@rubytech/create-realagent 1.0.627 → 1.0.630

package/payload/platform/plugins/cloudflare/scripts/reset-tunnel.sh

@@ -19,6 +19,20 @@
 
 set -euo pipefail
 
+# --------------------------------------------------------------------------
+# Shared stream-log helpers (require STREAM_LOG_PATH, phase_line, tee_subprocess).
+# Task 556: any cloudflared subprocess this script spawns is teed line-by-line
+# into the per-conversation stream log so the chat UI tailer renders live
+# progress — same contract as setup-tunnel.sh.
+# --------------------------------------------------------------------------
+
+# shellcheck source=_stream-log.sh
+# Resolve symlinks before dirname — ~/reset-tunnel.sh is installed as a symlink
+# (see packages/create-maxy/src/index.ts:installTunnelScripts), so the raw
+# BASH_SOURCE[0] points at $HOME, not the scripts directory where _stream-log.sh lives.
+source "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")/_stream-log.sh"
+require_stream_log_path reset-tunnel
+
 if [ "$#" -lt 1 ]; then
   echo "Usage: $0 <brand>" >&2
   exit 2
@@ -28,28 +42,54 @@ BRAND="$1"
 CFG_DIR="${HOME}/.${BRAND}/cloudflared"
 CERT="${CFG_DIR}/cert.pem"
 
+phase_line reset-tunnel step=start brand="${BRAND}" cfg_dir="${CFG_DIR}"
+
 if [ ! -f "${CERT}" ]; then
+  phase_line reset-tunnel step=no-cert cfg_dir="${CFG_DIR}"
   echo "No cert.pem at ${CERT} — nothing to delete via CLI."
   echo "Removing ${CFG_DIR} if present."
   rm -rf "${CFG_DIR}"
+  phase_line reset-tunnel step=done result=wiped-no-cert
   exit 0
 fi
 
 # Delete every tunnel on the account (the cert is per-account for tunnel CRUD).
-NAMES="$(cloudflared --origincert "${CERT}" tunnel list --output json 2>/dev/null \
-  | jq -r '.[]?.name' | sort -u)"
+# cloudflared's list/delete output is teed into STREAM_LOG_PATH; the `list`
+# call uses tee_subprocess_capture so NAMES_TMP receives the JSON for jq to
+# parse. Using the non-capture variant here would strand the JSON in stderr
+# and leave NAMES_TMP empty — every tunnel would silently survive reset.
+phase_line reset-tunnel step=list-tunnels
+NAMES_TMP="$(mktemp -t maxy-reset-tunnel-list.XXXXXX)"
+# shellcheck disable=SC2064
+trap "rm -f '${NAMES_TMP}'" EXIT
+if ! tee_subprocess_capture reset-tunnel:cloudflared -- \
+      cloudflared --origincert "${CERT}" tunnel list --output json \
+      > "${NAMES_TMP}"; then
+  phase_line reset-tunnel step=list-tunnels result=error reason=cloudflared-list-failed
+  echo "ERROR: cloudflared tunnel list failed. See stream log for detail." >&2
+  exit 1
+fi
+NAMES="$(jq -r '.[]?.name' "${NAMES_TMP}" 2>/dev/null | sort -u || true)"
 if [ -z "${NAMES}" ]; then
+  phase_line reset-tunnel step=list-tunnels result=empty
   echo "No tunnels to delete on this brand's account."
 else
   while IFS= read -r NAME; do
     [ -z "${NAME}" ] && continue
+    phase_line reset-tunnel step=delete-tunnel name="${NAME}"
     echo "Deleting tunnel: ${NAME}"
-    cloudflared --origincert "${CERT}" tunnel delete "${NAME}"
+    if ! tee_subprocess reset-tunnel:cloudflared -- \
+          cloudflared --origincert "${CERT}" tunnel delete "${NAME}"; then
+      phase_line reset-tunnel step=delete-tunnel result=error name="${NAME}"
+      echo "ERROR: cloudflared tunnel delete failed for ${NAME}. See stream log." >&2
+      exit 1
+    fi
   done <<< "${NAMES}"
 fi
 
