@rubytech/create-maxy 1.0.887 → 1.0.889

package/payload/server/maxy-edge.js

@@ -16,7 +16,7 @@ import {
   streamActionEvents,
   vncLog,
   websockifyLog
-} from "./chunk-MOAY7KG2.js";
+} from "./chunk-S65GGO53.js";
 import {
   LOG_DIR,
   WEBSOCKIFY_PORT

package/payload/server/server.js

@@ -42,7 +42,6 @@ import {
   load,
   logPath,
   pickComponentBytes,
-  readBundleSubPlugins,
   reconcileEnabledPlugins,
   recordFailedAttempt,
   render,
@@ -53,7 +52,6 @@ import {
   resolveBrowserTransport,
   resolveClientIp,
   resolveDefaultAgentSlug,
-  resolveEntitlement,
   resolveUserAccounts,
   safeJson,
   sanitizeClientCorrId,
@@ -75,8 +73,9 @@ import {
   verifyRemotePassword,
   vncLog,
   waitForExit,
+  walkPremiumBundles,
   writeChromiumWrapper
-} from "./chunk-MOAY7KG2.js";
+} from "./chunk-S65GGO53.js";
 import {
   CDP_PORT,
   COMMERCIAL_MODE,
@@ -664,8 +663,8 @@ var serveStatic = (options = { root: "" }) => {
 };
 
 // server/index.ts
-import { readFileSync as readFileSync18, existsSync as existsSync24, watchFile } from "fs";
-import { resolve as resolve21, join as join12, basename as basename4 } from "path";
+import { readFileSync as readFileSync19, existsSync as existsSync25, watchFile } from "fs";
+import { resolve as resolve22, join as join12, basename as basename4 } from "path";
 import { homedir as homedir3 } from "os";
 
 // app/lib/agent-slug-pattern.ts
@@ -1309,7 +1308,7 @@ var credsSaveQueue = Promise.resolve();
 async function drainCredsSaveQueue(timeoutMs = 5e3) {
   console.error(`${TAG3} draining credential save queue\u2026`);
   const timer2 = new Promise(
-    (resolve22) => setTimeout(() => resolve22("timeout"), timeoutMs)
+    (resolve23) => setTimeout(() => resolve23("timeout"), timeoutMs)
   );
   const result = await Promise.race([
     credsSaveQueue.then(() => "drained"),
@@ -1437,11 +1436,11 @@ async function createWaSocket(opts) {
   return sock;
 }
 async function waitForConnection(sock) {
-  return new Promise((resolve22, reject) => {
+  return new Promise((resolve23, reject) => {
     const handler = (update) => {
       if (update.connection === "open") {
         sock.ev.off("connection.update", handler);
-        resolve22();
+        resolve23();
       }
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
@@ -1555,14 +1554,14 @@ ${inspected}`;
   return inspect2(err, INSPECT_OPTS2);
 }
 function withTimeout(label, promise, timeoutMs) {
-  return new Promise((resolve22, reject) => {
+  return new Promise((resolve23, reject) => {
     const timer2 = setTimeout(() => {
       reject(new Error(`${label} timed out after ${timeoutMs}ms`));
     }, timeoutMs);
     promise.then(
       (value) => {
         clearTimeout(timer2);
-        resolve22(value);
+        resolve23(value);
       },
       (err) => {
         clearTimeout(timer2);
@@ -2097,8 +2096,8 @@ async function persistWhatsAppMessage(input) {
   const { givenName, familyName } = splitName(input.pushName);
   const prev = sessionWriteLocks.get(input.cacheKey);
   let release;
-  const mine = new Promise((resolve22) => {
-    release = resolve22;
+  const mine = new Promise((resolve23) => {
+    release = resolve23;
   });
   const chained = (prev ?? Promise.resolve()).then(() => mine);
   sessionWriteLocks.set(input.cacheKey, chained);
@@ -3135,11 +3134,11 @@ async function connectWithReconnect(conn) {
       console.error(
         `${TAG13} reconnecting account=${conn.accountId} in ${delay}ms (attempt ${decision.nextAttempts}/${maxAttempts})`
       );
-      await new Promise((resolve22) => {
-        const timer2 = setTimeout(resolve22, delay);
+      await new Promise((resolve23) => {
+        const timer2 = setTimeout(resolve23, delay);
         conn.abortController.signal.addEventListener("abort", () => {
           clearTimeout(timer2);
-          resolve22();
+          resolve23();
         }, { once: true });
       });
     }
@@ -3147,16 +3146,16 @@ async function connectWithReconnect(conn) {
   }
 }
 function waitForDisconnectEvent(conn) {
-  return new Promise((resolve22) => {
+  return new Promise((resolve23) => {
     if (!conn.sock) {
-      resolve22();
+      resolve23();
       return;
