@rubytech/create-realagent 1.0.628 → 1.0.631

package/payload/server/public/index.html

@@ -5,7 +5,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Real Agent</title>
   <link rel="icon" href="/favicon.ico">
-  <script type="module" crossorigin src="/assets/admin-CGIu9HnV.js"></script>
+  <script type="module" crossorigin src="/assets/admin-BntwbBs-.js"></script>
   <link rel="modulepreload" crossorigin href="/assets/chunk-Be6NvmcD.js">
   <link rel="modulepreload" crossorigin href="/assets/preload-helper-rov5CBGT.js">
   <link rel="modulepreload" crossorigin href="/assets/useVoiceRecorder-tbj4tUsl.js">

package/payload/server/server.js

@@ -3610,8 +3610,6 @@ function handleUpgrade(req, clientSocket, head, opts) {
   const qsIndex = url2.indexOf("?");
   const pathname = qsIndex === -1 ? url2 : url2.slice(0, qsIndex);
   if (pathname !== WS_PATH) {
-    vncLog("ws-upgrade", { decision: "rejected", reason: "wrong-path", path: pathname });
-    clientSocket.destroy();
     return;
   }
   const corrId = newCorrId();
@@ -3828,9 +3826,203 @@ Content-Length: 0\r
   socket.destroy();
 }
 