 # Wipe the brand-scoped cloudflared state directory.
 rm -rf "${CFG_DIR}"
+phase_line reset-tunnel step=wipe-cfg-dir path="${CFG_DIR}"
 echo "Removed ${CFG_DIR}"
 
 echo ""
@@ -63,3 +103,5 @@ echo "The platform service (${BRAND}.service) was not touched. To release any"
 echo "running cloudflared connector started by ${BRAND}.service's ExecStartPre,"
 echo "either restart the service (which will no-op on resume since tunnel.state"
 echo "is gone) or leave it running until you re-run setup-tunnel.sh."
+
+phase_line reset-tunnel step=done result=ok brand="${BRAND}"

package/payload/platform/plugins/cloudflare/scripts/setup-tunnel.sh

@@ -13,9 +13,28 @@
 # via `cloudflared tunnel route dns` — see manual-setup.md §Step 4 Apex
 # hostnames. The script writes the ingress rule for them but prints an
 # explicit ACTION REQUIRED message naming the manual dashboard step.
+#
+# Task 556: Step 1 owns the browser-spawn deterministically. Instead of
+# delegating to cloudflared's xdg-open (which silently degrades to "print
+# URL and wait"), the script drives Chromium on :99 via CDP `PUT /json/new?<url>`
+# on http://127.0.0.1:9222 — the same mechanism
+# /api/admin/device-browser/navigate uses. cloudflared's stdout+stderr is
+# teed line-by-line into STREAM_LOG_PATH so the chat UI's server-side
+# tailer renders live progress in-turn.
 
 set -euo pipefail
 
+# --------------------------------------------------------------------------
+# Shared stream-log helpers (require STREAM_LOG_PATH, phase_line, …).
+# --------------------------------------------------------------------------
+
+# shellcheck source=_stream-log.sh
+# Resolve symlinks before dirname — ~/setup-tunnel.sh is installed as a symlink
+# (see packages/create-maxy/src/index.ts:installTunnelScripts), so the raw
+# BASH_SOURCE[0] points at $HOME, not the scripts directory where _stream-log.sh lives.
+source "$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")/_stream-log.sh"
+require_stream_log_path setup-tunnel
+
 # --------------------------------------------------------------------------
 # Args
 # --------------------------------------------------------------------------
@@ -31,6 +50,8 @@ PORT="$2"
 shift 2
 HOSTNAMES=("$@")
 
+phase_line setup-tunnel step=start brand="${BRAND}" port="${PORT}" hostnames="${HOSTNAMES[*]}"
+
 # --------------------------------------------------------------------------
 # Step 0: Set brand context (paths + dirs). Corresponds to runbook Step 0.
 # --------------------------------------------------------------------------
@@ -40,24 +61,144 @@ mkdir -p "${CFG_DIR}"
 
 # --------------------------------------------------------------------------
 # Step 1: OAuth login (only if cert.pem missing). Corresponds to runbook Step 1.
-# cloudflared always writes cert.pem to ~/.cloudflared/cert.pem regardless
-# of --origincert — mv it into the brand-scoped path on fresh login.
+#
+# Control flow, rewritten per Task 556:
+#   1. CDP precheck on 127.0.0.1:9222 — loud failure if Chromium isn't up.
+#   2. Spawn cloudflared with stdout+stderr teed line-by-line to
+#      $STREAM_LOG_PATH with prefix [setup-tunnel:cloudflared].
+#   3. Extract the authorize URL with a tolerant regex as it streams.
+#   4. Drive the VNC Chromium to that URL via CDP `PUT /json/new?<url>`.
+#   5. Wait for ~/.cloudflared/cert.pem to land with bounded timeout.
+#   6. Move cert.pem into the brand-scoped path.
+#
+# Every branch exits 1 loudly naming the failure — no silent retries,
+# no xdg-open race, no cloudflared-internal browser-spawn path.
 # --------------------------------------------------------------------------
 
