@rubytech/create-realagent 1.0.627 → 1.0.630

package/payload/server/server.js

@@ -2530,7 +2530,7 @@ var responseViaResponseObject = async (res, outgoing, options = {}) => {
         });
         if (!chunk) {
           if (i === 1) {
-            await new Promise((resolve28) => setTimeout(resolve28));
+            await new Promise((resolve29) => setTimeout(resolve29));
             maxReadCount = 3;
             continue;
           }
@@ -2897,7 +2897,7 @@ var serveStatic = (options = { root: "" }) => {
 
 // server/index.ts
 import { readFileSync as readFileSync26, existsSync as existsSync26, watchFile } from "fs";
-import { resolve as resolve27, join as join13, basename as basename6 } from "path";
+import { resolve as resolve28, join as join13, basename as basename6 } from "path";
 import { homedir as homedir4 } from "os";
 
 // app/lib/vnc-logger.ts
@@ -2971,10 +2971,10 @@ var SCRYPT_R = 8;
 var SCRYPT_P = 1;
 var SCRYPT_KEYLEN = 64;
 function scryptAsync(password, salt) {
-  return new Promise((resolve28, reject) => {
+  return new Promise((resolve29, reject) => {
     scrypt(password, salt, SCRYPT_KEYLEN, { N: SCRYPT_N, r: SCRYPT_R, p: SCRYPT_P }, (err, key) => {
       if (err) reject(err);
-      else resolve28(key);
+      else resolve29(key);
     });
   });
 }
@@ -3610,8 +3610,6 @@ function handleUpgrade(req, clientSocket, head, opts) {
   const qsIndex = url2.indexOf("?");
   const pathname = qsIndex === -1 ? url2 : url2.slice(0, qsIndex);
   if (pathname !== WS_PATH) {
-    vncLog("ws-upgrade", { decision: "rejected", reason: "wrong-path", path: pathname });
-    clientSocket.destroy();
     return;
   }
   const corrId = newCorrId();
@@ -3828,9 +3826,203 @@ Content-Length: 0\r
   socket.destroy();
 }
 
