@rubytech/create-maxy 1.0.885 → 1.0.887

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-maxy",
-  "version": "1.0.885",
+  "version": "1.0.887",
   "description": "Install Maxy — AI for Productive People",
   "bin": {
     "create-maxy": "./dist/index.js"

package/payload/platform/neo4j/schema.cypher

@@ -498,9 +498,16 @@ OPTIONS {
 CREATE CONSTRAINT message_id_unique IF NOT EXISTS
 FOR (m:Message) REQUIRE m.messageId IS UNIQUE;
 
+// Task 1007 — Message.sessionKey is the canonical conversation pointer.
+// The legacy m.conversationId index stays until follow-up Task 1011 (final
+// cutover, after the full code-rename slice lands and no path reads
+// m.conversationId).
 CREATE INDEX message_conversation IF NOT EXISTS
 FOR (m:Message) ON (m.conversationId);
 
+CREATE INDEX message_session_key IF NOT EXISTS
+FOR (m:Message) ON (m.sessionKey);
+
 CREATE VECTOR INDEX message_embedding IF NOT EXISTS
 FOR (m:Message) ON (m.embedding)
 OPTIONS {

package/payload/platform/plugins/admin/PLUGIN.md

@@ -52,7 +52,7 @@ Tools are available via the `admin` MCP server.
 
 `logs-read { type: "agent-stream" }` is the canonical name for the per-conversation tool-use/tool-result archive previously called `system`; both names work and the legacy alias is preserved.
 
-**Stream log is the primary diagnostic surface for an in-progress session.** Every stream log is named by sessionKey and exists from the first token. The parent-process console fan-out tee in [`platform/ui/app/lib/claude-agent/logging.ts`](../../ui/app/lib/claude-agent/logging.ts) appends every `[<tag>]`-prefixed `console.error` / `console.log` line to every active session's stream log alongside `server.log`. For diagnosing an in-session issue (WhatsApp inbound, Cloudflare action, persist write, baileys error), call `logs-read { sessionKey: "<…>" }` first — the stream log carries both the agent lifecycle AND the parent-process events that occurred during the session window. The `conversationId` parameter remains a legacy alias resolving to the same sessionKey-named file. `logs-read { type: "server" }` is the cross-session escape hatch for events outside any single session window.
+**Stream log is the primary diagnostic surface for an in-progress session.** Every stream log is named by sessionKey and the stream-log file exists from the first token. The first-token invariant is bound by `platform/scripts/__tests__/first-token-creates-stream-log.test.sh`: one operator turn, one token, `claude-agent-stream-<sessionKey>.log` exists and contains the token bytes after the byte returns to the operator. The parent-process console fan-out tee in [`platform/ui/app/lib/claude-agent/logging.ts`](../../ui/app/lib/claude-agent/logging.ts) appends every `[<tag>]`-prefixed `console.error` / `console.log` line to every active session's stream log alongside `server.log`. For diagnosing an in-session issue (WhatsApp inbound, Cloudflare action, persist write, baileys error), call `logs-read { sessionKey: "<…>" }` first — the stream log carries both the agent lifecycle AND the parent-process events that occurred during the session window. The `conversationId` parameter remains a legacy alias resolving to the same sessionKey-named file. `logs-read { type: "server" }` is the cross-session escape hatch for events outside any single session window.
 
 ## Skills
 

package/payload/platform/plugins/docs/references/troubleshooting.md

@@ -1,5 +1,13 @@
 # Troubleshooting
 
+## Stream-log file for a fresh session is absent or empty
+
+**Symptom:** Operator opens a new admin session, sends one turn, sees the agent reply, then `logs-read sessionKey=<…>` returns `file-not-found` or zero bytes.
+
+**Invariant:** For every new session, the stream-log file exists on disk and contains the token bytes from the moment the first token returns to the operator. The first-token invariant is bound by `platform/scripts/__tests__/first-token-creates-stream-log.test.sh`: one operator turn, one token, `claude-agent-stream-<sessionKey>.log` exists and contains the token bytes — pass iff file present and bytes present.
+
+**Diagnose if it ever recurs:** run `bash platform/scripts/__tests__/first-token-creates-stream-log.test.sh` from the install. Pass = invariant holds; any other exit = the writer-side existence contract is broken and one `[log-tee] missing-on-resolve sessionKey=<8> surface=<…>` line on `server.log` is the operator-visible signal (P0).
+
 ## Browser navigation to a local file (`file://`) used to time out for two minutes
 
