@rubytech/create-realagent-code 0.1.248 → 0.1.250

package/payload/server/server.js

@@ -52,6 +52,7 @@ import {
   getUserNameForSession,
   getUserTimezone,
   httpLog,
+  isActiveAgentSlug,
   isPasswordValid,
   isRemoteAuthConfigured,
   linkConversationTranscript,
@@ -92,7 +93,7 @@ import {
   vncLog,
   walkPremiumBundles,
   writeAdminUserAndPerson
-} from "./chunk-UEIA5YUG.js";
+} from "./chunk-BE7O7KZ5.js";
 import {
   __commonJS,
   __toESM
@@ -4201,7 +4202,7 @@ async function managerSpawn(opts) {
     );
     return { error: "claude-auth-dead", status: 503 };
   }
-  const res = await fetch(`${managerBase()}/spawn`, {
+  const res = await fetch(`${managerBase()}/public-spawn`, {
     method: "POST",
     headers: { "content-type": "application/json" },
     body: JSON.stringify({
@@ -4216,7 +4217,8 @@ async function managerSpawn(opts) {
       activePlugins: opts.activePlugins,
       specialistDomains: opts.specialistDomains,
       sliceToken: opts.sliceToken,
-      personId: opts.personId
+      personId: opts.personId,
+      name: opts.name
     })
   }).catch((err) => ({ __throw: err instanceof Error ? err.message : String(err) }));
   if ("__throw" in res) {
@@ -4226,6 +4228,32 @@ async function managerSpawn(opts) {
   if (!r.ok) return { error: `manager-status-${r.status}`, status: r.status };
   return await r.json();
 }
+async function managerRcSpawn(opts) {
+  const auth = await ensureAuth();
+  if (auth.status === "dead" || auth.status === "missing") {
+    console.log(`[channel-pty-bridge] rc-spawn-refused reason=auth-${auth.status} ${opts.logContext}`);
+    return { error: "claude-auth-dead", status: 503 };
+  }
+  const res = await fetch(`${managerBase()}/rc-spawn`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({
+      sessionId: opts.sessionId,
+      name: opts.name,
+      initialMessage: opts.initialMessage,
+      closeAfterTurn: opts.closeAfterTurn,
+      sliceToken: opts.sliceToken,
+      personId: opts.personId
+    })
+  }).catch((err) => ({ __throw: err instanceof Error ? err.message : String(err) }));
+  if ("__throw" in res) {
+    return { error: res.__throw, status: 0 };
+  }
+  const r = res;
+  if (!r.ok) return { error: `manager-status-${r.status}`, status: r.status };
+  const out = await r.json();
+  return { sessionId: out.sessionId ?? opts.sessionId, pid: out.spawnedPid ?? null };
+}
 async function managerWriteInput(sessionId, text) {
   const res = await fetch(`${managerBase()}/${sessionId}/input`, {
     method: "POST",
@@ -4247,7 +4275,19 @@ function managerLogFollowUrl(sessionId) {
   return `${managerBase()}/${sessionId}/log?follow=1`;
 }
 