+// server/graph-proxy.ts
+import { createConnection as createConnection2 } from "net";
+var GRAPH_PREFIX = "/graph";
+var UPSTREAM_TIMEOUT_MS2 = 5e3;
+var HOP_BY_HOP2 = /* @__PURE__ */ new Set([
+  "connection",
+  "keep-alive",
+  "proxy-authenticate",
+  "proxy-authorization",
+  "te",
+  "trailer",
+  "transfer-encoding",
+  "upgrade"
+]);
+function resolveUpstreamPort() {
+  const uri = process.env.NEO4J_URI ?? "bolt://localhost:7687";
+  const m = uri.match(/:(\d+)$/);
+  const boltPort = m ? parseInt(m[1], 10) : 7687;
+  return boltPort - 213;
+}
+var UPSTREAM_HOST = "127.0.0.1";
+var UPSTREAM_PORT = resolveUpstreamPort();
+function attachGraphHttpRoutes(app2) {
+  const handler = async (c) => {
+    const raw2 = c.req.raw;
+    const url2 = new URL(raw2.url);
+    const pathAfterPrefix = url2.pathname.slice(GRAPH_PREFIX.length) || "/";
+    const upstreamUrl = `http://${UPSTREAM_HOST}:${UPSTREAM_PORT}${pathAfterPrefix}${url2.search}`;
+    const upstreamHeaders = new Headers(raw2.headers);
+    for (const h of HOP_BY_HOP2) upstreamHeaders.delete(h);
+    upstreamHeaders.set("host", `${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
+    try {
+      const upstream = await fetch(upstreamUrl, {
+        method: raw2.method,
+        headers: upstreamHeaders,
+        body: raw2.body,
+        // `duplex: 'half'` is required when forwarding a streaming body; TS
+        // typings do not yet expose it but the undici runtime supports it.
+        ...raw2.body ? { duplex: "half" } : {},
+        redirect: "manual"
+      });
+      const resHeaders = new Headers(upstream.headers);
+      for (const h of HOP_BY_HOP2) resHeaders.delete(h);
+      return new Response(upstream.body, {
+        status: upstream.status,
+        statusText: upstream.statusText,
+        headers: resHeaders
+      });
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`[graph-proxy] upstream fetch failed for ${upstreamUrl}: ${msg}`);
+      return c.text(`Graph proxy upstream unreachable: ${msg}`, 502);
+    }
+  };
+  app2.all(GRAPH_PREFIX, handler);
+  app2.all(`${GRAPH_PREFIX}/*`, handler);
+}
+function attachGraphWsProxy(server, opts) {
+  server.on("upgrade", (req, clientSocket, head) => {
+    try {
+      const url2 = req.url ?? "";
+      const qsIndex = url2.indexOf("?");
+      const pathname = qsIndex === -1 ? url2 : url2.slice(0, qsIndex);
+      const isGraphPath = pathname === GRAPH_PREFIX || pathname.startsWith(`${GRAPH_PREFIX}/`);
+      if (!isGraphPath) {
+        if (pathname !== "/websockify") {
+          clientSocket.destroy();
+        }
+        return;
+      }
+      const hostHeader = (req.headers.host ?? "").split(":")[0];
+      const remote = req.socket.remoteAddress;
+      const xff = headerString2(req.headers["x-forwarded-for"]);
+      const cookie = headerString2(req.headers.cookie);
+      const decision = opts.canAccessAdmin({
+        host: hostHeader,
+        remoteAddress: remote,
+        xForwardedFor: xff,
+        cookieHeader: cookie,
+        isPublicHost: opts.isPublicHost
+      });
+      if (!decision.allow) {
+        const status = decision.reason === "public-host" ? 404 : 401;
+        writeStatusAndDestroy2(clientSocket, status, decision.reason === "public-host" ? "Not Found" : "Unauthorized");
+        return;
+      }
+      const originHeader = headerString2(req.headers.origin);
+      const originHost = parseOriginHost2(originHeader);
+      if (!originHost || originHost !== hostHeader || opts.isPublicHost(originHost)) {
+        writeStatusAndDestroy2(clientSocket, 403, "Forbidden");
+        return;
+      }
+      const rewrittenPath = pathname === GRAPH_PREFIX ? "/" : pathname.slice(GRAPH_PREFIX.length);