 **Symptom:** Older versions of the platform's admin agent would attempt `browser_navigate file:///path/to.html`, hit Playwright's silent two-minute timeout, then guess fixed ports (8080 / 3000 / 8000 / 9000) and report `ERR_CONNECTION_REFUSED` for each before someone manually started a local HTTP server.

package/payload/platform/scripts/__tests__/first-token-creates-stream-log.test.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# Task 1011 — the binding test for the first-token invariant.
+#
+# Invariant: for every new session, at the moment the first token is
+# emitted, the stream-log file for that session exists on disk and contains
+# that token's bytes. Tasks 1006/1008/1010 each shipped a partial slice;
+# this test fixes the invariant itself to one assertion.
+#
+# The .test.sh entrypoint is the operator-facing surface — runnable from a
+# bash prompt, from boot smoke, and from any CI runner that has `node` on
+# PATH. The contract assertions live in the vitest spec at:
+#   platform/ui/server/routes/admin/__tests__/first-token-creates-stream-log.test.ts
+#
+# That spec exercises the live chat-route handler, the live appendFileSync
+# writer, and a live filesystem (mkdtempSync tmpdir). The only seams
+# substituted are upstream of the writer: the agent SDK invocation, the
+# session-store identity lookups, and the Neo4j createConversation
+# roundtrip. None of those are the writer the invariant binds.
+#
+# Exit codes:
+#   0  test passed — file present, token bytes present
+#   1  test failed — file absent OR token bytes absent
+#   2  vitest binary not resolvable from platform/ui
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+UI_DIR="$(cd "$SCRIPT_DIR/../../ui" && pwd)"
+SPEC_REL="server/routes/admin/__tests__/first-token-creates-stream-log.test.ts"
+
+if [[ ! -f "$UI_DIR/$SPEC_REL" ]]; then
+  echo "FATAL: vitest spec missing at $UI_DIR/$SPEC_REL" >&2
+  exit 2
+fi
+
+cd "$UI_DIR"
+exec npx --no-install vitest run "$SPEC_REL" --reporter=verbose