+// app/lib/channel-pty-bridge/admin-session-id.ts
+import { createHash } from "crypto";
+function adminSessionIdFor(accountId, senderId) {
+  const b = createHash("sha256").update(`${accountId}:admin:${senderId}`).digest().subarray(0, 16);
+  const v = Buffer.from(b);
+  v[6] = v[6] & 15 | 64;
+  v[8] = v[8] & 63 | 128;
+  const h = v.toString("hex");
+  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20, 32)}`;
+}
+
 // app/lib/channel-pty-bridge/public-session-end-review.ts
+import { randomUUID as randomUUID4 } from "crypto";
 var TAG14 = "[public-session-review]";
 var CONSUMED_CAP = 500;
 var consumed = /* @__PURE__ */ new Set();
@@ -4335,30 +4375,20 @@ function composeInitialMessage(input) {
   ].join("\n");
 }
 async function dispatchReviewer(input, initialMessage) {
-  try {
-    const res = await fetch(`${managerBase2()}/spawn`, {
-      method: "POST",
-      headers: { "content-type": "application/json" },
-      body: JSON.stringify({
-        senderId: `public-session-reviewer-${input.sessionId}`,
-        role: "admin",
-        channel: "webchat",
-        accountId: input.accountId,
-        specialist: "public-session-reviewer",
-        hidden: true,
-        initialMessage,
-        sliceToken: input.sliceToken,
-        personId: input.personId ?? void 0
-      })
-    });
-    if (!res.ok) {
-      return { ok: false, reason: `spawn-status-${res.status}` };
-    }
-    const body = await res.json();
-    return { ok: true, managerSessionId: body.sessionId ?? "unknown" };
-  } catch (err) {
-    return { ok: false, reason: `spawn-threw-${err instanceof Error ? err.message : String(err)}` };
+  const sessionId = randomUUID4();
+  console.log(`${TAG14} route target=rc-spawn sessionId=${sessionId.slice(0, 8)} sourceSession=${input.sessionId.slice(0, 8)}`);
+  const spawned = await managerRcSpawn({
+    sessionId,
+    initialMessage,
+    closeAfterTurn: true,
+    sliceToken: input.sliceToken,
+    personId: input.personId ?? void 0,
+    logContext: `public-session-end sourceSession=${input.sessionId.slice(0, 8)}`
+  });
+  if ("error" in spawned) {
+    return { ok: false, reason: `rc-spawn-${spawned.status}-${spawned.error}` };
   }
+  return { ok: true, managerSessionId: spawned.sessionId };
 }
 async function firePublicSessionEndReview(input) {
   const sliceShort = input.sliceToken.slice(0, 8);
@@ -4527,7 +4557,7 @@ function tagFor(channel) {
   return `[${channel}-adaptor]`;
 }
 function publicIdleMs() {
-  return Number(process.env.CHANNEL_PTY_IDLE_MS ?? String(30 * 6e4));
+  return Number(process.env.CHANNEL_PTY_IDLE_MS ?? String(5 * 6e4));
 }
 var index = /* @__PURE__ */ new Map();
 function indexKey(accountId, agentSlug, senderId, sliceToken = "") {
@@ -4538,6 +4568,7 @@ async function ensureEntry(input) {
   startReaper();
   const sliceTokenValue = input.sliceToken ?? "";
   const personIdValue = input.personId ?? null;
+  const nameValue = input.name ?? null;
   const key = indexKey(input.accountId, input.agentSlug, input.senderId, sliceTokenValue);
   const existing = index.get(key);
   const tag = tagFor(input.channel);
@@ -4554,17 +4585,30 @@ async function ensureEntry(input) {
     }
     return existing;
   }
-  const attachmentDir = input.role === "public" ? resolve4(ATTACHMENTS_ROOT, "public", input.senderId) : void 0;
-  const spawned = await managerSpawn({
-    senderId: input.senderId,
-    role: input.role,
-    channel: input.channel,
-    accountId: input.accountId,
-    agentSlug: input.agentSlug,
-    attachmentDir,
-    sliceToken: sliceTokenValue.length > 0 ? sliceTokenValue : void 0,
-    personId: personIdValue ?? void 0
-  });
+  let spawned;
+  if (input.role === "admin") {
+    const adminSessionId = adminSessionIdFor(input.accountId, input.senderId);
+    console.error(`${tag} route role=admin target=rc-spawn senderId=${input.senderId}`);
+    spawned = await managerRcSpawn({
+      sessionId: adminSessionId,
+      name: nameValue ?? void 0,
+      logContext: `channel=${input.channel} senderId=${input.senderId}`
+    });
+  } else {
+    console.error(`${tag} route role=${input.role} target=public-spawn senderId=${input.senderId}`);
+    const attachmentDir = resolve4(ATTACHMENTS_ROOT, "public", input.senderId);
+    spawned = await managerSpawn({
+      senderId: input.senderId,
+      role: input.role,
+      channel: input.channel,
+      accountId: input.accountId,
+      agentSlug: input.agentSlug,
+      attachmentDir,
+      sliceToken: sliceTokenValue.length > 0 ? sliceTokenValue : void 0,
+      personId: personIdValue ?? void 0,
+      name: nameValue ?? void 0
+    });
+  }
   if ("error" in spawned) {
     if (spawned.error !== "claude-auth-dead") {
       console.error(
@@ -4587,7 +4631,8 @@ async function ensureEntry(input) {
     followerAbort: null,
     followerRunning: false,
     sliceToken: sliceTokenValue,
-    personId: personIdValue
+    personId: personIdValue,
+    name: nameValue
   };
   entry.followerAbort = startFollower({
     entry,
@@ -4632,7 +4677,8 @@ async function writeInput(entry, text) {
           channel: entry.channel,
           agentSlug: entry.agentSlug,
           sliceToken: entry.sliceToken.length > 0 ? entry.sliceToken : void 0,
-          personId: entry.personId
+          personId: entry.personId,
+          name: entry.name
         });
         if (!respawned) return false;
         for (const cb of entry.subscribers) respawned.subscribers.add(cb);
@@ -4671,7 +4717,8 @@ async function dispatchOnce(input) {
     channel: input.channel,
     agentSlug: input.agentSlug,
     sliceToken: input.sliceToken,
-    personId: input.personId
+    personId: input.personId,
+    name: input.name
   });
   if (!entry) return { error: "spawn-failed" };
   entry.lastInboundAt = Date.now();
@@ -4774,10 +4821,10 @@ function handlePublicSessionExit(sessionId) {
 }
 