+// server/graph-proxy.ts
+import { createConnection as createConnection2 } from "net";
+var GRAPH_PREFIX = "/graph";
+var UPSTREAM_TIMEOUT_MS2 = 5e3;
+var HOP_BY_HOP2 = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+]);
+function resolveUpstreamPort() {
+  const uri = process.env.NEO4J_URI ?? "bolt://localhost:7687";
+  const m = uri.match(/:(\d+)$/);
+  const boltPort = m ? parseInt(m[1], 10) : 7687;
+  return boltPort - 213;
+}
+var UPSTREAM_HOST = "127.0.0.1";
+var UPSTREAM_PORT = resolveUpstreamPort();
+function attachGraphHttpRoutes(app2) {
+  const handler = async (c) => {
+    const raw2 = c.req.raw;
+    const url2 = new URL(raw2.url);
+    const pathAfterPrefix = url2.pathname.slice(GRAPH_PREFIX.length) || "/";
+    const upstreamUrl = `http://${UPSTREAM_HOST}:${UPSTREAM_PORT}${pathAfterPrefix}${url2.search}`;
+    const upstreamHeaders = new Headers(raw2.headers);
+    for (const h of HOP_BY_HOP2) upstreamHeaders.delete(h);
+    upstreamHeaders.set("host", `${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
+    try {
+      const upstream = await fetch(upstreamUrl, {
+        method: raw2.method,
+        headers: upstreamHeaders,
+        body: raw2.body,
+        // `duplex: 'half'` is required when forwarding a streaming body; TS
+        // typings do not yet expose it but the undici runtime supports it.
+        ...raw2.body ? { duplex: "half" } : {},
+        redirect: "manual"
+      });
+      const resHeaders = new Headers(upstream.headers);
+      for (const h of HOP_BY_HOP2) resHeaders.delete(h);
+      return new Response(upstream.body, {
+        status: upstream.status,
+        statusText: upstream.statusText,
+        headers: resHeaders
+      });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`[graph-proxy] upstream fetch failed for ${upstreamUrl}: ${msg}`);
+      return c.text(`Graph proxy upstream unreachable: ${msg}`, 502);
+    }
+  };
+  app2.all(GRAPH_PREFIX, handler);
+  app2.all(`${GRAPH_PREFIX}/*`, handler);
+}
+function attachGraphWsProxy(server, opts) {
+  server.on("upgrade", (req, clientSocket, head) => {
+    try {
+      const url2 = req.url ?? "";
+      const qsIndex = url2.indexOf("?");
+      const pathname = qsIndex === -1 ? url2 : url2.slice(0, qsIndex);
+      const isGraphPath = pathname === GRAPH_PREFIX || pathname.startsWith(`${GRAPH_PREFIX}/`);
+      if (!isGraphPath) {
+        if (pathname !== "/websockify") {
+          clientSocket.destroy();
+        }
+        return;
+      }
+      const hostHeader = (req.headers.host ?? "").split(":")[0];
+      const remote = req.socket.remoteAddress;
+      const xff = headerString2(req.headers["x-forwarded-for"]);
+      const cookie = headerString2(req.headers.cookie);
+      const decision = opts.canAccessAdmin({
+        host: hostHeader,
+        remoteAddress: remote,
+        xForwardedFor: xff,
+        cookieHeader: cookie,
+        isPublicHost: opts.isPublicHost
+      });
+      if (!decision.allow) {
+        const status = decision.reason === "public-host" ? 404 : 401;
+        writeStatusAndDestroy2(clientSocket, status, decision.reason === "public-host" ? "Not Found" : "Unauthorized");
+        return;
+      }
+      const originHeader = headerString2(req.headers.origin);
+      const originHost = parseOriginHost2(originHeader);
+      if (!originHost || originHost !== hostHeader || opts.isPublicHost(originHost)) {
+        writeStatusAndDestroy2(clientSocket, 403, "Forbidden");
+        return;
+      }
+      const rewrittenPath = pathname === GRAPH_PREFIX ? "/" : pathname.slice(GRAPH_PREFIX.length);
+      const rewrittenUrl = qsIndex === -1 ? rewrittenPath : rewrittenPath + url2.slice(qsIndex);
+      const upstream = createConnection2({ host: UPSTREAM_HOST, port: UPSTREAM_PORT });
+      upstream.setTimeout(UPSTREAM_TIMEOUT_MS2);
+      upstream.once("connect", () => {
+        upstream.setTimeout(0);
+        const lines = [];
+        lines.push(`${req.method ?? "GET"} ${rewrittenUrl} HTTP/${req.httpVersion}`);
+        lines.push(`host: ${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
+        for (const [name, value] of Object.entries(req.headers)) {
+          if (name === "host") continue;
+          if (HOP_BY_HOP2.has(name)) continue;
+          if (value == null) continue;
+          if (Array.isArray(value)) {
+            for (const v of value) lines.push(`${name}: ${v}`);
+          } else {
+            lines.push(`${name}: ${value}`);
+          }
+        }
+        const upgradeHeader = headerString2(req.headers.upgrade);
+        const connectionHeader = headerString2(req.headers.connection);
+        if (upgradeHeader) lines.push(`upgrade: ${upgradeHeader}`);
+        if (connectionHeader) lines.push(`connection: ${connectionHeader}`);
+        upstream.write(lines.join("\r\n") + "\r\n\r\n");
+        if (head && head.length > 0) upstream.write(head);
+        clientSocket.pipe(upstream);
+        upstream.pipe(clientSocket);
+        const teardown = () => {
+          clientSocket.destroy();
+          upstream.destroy();
+        };
+        clientSocket.once("close", teardown);
+        upstream.once("close", teardown);
+        clientSocket.once("error", teardown);
+        upstream.once("error", teardown);
+      });
+      upstream.once("timeout", () => {
+        writeStatusAndDestroy2(clientSocket, 504, "Gateway Timeout");
+        upstream.destroy();
+      });
+      upstream.once("error", (err) => {
+        console.error(`[graph-proxy] ws upstream error: ${err.message}`);
+        writeStatusAndDestroy2(clientSocket, 502, "Bad Gateway");
+        upstream.destroy();
+      });
+    } catch (err) {
+      console.error(`[graph-proxy] upgrade handler exception: ${err.message}`);
+      clientSocket.destroy();
+    }
+  });
+}
+function graphAuthMiddleware(opts) {
+  return async (c, next) => {
+    const url2 = new URL(c.req.raw.url);
+    if (!url2.pathname.startsWith(GRAPH_PREFIX)) return next();
+    const hostHeader = (c.req.header("host") ?? "").split(":")[0];
+    const incoming = c.env?.incoming;
+    const remote = incoming?.socket?.remoteAddress;
+    const xff = c.req.header("x-forwarded-for");
+    const cookie = c.req.header("cookie");
+    const decision = opts.canAccessAdmin({
+      host: hostHeader,
+      remoteAddress: remote,
+      xForwardedFor: xff,
+      cookieHeader: cookie,
+      isPublicHost: opts.isPublicHost
+    });
+    if (!decision.allow) {
+      return c.text(
+        decision.reason === "public-host" ? "Not Found" : "Unauthorized",
+        decision.reason === "public-host" ? 404 : 401
+      );
+    }
+    return next();
+  };
+}
+function headerString2(value) {
+  if (value == null) return void 0;
+  return Array.isArray(value) ? value[0] : value;
+}
+function parseOriginHost2(origin) {
+  if (!origin) return null;
+  try {
+    return new URL(origin).hostname;
+  } catch {
+    return null;
+  }
+}
+function writeStatusAndDestroy2(socket, status, statusText) {
+  try {
+    socket.write(
+      `HTTP/1.1 ${status} ${statusText}\r
+Connection: close\r
+Content-Length: 0\r
+\r
+`
+    );
+  } catch {
+  }
+  socket.destroy();
+}
+
 // app/api/health/route.ts
 import { existsSync as existsSync11, readFileSync as readFileSync12 } from "fs";
-import { createConnection as createConnection3 } from "net";
+import { createConnection as createConnection4 } from "net";
 
 // app/lib/claude-auth.ts
 import { readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
@@ -4187,7 +4379,7 @@ function contextWindow(model) {
 