     }
     const sock = conn.sock;
     const handler = (update) => {
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
-        resolve22();
+        resolve23();
       }
     };
     sock.ev.on("connection.update", handler);
@@ -3418,8 +3417,8 @@ async function handleInboundMessage(conn, msg) {
     const conversationKey = isGroup ? remoteJid : senderPhone;
     const debounceKey = `${conn.accountId}:${conversationKey}:${senderPhone}`;
     let resolvePending;
-    const sttPending = new Promise((resolve22) => {
-      resolvePending = resolve22;
+    const sttPending = new Promise((resolve23) => {
+      resolvePending = resolve23;
     });
     if (conn.debouncer) conn.debouncer.registerPending(debounceKey, sttPending);
     try {
@@ -3540,20 +3539,20 @@ async function probeApiKey() {
   return result.status;
 }
 function checkPort(port2, timeoutMs = 500) {
-  return new Promise((resolve22) => {
+  return new Promise((resolve23) => {
     const socket = createConnection(port2, "127.0.0.1");
     socket.setTimeout(timeoutMs);
     socket.once("connect", () => {
       socket.destroy();
-      resolve22(true);
+      resolve23(true);
     });
     socket.once("error", () => {
       socket.destroy();
-      resolve22(false);
+      resolve23(false);
     });
     socket.once("timeout", () => {
       socket.destroy();
-      resolve22(false);
+      resolve23(false);
     });
   });
 }
@@ -5644,8 +5643,8 @@ async function startLogin(opts) {
   resetActiveLogin(accountId);
   let resolveQr = null;
   let rejectQr = null;
-  const qrPromise = new Promise((resolve22, reject) => {
-    resolveQr = resolve22;
+  const qrPromise = new Promise((resolve23, reject) => {
+    resolveQr = resolve23;
     rejectQr = reject;
   });
   const qrTimer = setTimeout(
@@ -9557,8 +9556,8 @@ app23.get("/tunnels", requireAdminSession, async (c) => {
   if (!correlationId) return err("session", "No active conversation for session \u2014 refresh chat.");
   streamLogPath = streamLogPathFor(accountId, correlationId).streamLogPath;
   const certPath = resolve13(homedir2(), brand.configDir, "cloudflared", "cert.pem");
-  const { existsSync: existsSync25 } = await import("fs");
-  if (!existsSync25(certPath)) {
+  const { existsSync: existsSync26 } = await import("fs");
+  if (!existsSync26(certPath)) {
     return err("cert", `Cloudflare origin certificate is not on disk yet (${certPath}). Complete the Cloudflare login first by submitting the form once \u2014 the OAuth flow writes cert.pem.`);
   }
   const result = await runFormSpawn({
@@ -12935,8 +12934,232 @@ function startGraphHealthTimer() {
   if (typeof timer.unref === "function") timer.unref();
 }
 
+// ../lib/entitlement/src/index.ts
+import { createPublicKey, createHash as createHash3, verify as cryptoVerify } from "crypto";
+import { existsSync as existsSync24, readFileSync as readFileSync18, statSync as statSync8 } from "fs";
+import { resolve as resolve21 } from "path";
+
+// ../lib/entitlement/src/canonicalize.ts
+function canonicalize(value) {
+  if (value === null) return "null";
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "string") return JSON.stringify(value);
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) {
+      throw new Error(`canonicalize: non-finite number rejected (${value})`);
+    }
+    if (Object.is(value, -0)) {
+      throw new Error("canonicalize: negative zero rejected");
+    }
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return "[" + value.map(canonicalize).join(",") + "]";
+  }
+  if (typeof value === "object") {
+    const keys = Object.keys(value).sort();
+    const parts = [];
+    for (const k of keys) {
+      parts.push(JSON.stringify(k) + ":" + canonicalize(value[k]));
+    }
+    return "{" + parts.join(",") + "}";
+  }
+  throw new Error(`canonicalize: unsupported value type ${typeof value}`);
+}
+
+// ../lib/entitlement/src/index.ts
+var PUBKEY_SHA256 = "8eee6bcb33545fd13b16d3199a5735ca5db5062834c7b49dfe4f23801d99db79";
+var GRACE_DAYS = 7;
+var GRACE_MS = GRACE_DAYS * 24 * 60 * 60 * 1e3;
+function pubkeyPath(brand) {
+  return resolve21(brand.platformRoot, "lib", "entitlement", "rubytech-pubkey.pem");
+}