 // app/lib/access-session-store.ts
-import { randomUUID as randomUUID4 } from "crypto";
+import { randomUUID as randomUUID5 } from "crypto";
 var sessions = /* @__PURE__ */ new Map();
 function createAccessSession(input) {
-  const sessionId = randomUUID4();
+  const sessionId = randomUUID5();
   const session = {
     ...input,
     sessionId,
@@ -4800,6 +4847,16 @@ function evictAccessSessionsByGrant(grantId) {
   return dropped;
 }
 
+// app/lib/public-session-title.ts
+function composePublicSessionTitle(input) {
+  const sid = input.senderId.slice(0, 8);
+  const ts = input.spawnedAt.toISOString().slice(0, 16).replace("T", " ");
+  const segments = ["Web", sid];
+  if (input.personId) segments.push(input.personId);
+  segments.push(ts);
+  return segments.join(" \xB7 ");
+}
+
 // server/routes/chat.ts
 var WEBCHAT_TAG = "[webchat-adaptor]";
 var SESSION_KEY_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{7,127}$/;
@@ -4921,7 +4978,7 @@ app2.post("/", async (c) => {
   let agentSlug;
   let resolveSource;
   if (requestedSlug) {
-    const active = validateAgentSlug(requestedSlug) && resolveAgentConfig(account.accountDir, requestedSlug).status === "active";
+    const active = validateAgentSlug(requestedSlug) && isActiveAgentSlug(account.accountDir, requestedSlug);
     agentSlug = active ? requestedSlug : null;
     resolveSource = active ? "slug" : "none";
   } else {
@@ -4969,6 +5026,11 @@ app2.post("/", async (c) => {
   const readable = new ReadableStream({
     async start(controller) {
       try {
+        const publicTitle = composePublicSessionTitle({
+          senderId: session_key,
+          personId,
+          spawnedAt: /* @__PURE__ */ new Date()
+        });
         const result = await dispatchOnce({
           accountId: account.accountId,
           senderId: session_key,
@@ -4977,6 +5039,7 @@ app2.post("/", async (c) => {
           agentSlug,
           sliceToken,
           personId,
+          name: publicTitle,
           text: fullMessage,
           timeoutMs: webchatTurnTimeoutMs()
         });
@@ -5028,7 +5091,7 @@ import { readFile, stat as stat2 } from "fs/promises";
 import { realpathSync as realpathSync2, readdirSync as readdirSync2, readFileSync as readFileSync6, existsSync as existsSync4 } from "fs";
 