+      const rewrittenUrl = qsIndex === -1 ? rewrittenPath : rewrittenPath + url2.slice(qsIndex);
+      const upstream = createConnection2({ host: UPSTREAM_HOST, port: UPSTREAM_PORT });
+      upstream.setTimeout(UPSTREAM_TIMEOUT_MS2);
+      upstream.once("connect", () => {
+        upstream.setTimeout(0);
+        const lines = [];
+        lines.push(`${req.method ?? "GET"} ${rewrittenUrl} HTTP/${req.httpVersion}`);
+        lines.push(`host: ${UPSTREAM_HOST}:${UPSTREAM_PORT}`);
+        for (const [name, value] of Object.entries(req.headers)) {
+          if (name === "host") continue;
+          if (HOP_BY_HOP2.has(name)) continue;
+          if (value == null) continue;
+          if (Array.isArray(value)) {
+            for (const v of value) lines.push(`${name}: ${v}`);
+          } else {
+            lines.push(`${name}: ${value}`);
+          }
+        }
+        const upgradeHeader = headerString2(req.headers.upgrade);
+        const connectionHeader = headerString2(req.headers.connection);
+        if (upgradeHeader) lines.push(`upgrade: ${upgradeHeader}`);
+        if (connectionHeader) lines.push(`connection: ${connectionHeader}`);
+        upstream.write(lines.join("\r\n") + "\r\n\r\n");
+        if (head && head.length > 0) upstream.write(head);
+        clientSocket.pipe(upstream);
+        upstream.pipe(clientSocket);
+        const teardown = () => {
+          clientSocket.destroy();
+          upstream.destroy();
+        };
+        clientSocket.once("close", teardown);
+        upstream.once("close", teardown);
+        clientSocket.once("error", teardown);
+        upstream.once("error", teardown);
+      });
+      upstream.once("timeout", () => {
+        writeStatusAndDestroy2(clientSocket, 504, "Gateway Timeout");
+        upstream.destroy();
+      });
+      upstream.once("error", (err) => {
+        console.error(`[graph-proxy] ws upstream error: ${err.message}`);
+        writeStatusAndDestroy2(clientSocket, 502, "Bad Gateway");
+        upstream.destroy();
+      });
+    } catch (err) {
+      console.error(`[graph-proxy] upgrade handler exception: ${err.message}`);
+      clientSocket.destroy();
+    }
+  });
+}
+function graphAuthMiddleware(opts) {
+  return async (c, next) => {
+    const url2 = new URL(c.req.raw.url);
+    if (!url2.pathname.startsWith(GRAPH_PREFIX)) return next();
+    const hostHeader = (c.req.header("host") ?? "").split(":")[0];
+    const incoming = c.env?.incoming;
+    const remote = incoming?.socket?.remoteAddress;
+    const xff = c.req.header("x-forwarded-for");
+    const cookie = c.req.header("cookie");
+    const decision = opts.canAccessAdmin({
+      host: hostHeader,
+      remoteAddress: remote,
+      xForwardedFor: xff,
+      cookieHeader: cookie,
+      isPublicHost: opts.isPublicHost
+    });
+    if (!decision.allow) {
+      return c.text(
+        decision.reason === "public-host" ? "Not Found" : "Unauthorized",
+        decision.reason === "public-host" ? 404 : 401
+      );
+    }
+    return next();
+  };
+}
+function headerString2(value) {
+  if (value == null) return void 0;
+  return Array.isArray(value) ? value[0] : value;
+}
+function parseOriginHost2(origin) {
+  if (!origin) return null;
+  try {
+    return new URL(origin).hostname;
+  } catch {
+    return null;
+  }
+}
+function writeStatusAndDestroy2(socket, status, statusText) {
+  try {
+    socket.write(
+      `HTTP/1.1 ${status} ${statusText}\r
+Connection: close\r
+Content-Length: 0\r
+\r
+`
+    );
+  } catch {
+  }
+  socket.destroy();
+}
+
 // app/api/health/route.ts
 import { existsSync as existsSync11, readFileSync as readFileSync12 } from "fs";
-import { createConnection as createConnection3 } from "net";
+import { createConnection as createConnection4 } from "net";
 