 // app/lib/vnc.ts
 import { spawnSync, execFileSync } from "child_process";
-import { createConnection as createConnection2 } from "net";
+import { createConnection as createConnection3 } from "net";
 import { mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
 import { resolve as resolve4 } from "path";
 var PLATFORM_ROOT2 = process.env.MAXY_PLATFORM_ROOT ?? resolve4(process.cwd(), "..");
@@ -4282,7 +4474,7 @@ async function waitForPort(port2, timeoutMs = 12e3) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     const ready = await new Promise((res) => {
-      const socket = createConnection2(port2, "127.0.0.1");
+      const socket = createConnection3(port2, "127.0.0.1");
       socket.setTimeout(500);
       socket.once("connect", () => {
         socket.destroy();
@@ -5146,7 +5338,7 @@ ${userContent}`;
     "dontAsk",
     prompt
   ];
-  return new Promise((resolve28) => {
+  return new Promise((resolve29) => {
     let stdout = "";
     let stderr = "";
     const spawnFn = _spawnOverride ?? spawn;
@@ -5164,35 +5356,35 @@ ${userContent}`;
     const timer = setTimeout(() => {
       proc.kill("SIGTERM");
       console.error("[persist] autoLabel: haiku subprocess timed out");
-      resolve28(null);
+      resolve29(null);
     }, SESSION_LABEL_TIMEOUT_MS);
     proc.on("error", (err) => {
       clearTimeout(timer);
       console.error(`[persist] autoLabel: subprocess error \u2014 ${err.message}`);
-      resolve28(null);
+      resolve29(null);
     });
     proc.on("close", (code) => {
       clearTimeout(timer);
       if (code !== 0) {
         console.error(`[persist] autoLabel: subprocess exited code=${code}${stderr ? ` stderr=${stderr.trim().slice(0, 200)}` : ""}`);
-        resolve28(null);
+        resolve29(null);
         return;
       }
       const text = stdout.trim();
       if (!text) {
         console.error("[persist] autoLabel: haiku returned empty response");
-        resolve28(null);
+        resolve29(null);
         return;
       }
       if (text === "SKIP") {
         console.error("[persist] autoLabel: haiku returned SKIP \u2014 messages too vague");
-        resolve28(null);
+        resolve29(null);
         return;
       }
       const words = text.split(/\s+/).slice(0, SESSION_LABEL_MAX_WORDS);
       const label = words.join(" ");
       console.error(`[persist] autoLabel: haiku response="${label}"`);
-      resolve28(label);
+      resolve29(label);
     });
   });
 }
@@ -7512,12 +7704,42 @@ function consumeStalledSubagents(sessionKey) {
   delete session.stalledSubagents;
   return stalls && stalls.length > 0 ? stalls : void 0;
 }
+function streamLogPathFor(accountId, conversationId) {
+  const logDir = resolve6(ACCOUNTS_DIR, accountId, "logs");
+  const streamLogPath = resolve6(logDir, `claude-agent-stream-${conversationId}.log`);
+  return { logDir, streamLogPath };
+}
+function buildSpawnEnv(accountId, accountDir, conversationId) {
+  if (!conversationId) {
+    throw new Error(`buildSpawnEnv: conversationId is required (accountId=${accountId.slice(0, 8)})`);
+  }
+  const { logDir, streamLogPath } = streamLogPathFor(accountId, conversationId);
+  return {
+    ...process.env,
+    PLATFORM_ROOT: PLATFORM_ROOT4,
+    ACCOUNT_DIR: accountDir,
+    ACCOUNT_ID: accountId,
+    LOG_DIR: logDir,
+    STREAM_LOG_PATH: streamLogPath
+  };
+}
+var cachedBrandHostname = null;
+function readBrandHostname() {
+  if (cachedBrandHostname !== null) return cachedBrandHostname;
+  try {
+    const brandPath3 = resolve6(PLATFORM_ROOT4, "config", "brand.json");
+    const parsed = JSON.parse(readFileSync7(brandPath3, "utf-8"));
+    cachedBrandHostname = typeof parsed.hostname === "string" && parsed.hostname.length > 0 ? parsed.hostname : "maxy";
+  } catch {
+    cachedBrandHostname = "maxy";
+  }
+  return cachedBrandHostname;
+}
 function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
   if (!conversationId) {
     throw new Error(`getMcpServers: conversationId is required (accountId=${accountId.slice(0, 8)})`);
   }
-  const LOG_DIR2 = resolve6(ACCOUNTS_DIR, accountId, "logs");
-  const STREAM_LOG_PATH = resolve6(LOG_DIR2, `claude-agent-stream-${conversationId}.log`);
+  const { logDir: LOG_DIR2, streamLogPath: STREAM_LOG_PATH } = streamLogPathFor(accountId, conversationId);
   const baseEnv = { ACCOUNT_ID: accountId, PLATFORM_ROOT: PLATFORM_ROOT4, LOG_DIR: LOG_DIR2, STREAM_LOG_PATH };
   const servers = {
     "memory": {
@@ -7564,6 +7786,26 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
     "plugin_playwright_playwright": {
       command: "npx",
       args: ["-y", "@playwright/mcp@latest", "--cdp-endpoint", "http://127.0.0.1:9222", "--caps", "pdf"]
+    },
+    // Graph MCP shim (Task 557) — spawns upstream `uvx mcp-neo4j-cypher` locked
+    // into read-only mode and namespaced `maxy-graph`, wraps stderr with our
+    // tee, and emits one `[graph-query]` line per tool call. Credentials flow
+    // from the brand's own NEO4J_URI + config/.neo4j-password so a per-brand
+    // admin session only ever sees its own Neo4j instance (isolation is
+    // enforced upstream by the installer's process/port boundary per
+    // MAXY-PRD.md:627, not in any application-layer filter).
+    "graph": {
+      command: "node",
+      args: [resolve6(PLATFORM_ROOT4, "lib/graph-mcp/dist/index.js")],
+      env: {
+        ...baseEnv,
+        BRAND: readBrandHostname(),
+        NEO4J_URI: process.env.NEO4J_URI ?? "bolt://localhost:7687",
+        NEO4J_USERNAME: process.env.NEO4J_USERNAME ?? process.env.NEO4J_USER ?? "neo4j",
+        NEO4J_NAMESPACE: "maxy-graph",
+        NEO4J_READ_ONLY: "true",
+        NEO4J_RESPONSE_TOKEN_LIMIT: "20000"
+      }
     }
   };
   const tgConfig = resolveAccount()?.config?.telegram;
@@ -7627,6 +7869,12 @@ var ADMIN_CORE_TOOLS = [
   "Glob",
   "Grep",
   "Agent",
+  // Task 557 — upstream mcp-neo4j-cypher (namespaced maxy-graph, read-only).
+  // maxy-graph_write_neo4j_cypher is intentionally absent: writes go through
+  // the schema-aware memory-write tool, which validates labels, properties,
+  // and embeddings. Admin-only by virtue of not being in the public allow list.
+  "mcp__graph__maxy-graph_read_neo4j_cypher",
+  "mcp__graph__maxy-graph_get_neo4j_schema",
   "mcp__memory__memory-search",
   "mcp__memory__memory-rank",
   "mcp__memory__memory-write",
@@ -7846,7 +8094,7 @@ async function fetchMemoryContext(accountId, query, sessionKey, options) {
     return null;
   }
   const startMs = Date.now();
-  return new Promise((resolve28) => {
+  return new Promise((resolve29) => {
     const proc = spawn2(process.execPath, [serverPath], {
       env: {
         ...process.env,
@@ -7875,7 +8123,7 @@ async function fetchMemoryContext(accountId, query, sessionKey, options) {
       } else {
         console.error(`[fetchMemoryContext] failed: ${reason} (${elapsed}ms)${stderrBuf ? ` stderr: ${stderrBuf.slice(0, 500)}` : ""}`);
       }
-      resolve28(value);
+      resolve29(value);
     };
     proc.stdout.on("data", (chunk) => {
       buffer += chunk.toString();
@@ -8286,15 +8534,10 @@ async function* runCompactionTurn(accountDir, accountId, systemPrompt, resumeSes
   const proc = spawn2("claude", args, {
     cwd: accountDir,
     stdio: ["ignore", "pipe", "pipe"],
-    env: {
-      ...process.env,
-      PLATFORM_ROOT: PLATFORM_ROOT4,
-      ACCOUNT_DIR: accountDir
-      // Task 535: NODE_DEBUG removed. The Claude Code CLI is a bundled Bun
-      // binary and Bun ignores Node's NODE_DEBUG flag, so setting it here was
-      // a no-op that misled future readers. The [subproc-debug-unavailable]
-      // line below records the source-of-silence explicitly.
-    }
+    // Task 556: STREAM_LOG_PATH is inherited by every Bash-tool subprocess
+    // the Claude CLI spawns; opt-in shell scripts tee their cloudflared/etc.
+    // output into the same per-conversation stream log the agent writes to.
+    env: buildSpawnEnv(accountId, accountDir, conversationId)
   });
   const stderrLog = agentLogStream("claude-agent-compaction-stderr", accountDir, conversationId);
   stderrLog.on("error", () => {
@@ -8305,6 +8548,8 @@ async function* runCompactionTurn(accountDir, accountId, systemPrompt, resumeSes
   });
   teeProcStderrToStreamLog(proc, streamLog);
   streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
+`);
+  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${conversationId} site=compaction
 `);
   streamLog.write(`[${isoTs()}] [compaction-start] resumeSessionId=${resumeSessionId}
 `);
@@ -9176,15 +9421,8 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
   const proc = spawn2("claude", args, {
     cwd: accountDir,
     stdio: ["ignore", "pipe", "pipe"],
-    env: {
-      ...process.env,
-      PLATFORM_ROOT: PLATFORM_ROOT4,
-      ACCOUNT_DIR: accountDir
-      // Task 535: NODE_DEBUG removed. The Claude Code CLI is a bundled Bun
-      // binary and Bun ignores Node's NODE_DEBUG flag, so setting it here was
-      // a no-op that misled future readers. The [subproc-debug-unavailable]
-      // line below records the source-of-silence explicitly.
-    }
+    // Task 556: STREAM_LOG_PATH inherited by Bash-tool subprocesses.
+    env: buildSpawnEnv(accountId, accountDir, spawnConvId)
   });
   const stderrLog = agentLogStream("claude-agent-stderr", accountDir, spawnConvId);
   stderrLog.on("error", () => {
@@ -9195,6 +9433,8 @@ async function* invokeAdminAgent(message, systemPrompt, accountDir, accountId, a
   });
   teeProcStderrToStreamLog(proc, streamLog);
   streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
+`);
+  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${spawnConvId} site=admin
 `);
   if (sessionKey) {
     const prev = activeProcesses.get(sessionKey);
@@ -9520,15 +9760,8 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
   const proc = spawn2("claude", args, {
     cwd: accountDir,
     stdio: ["ignore", "pipe", "pipe"],
-    env: {
-      ...process.env,
-      PLATFORM_ROOT: PLATFORM_ROOT4,
-      ACCOUNT_DIR: accountDir
-      // Task 535: NODE_DEBUG removed. The Claude Code CLI is a bundled Bun
-      // binary and Bun ignores Node's NODE_DEBUG flag, so setting it here was
-      // a no-op that misled future readers. The [subproc-debug-unavailable]
-      // line below records the source-of-silence explicitly.
-    }
+    // Task 556: STREAM_LOG_PATH inherited by Bash-tool subprocesses.
+    env: buildSpawnEnv(accountId, accountDir, managedConvId)
   });
   const stderrLog = agentLogStream("claude-agent-stderr", accountDir, managedConvId);
   stderrLog.on("error", () => {
@@ -9536,6 +9769,8 @@ async function* invokeManagedAdminAgent(message, systemPrompt, accountDir, accou
   proc.stderr?.pipe(stderrLog);
   teeProcStderrToStreamLog(proc, streamLog);
   streamLog.write(`[${isoTs()}] [subproc-debug-unavailable] reason=bundled-bun-binary-ignores-node-debug pid=${proc.pid} cli=claude
+`);
+  streamLog.write(`[${isoTs()}] [spawn-env] STREAM_LOG_PATH=set pid=${proc.pid} conversationId=${managedConvId} site=managed
 `);
   if (sessionKey) {
     const prev = activeProcesses.get(sessionKey);
@@ -10212,6 +10447,15 @@ ${body}`;
 