 if [ ! -f "${CFG_DIR}/cert.pem" ]; then
-  echo "No cert.pem at ${CFG_DIR}/cert.pem — starting OAuth login (DISPLAY=${DISPLAY:-:99})"
-  DISPLAY="${DISPLAY:-:99}" cloudflared --origincert "${CFG_DIR}/cert.pem" tunnel login &
-  LOGIN_PID=$!
-  # cloudflared login writes to ~/.cloudflared/cert.pem regardless of --origincert
+  phase_line setup-tunnel step=oauth-login cert_path="${CFG_DIR}/cert.pem" display="${DISPLAY:-:99}"
+
+  # CDP precheck — fail loudly if Chromium DevTools is not answering.
+  if ! curl -sf --max-time 2 "http://127.0.0.1:9222/json/version" > /dev/null 2>&1; then
+    phase_line setup-tunnel step=oauth-login result=error reason=cdp-unreachable \
+      endpoint=http://127.0.0.1:9222 hint="run ~/vnc.sh restart"
+    echo "ERROR: Chromium CDP on 127.0.0.1:9222 is not reachable." >&2
+    echo "       The script needs CDP to drive the authorize URL on the VNC browser." >&2
+    echo "       Fix: run 'vnc.sh restart' to bring Chromium up on :99." >&2
+    exit 1
+  fi
+  phase_line setup-tunnel step=oauth-login cdp=ok
+
+  URL_FILE="$(mktemp -t maxy-setup-tunnel-url.XXXXXX)"
+  LAST_LINE_FILE="$(mktemp -t maxy-setup-tunnel-last.XXXXXX)"
+  : > "${URL_FILE}"
+  : > "${LAST_LINE_FILE}"
+  # Track the cloudflared pipeline PID so the EXIT trap can kill it on any
+  # failure path — including ones that `exit 1` without an explicit kill.
+  # Missing this trap leaks a cloudflared subshell waiting for the OAuth
+  # callback forever; subsequent setup-tunnel runs see a stale cert.pem
+  # landing asynchronously and race against the new URL-extraction pass.
+  CF_PIPELINE_PID=""
+  cleanup_oauth() {
+    [ -n "${CF_PIPELINE_PID}" ] && kill "${CF_PIPELINE_PID}" 2>/dev/null || true
+    rm -f "${URL_FILE}" "${LAST_LINE_FILE}"
+  }
+  trap cleanup_oauth EXIT
+
+  # cloudflared is line-buffered (stdbuf), teed to the stream log, URL
+  # extracted as it streams. The subshell holds the whole pipeline so
+  # PIPESTATUS[0] (cloudflared's exit code) is reachable later.
+  (
+    DISPLAY="${DISPLAY:-:99}" stdbuf -oL -eL cloudflared \
+      --origincert "${CFG_DIR}/cert.pem" tunnel login 2>&1 |
+      while IFS= read -r line; do
+        ts="$(stream_log_ts)"
+        printf '[%s] [setup-tunnel:cloudflared] %s\n' "${ts}" "${line}" >> "${STREAM_LOG_PATH}"
+        printf '%s\n' "${line}" >&2
+        printf '%s\n' "${line}" > "${LAST_LINE_FILE}"
+        if [ ! -s "${URL_FILE}" ]; then
+          url="$(printf '%s' "${line}" | grep -oE 'https://dash\.cloudflare\.com/argotunnel\?[^ ]+' | head -1 || true)"
+          if [ -n "${url}" ]; then
+            printf '%s' "${url}" > "${URL_FILE}"
+          fi
+        fi
+      done
+  ) &
+  CF_PIPELINE_PID=$!
+
+  # Wait up to ~15s for the URL to surface in cloudflared's output.
+  URL_WAIT=0
+  while [ ! -s "${URL_FILE}" ] && [ "${URL_WAIT}" -lt 30 ]; do
+    if ! kill -0 "${CF_PIPELINE_PID}" 2>/dev/null; then
+      phase_line setup-tunnel step=oauth-login result=error \
+        reason=cloudflared-exited-before-url \
+        last_line="$(cat "${LAST_LINE_FILE}" 2>/dev/null || echo none)"
+      echo "ERROR: cloudflared exited before printing the authorize URL." >&2
+      exit 1
+    fi
+    sleep 0.5