package/payload/platform/scripts/__tests__/logs-read-prefix.sh

@@ -172,12 +172,63 @@ case_every_per_session_type() {
   return 0
 }
 
+# Task 1010 — sk_<hex16> writer-side format from Task 1008 must resolve via
+# the underscore-bearing regex `^[a-zA-Z0-9_-]+$`. Pre-1010 the regex
+# rejected `_`, leaving every post-1008 stream log unretrievable.
+case_sk_underscore_prefix_resolves() {
+  local root="/tmp/maxy-prefix-test-7-$$"
+  local script
+  script=$(setup_install_tree "$root")
+  local logdir="$root/data/accounts/acct-test/logs"
+  local sk="sk_16e0eeb035cf52ef"
+  echo "sentinel-sk" > "$logdir/claude-agent-stream-${sk}.log"
+
+  local rc=0
+  local stdout
+  stdout=$("$script" "sk_16e0e" agent-stream 2>/dev/null) || rc=$?
+  cleanup_install_tree "$root"
+
+  [[ $rc -eq 0 ]] || { echo "  expected exit 0, got $rc"; return 1; }
+  [[ "$stdout" == *"sentinel-sk"* ]] || { echo "  missing sentinel"; return 1; }
+  return 0
+}
+
+# Task 1010 — shell metacharacters must still be rejected. The regex widen
+# adds `_` only; `;`, `*`, `$`, `?`, `[` etc. must still hit the reject path
+# and exit 2, otherwise user input would escape literal matching in the glob.
+# Also asserts the `[logs-read] regex-rejected` observability line lands in
+# server.log so the adherence runner can see writer/reader divergence.
+case_shell_metachar_still_rejected() {
+  local root="/tmp/maxy-prefix-test-8-$$"
+  local script
+  script=$(setup_install_tree "$root")
+  local server_log="$HOME/.$(basename "$root")/logs/server.log"
+  : > "$server_log"
+
+  local rc=0
+  "$script" "abc;rm" agent-stream >/dev/null 2>/tmp/prefix-stderr-8-$$ || rc=$?
+  local stderr
+  stderr=$(cat /tmp/prefix-stderr-8-$$)
+  rm -f /tmp/prefix-stderr-8-$$
+  local server_log_contents
+  server_log_contents=$(cat "$server_log" 2>/dev/null || echo "")
+  cleanup_install_tree "$root"
+
+  [[ $rc -eq 2 ]] || { echo "  expected exit 2, got $rc"; return 1; }
+  [[ "$stderr" == *"invalid characters"* ]] || { echo "  stderr missing 'invalid characters': $stderr"; return 1; }
+  [[ "$server_log_contents" == *"[logs-read] regex-rejected"* ]] || { echo "  server.log missing regex-rejected line: $server_log_contents"; return 1; }
+  [[ "$server_log_contents" == *"sample=;"* ]] || { echo "  server.log missing sample=;: $server_log_contents"; return 1; }
+  return 0
+}
+
 run_case "8-char prefix resolves full sessionKey file"   case_8char_prefix_resolves_full
 run_case "ambiguous prefix refuses to pick"              case_ambiguous_prefix_refuses
 run_case "more-specific prefix disambiguates"            case_more_specific_prefix_resolves
 run_case "zero matches → file-not-found"                 case_zero_match_miss
 run_case "full 36-char sessionKey resolves"              case_full_sessionkey_resolves
 run_case "every per-session type resolves"               case_every_per_session_type
+run_case "Task 1010: sk_ underscore prefix resolves"     case_sk_underscore_prefix_resolves
+run_case "Task 1010: shell metacharacter still rejected" case_shell_metachar_still_rejected
 
 echo ""
 echo "================================================"