 ${manifest}`;
     }
+    const graphRefPath = resolve6(PLATFORM_ROOT4, "plugins/memory/references/graph-primitives.md");
+    try {
+      const graphRef = readFileSync7(graphRefPath, "utf-8");
+      baseSystemPrompt += `
+
+${graphRef}`;
+    } catch (err) {
+      console.error(`[graph-primitives] reference missing at ${graphRefPath} \u2014 admin session will have no Cypher cookbook: ${err instanceof Error ? err.message : String(err)}`);
+    }
   }
   if (agentConfig?.budget) {
     const pluginTokens = embeddedPlugins.reduce((sum, p) => sum + estimateTokens(p.body), 0);
@@ -26125,7 +26369,7 @@ var credsSaveQueue = Promise.resolve();
 async function drainCredsSaveQueue(timeoutMs = 5e3) {
   console.error(`${TAG4} draining credential save queue\u2026`);
   const timer = new Promise(
-    (resolve28) => setTimeout(() => resolve28("timeout"), timeoutMs)
+    (resolve29) => setTimeout(() => resolve29("timeout"), timeoutMs)
   );
   const result = await Promise.race([
     credsSaveQueue.then(() => "drained"),
@@ -26253,11 +26497,11 @@ async function createWaSocket(opts) {
   return sock;
 }
 async function waitForConnection(sock) {
-  return new Promise((resolve28, reject) => {
+  return new Promise((resolve29, reject) => {
     const handler = (update) => {
       if (update.connection === "open") {
         sock.ev.off("connection.update", handler);
-        resolve28();
+        resolve29();
       }
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
@@ -26371,14 +26615,14 @@ ${inspected}`;
   return inspect2(err, INSPECT_OPTS2);
 }
 function withTimeout(label, promise2, timeoutMs) {
-  return new Promise((resolve28, reject) => {
+  return new Promise((resolve29, reject) => {
     const timer = setTimeout(() => {
       reject(new Error(`${label} timed out after ${timeoutMs}ms`));
     }, timeoutMs);
     promise2.then(
       (value) => {
         clearTimeout(timer);
-        resolve28(value);
+        resolve29(value);
       },
       (err) => {
         clearTimeout(timer);
@@ -27578,11 +27822,11 @@ async function connectWithReconnect(conn) {
       console.error(
         `${TAG12} reconnecting account=${conn.accountId} in ${delay}ms (attempt ${decision.nextAttempts}/${maxAttempts})`
       );
-      await new Promise((resolve28) => {
-        const timer = setTimeout(resolve28, delay);
+      await new Promise((resolve29) => {
+        const timer = setTimeout(resolve29, delay);
         conn.abortController.signal.addEventListener("abort", () => {
           clearTimeout(timer);
-          resolve28();
+          resolve29();
         }, { once: true });
       });
     }
@@ -27590,16 +27834,16 @@ async function connectWithReconnect(conn) {
   }
 }
 function waitForDisconnectEvent(conn) {
-  return new Promise((resolve28) => {
+  return new Promise((resolve29) => {
     if (!conn.sock) {
-      resolve28();
+      resolve29();
       return;
     }
     const sock = conn.sock;
     const handler = (update) => {
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
-        resolve28();
+        resolve29();
       }
     };
     sock.ev.on("connection.update", handler);
@@ -27809,8 +28053,8 @@ async function handleInboundMessage(conn, msg) {
     const conversationKey = isGroup ? remoteJid : senderPhone;
     const debounceKey = `${conn.accountId}:${conversationKey}:${senderPhone}`;
     let resolvePending;
-    const sttPending = new Promise((resolve28) => {
-      resolvePending = resolve28;
+    const sttPending = new Promise((resolve29) => {
+      resolvePending = resolve29;
     });
     if (conn.debouncer) conn.debouncer.registerPending(debounceKey, sttPending);
     try {
@@ -27917,20 +28161,20 @@ async function probeApiKey() {
   return result.status;
 }
 function checkPort(port2, timeoutMs = 500) {
-  return new Promise((resolve28) => {
-    const socket = createConnection3(port2, "127.0.0.1");
+  return new Promise((resolve29) => {
+    const socket = createConnection4(port2, "127.0.0.1");
     socket.setTimeout(timeoutMs);
     socket.once("connect", () => {
       socket.destroy();
-      resolve28(true);
+      resolve29(true);
     });
     socket.once("error", () => {
       socket.destroy();
-      resolve28(false);
+      resolve29(false);
     });
     socket.once("timeout", () => {
       socket.destroy();
-      resolve28(false);
+      resolve29(false);
     });
   });
 }
@@ -30121,8 +30365,8 @@ async function startLogin(opts) {
   resetActiveLogin(accountId);
   let resolveQr = null;
   let rejectQr = null;
-  const qrPromise = new Promise((resolve28, reject) => {
-    resolveQr = resolve28;
+  const qrPromise = new Promise((resolve29, reject) => {
+    resolveQr = resolve29;
     rejectQr = reject;
   });
   const qrTimer = setTimeout(
@@ -31199,6 +31443,106 @@ async function createAdminSession(accountId, thinkingView, userId, userName) {
   });
 }
 