 // app/lib/whatsapp/login.ts
-import { randomUUID as randomUUID5 } from "crypto";
+import { randomUUID as randomUUID6 } from "crypto";
 var TAG15 = "[whatsapp:login]";
 var ACTIVE_LOGIN_TTL_MS = 3 * 6e4;
 var activeLogins = /* @__PURE__ */ new Map();
@@ -5167,7 +5230,7 @@ async function startLogin(opts) {
   const login = {
     accountId,
     authDir,
-    id: randomUUID5(),
+    id: randomUUID6(),
     sock,
     startedAt: Date.now(),
     connected: false
@@ -6169,7 +6232,7 @@ var whatsapp_default = app3;
 // server/routes/onboarding.ts
 import { spawn, spawnSync as spawnSync2, execFileSync as execFileSync2 } from "child_process";
 import { openSync, closeSync, writeFileSync as writeFileSync5, writeSync, existsSync as existsSync6, readFileSync as readFileSync8, unlinkSync } from "fs";
-import { createHash, randomUUID as randomUUID6 } from "crypto";
+import { createHash as createHash2, randomUUID as randomUUID7 } from "crypto";
 
 // ../lib/admins-write/src/index.ts
 import { existsSync as existsSync5, readFileSync as readFileSync7, writeFileSync as writeFileSync4, renameSync, mkdirSync as mkdirSync2, readdirSync as readdirSync3, statSync as statSync2 } from "fs";
@@ -6317,7 +6380,7 @@ function checkAdminAuthInvariant(input) {
 
 // server/routes/onboarding.ts
 function hashPin(pin) {
-  return createHash("sha256").update(pin).digest("hex");
+  return createHash2("sha256").update(pin).digest("hex");
 }
 function readUsersFile() {
   if (!existsSync6(USERS_FILE)) return null;
@@ -6445,7 +6508,7 @@ app4.post("/set-pin", async (c) => {
   const hash = hashPin(body.pin);
   const account = resolveAccount();
   const existingOwnerUserId = account?.config.admins?.find((a) => a.role === "owner")?.userId;
-  const userId = existingOwnerUserId ?? randomUUID6();
+  const userId = existingOwnerUserId ?? randomUUID7();
   if (existingOwnerUserId) {
     console.log(`[set-pin] reusing existing owner userId=${userId.slice(0, 8)}\u2026 (change-PIN preserves identity)`);
   } else {
@@ -6716,14 +6779,14 @@ app5.post("/", async (c) => {
 var client_error_default = app5;
 
 // server/routes/admin/session.ts
-import { randomUUID as randomUUID7 } from "crypto";
+import { randomUUID as randomUUID8 } from "crypto";
 