+    URL_WAIT=$((URL_WAIT + 1))
+  done
+
+  if [ ! -s "${URL_FILE}" ]; then
+    kill "${CF_PIPELINE_PID}" 2>/dev/null || true
+    phase_line setup-tunnel step=oauth-login result=error \
+      reason=url-not-extracted waited=15s \
+      last_line="$(cat "${LAST_LINE_FILE}" 2>/dev/null || echo none)"
+    echo "ERROR: cloudflared ran for ~15s without emitting a dash.cloudflare.com/argotunnel URL." >&2
+    echo "       cloudflared output-format may have changed. Check the stream log tail for the raw lines." >&2
+    exit 1
+  fi
+
+  AUTH_URL="$(cat "${URL_FILE}")"
+  phase_line setup-tunnel step=browser-drive url_extracted=1
+
+  # Drive CDP. Same PUT /json/new?<url> contract as
+  # platform/ui/app/lib/cdp-client.ts (which uses encodeURIComponent on
+  # the URL). Without percent-encoding, CDP's URL parser splits on the
+  # inner `?` and `&` in the argotunnel URL and drops the callback/token
+  # query params — Chromium lands on a bare argotunnel page and the
+  # consent screen is never reached. `jq -sRr @uri` percent-encodes a raw
+  # string, matching the TS client exactly.
+  AUTH_URL_ENC="$(printf '%s' "${AUTH_URL}" | jq -sRr @uri)"
+  CDP_RESP="$(curl -sf --max-time 5 -X PUT "http://127.0.0.1:9222/json/new?${AUTH_URL_ENC}" 2>&1 || true)"
+  if [ -z "${CDP_RESP}" ]; then
+    kill "${CF_PIPELINE_PID}" 2>/dev/null || true
+    phase_line setup-tunnel step=browser-drive result=error reason=cdp-put-failed
+    echo "ERROR: CDP PUT /json/new?<url> returned empty — Chromium rejected the navigate." >&2
+    exit 1
+  fi
+  phase_line setup-tunnel step=browser-drive result=accepted
+
+  # Wait for cert.pem to land — cloudflared writes to ~/.cloudflared/cert.pem
+  # regardless of --origincert, so watch the canonical location.
+  LOGIN_TIMEOUT="${SETUP_TUNNEL_LOGIN_TIMEOUT:-180}"
+  LOGIN_WAIT=0
   while [ ! -f "${HOME}/.cloudflared/cert.pem" ]; do
-    if ! kill -0 "${LOGIN_PID}" 2>/dev/null; then
-      echo "ERROR: cloudflared tunnel login exited before cert.pem landed" >&2
+    if ! kill -0 "${CF_PIPELINE_PID}" 2>/dev/null; then
+      # Pipeline exited — one more cert.pem probe in case it landed right before exit.
+      if [ -f "${HOME}/.cloudflared/cert.pem" ]; then break; fi
+      phase_line setup-tunnel step=oauth-login result=error \
+        reason=cloudflared-exited-no-cert \
+        last_line="$(cat "${LAST_LINE_FILE}" 2>/dev/null || echo none)"
+      echo "ERROR: cloudflared exited before cert.pem landed." >&2
       exit 1
     fi
-    sleep 2
+    if [ "${LOGIN_WAIT}" -ge "${LOGIN_TIMEOUT}" ]; then
+      kill "${CF_PIPELINE_PID}" 2>/dev/null || true
+      phase_line setup-tunnel step=oauth-login result=error \
+        reason=timeout-waiting-cert waited="${LOGIN_WAIT}s" \
+        last_line="$(cat "${LAST_LINE_FILE}" 2>/dev/null || echo none)"
+      echo "ERROR: Timed out after ${LOGIN_WAIT}s waiting for cert.pem to land." >&2
+      exit 1
+    fi
+    sleep 1
+    LOGIN_WAIT=$((LOGIN_WAIT + 1))
   done
+
   mv "${HOME}/.cloudflared/cert.pem" "${CFG_DIR}/cert.pem"
-  echo "cert.pem moved to ${CFG_DIR}/cert.pem"
+  phase_line setup-tunnel step=oauth-login result=cert-received \
+    path="${CFG_DIR}/cert.pem" waited="${LOGIN_WAIT}s"
 fi
 
