npm - @rubytech/create-realagent - Versions diffs - 1.0.616 → 1.0.618 - Mend

@rubytech/create-realagent 1.0.616 → 1.0.618

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

package/payload/server/public/index.html CHANGED Viewed

@@ -5,7 +5,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Real Agent</title>
   <link rel="icon" href="/favicon.ico">
-  <script type="module" crossorigin src="/assets/admin-Df1liz4Y.js"></script>
+  <script type="module" crossorigin src="/assets/admin-D7LRdkYB.js"></script>
   <link rel="modulepreload" crossorigin href="/assets/chunk-Be6NvmcD.js">
   <link rel="modulepreload" crossorigin href="/assets/preload-helper-rov5CBGT.js">
   <link rel="modulepreload" crossorigin href="/assets/useVoiceRecorder-OB_Gtr0e.js">

package/payload/server/server.js CHANGED Viewed

@@ -6211,14 +6211,22 @@ function purgeOldLogs(logDir, prefix) {
   }
 }
 function teeProcStderrToStreamLog(proc, streamLog) {
+  const pid = proc.pid;
   if (!proc.stderr) {
-    streamLog.write(`[${isoTs()}] [subproc-stderr-skip] reason=no-stderr
+    streamLog.write(`[${isoTs()}] [subproc-stderr-skip] reason=no-stderr pid=${pid}
 `);
     return;
   }
+  if (!streamLog.destroyed && !streamLog.writableEnded) {
+    streamLog.write(`[${isoTs()}] [subproc-stderr-tee-attached] pid=${pid}
+`);
+  }
   const utf8 = new StringDecoder("utf8");
   let buffer = "";
+  let bytesSeen = 0;
+  let linesEmitted = 0;
   proc.stderr.on("data", (chunk) => {
+    bytesSeen += typeof chunk === "string" ? Buffer.byteLength(chunk, "utf8") : chunk.length;
     const text = typeof chunk === "string" ? chunk : utf8.write(chunk);
     buffer += text;
     let idx;
@@ -6229,12 +6237,18 @@ function teeProcStderrToStreamLog(proc, streamLog) {
       if (streamLog.destroyed || streamLog.writableEnded) continue;
       streamLog.write(`[${isoTs()}] [subproc-stderr] ${line}
 `);
+      linesEmitted++;
     }
   });
   proc.stderr.on("end", () => {
     const tail = (buffer + utf8.end()).trim();
     if (tail.length > 0 && !streamLog.destroyed && !streamLog.writableEnded) {
       streamLog.write(`[${isoTs()}] [subproc-stderr] ${tail}
+`);
+      linesEmitted++;
+    }
+    if (!streamLog.destroyed && !streamLog.writableEnded) {
+      streamLog.write(`[${isoTs()}] [subproc-stderr-tee-detached] pid=${pid} bytes=${bytesSeen} lines=${linesEmitted}
 `);
     }
     buffer = "";
@@ -7678,6 +7692,7 @@ var ADMIN_CORE_TOOLS = [
   "mcp__cloudflare__tunnel-status",
   "mcp__cloudflare__tunnel-install",
   "mcp__cloudflare__tunnel-login",
+  "mcp__cloudflare__tunnel-create",
   "mcp__cloudflare__tunnel-enable",
   "mcp__cloudflare__tunnel-disable",
   "mcp__cloudflare__tunnel-add-hostname",
@@ -8283,10 +8298,11 @@ async function* runCompactionTurn(accountDir, accountId, systemPrompt, resumeSes
     env: {
       ...process.env,
       PLATFORM_ROOT: PLATFORM_ROOT4,
-      ACCOUNT_DIR: accountDir,
-      // Task 532: network traces on the compaction subprocess too — its tool
-      // calls are part of the same conversation's record.
-      NODE_DEBUG: "http,http2,net,tls,undici,dns"
+      ACCOUNT_DIR: accountDir
+      // Task 535: NODE_DEBUG removed. The Claude Code CLI is a bundled Bun
+      // binary and Bun ignores Node's NODE_DEBUG flag, so setting it here was
+      // a no-op that misled future readers. The [subproc-debug-unavailable]
+      // line below records the source-of-silence explicitly.
     }
   });
   const stderrLog = agentLogStream("claude-agent-compaction-stderr", accountDir, conversationId);
@@ -8297,6 +8313,8 @@ async function* runCompactionTurn(accountDir, accountId, systemPrompt, resumeSes
   streamLog.on("error", () => {
   });
   teeProcStderrToStreamLog(proc, streamLog);
+  streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
+`);
   streamLog.write(`[${isoTs()}] [compaction-start] resumeSessionId=${resumeSessionId}
 `);
   proc.on("error", (err) => {
@@ -9170,11 +9188,11 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
     env: {
       ...process.env,
       PLATFORM_ROOT: PLATFORM_ROOT4,
-      ACCOUNT_DIR: accountDir,
-      // Task 532: tee subprocess network activity into the per-conversation
-      // stream log via the existing stderr pipe. Closes the Claude Code
-      // "what was the tool actually doing?" black box during tool waits.