 // app/lib/admin-identity/pin-validator.ts
-import { createHash as createHash2 } from "crypto";
+import { createHash as createHash3 } from "crypto";
 import { existsSync as existsSync8, readFileSync as readFileSync9, readdirSync as readdirSync4, statSync as statSync4 } from "fs";
 import { join as join8 } from "path";
 function hashPin2(pin) {
-  return createHash2("sha256").update(pin).digest("hex");
+  return createHash3("sha256").update(pin).digest("hex");
 }
 function readUsersFile2(usersFilePath) {
   if (!existsSync8(usersFilePath)) return null;
@@ -6790,7 +6853,7 @@ async function resolveUserIdentity(accountId, userId) {
 async function createAdminSession(accountId, thinkingView, userId, userName, role, avatar) {
   const account = resolveAccount();
   const effectiveThinkingView = thinkingView ?? account?.config.thinkingView ?? "default";
-  const signedSessionToken = randomUUID7();
+  const signedSessionToken = randomUUID8();
   const cacheKey = fingerprintSessionKey(signedSessionToken);
   registerSession(cacheKey, "admin", accountId, void 0, userId, userName, role);
   if (userId) setWantsPriorConversation(cacheKey);
@@ -8283,7 +8346,6 @@ function managerBase3() {
   return `http://127.0.0.1:${port2}`;
 }
 var app12 = new Hono();
-var UUID_PATTERN = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;
 async function performSpawnWithInitialMessage(args) {
   const ownerStart = Date.now();
   const aboutOwner = await resolveOwnerProfileBlock(args.senderId, args.userId);
@@ -8323,7 +8385,7 @@ async function performSpawnWithInitialMessage(args) {
   });
   console.log(`${TAG18} forward-spawn-start managerBase=${managerBase3()} bytes=${upstreamPayload.length} hidden=${args.hidden} specialist=${args.specialist ?? "none"}`);
   const forwardStart = Date.now();
-  const upstream = await fetch(`${managerBase3()}/spawn`, {
+  const upstream = await fetch(`${managerBase3()}/public-spawn`, {
     method: "POST",
     headers: { "content-type": "application/json" },
     body: upstreamPayload
@@ -8360,16 +8422,7 @@ function mintTranscriptEdge(sessionId, claudeSessionId, accountId) {
   if (!sessionId || !claudeSessionId) return;
   void linkConversationTranscript(sessionId, claudeSessionId, accountId);
 }
-var requireAdminSessionUnlessLoopbackSpawn = async (c, next) => {
-  const remoteAddr = c.env?.incoming?.socket?.remoteAddress ?? "";
-  const isLoopback = remoteAddr === "127.0.0.1" || remoteAddr === "::1" || remoteAddr === "::ffff:127.0.0.1";
-  const hasForwardedFor = !!c.req.header("x-forwarded-for");
-  if (isLoopback && !hasForwardedFor && c.req.method === "POST" && c.req.path === "/api/admin/claude-sessions") {
-    return next();
-  }
-  return requireAdminSession(c, next);
-};
-app12.use("*", requireAdminSessionUnlessLoopbackSpawn);
+app12.use("*", requireAdminSession);
 app12.post("/", async (c) => {
   const routeStart = Date.now();
   const cacheKey = c.get("cacheKey") ?? "";
@@ -8380,46 +8433,18 @@ app12.post("/", async (c) => {
   }
   const refusal = await refuseIfClaudeAuthDead(c, "spawn", null);
   if (refusal) return refusal;
-  let senderId;
-  let userId;
-  let authSurface;
-  if (cacheKey) {
-    authSurface = "cookie";
-    senderId = getAccountIdForSession(cacheKey) ?? "";
-    if (!senderId) {
-      console.error(`${TAG18} reject reason=no-account-id cacheKey-prefix=${cacheKey.slice(0, 8)}`);
-      return c.json({ error: "admin-account-not-resolved" }, 500);
-    }
-    userId = getUserIdForSession(cacheKey) ?? void 0;
-  } else {
-    authSurface = "loopback";