+var memo = null;
+function memoKey(mtimeMs, account) {
+  const bucket = Math.floor(Date.now() / 6e4);
+  return `${mtimeMs}:${bucket}:${account.accountId}:${account.customerEmail ?? ""}`;
+}
+var VALID_TIERS = /* @__PURE__ */ new Set(["solo", "family", "pro"]);
+function resolveEntitlement(brand, account) {
+  if (brand.commercialMode !== true) {
+    return logResolved(implicitTrust(account), null);
+  }
+  const entitlementPath = resolve21(brand.configDir, "entitlement.json");
+  if (!existsSync24(entitlementPath)) {
+    return logResolved(anonymousFallback("missing"), { reason: "missing" });
+  }
+  const stat6 = statSync8(entitlementPath);
+  const key = memoKey(stat6.mtimeMs, account);
+  if (memo && memo.key === key) {
+    return memo.result;
+  }
+  const result = verifyAndResolve(brand, entitlementPath, account);
+  memo = { key, result };
+  return result;
+}
+function verifyAndResolve(brand, entitlementPath, account) {
+  let pubkeyPem;
+  try {
+    pubkeyPem = readFileSync18(pubkeyPath(brand), "utf-8");
+  } catch (err) {
+    return logResolved(anonymousFallback("pubkey-missing"), {
+      reason: "pubkey-missing"
+    });
+  }
+  const pubkeyHash = createHash3("sha256").update(pubkeyPem).digest("hex");
+  if (pubkeyHash !== PUBKEY_SHA256) {
+    return logResolved(anonymousFallback("pubkey-tamper"), {
+      reason: "pubkey-tamper"
+    });
+  }
+  let envelope;
+  try {
+    envelope = JSON.parse(readFileSync18(entitlementPath, "utf-8"));
+  } catch {
+    return logResolved(anonymousFallback("malformed"), { reason: "malformed" });
+  }
+  if (typeof envelope !== "object" || envelope === null || typeof envelope.signature !== "string" || typeof envelope.payload !== "object" || envelope.payload === null) {
+    return logResolved(anonymousFallback("malformed"), { reason: "malformed" });
+  }
+  const payload = envelope.payload;
+  const signatureB64 = envelope.signature;
+  let pubkey;
+  try {
+    pubkey = createPublicKey(pubkeyPem);
+  } catch {
+    return logResolved(anonymousFallback("pubkey-malformed"), {
+      reason: "pubkey-malformed"
+    });
+  }
+  let canonical;
+  try {
+    canonical = canonicalize(payload);
+  } catch {
+    return logResolved(anonymousFallback("payload-shape"), {
+      reason: "payload-shape"
+    });
+  }
+  let sigBuf;
+  try {
+    sigBuf = Buffer.from(signatureB64, "base64");
+  } catch {
+    return logResolved(anonymousFallback("signature-encoding"), {
+      reason: "signature-encoding"
+    });
+  }
+  const ok = cryptoVerify(null, Buffer.from(canonical, "utf-8"), pubkey, sigBuf);
+  if (!ok) {
+    return logResolved(anonymousFallback("signature"), { reason: "signature" });
+  }
+  if (typeof payload.accountId !== "string" || payload.accountId !== account.accountId) {
+    return logResolved(anonymousFallback("binding-account"), {
+      reason: "binding-account"
+    });
+  }
+  const signedEmail = typeof payload.customerEmail === "string" ? payload.customerEmail : void 0;
+  if (signedEmail !== void 0 || account.customerEmail !== void 0) {
+    if (signedEmail !== account.customerEmail) {
+      return logResolved(anonymousFallback("binding-email"), {
+        reason: "binding-email"
+      });
+    }
+  }
+  const issuedRaw = payload.issued;
+  const expiresRaw = payload.expires;
+  if (typeof issuedRaw !== "string" || typeof expiresRaw !== "string") {
+    return logResolved(anonymousFallback("temporal-shape"), {
+      reason: "temporal-shape"
+    });
+  }
+  const issued = Date.parse(issuedRaw);
+  const expires = Date.parse(expiresRaw);
+  const now = Date.now();
+  if (Number.isNaN(issued) || Number.isNaN(expires)) {
+    return logResolved(anonymousFallback("temporal-shape"), {
+      reason: "temporal-shape"
+    });
+  }
+  if (issued > now) {
+    return logResolved(anonymousFallback("clock-skew"), {
+      reason: "clock-skew"
+    });
+  }
+  const tier = typeof payload.tier === "string" ? payload.tier : "";
+  if (!VALID_TIERS.has(tier)) {
+    return logResolved(anonymousFallback("tier-shape"), { reason: "tier-shape" });
+  }
+  const purchased = Array.isArray(payload.purchasedPlugins) ? payload.purchasedPlugins.filter((s) => typeof s === "string") : [];