 // app/lib/claude-auth.ts
 import { readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "fs";
@@ -4167,7 +4359,7 @@ import { spawn as spawn2, spawnSync as spawnSync2 } from "child_process";
 import { randomUUID as randomUUID2 } from "crypto";
 import { resolve as resolve6, join as join4 } from "path";
 import { platform as osPlatform } from "os";
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, readdirSync as readdirSync2, existsSync as existsSync6, mkdirSync as mkdirSync4, createWriteStream, statSync as statSync3, unlinkSync as unlinkSync2, cpSync, rmSync } from "fs";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5, readdirSync as readdirSync2, existsSync as existsSync6, mkdirSync as mkdirSync4, createWriteStream, statSync as statSync3, unlinkSync as unlinkSync2, cpSync, rmSync, appendFileSync as appendFileSync2 } from "fs";
 import { lookup as dnsLookup } from "dns/promises";
 import { createConnection as netConnect } from "net";
 import { StringDecoder } from "string_decoder";
@@ -4187,7 +4379,7 @@ function contextWindow(model) {
 
 // app/lib/vnc.ts
 import { spawnSync, execFileSync } from "child_process";
-import { createConnection as createConnection2 } from "net";
+import { createConnection as createConnection3 } from "net";
 import { mkdirSync as mkdirSync3, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
 import { resolve as resolve4 } from "path";
 var PLATFORM_ROOT2 = process.env.MAXY_PLATFORM_ROOT ?? resolve4(process.cwd(), "..");
@@ -4282,7 +4474,7 @@ async function waitForPort(port2, timeoutMs = 12e3) {
   const deadline = Date.now() + timeoutMs;
   while (Date.now() < deadline) {
     const ready = await new Promise((res) => {
-      const socket = createConnection2(port2, "127.0.0.1");
+      const socket = createConnection3(port2, "127.0.0.1");
       socket.setTimeout(500);
       socket.once("connect", () => {
         socket.destroy();
@@ -6181,14 +6373,41 @@ function agentLogStream(name, accountDir, conversationId) {
   const logDir = resolve6(accountDir, "logs");
   mkdirSync4(logDir, { recursive: true });
   purgeOldLogs(logDir, `${name}-`);
-  return createWriteStream(resolve6(logDir, `${name}-${conversationId}.log`), { flags: "a" });
+  const logPath2 = resolve6(logDir, `${name}-${conversationId}.log`);
+  const stream = createWriteStream(logPath2, { flags: "a" });
+  registerStreamLog(stream, { path: logPath2, conversationId, name });
+  return stream;
 }
 function preConversationLogStream(name, accountDir) {
   const logDir = resolve6(accountDir, "logs");
   mkdirSync4(logDir, { recursive: true });
   const date5 = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
   purgeOldLogs(logDir, `preconversation-${name}-`);
-  return createWriteStream(resolve6(logDir, `preconversation-${name}-${date5}.log`), { flags: "a" });
+  const logPath2 = resolve6(logDir, `preconversation-${name}-${date5}.log`);
+  const stream = createWriteStream(logPath2, { flags: "a" });
+  registerStreamLog(stream, { path: logPath2, conversationId: null, name: `preconversation-${name}` });
+  return stream;
+}
+var openStreamLogs = /* @__PURE__ */ new Map();
+function registerStreamLog(stream, entry) {
+  openStreamLogs.set(stream, entry);
+  stream.once("close", () => {
+    openStreamLogs.delete(stream);
+  });
+}
+function sigtermFlushStreamLogs(reason, source) {
+  const ts = (/* @__PURE__ */ new Date()).toISOString();
+  for (const entry of openStreamLogs.values()) {
+    const convPart = entry.conversationId ? ` conversationId=${entry.conversationId}` : "";
+    const line = `[${ts}] [server-sigterm] reason=${reason}${convPart} name=${entry.name} source=${source}
+`;
+    try {
+      appendFileSync2(entry.path, line);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(`[server-sigterm-flush-err] path=${entry.path} reason=${msg}`);
+    }
+  }
 }
 function purgeOldLogs(logDir, prefix) {
   const cutoff = Date.now() - LOG_RETENTION_DAYS * 24 * 60 * 60 * 1e3;
@@ -7531,6 +7750,18 @@ function buildSpawnEnv(accountId, accountDir, conversationId) {
     STREAM_LOG_PATH: streamLogPath
   };
 }
+var cachedBrandHostname = null;
+function readBrandHostname() {
+  if (cachedBrandHostname !== null) return cachedBrandHostname;
+  try {
+    const brandPath3 = resolve6(PLATFORM_ROOT4, "config", "brand.json");
+    const parsed = JSON.parse(readFileSync7(brandPath3, "utf-8"));
+    cachedBrandHostname = typeof parsed.hostname === "string" && parsed.hostname.length > 0 ? parsed.hostname : "maxy";
+  } catch {
+    cachedBrandHostname = "maxy";
+  }
+  return cachedBrandHostname;
+}
 function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
   if (!conversationId) {
     throw new Error(`getMcpServers: conversationId is required (accountId=${accountId.slice(0, 8)})`);
@@ -7582,6 +7813,26 @@ function getMcpServers(accountId, conversationId, userId, enabledPlugins) {
     "plugin_playwright_playwright": {
       command: "npx",
       args: ["-y", "@playwright/mcp@latest", "--cdp-endpoint", "http://127.0.0.1:9222", "--caps", "pdf"]
+    },
+    // Graph MCP shim (Task 557) — spawns upstream `uvx mcp-neo4j-cypher` locked
+    // into read-only mode and namespaced `maxy-graph`, wraps stderr with our
+    // tee, and emits one `[graph-query]` line per tool call. Credentials flow
+    // from the brand's own NEO4J_URI + config/.neo4j-password so a per-brand
+    // admin session only ever sees its own Neo4j instance (isolation is
+    // enforced upstream by the installer's process/port boundary per
+    // MAXY-PRD.md:627, not in any application-layer filter).
+    "graph": {
+      command: "node",
+      args: [resolve6(PLATFORM_ROOT4, "lib/graph-mcp/dist/index.js")],
+      env: {
+        ...baseEnv,
+        BRAND: readBrandHostname(),
+        NEO4J_URI: process.env.NEO4J_URI ?? "bolt://localhost:7687",
+        NEO4J_USERNAME: process.env.NEO4J_USERNAME ?? process.env.NEO4J_USER ?? "neo4j",
+        NEO4J_NAMESPACE: "maxy-graph",
+        NEO4J_READ_ONLY: "true",
+        NEO4J_RESPONSE_TOKEN_LIMIT: "20000"
+      }
     }
   };
   const tgConfig = resolveAccount()?.config?.telegram;
@@ -7645,6 +7896,12 @@ var ADMIN_CORE_TOOLS = [
   "Glob",
   "Grep",
   "Agent",
+  // Task 557 — upstream mcp-neo4j-cypher (namespaced maxy-graph, read-only).
+  // maxy-graph_write_neo4j_cypher is intentionally absent: writes go through
+  // the schema-aware memory-write tool, which validates labels, properties,
+  // and embeddings. Admin-only by virtue of not being in the public allow list.
+  "mcp__graph__maxy-graph_read_neo4j_cypher",
+  "mcp__graph__maxy-graph_get_neo4j_schema",
   "mcp__memory__memory-search",
   "mcp__memory__memory-rank",
   "mcp__memory__memory-write",
@@ -10217,6 +10474,15 @@ ${body}`;
 
 ${manifest}`;
     }
+    const graphRefPath = resolve6(PLATFORM_ROOT4, "plugins/memory/references/graph-primitives.md");
+    try {
+      const graphRef = readFileSync7(graphRefPath, "utf-8");
+      baseSystemPrompt += `
+
+${graphRef}`;
+    } catch (err) {
+      console.error(`[graph-primitives] reference missing at ${graphRefPath} \u2014 admin session will have no Cypher cookbook: ${err instanceof Error ? err.message : String(err)}`);
+    }
   }
   if (agentConfig?.budget) {
     const pluginTokens = embeddedPlugins.reduce((sum, p) => sum + estimateTokens(p.body), 0);
@@ -11102,7 +11368,7 @@ function sourceKey(file2) {
 }
 