-    if (typeof body.adminSessionId !== "string" || !UUID_PATTERN.test(body.adminSessionId)) {
-      return c.json({ error: "admin-session-id-required" }, 400);
-    }
-    const lookupSessionId = body.adminSessionId;
-    const operatorMeta = await fetch(
-      `${managerBase3()}/${encodeURIComponent(lookupSessionId)}/meta`
-    ).then((r) => r.ok ? r.json() : null).catch((err) => {
-      console.error(`${TAG18} fetch-failed op=operator-meta-lookup message=${err instanceof Error ? err.message : String(err)}`);
-      return null;
-    });
-    const metaSenderId = operatorMeta && typeof operatorMeta.senderId === "string" && operatorMeta.senderId.length > 0 ? operatorMeta.senderId : null;
-    const bodyAccountId = typeof body.accountId === "string" && UUID_PATTERN.test(body.accountId) ? body.accountId : null;
-    const operatorSenderId = metaSenderId ?? bodyAccountId;
-    if (!operatorSenderId) {
-      console.error(`${TAG18} reject reason=no-sender-id adminSessionId=${lookupSessionId.slice(0, 8)} metaSenderId=${metaSenderId ? "present" : "absent"} bodyAccountId=${bodyAccountId ? "present" : "absent"}`);
-      return c.json({ error: "admin-session-not-found" }, 404);
-    }
-    console.log(`${TAG18} loopback-sender-resolved source=${metaSenderId ? "meta" : "body-accountId"} accountId=${operatorSenderId.slice(0, 8)}`);
-    senderId = operatorSenderId;
-    userId = void 0;
+  const senderId = getAccountIdForSession(cacheKey) ?? "";
+  if (!senderId) {
+    console.error(`${TAG18} reject reason=no-account-id cacheKey-prefix=${cacheKey.slice(0, 8)}`);
+    return c.json({ error: "admin-account-not-resolved" }, 500);
   }
+  const userId = getUserIdForSession(cacheKey) ?? void 0;
   const channel = typeof body.channel === "string" ? body.channel : "browser";
   const initialMessage = typeof body.initialMessage === "string" && body.initialMessage.trim() ? body.initialMessage : null;
   const permissionMode = typeof body.permissionMode === "string" ? body.permissionMode : void 0;
   const specialist = typeof body.specialist === "string" && /^[A-Za-z0-9_-]{1,64}$/.test(body.specialist) ? body.specialist : void 0;
   const model = typeof body.model === "string" && /^[A-Za-z0-9._-]{1,64}$/.test(body.model) ? body.model : void 0;
-  console.log(`${TAG18} spawn-request-in surface=${authSurface} accountId=${senderId.slice(0, 8)} userId=${userId ? userId.slice(0, 8) : "absent"} channel=${channel} permissionMode=${permissionMode ?? "default"} specialist=${specialist ?? "none"} model=${model ?? "default"} initialMessage=${initialMessage ? "yes" : "no"}`);
+  console.log(`${TAG18} spawn-request-in surface=cookie accountId=${senderId.slice(0, 8)} userId=${userId ? userId.slice(0, 8) : "absent"} channel=${channel} permissionMode=${permissionMode ?? "default"} specialist=${specialist ?? "none"} model=${model ?? "default"} initialMessage=${initialMessage ? "yes" : "no"}`);
   const conversationNodeId = cacheKey ? getSessionIdForSession(cacheKey) : void 0;
   const { response, claudeSessionId } = await performSpawnWithInitialMessage({
     senderId,
@@ -8438,7 +8463,7 @@ app12.post("/", async (c) => {
     claudeSessionId,
     senderId
   );
-  console.log(`${TAG18} route-done surface=${authSurface} status=${response.status} route-ms=${Date.now() - routeStart}`);
+  console.log(`${TAG18} route-done surface=cookie status=${response.status} route-ms=${Date.now() - routeStart}`);
   return response;
 });
 var claude_sessions_default = app12;
@@ -9770,7 +9795,7 @@ function applyBacklinkBoost(hits) {
 }
 