package/payload/platform/scripts/check-no-conversation-id-leaks.mjs

@@ -0,0 +1,165 @@
+#!/usr/bin/env node
+// Task 1007 build-time gate: prevents NEW files from gaining a `conversationId` /
+// `sessionId` reference while the 146-file rename slice is in progress.
+//
+// The legacy identifiers are being collapsed into the single canonical
+// `sessionKey`. This sprint shipped the schema-side load-bearing pieces
+// (backfill, new index, boot-time adherence probe) plus the core lib rename.
+// The mechanical tail (routes, MCP plugin parameters, UI props, WhatsApp,
+// tests, specialist templates) is split across follow-up tasks 1009 and 1010.
+//
+// During the transition window, every file currently containing the legacy
+// identifiers is named in `conversation-id-allowlist.txt`. Each follow-up
+// rename PR removes file paths from the allowlist as those files are migrated.
+// This gate fails if:
+//   (a) a file NOT in the allowlist contains any of the four legacy tokens, or
+//   (b) the allowlist references a path that no longer exists (stale entry).
+//
+// Once tasks 1009 and 1010 land, the allowlist is empty; the gate then enforces
+// the task's outcome contract (zero hits anywhere outside .tasks/archive/).
+
+import { readFileSync, readdirSync, statSync, existsSync } from 'node:fs'
+import { dirname, join, relative, basename } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const SCRIPT_DIR = dirname(fileURLToPath(import.meta.url))
+const REPO_ROOT = join(SCRIPT_DIR, '..', '..')
+const ALLOWLIST_PATH = join(SCRIPT_DIR, 'conversation-id-allowlist.txt')
+
+const SCAN_ROOTS = [
+  join(REPO_ROOT, 'platform'),
+  join(REPO_ROOT, 'packages'),
+  join(REPO_ROOT, 'brands'),
+  join(REPO_ROOT, '.docs'),
+  join(REPO_ROOT, '.claude', 'skills'),
+]
+
+const ALLOWED_EXTS = new Set([
+  '.sh', '.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs',
+  '.md', '.cypher', '.json',
+])
+const SKIP_DIR_NAMES = new Set([
+  'node_modules', 'dist', 'build', '.next', 'payload',
+])
+const SKIP_PATH_FRAGMENTS = ['.tasks/archive/']
+
+// Whole-word matches only — avoids hits inside longer identifiers like
+// `agentSessionId` (Claude Agent SDK per-process session, intentionally kept)
+// and `conversationIdentity` (ConversationArchive hash key, unrelated).
+const LEGACY_TOKEN_RE = /\b(?:conversationId|sessionId|CONVERSATION_ID|SESSION_ID)\b/
+
+// Comment-line skip — matches the convention in check-no-task-id-leaks.mjs.
+// Comments that *describe* the legacy field (inside the migration code itself,
+// or inline docstrings explaining the rename) are not new executing code
+// introducing the token, so they don't trip the gate.
+function isCommentLine(line) {
+  const trimmed = line.replace(/^\s+/, '')
+  if (trimmed.startsWith('#')) return true
+  if (trimmed.startsWith('//')) return true
+  if (trimmed.startsWith('/*')) return true
+  if (trimmed.startsWith('*')) return true
+  if (trimmed.startsWith('{/*')) return true
+  return false
+}
+
+function loadAllowlist() {
+  if (!existsSync(ALLOWLIST_PATH)) return new Set()
+  const text = readFileSync(ALLOWLIST_PATH, 'utf-8')
+  return new Set(
+    text.split('\n')
+      .map(l => l.trim())
+      .filter(l => l && !l.startsWith('#'))
+  )
+}
+
+function shouldScanFile(filePath) {
+  const name = basename(filePath)
+  const ext = name.includes('.') ? '.' + name.split('.').pop() : ''
+  if (!ALLOWED_EXTS.has(ext)) return false
+  const rel = relative(REPO_ROOT, filePath)
+  for (const frag of SKIP_PATH_FRAGMENTS) {
+    if (rel.includes(frag)) return false
+  }
+  return true
+}
+
+function* walk(root) {
+  let entries
+  try { entries = readdirSync(root) } catch { return }
+  for (const name of entries) {
+    if (SKIP_DIR_NAMES.has(name)) continue
+    const full = join(root, name)
+    let st
+    try { st = statSync(full) } catch { continue }
+    if (st.isDirectory()) {
+      yield* walk(full)
+    } else if (st.isFile()) {
+      yield full
+    }
+  }
+}
+
+const allowlist = loadAllowlist()
+const newLeaks = []
+const hitFiles = new Set()
+
+for (const root of SCAN_ROOTS) {
+  if (!existsSync(root)) continue
+  for (const file of walk(root)) {
+    if (!shouldScanFile(file)) continue
+    let content
+    try { content = readFileSync(file, 'utf-8') } catch { continue }
+    if (!LEGACY_TOKEN_RE.test(content)) continue
+    const rel = relative(REPO_ROOT, file)
+    const lines = content.split('\n')
+    // For non-allowlisted files: only flag hits in non-comment lines. For
+    // allowlisted files: any hit counts (so the allowlist accurately tracks
+    // the surface still using the legacy name, comments and code alike).
+    if (allowlist.has(rel)) {
+      hitFiles.add(rel)
+      continue
+    }
+    let firstLine = 0, firstText = ''
+    for (let i = 0; i < lines.length; i++) {
+      if (!LEGACY_TOKEN_RE.test(lines[i])) continue
+      if (isCommentLine(lines[i])) continue
+      firstLine = i + 1
+      firstText = lines[i].trim().slice(0, 120)
+      break
+    }
+    if (firstLine > 0) {
+      newLeaks.push({ file: rel, line: firstLine, content: firstText })
+    }
+  }
+}
+
+// Stale allowlist entries: files in the allowlist that no longer have a hit
+// (renamed already, or no longer exist) — remove them.
+const staleAllowlistEntries = [...allowlist].filter(p => !hitFiles.has(p))
+
+let failed = false
+
+if (newLeaks.length > 0) {
+  failed = true
+  console.error(`check-no-conversation-id-leaks: ${newLeaks.length} NEW file(s) introduced legacy identifier(s):`)
+  for (const leak of newLeaks) {
+    console.error(`  ${leak.file}:${leak.line}: ${leak.content}`)
+  }
+  console.error('')
+  console.error('The single canonical identifier is `sessionKey`. New code must use it.')
+  console.error('Legacy tokens: conversationId, sessionId, CONVERSATION_ID, SESSION_ID.')
+  console.error('Follow-up tasks 1009 + 1010 are migrating existing files off the allowlist.')
+}
+
+if (staleAllowlistEntries.length > 0) {
+  failed = true
+  console.error('')
+  console.error(`check-no-conversation-id-leaks: ${staleAllowlistEntries.length} stale allowlist entry(ies) — remove from platform/scripts/conversation-id-allowlist.txt:`)
+  for (const entry of staleAllowlistEntries) {
+    console.error(`  ${entry}`)
+  }
+}
+
+if (failed) process.exit(1)
+
+console.error(`check-no-conversation-id-leaks: ok (${allowlist.size} files in transition allowlist; 0 new leaks)`)