-      NODE_DEBUG: "http,http2,net,tls,undici,dns"
+      ACCOUNT_DIR: accountDir
+      // Task 535: NODE_DEBUG removed. The Claude Code CLI is a bundled Bun
+      // binary and Bun ignores Node's NODE_DEBUG flag, so setting it here was
+      // a no-op that misled future readers. The [subproc-debug-unavailable]
+      // line below records the source-of-silence explicitly.
     }
   });
   const stderrLog = agentLogStream("claude-agent-stderr", accountDir, spawnConvId);
@@ -9185,6 +9203,8 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
   streamLog.on("error", () => {
   });
   teeProcStderrToStreamLog(proc, streamLog);
+  streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
+`);
   if (sessionKey) {
     const prev = activeProcesses.get(sessionKey);
     if (prev) {
@@ -9512,10 +9532,11 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
     env: {
       ...process.env,
       PLATFORM_ROOT: PLATFORM_ROOT4,
-      ACCOUNT_DIR: accountDir,
-      // Task 532: tee subprocess network traces into the per-conversation
-      // stream log via the stderr pipe + dual-consume listener.
-      NODE_DEBUG: "http,http2,net,tls,undici,dns"
+      ACCOUNT_DIR: accountDir
+      // Task 535: NODE_DEBUG removed. The Claude Code CLI is a bundled Bun
+      // binary and Bun ignores Node's NODE_DEBUG flag, so setting it here was
+      // a no-op that misled future readers. The [subproc-debug-unavailable]
+      // line below records the source-of-silence explicitly.
     }
   });
   const stderrLog = agentLogStream("claude-agent-stderr", accountDir, managedConvId);
@@ -9523,6 +9544,8 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
   });
   proc.stderr?.pipe(stderrLog);
   teeProcStderrToStreamLog(proc, streamLog);
+  streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
+`);
   if (sessionKey) {
     const prev = activeProcesses.get(sessionKey);
     if (prev) {
@@ -10479,6 +10502,26 @@ function defaultRules() {
       scope: "session",
       suggestedAction: "A tool call has been pending for 30 seconds without a result. Read the adjacent [tool-wait-diag] and [tool-wait-proc] lines in the conversation's stream log to determine whether the network remained healthy, the subprocess held active sockets, and the HTTP request reached the wire. If diag shows a healthy network but the subprocess has no [subproc-stderr] UNDICI/HTTP activity during the wait window, the tool's internal pipeline is stalled \u2014 do not retry the same request against the same target without a change in approach."
     },
+    {
+      // Task 536: detect agents ignoring the WEBFETCH_CANNOT_READ_JS_SPA
+      // structured failure. A single SPA short-circuit per conversation is
+      // expected — the hook is doing its job. Two or more in the same
+      // conversation within 5 minutes means either (a) the agent retried
+      // WebFetch on the same SPA URL despite the directive, or (b) the
+      // owner is asking about multiple SPA URLs in one session and the
+      // pattern needs surfacing as a recurring class. Both signal that the
+      // IDENTITY.md "Tool Failure Discipline" guidance is not landing in the
+      // prompt — revise the copy rather than add mechanical enforcement.
+      id: "webfetch-spa-short-circuit-recurring",
+      name: "WebFetch JS-SPA short-circuit fired repeatedly in conversation",
+      type: "repeated-error",
+      logSource: "system",
+      pattern: "WEBFETCH_CANNOT_READ_JS_SPA",
+      thresholdCount: 2,
+      thresholdWindowMinutes: 5,
+      scope: "session",
+      suggestedAction: "The WebFetch SPA preflight has fired more than once in this conversation. Either the agent is ignoring the loud-failure directive (retrying WebFetch after seeing WEBFETCH_CANNOT_READ_JS_SPA), or multiple SPA URLs are being asked about. Read the conversation's stream log for the [tool-use] / [tool-result] sequence around each occurrence \u2014 if the agent dispatched WebFetch on the same URL or substituted Playwright silently, revisit the IDENTITY.md `Tool Failure Discipline` paragraph that names structured-error handling."
+    },
     {
       // Task 533: surface every Cloudflare-plugin refusal. The plugin emits
       // exactly one [cloudflare:refuse] line per refusal with a structured
@@ -31171,18 +31214,23 @@ async function GET9(request) {