 # --------------------------------------------------------------------------

package/payload/platform/plugins/docs/references/memory-guide.md

@@ -80,6 +80,14 @@ Ask naturally:
 - "What did I last discuss about the Acme proposal?"
 - "Who have I met from the fintech conference?"
 
+## Listing and counting (Task 557)
+
+Maxy answers relational questions — "list all my people", "how many tasks do I have", "find the person with email X", "show me the 20 most recently created nodes" — via direct read-only Cypher against your Neo4j. This is faster and more precise than semantic search when the question is "the exact set where", not "things similar to".
+
+You can also open the Neo4j Browser at any time from the burger menu → **Graph**. Sign in with your Neo4j username (`neo4j`) and password (stored in `config/.neo4j-password` on the device). Run `MATCH (n) RETURN n LIMIT 25` for a visual overview of your graph, or write your own Cypher for ad-hoc exploration.
+
+The browser reaches only your own brand's Neo4j — a Maxy device and a Real Agent device share no graph state even when on the same laptop.
+
 ## Privacy
 
 All memory is stored on your local Raspberry Pi. The Neo4j database never leaves your network. Maxy does not sync memory to any cloud service or third party.

package/payload/platform/plugins/docs/references/plugins-guide.md

@@ -103,6 +103,8 @@ After this, every `console.error("[your-tool] ...")` from any tool in the plugin
 
 **How the tee decides which file to write to (Task 532):** the platform sets `STREAM_LOG_PATH` as an environment variable on every MCP server spawn, pointing to the conversation-scoped stream log. The MCP server does not know about conversations — it just trusts `STREAM_LOG_PATH`. Multiple concurrent conversations produce multiple concurrent MCP server processes, each teeing to its own file; no cross-conversation leakage.
 
+**`STREAM_LOG_PATH` reaches every Claude Code child (Task 556).** The platform now sets `STREAM_LOG_PATH` on the parent `claude` spawn env itself (not only on MCP server envs), so the bundled Bun runtime inherits it and every Bash-tool subprocess the CLI spawns sees it too. Opt-in shell scripts — currently `setup-tunnel.sh` and `reset-tunnel.sh` under `platform/plugins/cloudflare/scripts/` — read the variable, guard against a missing value with a loud exit, and tee subprocess output line-by-line into the same per-conversation file. Each spawn writes one `[spawn-env] STREAM_LOG_PATH=set pid=… conversationId=… site=…` line so the env-propagation is auditable per session. The chat UI tails the same file for lines matching `^\[[^]]+\] \[(setup-tunnel|reset-tunnel)(:[^]]+)?\] ` and emits them as `script_stream` SSE events; see `.docs/web-chat.md` for the contract.
+
 **Retrieve MCP diagnostic lines for a conversation:**
 
 - All servers: `logs-read { type: "system", conversationId: "..." }` → grep `[mcp:<name>]` on the returned stream log.