+// app/api/admin/chat/route.ts
+import { resolve as resolve19 } from "path";
+
+// app/lib/script-stream-tailer.ts
+import { createReadStream as createReadStream2, statSync as statSync7 } from "fs";
+import { StringDecoder as StringDecoder2 } from "string_decoder";
+var SCRIPT_STREAM_RE = /^\[([^\]]+)\] \[(setup-tunnel|reset-tunnel)((?::[^\]]+)?)\] (.*)$/;
+function parseLine(line) {
+  const m = line.match(SCRIPT_STREAM_RE);
+  if (!m) return void 0;
+  const [, timestamp, scope, tagSuffix, rest] = m;
+  return {
+    type: "script_stream",
+    source: scope + (tagSuffix ?? ""),
+    timestamp,
+    line: rest
+  };
+}
+function startScriptStreamTailer(opts) {
+  const { path: path2, onEvent, onError } = opts;
+  let offset;
+  try {
+    offset = statSync7(path2).size;
+  } catch {
+    offset = 0;
+  }
+  const utf8 = new StringDecoder2("utf8");
+  let buffer = "";
+  let stopped = false;
+  let pendingRead = false;
+  let timer;
+  const processLine = (line) => {
+    const event = parseLine(line);
+    if (event) onEvent(event);
+  };
+  const readDelta = async () => {
+    if (pendingRead) return;
+    pendingRead = true;
+    try {
+      let size;
+      try {
+        size = statSync7(path2).size;
+      } catch {
+        return;
+      }
+      if (size === offset) return;
+      if (size < offset) {
+        offset = 0;
+        buffer = "";
+      }
+      await new Promise((res, rej) => {
+        const stream = createReadStream2(path2, { start: offset, end: size - 1 });
+        stream.on("data", (chunk) => {
+          buffer += typeof chunk === "string" ? chunk : utf8.write(chunk);
+          let idx;
+          while ((idx = buffer.indexOf("\n")) !== -1) {
+            const line = buffer.slice(0, idx);
+            buffer = buffer.slice(idx + 1);
+            if (line.length > 0) processLine(line);
+          }
+        });
+        stream.on("end", () => {
+          offset = size;
+          res();
+        });
+        stream.on("error", rej);
+      });
+    } catch (err) {
+      if (onError) onError(err instanceof Error ? err : new Error(String(err)));
+    } finally {
+      pendingRead = false;
+    }
+  };
+  const tick = () => {
+    if (stopped) return;
+    readDelta().catch(() => {
+    }).finally(() => {
+      if (!stopped) timer = setTimeout(tick, 200);
+    });
+  };
+  timer = setTimeout(tick, 0);
+  return {
+    async stop() {
+      if (stopped) return;
+      stopped = true;
+      if (timer) clearTimeout(timer);
+      while (pendingRead) {
+        await new Promise((r) => setImmediate(r));
+      }
+      await readDelta();
+      buffer += utf8.end();
+      if (buffer.length > 0) {
+        const event = parseLine(buffer);
+        if (event) onEvent(event);
+        buffer = "";
+      }
+    }
+  };
+}
+
 // app/api/admin/chat/route.ts
 function isComponentDone(parsed) {
   return typeof parsed === "object" && parsed !== null && parsed._componentDone === true && typeof parsed.component === "string" && typeof parsed.payload === "string";
@@ -31390,8 +31734,32 @@ async function POST21(req) {
   const sseConvId = getConversationIdForSession(session_key);
   const sseLog = sseConvId ? agentLogStream("sse-events", account.accountDir, sseConvId) : preConversationLogStream("sse-events", account.accountDir);
   const sk = sseConvId?.slice(0, 8) ?? session_key.slice(0, 8);
+  let tailer = null;
   const readable = new ReadableStream({
     async start(controller) {
+      let controllerOpen = true;
+      if (sseConvId) {
+        const streamLogPath = resolve19(account.accountDir, "logs", `claude-agent-stream-${sseConvId}.log`);
+        tailer = startScriptStreamTailer({
+          path: streamLogPath,
+          onEvent: (event) => {
+            if (!controllerOpen) return;
+            const ts = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
+            sseLog.write(`[${ts}] [${sk}] admin: ${JSON.stringify(event)}
+`);
+            try {
+              controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}
+
+`));
+            } catch {
+              controllerOpen = false;
+            }
+          },
+          onError: (err) => {
+            console.error(`[script-stream-tailer] ${streamLogPath}: ${err.message}`);
+          }
+        });
+      }
       try {
         for await (const event of invokeAgent(
           { type: "admin", skipTopicCheck },
@@ -31439,6 +31807,13 @@ async function POST21(req) {
           }
         }
       } finally {
+        if (tailer) {
+          try {
+            await tailer.stop();
+          } catch {
+          }
+        }
+        controllerOpen = false;
         sseLog.end();
         try {
           controller.close();
@@ -31498,8 +31873,8 @@ async function POST22(req) {
 }
 