   const accountLogDir2 = account ? resolve19(account.accountDir, "logs") : null;
   if (fileParam) {
     const safe = basename5(fileParam);
+    const searched = [];
     for (const dir of [accountLogDir2, LOG_DIR]) {
       if (!dir) continue;
       const filePath = resolve19(dir, safe);
+      searched.push(filePath);
       try {
         const content = readFileSync20(filePath, "utf-8");
         const headers = { "Content-Type": "text/plain; charset=utf-8" };
         if (download) headers["Content-Disposition"] = `attachment; filename="${safe}"`;
         return new Response(content, { headers });
-      } catch {
+      } catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        console.debug(`[admin/logs] miss dir=${dir} name=${safe} reason=${reason}`);
       }
     }
-    return Response.json({ error: `File not found: ${safe}` }, { status: 404 });
+    console.warn(`[admin/logs] not-found name=${safe} searched=[${searched.join(",")}]`);
+    return Response.json({ error: `File not found: ${safe}`, code: "NOT_FOUND" }, { status: 404 });
   }
   if (typeParam) {
     const prefixMap = {
@@ -31194,24 +31242,37 @@ async function GET9(request) {
     };
     const prefix = prefixMap[typeParam];
     if (!prefix) {
-      return Response.json({ error: `Unknown type: ${typeParam}. Valid: stream, error, session, sse, public` }, { status: 400 });
+      console.warn(`[admin/logs] rejected reason=unknown-type type=${typeParam}`);
+      return Response.json(
+        { error: `Unknown type: ${typeParam}. Valid: stream, error, session, sse, public`, code: "UNKNOWN_TYPE" },
+        { status: 400 }
+      );
     }
     if (!conversationIdParam) {
-      return Response.json({ error: `type=${typeParam} requires conversationId (per-conversation log files, no daily fallback)` }, { status: 400 });
+      console.warn(`[admin/logs] rejected type=${typeParam} reason=no-conversationId`);
+      return Response.json(
+        { error: `type=${typeParam} requires conversationId (per-conversation log files, no daily fallback)`, code: "CONVERSATION_ID_REQUIRED" },
+        { status: 400 }
+      );
     }
     const fileName = `${prefix}-${conversationIdParam}.log`;
+    const searched = [];
     for (const dir of [accountLogDir2, LOG_DIR]) {
       if (!dir) continue;
       const filePath = resolve19(dir, fileName);
+      searched.push(filePath);
       try {
         const content = readFileSync20(filePath, "utf-8");
         const headers = { "Content-Type": "text/plain; charset=utf-8" };
         if (download) headers["Content-Disposition"] = `attachment; filename="${fileName}"`;
         return new Response(content, { headers });
-      } catch {
+      } catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        console.debug(`[admin/logs] miss dir=${dir} name=${fileName} reason=${reason}`);
       }
     }
-    return Response.json({ error: `Log not found: ${fileName}` }, { status: 404 });
+    console.warn(`[admin/logs] not-found name=${fileName} searched=[${searched.join(",")}]`);
+    return Response.json({ error: `Log not found: ${fileName}`, code: "NOT_FOUND" }, { status: 404 });
   }
   const seen = /* @__PURE__ */ new Set();
   const logs = {};
@@ -31220,7 +31281,9 @@ async function GET9(request) {
     let files;
     try {
       files = readdirSync5(dir).filter((f) => f.endsWith(".log"));
-    } catch {
+    } catch (err) {
+      const reason = err instanceof Error ? err.message : String(err);
+      console.warn(`[admin/logs] readdir-fail dir=${dir} reason=${reason}`);
       continue;
     }
     files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync7(resolve19(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
@@ -31229,8 +31292,10 @@ async function GET9(request) {
         const content = readFileSync20(resolve19(dir, name));
         const tail = content.length > TAIL_BYTES ? content.subarray(content.length - TAIL_BYTES).toString("utf-8") : content.toString("utf-8");
         logs[name] = tail.trim() || "(empty)";
-      } catch {
-        logs[name] = "(unreadable)";
+      } catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        console.debug(`[admin/logs] read-fail name=${name} reason=${reason}`);
+        logs[name] = `(unreadable: ${reason})`;
       }
     });
   }