package/payload/platform/scripts/conversation-id-allowlist.txt

@@ -0,0 +1,151 @@
+.docs/agents.md
+.docs/conversation-archive.md
+.docs/deployment.md
+.docs/mcp-servers.md
+.docs/neo4j.md
+.docs/observability.md
+.docs/platform.md
+.docs/web-chat.md
+.docs/whatsapp.md
+platform/lib/graph-mcp/src/index.ts
+platform/lib/graph-trash/src/index.ts
+platform/lib/graph-write/src/__tests__/audit.test.ts
+platform/lib/graph-write/src/audit.ts
+platform/neo4j/schema.cypher
+platform/plugins/admin/PLUGIN.md
+platform/plugins/admin/hooks/__tests__/archive-ingest-surface-gate.test.sh
+platform/plugins/admin/mcp/src/index.ts
+platform/plugins/admin/skills/onboarding/SKILL.md
+platform/plugins/admin/skills/stream-log-review/SKILL.md
+platform/plugins/admin/skills/stream-log-review/references/analysis-patterns.md
+platform/plugins/business-assistant/references/profiling.md
+platform/plugins/contacts/mcp/src/index.ts
+platform/plugins/contacts/mcp/src/tools/contact-erase.ts
+platform/plugins/contacts/mcp/src/tools/contact-export.ts
+platform/plugins/contacts/mcp/src/tools/group-create.ts
+platform/plugins/contacts/mcp/src/tools/group-manage.ts
+platform/plugins/docs/references/admin-session.md
+platform/plugins/docs/references/contacts-guide.md
+platform/plugins/docs/references/internals.md
+platform/plugins/docs/references/platform.md
+platform/plugins/docs/references/plugins-guide.md
+platform/plugins/docs/references/troubleshooting.md
+platform/plugins/linkedin-import/skills/linkedin-import/SKILL.md
+platform/plugins/linkedin-import/skills/linkedin-import/references/connections.md
+platform/plugins/memory/bin/conversation-archive-ingest.mjs
+platform/plugins/memory/bin/conversation-archive-ingest.sh
+platform/plugins/memory/mcp/scripts/boot-smoke.sh
+platform/plugins/memory/mcp/scripts/graph/fixture.cypher
+platform/plugins/memory/mcp/src/index.ts
+platform/plugins/memory/mcp/src/lib/graph-prune.ts
+platform/plugins/memory/mcp/src/tools/conversation-archive-derive-insights.ts
+platform/plugins/memory/mcp/src/tools/conversation-archive-enrich-rejection.ts
+platform/plugins/memory/mcp/src/tools/conversation-memory-expunge.ts
+platform/plugins/memory/mcp/src/tools/memory-archive-write.ts
+platform/plugins/memory/mcp/src/tools/memory-find-candidates.ts
+platform/plugins/memory/mcp/src/tools/memory-ingest.ts
+platform/plugins/memory/mcp/src/tools/profile-update.ts
+platform/plugins/memory/references/graph-primitives.md
+platform/plugins/memory/references/schema-base.md
+platform/plugins/memory/skills/conversation-archive/SKILL.md
+platform/plugins/memory/skills/conversational-memory/SKILL.md
+platform/plugins/memory/skills/document-ingest/SKILL.md
+platform/plugins/scheduling/mcp/src/index.ts
+platform/plugins/tasks/.mcp.json
+platform/plugins/tasks/mcp/src/index.ts
+platform/plugins/tasks/mcp/src/tools/project-create.ts
+platform/plugins/tasks/mcp/src/tools/session-list.ts
+platform/plugins/waitlist/mcp/src/index.ts
+platform/plugins/waitlist/mcp/src/tools/__tests__/waitlist-persist.test.ts
+platform/plugins/waitlist/mcp/src/tools/waitlist-heal.ts
+platform/plugins/waitlist/mcp/src/tools/waitlist-list.ts
+platform/plugins/waitlist/mcp/src/tools/waitlist-persist.ts
+platform/plugins/waitlist/mcp/src/tools/waitlist-scan.ts
+platform/plugins/waitlist/mcp/src/tools/waitlist-setup.ts
+platform/plugins/whatsapp/PLUGIN.md
+platform/plugins/whatsapp/mcp/src/index.ts
+platform/plugins/workflows/mcp/src/index.ts
+platform/scripts/__tests__/admin-persist-audit.test.ts
+platform/scripts/admin-conversation-recover.mjs
+platform/scripts/admin-persist-audit.ts
+platform/scripts/check-no-conversation-id-leaks.mjs
+platform/scripts/check-sdk-oauth.mjs
+platform/scripts/component-knowledgedoc-backfill.ts
+platform/scripts/seed-neo4j.sh