 // app/api/admin/logs/route.ts
-import { existsSync as existsSync19, readdirSync as readdirSync5, readFileSync as readFileSync20, statSync as statSync7 } from "fs";
-import { resolve as resolve19, basename as basename5 } from "path";
+import { existsSync as existsSync19, readdirSync as readdirSync5, readFileSync as readFileSync20, statSync as statSync8 } from "fs";
+import { resolve as resolve20, basename as basename5 } from "path";
 var TAIL_BYTES = 8192;
 async function GET9(request) {
   const { searchParams } = new URL(request.url);
@@ -31508,13 +31883,13 @@ async function GET9(request) {
   const conversationIdParam = searchParams.get("conversationId");
   const download = searchParams.get("download") === "1";
   const account = resolveAccount();
-  const accountLogDir2 = account ? resolve19(account.accountDir, "logs") : null;
+  const accountLogDir2 = account ? resolve20(account.accountDir, "logs") : null;
   if (fileParam) {
     const safe = basename5(fileParam);
     const searched = [];
     for (const dir of [accountLogDir2, LOG_DIR]) {
       if (!dir) continue;
-      const filePath = resolve19(dir, safe);
+      const filePath = resolve20(dir, safe);
       searched.push(filePath);
       try {
         const content = readFileSync20(filePath, "utf-8");
@@ -31556,7 +31931,7 @@ async function GET9(request) {
     const searched = [];
     for (const dir of [accountLogDir2, LOG_DIR]) {
       if (!dir) continue;
-      const filePath = resolve19(dir, fileName);
+      const filePath = resolve20(dir, fileName);
       searched.push(filePath);
       try {
         const content = readFileSync20(filePath, "utf-8");
@@ -31583,10 +31958,10 @@ async function GET9(request) {
       console.warn(`[admin/logs] readdir-fail dir=${dir} reason=${reason}`);
       continue;
     }
-    files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync7(resolve19(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
+    files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync8(resolve20(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
       seen.add(name);
       try {
-        const content = readFileSync20(resolve19(dir, name));
+        const content = readFileSync20(resolve20(dir, name));
         const tail = content.length > TAIL_BYTES ? content.subarray(content.length - TAIL_BYTES).toString("utf-8") : content.toString("utf-8");
         logs[name] = tail.trim() || "(empty)";
       } catch (err) {
@@ -31624,7 +31999,7 @@ async function GET10() {
 // app/api/admin/attachment/[attachmentId]/route.ts
 import { readFile as readFile3, readdir } from "fs/promises";
 import { existsSync as existsSync20 } from "fs";
-import { resolve as resolve20 } from "path";
+import { resolve as resolve21 } from "path";
 async function GET11(req, attachmentId) {
   const sessionKey = new URL(req.url).searchParams.get("session_key") ?? "";
   if (!validateSession(sessionKey, "admin")) {
@@ -31637,11 +32012,11 @@ async function GET11(req, attachmentId) {
   if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/.test(attachmentId)) {
     return new Response("Not found", { status: 404 });
   }
-  const dir = resolve20(ATTACHMENTS_ROOT, accountId, attachmentId);
+  const dir = resolve21(ATTACHMENTS_ROOT, accountId, attachmentId);
   if (!existsSync20(dir)) {
     return new Response("Not found", { status: 404 });
   }
-  const metaPath = resolve20(dir, `${attachmentId}.meta.json`);
+  const metaPath = resolve21(dir, `${attachmentId}.meta.json`);
   if (!existsSync20(metaPath)) {
     return new Response("Not found", { status: 404 });
   }
@@ -31656,7 +32031,7 @@ async function GET11(req, attachmentId) {
   if (!dataFile) {
     return new Response("Not found", { status: 404 });
   }
-  const filePath = resolve20(dir, dataFile);
+  const filePath = resolve21(dir, dataFile);
   const buffer = await readFile3(filePath);
   return new Response(buffer, {
     headers: {
@@ -31669,7 +32044,7 @@ async function GET11(req, attachmentId) {
 