package/payload/platform/plugins/cloudflare/mcp/__tests__/brand-load.test.ts DELETED Viewed

@@ -1,81 +0,0 @@
-import { afterEach, beforeEach, describe, expect, it } from "vitest";
-import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import { _resetBrandCache, loadBrand } from "../src/lib/cloudflared.js";
-// loadBrand() reads PLATFORM_ROOT/config/brand.json. We point PLATFORM_ROOT at
-// a fresh tmpdir per test, write the brand.json shape we want, reset the
-// module-level cache, then assert load behaviour.
-let tmpRoot: string;
-beforeEach(() => {
-  tmpRoot = mkdtempSync(join(tmpdir(), "maxy-cf-brand-"));
-  process.env.PLATFORM_ROOT = tmpRoot;
-  _resetBrandCache();
-});
-afterEach(() => {
-  rmSync(tmpRoot, { recursive: true, force: true });
-  delete process.env.PLATFORM_ROOT;
-});
-function writeBrand(content: object): void {
-  const dir = join(tmpRoot, "config");
-  mkdirSync(dir, { recursive: true });
-  writeFileSync(join(dir, "brand.json"), JSON.stringify(content));
-}
-describe("loadBrand cloudflare.zones validation", () => {
-  it("loads when cloudflare.zones is present", () => {
-    writeBrand({
-      productName: "Maxy",
-      configDir: ".maxy",
-      cloudflare: { zones: ["maxy.bot", "maxy.chat"] },
-    });
-    const brand = loadBrand();
-    expect(brand.cloudflare.zones).toEqual(["maxy.bot", "maxy.chat"]);
-  });
-  it("hard-fails when cloudflare key is absent", () => {
-    writeBrand({ productName: "Maxy", configDir: ".maxy" });
-    expect(() => loadBrand()).toThrow(/cloudflare\.zones/);
-  });
-  it("hard-fails when cloudflare.zones is empty", () => {
-    writeBrand({
-      productName: "Maxy",
-      configDir: ".maxy",
-      cloudflare: { zones: [] },
-    });
-    expect(() => loadBrand()).toThrow(/cloudflare\.zones/);
-  });
-  it("hard-fails when cloudflare.zones is not an array", () => {
-    writeBrand({
-      productName: "Maxy",
-      configDir: ".maxy",
-      cloudflare: { zones: "maxy.bot" },
-    });
-    expect(() => loadBrand()).toThrow(/cloudflare\.zones/);
-  });
-  it("hard-fails when cloudflare.zones contains a non-string", () => {
-    writeBrand({
-      productName: "Maxy",
-      configDir: ".maxy",
-      cloudflare: { zones: ["maxy.bot", 42] },
-    });
-    expect(() => loadBrand()).toThrow(/invalid cloudflare\.zones entry/);
-  });
-  it("hard-fails when PLATFORM_ROOT is unset", () => {
-    delete process.env.PLATFORM_ROOT;
-    expect(() => loadBrand()).toThrow(/PLATFORM_ROOT/);
-  });
-  it("hard-fails when brand.json is absent at the configured path", () => {
-    expect(() => loadBrand()).toThrow(/brand\.json not found/);
-  });
-});