package/payload/platform/plugins/memory/mcp/scripts/graph/accept.sh

@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# Task 557 acceptance harness for the graph MCP integration.
+#
+# Spawns the graph shim, drives it as a JSON-RPC client over stdio, runs
+# one query per acceptance class, prints PASS/FAIL per check, and exits
+# non-zero if any check fails. Assumes the brand's Neo4j is running and
+# the fixture in fixture.cypher has been seeded.
+#
+# Usage:
+#   PLATFORM_ROOT=~/.maxy/platform bash accept.sh           # infers NEO4J_URI from env
+#   PLATFORM_ROOT=~/.maxy/platform NEO4J_URI=bolt://localhost:7687 bash accept.sh
+#
+# Dependencies: node, python3 (for JSON-RPC framing), uvx (via the shim).
+#
+# Exit codes:
+#   0  all PASS
+#   1  one or more FAIL
+#   2  setup error (shim missing, uvx missing, etc.)
+
+set -euo pipefail
+
+PLATFORM_ROOT="${PLATFORM_ROOT:-$(cd "$(dirname "$0")/../../../../.." && pwd)}"
+SHIM="${PLATFORM_ROOT}/lib/graph-mcp/dist/index.js"
+
+if [[ ! -f "$SHIM" ]]; then
+  echo "FAIL: shim not built at $SHIM — run 'npm run build:lib' in $PLATFORM_ROOT" >&2
+  exit 2
+fi
+
+if ! command -v uvx >/dev/null 2>&1; then
+  echo "FAIL: uvx not on PATH — run: curl -LsSf https://astral.sh/uv/install.sh | sh -s -- -y" >&2
+  exit 2
+fi
+
+PASS=0
+FAIL=0
+TOTAL=0
+
+run_check() {
+  local label="$1"
+  local query="$2"
+  local tool="${3:-maxy-graph_read_neo4j_cypher}"
+  TOTAL=$(( TOTAL + 1 ))
+
+  # Drive the shim via a short Node inline client. Exits 0 with the response
+  # body on stdout when the tool call succeeds; exits 1 on any RPC error.
+  if out=$(
+    node -e "
+      const { spawn } = require('node:child_process');
+      const shim = process.env.SHIM;
+      const tool = process.env.TOOL;
+      const query = process.env.QUERY;
+      const proc = spawn('node', [shim], { stdio: ['pipe', 'pipe', 'inherit'] });
+      let buf = '';
+      proc.stdout.on('data', (chunk) => { buf += chunk.toString('utf8'); });
+      const send = (obj) => proc.stdin.write(JSON.stringify(obj) + '\n');
+      send({ jsonrpc: '2.0', id: 1, method: 'initialize',
+             params: { protocolVersion: '2024-11-05', capabilities: {}, clientInfo: { name: 'accept.sh', version: '1.0' } } });
+      setTimeout(() => {
+        send({ jsonrpc: '2.0', method: 'notifications/initialized' });
+        const params = tool === 'maxy-graph_get_neo4j_schema' ? {} : { query };
+        send({ jsonrpc: '2.0', id: 2, method: 'tools/call', params: { name: tool, arguments: params } });
+      }, 1500);
+      setTimeout(() => {
+        proc.kill('SIGTERM');
+        // Look for id:2 response in the buffer
+        const lines = buf.split('\n').filter(Boolean);
+        for (const line of lines) {
+          try { const m = JSON.parse(line); if (m.id === 2) {
+            if (m.error) { console.error('RPC_ERROR: ' + JSON.stringify(m.error)); process.exit(1); }
+            const text = m.result && m.result.content && m.result.content[0] && m.result.content[0].text || '';
+            process.stdout.write(text);
+            process.exit(0);
+          } } catch (_) {}
+        }
+        console.error('NO_RESPONSE');
+        process.exit(1);
+      }, 10000);
+    " 2>/dev/null
+  ); then
+    if [[ -n "$out" ]]; then
+      echo "PASS: ${label} (response ${#out}b)"
+      PASS=$(( PASS + 1 ))
+    else
+      echo "FAIL: ${label} (empty response)"
+      FAIL=$(( FAIL + 1 ))
+    fi
+  else
+    echo "FAIL: ${label} (RPC error or timeout)"
+    FAIL=$(( FAIL + 1 ))
+  fi
+}
+
+# Exported env used by the inline Node client above.
+export SHIM
+export PLATFORM_ROOT
+
+export TOOL="maxy-graph_get_neo4j_schema"
+export QUERY=""
+run_check "get_neo4j_schema returns labels" ""
+
+export TOOL="maxy-graph_read_neo4j_cypher"
+
+export QUERY="MATCH (n) RETURN labels(n)[0] AS type, count(*) AS n ORDER BY n DESC LIMIT 20"
+run_check "enumerate by label" "$QUERY"
+
+export QUERY="MATCH (n:Task) RETURN count(n) AS total"
+run_check "count Tasks" "$QUERY"
+
+export QUERY="MATCH (p:Person {email: 'graph-accept@test.maxy.local'}) RETURN elementId(p) AS id, p.givenName, p.email LIMIT 1"
+run_check "find person by email" "$QUERY"
+
+export QUERY="MATCH (p:Person {email: 'graph-accept@test.maxy.local'})-[r]-(m) RETURN type(r) AS rel, labels(m)[0] AS neighbourType LIMIT 10"
+run_check "neighbours of fixture person" "$QUERY"
+
+export QUERY="MATCH (n) WHERE n.createdAt IS NOT NULL RETURN labels(n)[0] AS type, toString(n.createdAt) AS createdAt ORDER BY n.createdAt DESC LIMIT 5"
+run_check "recent nodes projection" "$QUERY"
+
+export QUERY="CALL db.labels() YIELD label RETURN label ORDER BY label"
+run_check "db.labels() schema introspection" "$QUERY"
+
+echo ""
+if [[ $FAIL -eq 0 ]]; then
+  echo "ALL PASS — ${PASS}/${TOTAL}"
+  exit 0
+else
+  echo "FAIL — ${PASS}/${TOTAL} passed, ${FAIL} failed"
+  exit 1
+fi