+platform/templates/agents/admin/IDENTITY.md
+platform/templates/specialists/agents/database-operator.md
+platform/ui/__tests__/form-spawn-tailer.test.ts
+platform/ui/app/AdminModals.tsx
+platform/ui/app/ChatActionsMenu.tsx
+platform/ui/app/ChatFooter.tsx
+platform/ui/app/ConversationRowActions.tsx
+platform/ui/app/Sidebar.tsx
+platform/ui/app/__tests__/buildSessionLogsUrl.test.ts
+platform/ui/app/admin/components/CloudflareSetupForm.tsx
+platform/ui/app/graph/__tests__/display-helpers.test.ts
+platform/ui/app/graph/__tests__/zoom-tier-colour-stability.test.ts
+platform/ui/app/graph/display-helpers.ts
+platform/ui/app/lib/__tests__/admin-conversation-create.test.ts
+platform/ui/app/lib/__tests__/admin-persist-observability.test.ts
+platform/ui/app/lib/__tests__/claude-agent-loop-stop.test.ts
+platform/ui/app/lib/__tests__/conversation-deferred-persistence.test.ts
+platform/ui/app/lib/__tests__/ensure-conversation-handled-by.test.ts
+platform/ui/app/lib/__tests__/graph-trash-conversation-cascade.test.ts
+platform/ui/app/lib/__tests__/jsonl-replay.test.ts
+platform/ui/app/lib/__tests__/load-user-profile-sparse.test.ts
+platform/ui/app/lib/__tests__/neo4j-store-autolabel.test.ts
+platform/ui/app/lib/__tests__/neo4j-store-persist-message.test.ts
+platform/ui/app/lib/admin-sse-registry.ts
+platform/ui/app/lib/attachments.ts
+platform/ui/app/lib/claude-agent/admin-agent.ts
+platform/ui/app/lib/claude-agent/compaction.ts
+platform/ui/app/lib/claude-agent/dispatcher.ts
+platform/ui/app/lib/claude-agent/jsonl-replay.ts
+platform/ui/app/lib/claude-agent/logging.ts
+platform/ui/app/lib/claude-agent/memory-context.ts
+platform/ui/app/lib/claude-agent/public-agent.ts
+platform/ui/app/lib/claude-agent/session-store.ts
+platform/ui/app/lib/claude-agent/spawn-env.ts
+platform/ui/app/lib/claude-agent/stream-parser.ts
+platform/ui/app/lib/client-event.ts
+platform/ui/app/lib/cloudflare-setup-types.ts
+platform/ui/app/lib/cloudflare-task-tracker.ts
+platform/ui/app/lib/logs-read-resolve.ts
+platform/ui/app/lib/neo4j-store.ts
+platform/ui/app/lib/paths.ts
+platform/ui/app/lib/useConversationRename.ts
+platform/ui/app/lib/useLogsPopover.ts
+platform/ui/app/lib/vnc.ts
+platform/ui/app/lib/whatsapp/__tests__/ensure-conversation.test.ts
+platform/ui/app/lib/whatsapp/__tests__/persist-message.test.ts
+platform/ui/app/lib/whatsapp/ensure-conversation.ts
+platform/ui/app/lib/whatsapp/manager.ts
+platform/ui/app/lib/whatsapp/persist-message.ts
+platform/ui/app/page.tsx
+platform/ui/app/public/MessageList.tsx
+platform/ui/app/public/page.tsx
+platform/ui/app/public/types.ts
+platform/ui/app/public/useSession.ts
+platform/ui/app/useAdminAuth.ts
+platform/ui/app/useAdminChat.ts
+platform/ui/server/index.ts
+platform/ui/server/routes/__tests__/whatsapp-conversation-graph-state.test.ts
+platform/ui/server/routes/_helpers.ts
+platform/ui/server/routes/admin/__tests__/browser-iframe-route.test.ts
+platform/ui/server/routes/admin/__tests__/chat-stream-log-path.test.ts
+platform/ui/server/routes/admin/__tests__/cloudflare-tunnels-zero.test.ts
+platform/ui/server/routes/admin/__tests__/graph-search.test.ts
+platform/ui/server/routes/admin/__tests__/graph-subgraph.test.ts
+platform/ui/server/routes/admin/__tests__/logs.test.ts
+platform/ui/server/routes/admin/__tests__/sessions.test.ts
+platform/ui/server/routes/admin/browser-iframe.ts
+platform/ui/server/routes/admin/chat-failure.ts
+platform/ui/server/routes/admin/chat.ts
+platform/ui/server/routes/admin/cloudflare.ts
+platform/ui/server/routes/admin/graph-subgraph.ts
+platform/ui/server/routes/admin/logs.ts
+platform/ui/server/routes/admin/session.ts
+platform/ui/server/routes/admin/sessions.ts
+platform/ui/server/routes/group.ts
+platform/ui/server/routes/session.ts
+platform/ui/server/routes/whatsapp.ts