package/payload/platform/plugins/cloudflare/mcp/__tests__/manifest-scope.test.ts DELETED Viewed

@@ -1,65 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { matchManifestZone } from "../src/lib/cloudflared.js";
-// Pure function — no fs, no network. Tests the registrable-parent suffix-match
-// against an explicit declared-zone list. The whole point of declarative zones
-// is that we never need a PSL lookup or a "last two labels" heuristic.
-describe("matchManifestZone", () => {
-  const zones = ["maxy.bot", "maxy.chat", "example.co.uk"];
-  it("matches a hostname whose registrable parent is in the zone list", () => {
-    const r = matchManifestZone("admin.maxy.bot", zones);
-    expect(r.ok).toBe(true);
-    expect(r.matchedZone).toBe("maxy.bot");
-  });
-  it("matches the zone itself (no subdomain)", () => {
-    const r = matchManifestZone("maxy.bot", zones);
-    expect(r.ok).toBe(true);
-    expect(r.matchedZone).toBe("maxy.bot");
-  });
-  it("matches deeper subdomains", () => {
-    const r = matchManifestZone("foo.bar.maxy.bot", zones);
-    expect(r.ok).toBe(true);
-    expect(r.matchedZone).toBe("maxy.bot");
-  });
-  it("matches case-insensitively", () => {
-    const r = matchManifestZone("Admin.MAXY.BOT", zones);
-    expect(r.ok).toBe(true);
-    expect(r.matchedZone).toBe("maxy.bot");
-  });
-  it("refuses hostnames outside the zone list", () => {
-    const r = matchManifestZone("admin.example.org", zones);
-    expect(r.ok).toBe(false);
-    expect(r.matchedZone).toBeNull();
-    expect(r.declaredZones).toEqual(zones);
-  });
-  it("does not partial-match — admin.notmaxy.bot must not match maxy.bot", () => {
-    // The leading-dot boundary is what prevents this.
-    const r = matchManifestZone("admin.notmaxy.bot", zones);
-    expect(r.ok).toBe(false);
-  });
-  it("handles multi-label TLDs (.co.uk) when declared", () => {
-    const r = matchManifestZone("admin.example.co.uk", zones);
-    expect(r.ok).toBe(true);
-    expect(r.matchedZone).toBe("example.co.uk");
-  });
-  it("prefers the longest match when zones overlap", () => {
-    const overlap = ["bot", "maxy.bot"];
-    const r = matchManifestZone("admin.maxy.bot", overlap);
-    expect(r.ok).toBe(true);
-    expect(r.matchedZone).toBe("maxy.bot");
-  });
-  it("refuses against an empty zone list", () => {
-    const r = matchManifestZone("admin.maxy.bot", []);
-    expect(r.ok).toBe(false);
-  });
-});

package/payload/platform/plugins/cloudflare/mcp/__tests__/verify-scenario-0.test.ts DELETED Viewed