 // app/api/admin/account/route.ts
 import { readFileSync as readFileSync21, writeFileSync as writeFileSync15 } from "fs";
-import { resolve as resolve21 } from "path";
+import { resolve as resolve22 } from "path";
 var VALID_CONTEXT_MODES = ["managed", "claude-code"];
 async function PATCH(req) {
   let body;
@@ -31692,7 +32067,7 @@ async function PATCH(req) {
   if (!account) {
     return Response.json({ error: "No account configured" }, { status: 500 });
   }
-  const configPath2 = resolve21(account.accountDir, "account.json");
+  const configPath2 = resolve22(account.accountDir, "account.json");
   try {
     const raw2 = readFileSync21(configPath2, "utf-8");
     const config2 = JSON.parse(raw2);
@@ -31707,14 +32082,14 @@ async function PATCH(req) {
 }
 
 // app/api/admin/agents/route.ts
-import { resolve as resolve22 } from "path";
+import { resolve as resolve23 } from "path";
 import { readdirSync as readdirSync6, readFileSync as readFileSync22, existsSync as existsSync21 } from "fs";
 async function GET12() {
   const account = resolveAccount();
   if (!account) {
     return Response.json({ agents: [] });
   }
-  const agentsDir = resolve22(account.accountDir, "agents");
+  const agentsDir = resolve23(account.accountDir, "agents");
   if (!existsSync21(agentsDir)) {
     return Response.json({ agents: [] });
   }
@@ -31724,7 +32099,7 @@ async function GET12() {
     for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
       if (!entry.isDirectory()) continue;
       if (entry.name === "admin") continue;
-      const configPath2 = resolve22(agentsDir, entry.name, "config.json");
+      const configPath2 = resolve23(agentsDir, entry.name, "config.json");
       if (!existsSync21(configPath2)) continue;
       try {
         const config2 = JSON.parse(readFileSync22(configPath2, "utf-8"));
@@ -31745,7 +32120,7 @@ async function GET12() {
 }
 
 // app/api/admin/agents/[slug]/route.ts
-import { resolve as resolve23 } from "path";
+import { resolve as resolve24 } from "path";
 import { existsSync as existsSync22, rmSync as rmSync2 } from "fs";
 async function DELETE2(_req, { params }) {
   const { slug } = await params;
@@ -31759,7 +32134,7 @@ async function DELETE2(_req, { params }) {
   if (slug.includes("/") || slug.includes("..") || slug.includes("\\")) {
     return Response.json({ error: "Invalid agent slug" }, { status: 400 });
   }
-  const agentDir = resolve23(account.accountDir, "agents", slug);
+  const agentDir = resolve24(account.accountDir, "agents", slug);
   if (!existsSync22(agentDir)) {
     return Response.json({ error: "Agent not found" }, { status: 404 });
   }
@@ -31775,8 +32150,8 @@ async function DELETE2(_req, { params }) {
 
 // app/api/admin/version/route.ts
 import { readFileSync as readFileSync23, existsSync as existsSync23 } from "fs";
-import { resolve as resolve24, join as join10 } from "path";
-var PLATFORM_ROOT9 = process.env.MAXY_PLATFORM_ROOT ?? resolve24(process.cwd(), "..");
+import { resolve as resolve25, join as join10 } from "path";
+var PLATFORM_ROOT9 = process.env.MAXY_PLATFORM_ROOT ?? resolve25(process.cwd(), "..");
 var brandHostname = "maxy";
 var brandNpmPackage = "@rubytech/create-maxy";
 var brandJsonPath = join10(PLATFORM_ROOT9, "config", "brand.json");
@@ -31788,7 +32163,7 @@ if (existsSync23(brandJsonPath)) {
   } catch {
   }
 }
-var VERSION_FILE = resolve24(PLATFORM_ROOT9, `config/.${brandHostname}-version`);
+var VERSION_FILE = resolve25(PLATFORM_ROOT9, `config/.${brandHostname}-version`);
 var NPM_PACKAGE = brandNpmPackage;
 var REGISTRY_URL = `https://registry.npmjs.org/${NPM_PACKAGE}/latest`;
 var FETCH_TIMEOUT_MS = 5e3;
@@ -31845,9 +32220,9 @@ async function GET13() {
 