 // ../lib/graph-search/src/dedup.ts
-import { createHash as createHash3 } from "crypto";
+import { createHash as createHash4 } from "crypto";
 var DEFAULT_LAYERS = [
   "nodeId",
   "slug",
@@ -9797,7 +9822,7 @@ function readContentHash(props) {
   const content = props["content"];
   const source = typeof compiled === "string" && compiled.length > 0 ? compiled : typeof content === "string" && content.length > 0 ? content : null;
   if (source === null) return null;
-  return createHash3("sha256").update(source).digest("hex").slice(0, 16);
+  return createHash4("sha256").update(source).digest("hex").slice(0, 16);
 }
 function dedup(hits, layers = DEFAULT_LAYERS) {
   const sorted = [...hits].sort((a, b) => b.score - a.score);
@@ -12542,6 +12567,7 @@ app27.get("/", async (c) => {
 var health_default2 = app27;
 
 // server/routes/admin/linkedin-ingest.ts
+import { randomUUID as randomUUID9 } from "crypto";
 var TAG20 = "[linkedin-ingest-route]";
 var UUID = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;
 var ISO = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?:Z|[+-]\d{2}:\d{2})$/;
@@ -12584,11 +12610,14 @@ function buildInitialMessage(env) {
     "sourceUrl=" + env.pageUrl,
     "capturedAt=" + env.capturedAt
   ].join(" \xB7 ");
+  const delegation = "Dispatch `database-operator` via the Task tool to carry out the ingestion described below \u2014 it owns every graph write. Do not call memory-write, memory-update, or any graph tool directly.";
   if (env.kind === "profile" && env.profile) {
     const p = env.profile;
     return [
       header,
       "",
+      delegation,
+      "",
       "Surface: LinkedIn profile. Run the document-ingest skill in document mode against the body below, anchored to a Person subject for this profile.",
       "",
       "Conservative-extraction rules apply (see Task 234 spec):",
@@ -12617,6 +12646,8 @@ function buildInitialMessage(env) {
     return [
       header,
       "",
+      delegation,
+      "",
       "Surface: LinkedIn DM thread. Run the document-ingest skill in document mode against the transcript below.",
       "",
       "Conservative-extraction rules apply (see Task 234 spec):",
@@ -12656,39 +12687,30 @@ app28.post("/", requireAdminSession, async (c) => {
     console.error(TAG20 + " rejected status=500 reason=admin-account-not-resolved");
     return c.json({ ok: false, error: "admin-account-not-resolved" }, 500);
   }
-  const userId = getUserIdForSession(cacheKey) ?? void 0;
   const payloadBytes = JSON.stringify(envelope).length;
   console.log(
     TAG20 + " received kind=" + envelope.kind + " account=" + senderId.slice(0, 8) + " pageUrl=" + envelope.pageUrl + " dispatchId=" + envelope.dispatchId + " payloadBytes=" + payloadBytes
   );
   const initialMessage = buildInitialMessage(envelope);
   const spawnStart = Date.now();
-  const { response, claudeSessionId } = await performSpawnWithInitialMessage({
-    senderId,
-    userId,
-    role: "admin",
-    channel: "linkedin-extension",
-    permissionMode: void 0,
-    hidden: true,
-    specialist: "database-operator",
-    model: void 0,
+  const sessionId = randomUUID9();
+  console.log(TAG20 + " route target=rc-spawn dispatchId=" + envelope.dispatchId + " sessionId=" + sessionId.slice(0, 8));
+  const spawned = await managerRcSpawn({
+    sessionId,
     initialMessage,
-    // Task 382 — LinkedIn ingest is a hidden autonomous spawn with no
-    // parent admin conversation; the database-operator threads
-    // `producedByTaskId` via work-create instead. Leave undefined.
-    conversationNodeId: void 0
+    closeAfterTurn: true,
+    logContext: "linkedin-ingest dispatchId=" + envelope.dispatchId
   });
-  if (!response.ok) {
-    const detail = await response.text().catch(() => "");
+  if ("error" in spawned) {
     console.error(
-      TAG20 + " dispatch-failed dispatchId=" + envelope.dispatchId + " status=" + response.status + " ms=" + (Date.now() - spawnStart) + " detail=" + detail.slice(0, 200)
+      TAG20 + " dispatch-failed dispatchId=" + envelope.dispatchId + " status=" + spawned.status + " ms=" + (Date.now() - spawnStart) + " message=" + spawned.error
     );
-    return c.json({ ok: false, error: "dispatch-failed", upstreamStatus: response.status, detail: detail.slice(0, 500) }, 502);
+    return c.json({ ok: false, error: "dispatch-failed", upstreamStatus: spawned.status, detail: spawned.error }, 502);
   }
   console.log(
-    TAG20 + " dispatched dispatchId=" + envelope.dispatchId + " taskId=" + (claudeSessionId ?? "unknown") + " ms=" + (Date.now() - spawnStart)
+    TAG20 + " dispatched dispatchId=" + envelope.dispatchId + " taskId=" + spawned.sessionId + " ms=" + (Date.now() - spawnStart)
   );
-  return c.json({ ok: true, dispatchId: envelope.dispatchId, taskId: claudeSessionId }, 202);
+  return c.json({ ok: true, dispatchId: envelope.dispatchId, taskId: spawned.sessionId }, 202);
 });
 var linkedin_ingest_default = app28;
 