@@ -1,70 +0,0 @@
-import { afterEach, beforeEach, describe, expect, it } from "vitest";
-import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import {
-  _resetBrandCache,
-  cfVerifyCore,
-  liveScopeContext,
-} from "../src/lib/cloudflared.js";
-// Scenario 0 (per task spec): fresh install — no cert.pem, no binding,
-// no tunnels, no config.yml. cf-verify must return zero OUT-OF-SCOPE,
-// every declared zone tagged MISSING, no throws. Proves the audit runs
-// before any login completes.
-let tmpRoot: string;
-let homeRoot: string;
-let originalHome: string | undefined;
-beforeEach(() => {
-  tmpRoot = mkdtempSync(join(tmpdir(), "maxy-cf-verify-"));
-  homeRoot = mkdtempSync(join(tmpdir(), "maxy-cf-home-"));
-  originalHome = process.env.HOME;
-  process.env.HOME = homeRoot;
-  process.env.PLATFORM_ROOT = tmpRoot;
-  _resetBrandCache();
-  const cfg = join(tmpRoot, "config");
-  mkdirSync(cfg, { recursive: true });
-  writeFileSync(
-    join(cfg, "brand.json"),
-    JSON.stringify({
-      productName: "Maxy",
-      configDir: ".maxy",
-      cloudflare: { zones: ["b.test", "c.test"] },
-    }),
-  );
-});
-afterEach(() => {
-  if (originalHome !== undefined) process.env.HOME = originalHome;
-  else delete process.env.HOME;
-  delete process.env.PLATFORM_ROOT;
-  rmSync(tmpRoot, { recursive: true, force: true });
-  rmSync(homeRoot, { recursive: true, force: true });
-});
-describe("cfVerifyCore — Scenario 0 (fresh install, no login)", () => {
-  it("runs without throwing and reports everything as MISSING", async () => {
-    const ctx = liveScopeContext();
-    const report = await cfVerifyCore(ctx);
-    expect(report.brand).toBe("Maxy");
-    expect(report.declaredZones).toEqual(["b.test", "c.test"]);
-    expect(report.bindingPresent).toBe(false);
-    expect(report.bindingMatchesCert).toBe(false);
-    expect(report.certPresent).toBe(false);
-    // No OUT-OF-SCOPE artefacts on a clean fresh device.
-    expect(report.counts.outOfScope).toBe(0);
-    // Cert, binding, tunnel.state, and each declared zone all MISSING.
-    const missingTypes = report.artefacts
-      .filter((a) => a.tag === "missing")
-      .map((a) => a.type);
-    expect(missingTypes).toContain("cert.pem");
-    expect(missingTypes).toContain("binding");
-    expect(missingTypes).toContain("tunnel.state");
-    expect(missingTypes.filter((t) => t === "declared-zone").length).toBe(2);
-  });
-});

package/payload/platform/plugins/cloudflare/mcp/__tests__/verify-scenario-B.test.ts DELETED Viewed