package/payload/platform/plugins/memory/mcp/scripts/graph/fixture.cypher

@@ -0,0 +1,59 @@
+// Task 557 — acceptance fixture for the graph MCP integration.
+// Seeds one node per primary label so accept.sh can verify enumerate,
+// count, find, neighbours, recent, and schema queries end-to-end.
+// Safe to re-run: MERGE on a synthetic accountId prefix + deterministic ids.
+
+MERGE (p:Person {email: 'graph-accept@test.maxy.local'})
+  ON CREATE SET p.givenName = 'Graph',
+                p.familyName = 'Accept',
+                p.telephone = '+440000557001',
+                p.status = 'active',
+                p.accountId = 'accept-557',
+                p.createdAt = datetime()
+MERGE (b:LocalBusiness {accountId: 'accept-557'})
+  ON CREATE SET b.name = 'Accept Corp',
+                b.businessType = 'test-fixture',
+                b.createdAt = datetime()
+MERGE (s:Service {serviceId: 'accept-557-service-1'})
+  ON CREATE SET s.name = 'Test Service',
+                s.accountId = 'accept-557',
+                s.createdAt = datetime()
+MERGE (t:Task {taskId: 'accept-557-task-1'})
+  ON CREATE SET t.title = 'Acceptance task',
+                t.status = 'open',
+                t.priority = 'P2',
+                t.accountId = 'accept-557',
+                t.createdAt = datetime()
+MERGE (e:Event {eventId: 'accept-557-event-1'})
+  ON CREATE SET e.name = 'Acceptance event',
+                e.status = 'scheduled',
+                e.startDate = datetime(),
+                e.accountId = 'accept-557',
+                e.createdAt = datetime()
+MERGE (c:Conversation {conversationId: 'accept-557-conv-1'})
+  ON CREATE SET c.name = 'Acceptance conversation',
+                c.agentType = 'admin',
+                c.accountId = 'accept-557',
+                c.createdAt = datetime()
+MERGE (m:Message {messageId: 'accept-557-msg-1'})
+  ON CREATE SET m.role = 'user',
+                m.content = 'Acceptance test message',
+                m.accountId = 'accept-557',
+                m.createdAt = datetime()
+MERGE (kd:KnowledgeDocument {attachmentId: 'accept-557-doc-1'})
+  ON CREATE SET kd.name = 'Acceptance document',
+                kd.accountId = 'accept-557',
+                kd.createdAt = datetime()
+MERGE (sec:Section {sectionId: 'accept-557-sec-1'})
+  ON CREATE SET sec.title = 'Section one',
+                sec.accountId = 'accept-557',
+                sec.createdAt = datetime()
+MERGE (ch:Chunk {chunkId: 'accept-557-chk-1'})
+  ON CREATE SET ch.text = 'Chunk text for acceptance.',
+                ch.accountId = 'accept-557',
+                ch.createdAt = datetime()
+MERGE (p)-[:WORKS_FOR]->(b)
+MERGE (b)-[:OFFERS]->(s)
+MERGE (kd)-[:HAS_SECTION]->(sec)
+MERGE (sec)-[:HAS_CHUNK]->(ch)
+MERGE (c)-[:HAS_MESSAGE]->(m);