+  if (now <= expires) {
+    return logResolved(
+      {
+        tier,
+        purchasedPlugins: purchased,
+        source: "signed",
+        issued: issuedRaw,
+        expires: expiresRaw
+      },
+      maybeTamperLine(account, tier)
+    );
+  }
+  if (now <= expires + GRACE_MS) {
+    return logResolved(
+      {
+        tier,
+        purchasedPlugins: purchased,
+        source: "signed-grace",
+        issued: issuedRaw,
+        expires: expiresRaw
+      },
+      maybeTamperLine(account, tier)
+    );
+  }
+  return logResolved(anonymousFallback("expired"), { reason: "expired" });
+}
+function implicitTrust(account) {
+  const tier = typeof account.tier === "string" ? account.tier : "";
+  const purchased = Array.isArray(account.purchasedPlugins) ? account.purchasedPlugins : [];
+  return {
+    tier,
+    purchasedPlugins: purchased,
+    source: "implicit-trust",
+    issued: null,
+    expires: null
+  };
+}
+function anonymousFallback(_reason) {
+  return {
+    tier: "solo",
+    purchasedPlugins: [],
+    source: "anonymous-fallback",
+    issued: null,
+    expires: null
+  };
+}
+function maybeTamperLine(account, signedTier) {
+  if (typeof account.tier === "string" && account.tier !== signedTier) {
+    return { reason: "tampered", diskTier: account.tier, signedTier };
+  }
+  return null;
+}
+function logResolved(result, detail) {
+  console.error(
+    `[entitlement] resolved: tier=${result.tier} plugins=${result.purchasedPlugins.length} source=${result.source} issued=${result.issued ?? "-"} expires=${result.expires ?? "-"}`
+  );
+  if (detail && "diskTier" in detail) {
+    console.error(
+      `[entitlement] tampered: tier-on-disk=${detail.diskTier} signed=${detail.signedTier} action=using-signed`
+    );
+  } else if (detail && result.source === "anonymous-fallback") {
+    const action = detail.reason === "expired" || detail.reason === "missing" ? "lock" : "degrade";
+    console.error(
+      `[entitlement] verify-failed: reason=${detail.reason} action=${action}`
+    );
+  }
+  return result;
+}
+
 // server/index.ts
-import { existsSync as existsSyncBoot } from "fs";
+import { existsSync as existsSyncBoot, readFileSync as readFileSyncBoot, writeFileSync as writeFileSyncBoot } from "fs";
 import { resolve as resolveBoot } from "path";
 function requestIsTlsTerminated(c) {
   const remote = c.env?.incoming?.socket?.remoteAddress ?? "";
@@ -12954,12 +13177,12 @@ function clientFrom(c) {
 var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
 var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join12(PLATFORM_ROOT7, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
-if (BRAND_JSON_PATH && !existsSync24(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && !existsSync25(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
 }
-if (BRAND_JSON_PATH && existsSync24(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync25(BRAND_JSON_PATH)) {
   try {
-    const parsed = JSON.parse(readFileSync18(BRAND_JSON_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync19(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
   } catch (err) {
     console.error(`[brand] Failed to parse brand.json: ${err.message}`);
@@ -12981,8 +13204,8 @@ var brandLoginOpts = {
 var ALIAS_DOMAINS_PATH2 = join12(homedir3(), BRAND.configDir, "alias-domains.json");
 function loadAliasDomains() {
   try {
-    if (!existsSync24(ALIAS_DOMAINS_PATH2)) return null;
-    const parsed = JSON.parse(readFileSync18(ALIAS_DOMAINS_PATH2, "utf-8"));
+    if (!existsSync25(ALIAS_DOMAINS_PATH2)) return null;
+    const parsed = JSON.parse(readFileSync19(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
       return null;
@@ -13356,20 +13579,20 @@ app39.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] no-account slug=${slug} file=${filename}`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve21(account.accountDir, "agents", slug, "assets", filename);
-  const expectedDir = resolve21(account.accountDir, "agents", slug, "assets");
+  const filePath = resolve22(account.accountDir, "agents", slug, "assets", filename);