 // app/api/admin/version/upgrade/route.ts
 import { spawn as spawn4 } from "child_process";
-import { existsSync as existsSync24, statSync as statSync8, writeFileSync as writeFileSync16, readFileSync as readFileSync24, openSync as openSync4, closeSync as closeSync4 } from "fs";
-import { resolve as resolve25, join as join11 } from "path";
-var PLATFORM_ROOT10 = process.env.MAXY_PLATFORM_ROOT ?? resolve25(process.cwd(), "..");
+import { existsSync as existsSync24, statSync as statSync9, writeFileSync as writeFileSync16, readFileSync as readFileSync24, openSync as openSync4, closeSync as closeSync4 } from "fs";
+import { resolve as resolve26, join as join11 } from "path";
+var PLATFORM_ROOT10 = process.env.MAXY_PLATFORM_ROOT ?? resolve26(process.cwd(), "..");
 var upgradePkg = "@rubytech/create-maxy";
 var upgradeHostname = "maxy";
 var brandPath = join11(PLATFORM_ROOT10, "config", "brand.json");
@@ -31865,7 +32240,7 @@ var LOCK_MAX_AGE_MS = 20 * 60 * 1e3;
 function isLockFresh() {
   if (!existsSync24(LOCK_FILE)) return false;
   try {
-    const stat4 = statSync8(LOCK_FILE);
+    const stat4 = statSync9(LOCK_FILE);
     return Date.now() - stat4.mtimeMs < LOCK_MAX_AGE_MS;
   } catch {
     return false;
@@ -31907,7 +32282,7 @@ async function POST23(req) {
       detached: true,
       stdio: ["ignore", logFd, logFd],
       env: { ...process.env, npm_config_yes: "true" },
-      cwd: resolve25(process.cwd(), "..")
+      cwd: resolve26(process.cwd(), "..")
     });
     child.unref();
     closeSync4(logFd);
@@ -31924,8 +32299,8 @@ async function POST23(req) {
 
 // app/api/admin/version/upgrade/progress/route.ts
 import { existsSync as existsSync25, readFileSync as readFileSync25 } from "fs";
-import { resolve as resolve26, join as join12 } from "path";
-var PLATFORM_ROOT11 = process.env.MAXY_PLATFORM_ROOT ?? resolve26(process.cwd(), "..");
+import { resolve as resolve27, join as join12 } from "path";
+var PLATFORM_ROOT11 = process.env.MAXY_PLATFORM_ROOT ?? resolve27(process.cwd(), "..");
 var upgradeHostname2 = "maxy";
 var brandPath2 = join12(PLATFORM_ROOT11, "config", "brand.json");
 if (existsSync25(brandPath2)) {
@@ -32851,8 +33226,8 @@ app.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] no-account slug=${slug} file=${filename}`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve27(account.accountDir, "agents", slug, "assets", filename);
-  const expectedDir = resolve27(account.accountDir, "agents", slug, "assets");
+  const filePath = resolve28(account.accountDir, "agents", slug, "assets", filename);
+  const expectedDir = resolve28(account.accountDir, "agents", slug, "assets");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
@@ -32881,8 +33256,8 @@ app.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve27(account.accountDir, "generated", filename);
-  const expectedDir = resolve27(account.accountDir, "generated");
+  const filePath = resolve28(account.accountDir, "generated", filename);
+  const expectedDir = resolve28(account.accountDir, "generated");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
@@ -32922,7 +33297,7 @@ var brandScript = `<script>window.__BRAND__=${JSON.stringify({
 function cachedHtml(file2) {
   let html = htmlCache.get(file2);
   if (!html) {
-    html = readFileSync26(resolve27(process.cwd(), "public", file2), "utf-8");
+    html = readFileSync26(resolve28(process.cwd(), "public", file2), "utf-8");
     html = html.replace("<title>Maxy</title>", `<title>${escapeHtml2(BRAND.productName)}</title>`);
     html = html.replace('href="/favicon.ico"', `href="${escapeHtml2(brandFaviconPath)}"`);
     html = html.replace("</head>", `${brandScript}
@@ -33025,7 +33400,7 @@ app.use("/vnc-popout.html", logViewerFetch);
 app.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
-    html = readFileSync26(resolve27(process.cwd(), "public", "vnc-popout.html"), "utf-8");
+    html = readFileSync26(resolve28(process.cwd(), "public", "vnc-popout.html"), "utf-8");
     const name = escapeHtml2(BRAND.productName);
     html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
     html = html.replace("</head>", `  ${brandScript}
@@ -33066,6 +33441,9 @@ app.get("/:slug", async (c, next) => {
   }
   await next();
 });
+app.use("/graph/*", graphAuthMiddleware({ isPublicHost, canAccessAdmin }));
+app.use("/graph", graphAuthMiddleware({ isPublicHost, canAccessAdmin }));
+attachGraphHttpRoutes(app);
 app.use("/*", serveStatic({ root: "./public" }));
 var port = parseInt(process.env.PORT ?? "19200", 10);
 var hostname3 = process.env.HOSTNAME ?? "0.0.0.0";
@@ -33075,6 +33453,7 @@ attachVncWsProxy(httpServer, {
   upstreamHost: "127.0.0.1",
   upstreamPort: 6080
 });
+attachGraphWsProxy(httpServer, { isPublicHost, canAccessAdmin });
 console.log(`${BRAND.productName} listening on http://${hostname3}:${port}`);
 (async () => {
   try {
@@ -33106,7 +33485,7 @@ if (bootAccountConfig?.whatsapp) {
 }
 init({
   configDir: configDirForWhatsApp,
-  platformRoot: resolve27(process.env.MAXY_PLATFORM_ROOT ?? join13(__dirname, "..")),
+  platformRoot: resolve28(process.env.MAXY_PLATFORM_ROOT ?? join13(__dirname, "..")),
   accountConfig: bootAccountConfig,
   onMessage: async (msg) => {
     try {