@@ -13056,7 +13078,7 @@ var admin_default = app34;
 import neo4j4 from "neo4j-driver";
 import { readFileSync as readFileSync17 } from "fs";
 import { resolve as resolve19 } from "path";
-import { randomUUID as randomUUID8 } from "crypto";
+import { randomUUID as randomUUID10 } from "crypto";
 var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT ?? resolve19(process.cwd(), "..");
 var driver = null;
 function readPassword() {
@@ -13239,7 +13261,7 @@ async function consumeMagicTokenAndActivate(grantId) {
   }
 }
 async function generateNewMagicToken(grantId) {
-  const token = randomUUID8();
+  const token = randomUUID10();
   const session = getSession3();
   try {
     const result = await session.run(
@@ -14280,6 +14302,10 @@ app42.post("/", async (c) => {
     if (!validateAgentSlug(body.agent)) {
       return c.json({ error: "Invalid agent name" }, 400);
     }
+    if (!account || !isActiveAgentSlug(account.accountDir, body.agent)) {
+      console.error(`[session] op=reject agent=${body.agent} reason=not-active`);
+      return c.json({ error: "no-agent-for-address" }, 404);
+    }
     agentSlug = body.agent;
   } else {
     agentSlug = account ? resolveDefaultAgentSlug(account.accountDir) : null;
@@ -14691,7 +14717,7 @@ function broadcastAdminShutdown(reason) {
 }
 
 // ../lib/entitlement/src/index.ts
-import { createPublicKey, createHash as createHash4, verify as cryptoVerify } from "crypto";
+import { createPublicKey, createHash as createHash5, verify as cryptoVerify } from "crypto";
 import { existsSync as existsSync22, readFileSync as readFileSync21, statSync as statSync9 } from "fs";
 import { resolve as resolve24 } from "path";
 
@@ -14762,7 +14788,7 @@ function verifyAndResolve(brand, entitlementPath, account) {
       reason: "pubkey-missing"
     });
   }
-  const pubkeyHash = createHash4("sha256").update(pubkeyPem).digest("hex");
+  const pubkeyHash = createHash5("sha256").update(pubkeyPem).digest("hex");
   if (pubkeyHash !== PUBKEY_SHA256) {
     return logResolved(anonymousFallback("pubkey-tamper"), {
       reason: "pubkey-tamper"
@@ -15491,6 +15517,9 @@ function brandedPublicHtml(agentSlug) {
 function escapeHtml(s) {
   return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
+function agentUnavailableHtml() {
+  return `<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><title>${escapeHtml(BRAND.productName)}</title></head><body style="font-family:system-ui,sans-serif;max-width:32rem;margin:4rem auto;padding:0 1.5rem;color:#222"><h1 style="font-size:1.25rem">Agent unavailable</h1><p>This agent isn't available right now. If you reached this page from a saved link, the agent may have been turned off.</p></body></html>`;
+}
 app43.get("/", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) {
@@ -15587,6 +15616,11 @@ app43.get("/data", (c) => {
 app43.get("/:slug", async (c, next) => {
   const slug = c.req.param("slug");
   if (AGENT_SLUG_PATTERN.test(`/${slug}`)) {
+    const account = resolveAccount();
+    if (!account || !validateAgentSlug(slug) || !isActiveAgentSlug(account.accountDir, slug)) {
+      console.error(`[public-catchall] op=reject path=/${slug} slug=${slug} reason=not-reachable`);
+      return c.html(agentUnavailableHtml(), 404);
+    }
     const branding = loadBrandingCache(slug);
     console.error(`[public-catchall] served path=/${slug} slug=${slug} branding=${branding ? "hit" : "miss"}`);
     return c.html(brandedPublicHtml(slug));