@@ -1,124 +0,0 @@
-import { afterEach, beforeEach, describe, expect, it } from "vitest";
-import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from "node:fs";
-import { tmpdir } from "node:os";
-import { join } from "node:path";
-import {
-  _resetBrandCache,
-  cfVerifyCore,
-  writeAccountBinding,
-  type ScopeContext,
-} from "../src/lib/cloudflared.js";
-// Scenario B (per task spec): stale tunnel state. Brand declares
-// cloudflare.zones=["b.test"]. cert.pem and binding agree on account Y.
-// But tunnel.state references a deleted tunnel, config.yml names a
-// hostname under a zone NOT in declared scope, and alias-domains.json
-// has an entry for removed.test (also out of scope).
-//
-// We bypass the SDK (no live calls) by passing a ScopeContext with
-// client=null. The local-artefact analysis runs in full; the account-side
-// analysis surfaces declared zones as MISSING (no client = nothing to
-// enumerate), which is correct behaviour for this audit-only test.
-let tmpRoot: string;
-let homeRoot: string;
-let originalHome: string | undefined;
-const CONFIG_DIR = ".maxy";
-function home(...p: string[]): string {
-  return join(homeRoot, ...p);
-}
-function writeCertPem(accountId: string, apiToken: string): void {
-  const certDir = home(CONFIG_DIR, "cloudflared");
-  mkdirSync(certDir, { recursive: true });
-  const tokenJson = JSON.stringify({ APIToken: apiToken, AccountTag: accountId });
-  const b64 = Buffer.from(tokenJson, "utf-8").toString("base64");
-  const pem = `-----BEGIN ARGO TUNNEL TOKEN-----
-${b64}
------END ARGO TUNNEL TOKEN-----
-`;
-  writeFileSync(join(certDir, "cert.pem"), pem);
-}
-beforeEach(() => {
-  tmpRoot = mkdtempSync(join(tmpdir(), "maxy-cf-verifyB-"));
-  homeRoot = mkdtempSync(join(tmpdir(), "maxy-cf-home-"));
-  originalHome = process.env.HOME;
-  process.env.HOME = homeRoot;
-  process.env.PLATFORM_ROOT = tmpRoot;
-  _resetBrandCache();
-  const cfg = join(tmpRoot, "config");
-  mkdirSync(cfg, { recursive: true });
-  writeFileSync(
-    join(cfg, "brand.json"),
-    JSON.stringify({
-      productName: "Maxy",
-      configDir: CONFIG_DIR,
-      cloudflare: { zones: ["b.test"] },
-    }),
-  );
-});
-afterEach(() => {
-  if (originalHome !== undefined) process.env.HOME = originalHome;
-  else delete process.env.HOME;
-  delete process.env.PLATFORM_ROOT;
-  rmSync(tmpRoot, { recursive: true, force: true });
-  rmSync(homeRoot, { recursive: true, force: true });
-});
-describe("cfVerifyCore — Scenario B (stale tunnel state)", () => {
-  it("tags out-of-scope local artefacts even without a live SDK client", async () => {
-    writeCertPem("acct-Y", "cfut_dummy");
-    writeAccountBinding("acct-Y");
-    // Stale tunnel.state pointing at a deleted tunnel + off-scope hostname.
-    const cloudflaredDir = home(CONFIG_DIR, "cloudflared");
-    mkdirSync(cloudflaredDir, { recursive: true });
-    const configYmlPath = join(cloudflaredDir, "config.yml");
-    writeFileSync(configYmlPath, "tunnel: stale\n");
-    writeFileSync(
-      join(cloudflaredDir, "tunnel.state"),
-      JSON.stringify({
-        tunnelId: "stale-tunnel-id",
-        tunnelName: "stale",
-        domain: "removed.test", // NOT in brand.cloudflare.zones
-        configPath: configYmlPath,
-        credentialsPath: join(cloudflaredDir, "stale-tunnel-id.json"),
-        adminHostname: "admin.removed.test", // off-scope
-        publicHostname: null,
-        pid: null,
-        startedAt: null,
-      }),
-    );
-    // alias-domains entry for an off-scope hostname.
-    writeFileSync(
-      home(CONFIG_DIR, "alias-domains.json"),
-      JSON.stringify(["removed.test"]),
-    );
-    // Bypass the SDK — pass a ScopeContext with client=null. The audit
-    // tags every declared zone as MISSING (cannot enumerate without
-    // client) but completes the local-artefact analysis in full.
-    const ctx: ScopeContext = {
-      declaredZones: ["b.test"],
-      binding: { accountId: "acct-Y", boundAt: new Date().toISOString() },
-      client: null,
-    };
-    const report = await cfVerifyCore(ctx);
-    const tunnelState = report.artefacts.find((a) => a.type === "tunnel.state");
-    expect(tunnelState?.tag).toBe("out-of-scope");
-    expect(tunnelState?.reason).toContain("hostnames outside declared scope");
-    const aliasEntry = report.artefacts.find(
-      (a) => a.type === "alias-domain" && a.id === "removed.test",
-    );
-    expect(aliasEntry?.tag).toBe("out-of-scope");
-    // Counts: at least the two out-of-scope local artefacts identified above.
-    expect(report.counts.outOfScope).toBeGreaterThanOrEqual(2);
-  });
-});