+  const expectedDir = resolve22(account.accountDir, "agents", slug, "assets");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync24(filePath)) {
+  if (!existsSync25(filePath)) {
     console.error(`[agent-assets] serve slug=${slug} file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[agent-assets] serve slug=${slug} file=${filename} status=200`);
-  const body = readFileSync18(filePath);
+  const body = readFileSync19(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=3600"
@@ -13386,20 +13609,20 @@ app39.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve21(account.accountDir, "generated", filename);
-  const expectedDir = resolve21(account.accountDir, "generated");
+  const filePath = resolve22(account.accountDir, "generated", filename);
+  const expectedDir = resolve22(account.accountDir, "generated");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync24(filePath)) {
+  if (!existsSync25(filePath)) {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[generated] serve file=${filename} status=200`);
-  const body = readFileSync18(filePath);
+  const body = readFileSync19(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=86400"
@@ -13409,9 +13632,9 @@ app39.route("/sites", sites_default);
 var htmlCache = /* @__PURE__ */ new Map();
 var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
-if (BRAND_JSON_PATH && existsSync24(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync25(BRAND_JSON_PATH)) {
   try {
-    const fullBrand = JSON.parse(readFileSync18(BRAND_JSON_PATH, "utf-8"));
+    const fullBrand = JSON.parse(readFileSync19(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
     brandIconPath = fullBrand.assets?.icon ? `/brand/${fullBrand.assets.icon}` : brandLogoPath;
   } catch {
@@ -13429,8 +13652,8 @@ function readInstalledVersion() {
   try {
     if (!PLATFORM_ROOT7) return "unknown";
     const versionFile = join12(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
-    if (!existsSync24(versionFile)) return "unknown";
-    const content = readFileSync18(versionFile, "utf-8").trim();
+    if (!existsSync25(versionFile)) return "unknown";
+    const content = readFileSync19(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
     return "unknown";
@@ -13471,7 +13694,7 @@ var clientErrorReporterScript = `<script>
 function cachedHtml(file) {
   let html = htmlCache.get(file);
   if (!html) {
-    html = readFileSync18(resolve21(process.cwd(), "public", file), "utf-8");
+    html = readFileSync19(resolve22(process.cwd(), "public", file), "utf-8");
     const productNameEsc = escapeHtml(BRAND.productName);
     html = html.replace(/<title>([^<]*)<\/title>/, (_match, inner) => `<title>${escapeHtml(inner).replace(/Maxy/g, productNameEsc)}</title>`);
     html = html.replace('href="/favicon.ico"', `href="${escapeHtml(brandFaviconPath)}"`);
@@ -13490,13 +13713,13 @@ function loadBrandingCache(agentSlug) {
   const configDir2 = join12(homedir3(), BRAND.configDir);
   try {
     const accountJsonPath = join12(configDir2, "account.json");
-    if (!existsSync24(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync18(accountJsonPath, "utf-8"));
+    if (!existsSync25(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync19(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
     const cachePath = join12(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
-    if (!existsSync24(cachePath)) return null;
-    return JSON.parse(readFileSync18(cachePath, "utf-8"));
+    if (!existsSync25(cachePath)) return null;
+    return JSON.parse(readFileSync19(cachePath, "utf-8"));
   } catch {
     return null;
   }
@@ -13505,8 +13728,8 @@ function resolveDefaultSlug() {
   try {
     const configDir2 = join12(homedir3(), BRAND.configDir);
     const accountJsonPath = join12(configDir2, "account.json");
-    if (!existsSync24(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync18(accountJsonPath, "utf-8"));
+    if (!existsSync25(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync19(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
     return null;
@@ -13579,7 +13802,7 @@ app39.use("/vnc-popout.html", logViewerFetch);
 app39.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
-    html = readFileSync18(resolve21(process.cwd(), "public", "vnc-popout.html"), "utf-8");
