
+    safeWrite(
+      streamLog,
+      `[${isoTs()}] [client-evict] reason=${reason} cacheKey=${sk(cacheKey)} ageMs=${ageMs}
+`
+    );
+  };
+  return { entry, evict };
+}
+function recordCrash(cacheKey, reason, streamLog) {
+  const entry = clientPool.get(cacheKey);
+  if (!entry) return;
+  const tail = JSON.stringify(reason.slice(-512));
+  clientPool.delete(cacheKey);
+  try {
+    entry.userQueue.close();
+  } catch {
+  }
+  try {
+    entry.query.close();
+  } catch {
+  }
+  safeWrite(
+    streamLog,
+    `[${isoTs()}] [client-crash] cacheKey=${sk(cacheKey)} reason=${JSON.stringify(reason.slice(0, 80))} tail=${tail}
+`
+  );
+}
+var IDLE_TICK_MS = 6e4;
+var idleTickHandle = null;
+function evictIdleTick() {
+  const now = Date.now();
+  for (const [cacheKey, entry] of Array.from(clientPool.entries())) {
+    if (entry.inflight !== null) continue;
+    if (now - entry.lastUsedAt < idleEvictMs) continue;
+    const ageMs = now - entry.createdAt;
+    clientPool.delete(cacheKey);
+    try {
+      entry.userQueue.close();
+    } catch {
+    }
+    try {
+      entry.query.close();
+    } catch {
+    }
+    console.error(
+      `[${isoTs()}] [client-evict] reason=idle cacheKey=${sk(cacheKey)} ageMs=${ageMs} idleMs=${now - entry.lastUsedAt} turnsServed=${entry.turnsServed}`
+    );
+  }
+}
+function startIdleEvictTick() {
+  if (idleTickHandle) return;
+  idleTickHandle = setInterval(evictIdleTick, IDLE_TICK_MS);
+  if (idleTickHandle.unref) idleTickHandle.unref();
+}
+function stopIdleEvictTick() {
+  if (idleTickHandle) {
+    clearInterval(idleTickHandle);
+    idleTickHandle = null;
+  }
+}
+startIdleEvictTick();
+onClearAgentSessionId((cacheKey, reason) => {
+  const entry = clientPool.get(cacheKey);
+  if (!entry) return;
+  const ageMs = Date.now() - entry.createdAt;
+  clientPool.delete(cacheKey);
+  try {
+    entry.userQueue.close();
+  } catch {
+  }
+  try {
+    entry.query.close();
+  } catch {
+  }
+  console.error(
+    `[${isoTs()}] [client-evict] reason=clearAgentSessionId-${reason} cacheKey=${sk(cacheKey)} ageMs=${ageMs} turnsServed=${entry.turnsServed}`
+  );
+});
+onEvictPool((cacheKey, reason) => {
+  const entry = clientPool.get(cacheKey);
+  if (!entry) return;
+  const ageMs = Date.now() - entry.createdAt;
+  clientPool.delete(cacheKey);
+  try {
+    entry.userQueue.close();
+  } catch {
+  }
+  try {
+    entry.query.close();
+  } catch {
+  }
+  console.error(
+    `[${isoTs()}] [client-evict] reason=evictPool-${reason} cacheKey=${sk(cacheKey)} ageMs=${ageMs} turnsServed=${entry.turnsServed}`
+  );
+});
+function sk(cacheKey) {
+  return cacheKey.length > 12 ? cacheKey.slice(0, 12) + "\u2026" : cacheKey;
+}
+function safeWrite(stream, line) {
+  if (!stream || stream.destroyed) return;
+  if (stream.writableEnded) return;
+  try {
+    stream.write(line);
+  } catch {
+  }
+}
+function _poolSnapshotForTest() {
+  const now = Date.now();
+  return Array.from(clientPool.entries()).map(([cacheKey, entry]) => ({
+    cacheKey,
+    ageMs: now - entry.createdAt,
+    idleMs: now - entry.lastUsedAt,
+    turnsServed: entry.turnsServed,
+    inflight: entry.inflight !== null
+  }));
+}
+function _evictAllForTest(reason = "test-tear-down") {
+  for (const cacheKey of Array.from(clientPool.keys())) {
+    const entry = clientPool.get(cacheKey);
+    if (!entry) continue;
+    clientPool.delete(cacheKey);
+    try {
+      entry.userQueue.close();
+    } catch {
+    }
+    try {
+      entry.query.close();
+    } catch {
+    }
+  }
+  void reason;
+}
+export {
+  MAXY_DIR,
+  BRAND_NAME,
+  COMMERCIAL_MODE,
+  VNC_DISPLAY,
+  RFB_PORT,
+  WEBSOCKIFY_PORT,
+  CDP_PORT,
+  CHROMIUM_PROFILE_DIR,
+  USERS_FILE,
+  LOG_DIR,
+  BIN_DIR,
+  REMOTE_PASSWORD_FILE,
+  REMOTE_SESSION_SECRET_FILE,
+  TELEGRAM_WEBHOOK_SECRET_FILE,
+  TELEGRAM_ADMIN_WEBHOOK_SECRET_FILE,
+  CLAUDE_CREDENTIALS_FILE,
+  findFirstSubstantiveUserMessage,
+  getSession,
+  fingerprintSessionKey,
+  mintAdminSessionToken,
+  setWantsPriorConversation,
+  consumeWantsPriorConversation,
+  registerSession,
+  registerResumedSession,
+  getSessionMessages,
+  clearSessionHistory,
+  bufferPendingTurn,
+  getPendingTurnCount,
+  drainPendingTurns,
+  isFlushError,
+  maybeFlushConversationBuffer,
+  isDmChannelCacheKey,
+  getAgentNameForSession,
+  listAdminSessionsInProgress,
+  validateSession,
+  storeAgentSessionId,
+  getAgentSessionId,
+  setAgentSessionId,
+  storePendingCompactionSummary,
+  consumePendingCompactionSummary,
+  getAccountIdForSession,
+  getUserIdForSession,
+  getUserNameForSession,
+  getRoleForSession,
+  getConversationIdForSession,
+  getSessionKeyByConversationId,
+  setConversationIdForSession,
+  unregisterSession,
+  getGroupSlugForSession,
+  getVisitorIdForSession,
+  setGroupContextForSession,
+  registerGrantSession,
+  getGrantForSession,
+  completeGrantSetup,
+  getMessageHistory,
+  appendMessage,
+  storePendingTrimmedMessages,
+  consumePendingTrimmedMessages,
+  storeStalledSubagent,
+  consumeStalledSubagents,
+  setPendingCommitmentOffers,
+  getAgentTypeForSession,
+  clearMessageHistory,
+  clearAgentSessionId,
+  evictPool,
+  storeRecoveryHandoff,
+  consumeRecoveryHandoff,
+  getLastClearReason,
+  clearLastClearReason,
+  storeStallResume,
+  consumeStallResume,
+  isoTs,
+  isBrowserTool,
+  runFailureDiagnostic,
+  agentLogStream,
+  emitMissingOnResolve,
+  sigtermFlushStreamLogs,
+  acquireClient,
+  pushUserMessage,
+  pushUserToolResult,
+  setInflight,
+  recordCachedTokens,
+  getActiveClient,
+  interruptClient,
+  evictClient,
+  acquireOneShotClient,
+  recordCrash,
+  startIdleEvictTick,
+  stopIdleEvictTick,
+  _poolSnapshotForTest,
+  _evictAllForTest
+};