package/payload/platform/scripts/logs-read.sh

@@ -118,6 +118,16 @@ is_per_conversation_type() {
 SEARCH_TYPES="agent-stream error session public server mcp vnc"
 VALID_TYPES="agent-stream, system, session, error, heartbeat, public, server, mcp, vnc"
 
+# Authoritative sessionKey character set.
+# Writer-side (Task 1008) emits `sk_<hex16>` filenames; the underscore must
+# stay in this regex or every post-1008 file becomes unretrievable
+# (Task 1010). UUID v4 sessionKeys (legacy and current alternate format)
+# also pass. Widening past this set is unsafe: session_key is concatenated
+# into a glob below (`${prefix}${session_key}*.log`), so any character bash
+# treats as a metacharacter (`*`, `?`, `[`, `;`, `$`, etc.) would escape
+# literal matching.
+SESSIONKEY_REGEX='^[a-zA-Z0-9_-]+$'
+
 usage() {
   cat >&2 <<EOF
 Usage:
@@ -172,10 +182,20 @@ per_conversation_mode() {
   fi
 
   # Reject shell metacharacters in session_key — the prefix-match glob below
-  # would otherwise turn user input into a shell pattern. SessionKeys only
-  # contain [a-zA-Z0-9-].
-  if [[ ! "$session_key" =~ ^[a-zA-Z0-9-]+$ ]]; then
-    echo "Error: sessionKey contains invalid characters (allowed: a-z, A-Z, 0-9, -)" >&2
+  # would otherwise turn user input into a shell pattern. SessionKeys are
+  # `sk_<hex16>` (Task 1008) or UUID v4; both fit $SESSIONKEY_REGEX defined
+  # near the top of the script. Task 1010 widened this from `[a-zA-Z0-9-]`
+  # after the Task 1008 underscore-bearing format made every post-1008
+  # session unretrievable.
+  if [[ ! "$session_key" =~ $SESSIONKEY_REGEX ]]; then
+    # Observability: surface the rejection before the operator-visible error
+    # so the adherence runner can prove writer/reader divergence.
+    # Best-effort append; mirrors the missing-on-resolve idiom below.
+    local rej_ts bad_char
+    rej_ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+    bad_char=$(printf '%s' "$session_key" | tr -d 'a-zA-Z0-9_-' | head -c 1)
+    echo "${rej_ts} [logs-read] regex-rejected sessionKey-prefix=${session_key:0:12} regex=${SESSIONKEY_REGEX} sample=${bad_char}" >> "$SERVER_LOG" 2>/dev/null || true
+    echo "Error: sessionKey contains invalid characters (allowed: a-z, A-Z, 0-9, _, -)" >&2
     exit 2
   fi
 