+    html = readFileSync19(resolve22(process.cwd(), "public", "vnc-popout.html"), "utf-8");
     const name = escapeHtml(BRAND.productName);
     html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
     html = html.replace("</head>", `  ${brandScript}
@@ -13685,8 +13908,8 @@ try {
 (async () => {
   try {
     let userId = "";
-    if (existsSync24(USERS_FILE)) {
-      const users = JSON.parse(readFileSync18(USERS_FILE, "utf-8").trim() || "[]");
+    if (existsSync25(USERS_FILE)) {
+      const users = JSON.parse(readFileSync19(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
     await backfillNullUserIdConversations(userId);
@@ -13703,8 +13926,8 @@ try {
 })();
 (async () => {
   try {
-    if (!existsSync24(USERS_FILE)) return;
-    const usersRaw = readFileSync18(USERS_FILE, "utf-8").trim();
+    if (!existsSync25(USERS_FILE)) return;
+    const usersRaw = readFileSync19(USERS_FILE, "utf-8").trim();
     if (!usersRaw) return;
     const users = JSON.parse(usersRaw);
     const userId = users[0]?.userId;
@@ -13742,25 +13965,31 @@ var configDirForWhatsApp = basename4(MAXY_DIR) || ".maxy";
 var bootAccount = resolveAccount();
 var bootAccountConfig = bootAccount?.config;
 var bootPublicAgent = bootAccount ? resolvePublicAgent(bootAccount.accountDir, { accountId: bootAccount.accountId })?.slug ?? null : null;
+if (bootAccount) {
+  const accountJsonPath = resolveBoot(bootAccount.accountDir, "account.json");
+  if (existsSyncBoot(accountJsonPath)) {
+    try {
+      const parsed = JSON.parse(readFileSyncBoot(accountJsonPath, "utf-8"));
+      if ("purchasedPlugins" in parsed) {
+        delete parsed.purchasedPlugins;
+        writeFileSyncBoot(accountJsonPath, JSON.stringify(parsed, null, 2) + "\n");
+        console.log(`[account-scrub] removed-purchasedPlugins=true accountId=${bootAccount.accountId}`);
+      }
+    } catch (err) {
+      console.error(`[account-scrub] read/write failed accountId=${bootAccount.accountId} \u2014 ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+}
 var bootEntitlement = bootAccountConfig ? resolveEntitlement(
   { configDir: MAXY_DIR, platformRoot: PLATFORM_ROOT, commercialMode: COMMERCIAL_MODE },
   {
     accountId: typeof bootAccountConfig.accountId === "string" ? bootAccountConfig.accountId : "",
     customerEmail: typeof bootAccountConfig.customerEmail === "string" ? bootAccountConfig.customerEmail : void 0,
-    tier: typeof bootAccountConfig.tier === "string" ? bootAccountConfig.tier : void 0,
-    purchasedPlugins: Array.isArray(bootAccountConfig.purchasedPlugins) ? bootAccountConfig.purchasedPlugins : void 0
+    tier: typeof bootAccountConfig.tier === "string" ? bootAccountConfig.tier : void 0
   }
 ) : null;
-autoDeliverPremiumPlugins(
-  bootEntitlement?.purchasedPlugins ?? void 0,
-  bootAccount?.accountDir,
-  bootAccount?.config
-);
-reconcileEnabledPlugins(
-  bootAccount?.accountDir,
-  bootAccount?.config,
-  bootEntitlement?.purchasedPlugins ?? void 0
-);
+autoDeliverPremiumPlugins();
+reconcileEnabledPlugins(bootAccount?.accountDir, bootAccount?.config);
 (async () => {
   if (!bootAccount) return;
   try {
@@ -13806,11 +14035,11 @@ for (const dir of bootEnabled) {
   bootDelivered.push(dir);
 }
 var bootEnabledNotDelivered = [];
-if (bootEntitlement?.purchasedPlugins?.length) {
+var bootBundles = walkPremiumBundles();
+if (bootBundles.length > 0) {
   const enabledSet = new Set(bootEnabled);
-  for (const purchased of bootEntitlement.purchasedPlugins) {
-    const bundlePath = resolveBoot(PLATFORM_ROOT, "..", "premium-plugins", purchased, "BUNDLE.md");
-    for (const sub of readBundleSubPlugins(bundlePath)) {
+  for (const { subs } of bootBundles) {
+    for (const sub of subs) {
       if (!enabledSet.has(sub)) bootEnabledNotDelivered.push(sub);
     }
   }
@@ -13824,7 +14053,7 @@ if (bootAccountConfig?.whatsapp) {
 }
 init({
   configDir: configDirForWhatsApp,
-  platformRoot: resolve21(process.env.MAXY_PLATFORM_ROOT ?? join12(__dirname, "..")),
+  platformRoot: resolve22(process.env.MAXY_PLATFORM_ROOT ?? join12(__dirname, "..")),
   accountConfig: bootAccountConfig,
   onMessage: async (msg) => {
     try {