package/payload/platform/scripts/seed-neo4j.sh

@@ -490,6 +490,52 @@ fi
 
 echo "$SCHEMA_CYPHER" | "$CYPHER_SHELL" -u "$NEO4J_USER" -p "$NEO4J_PASSWORD" -a "$NEO4J_URI"
 
+# ------------------------------------------------------------------
+# Task 1007 — sessionKey backfill (idempotent, runs every seed pass).
+#
+# Conversation and Message rows minted before Task 985 carry only
+# `conversationId`. The new canonical identifier is `sessionKey` (same
+# UUID shape). This block copies conversationId → sessionKey on every
+# row where sessionKey is still null, leaving rows that already carry
+# sessionKey untouched. Re-runs are no-ops. The legacy
+# `conversation_id_unique` constraint and `m.conversationId` index
+# stay until the full code-rename slice lands and no path reads the
+# legacy field; the drop happens in Task 1007's open completion scope.
+# ------------------------------------------------------------------
+echo "==> Backfilling sessionKey on :Conversation and :Message..."
+BACKFILL_RESULT=$("$CYPHER_SHELL" -u "$NEO4J_USER" -p "$NEO4J_PASSWORD" -a "$NEO4J_URI" --format plain << 'BACKFILL_EOF'
+MATCH (c:Conversation)
+WHERE c.sessionKey IS NULL AND c.conversationId IS NOT NULL
+SET c.sessionKey = c.conversationId
+RETURN count(c) AS conversations_backfilled;
+MATCH (m:Message)
+WHERE m.sessionKey IS NULL AND m.conversationId IS NOT NULL
+SET m.sessionKey = m.conversationId
+RETURN count(m) AS messages_backfilled;
+MATCH (c:Conversation) WHERE c.sessionKey IS NULL RETURN count(c) AS conversations_null_after;
+MATCH (m:Message) WHERE m.sessionKey IS NULL RETURN count(m) AS messages_null_after;
+BACKFILL_EOF
+)
+# Emit the migration-1007 adherence lines on stderr so they land in server.log
+# the same as every other log line. Non-zero null counts after backfill are P0:
+# they indicate orphan rows that carry neither identifier and need operator
+# attention before the constraint flip in Task 1011.
+echo "$BACKFILL_RESULT" | python3 -c "
+import sys, re
+rows = [r.strip() for r in sys.stdin.read().splitlines() if r.strip() and not r.strip().startswith(('conversations_', 'messages_'))]
+nums = [int(r) for r in rows if re.fullmatch(r'\d+', r)]
+if len(nums) >= 4:
+    conv_bf, msg_bf, conv_null, msg_null = nums[0], nums[1], nums[2], nums[3]
+    print(f'[migration-1007] conversation-row-backfill rows={conv_bf} outcome=ok', file=sys.stderr)
+    print(f'[migration-1007] message-row-backfill rows={msg_bf} outcome=ok', file=sys.stderr)
+    print(f'[migration-1007] adherence-check label=Conversation rows-with-null-sessionkey={conv_null}', file=sys.stderr)
+    print(f'[migration-1007] adherence-check label=Message rows-with-null-sessionkey={msg_null}', file=sys.stderr)
+    if conv_null > 0 or msg_null > 0:
+        print(f'[migration-1007] adherence-check P0=true reason=null-sessionkey-after-backfill', file=sys.stderr)
+else:
+    print(f'[migration-1007] backfill output unparseable rows={len(nums)}', file=sys.stderr)
+"
+
 # ------------------------------------------------------------------
 # 3. Create AdminUser node + ADMIN_OF relationship
 # ------------------------------------------------------------------