 // app/lib/review-detector/writer.ts
-import { appendFileSync as appendFileSync2, existsSync as existsSync9, mkdirSync as mkdirSync7, readFileSync as readFileSync10, writeFileSync as writeFileSync8, renameSync as renameSync3, statSync as statSync6 } from "fs";
+import { appendFileSync as appendFileSync3, existsSync as existsSync9, mkdirSync as mkdirSync7, readFileSync as readFileSync10, writeFileSync as writeFileSync8, renameSync as renameSync3, statSync as statSync6 } from "fs";
 import { resolve as resolve9, dirname as dirname4 } from "path";
 import { randomUUID as randomUUID3 } from "crypto";
 function reviewLogPath(configDir2) {
@@ -11119,7 +11385,7 @@ function reviewLog(configDir2, event) {
       typeof event.ts === "number" ? event.ts : Date.now()
     ).toISOString()} [review] ${JSON.stringify(event)}
 `;
-    appendFileSync2(path2, line, "utf-8");
+    appendFileSync3(path2, line, "utf-8");
   } catch (err) {
     console.error(`[review] failed to write review log at ${path2}: ${err instanceof Error ? err.message : String(err)}`);
   }
@@ -11233,7 +11499,7 @@ function queueAlert(configDir2, accountId, match2) {
   try {
     mkdirSync7(dirname4(path2), { recursive: true });
     const line = JSON.stringify({ accountId, match: match2 }) + "\n";
-    appendFileSync2(path2, line, "utf-8");
+    appendFileSync3(path2, line, "utf-8");
   } catch (err) {
     console.error(`[review] failed to queue alert at ${path2}: ${err instanceof Error ? err.message : String(err)}`);
   }
@@ -27923,7 +28189,7 @@ async function probeApiKey() {
 }
 function checkPort(port2, timeoutMs = 500) {
   return new Promise((resolve29) => {
-    const socket = createConnection3(port2, "127.0.0.1");
+    const socket = createConnection4(port2, "127.0.0.1");
     socket.setTimeout(timeoutMs);
     socket.once("connect", () => {
       socket.destroy();
@@ -31304,6 +31570,40 @@ function startScriptStreamTailer(opts) {
   };
 }
 
+// app/lib/admin-sse-registry.ts
+var activeAdminSSEControllers = /* @__PURE__ */ new Set();
+function registerAdminSSE(entry) {
+  activeAdminSSEControllers.add(entry);
+}
+function unregisterAdminSSE(entry) {
+  activeAdminSSEControllers.delete(entry);
+}
+function broadcastAdminShutdown(reason) {
+  const encoder = new TextEncoder();
+  const payload = JSON.stringify({ type: "server_shutdown", reason });
+  const frame = encoder.encode(`data: ${payload}
+
+`);
+  const done = encoder.encode(`data: [DONE]
+
+`);
+  for (const entry of activeAdminSSEControllers) {
+    try {
+      entry.controller.enqueue(frame);
+    } catch {
+    }
+    try {
+      entry.controller.enqueue(done);
+    } catch {
+    }
+    try {
+      entry.controller.close();
+    } catch {
+    }
+  }
+  activeAdminSSEControllers.clear();
+}
+
 // app/api/admin/chat/route.ts
 function isComponentDone(parsed) {
   return typeof parsed === "object" && parsed !== null && parsed._componentDone === true && typeof parsed.component === "string" && typeof parsed.payload === "string";
@@ -31499,29 +31799,31 @@ async function POST21(req) {
   const readable = new ReadableStream({
     async start(controller) {
       let controllerOpen = true;
-      if (sseConvId) {
-        const streamLogPath = resolve19(account.accountDir, "logs", `claude-agent-stream-${sseConvId}.log`);
-        tailer = startScriptStreamTailer({
-          path: streamLogPath,
-          onEvent: (event) => {
-            if (!controllerOpen) return;
-            const ts = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
-            sseLog.write(`[${ts}] [${sk}] admin: ${JSON.stringify(event)}
+      const sseEntry = { controller, conversationId: sseConvId ?? null, sessionKey: session_key };
+      try {
+        registerAdminSSE(sseEntry);
+        if (sseConvId) {
+          const streamLogPath = resolve19(account.accountDir, "logs", `claude-agent-stream-${sseConvId}.log`);
+          tailer = startScriptStreamTailer({
+            path: streamLogPath,
+            onEvent: (event) => {
+              if (!controllerOpen) return;
+              const ts = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
+              sseLog.write(`[${ts}] [${sk}] admin: ${JSON.stringify(event)}
 `);
-            try {
-              controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}
+              try {
+                controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}
 
 `));
-            } catch {
-              controllerOpen = false;
+              } catch {
+                controllerOpen = false;
+              }
+            },
+            onError: (err) => {
+              console.error(`[script-stream-tailer] ${streamLogPath}: ${err.message}`);
             }
-          },
-          onError: (err) => {
-            console.error(`[script-stream-tailer] ${streamLogPath}: ${err.message}`);
-          }
-        });
-      }
-      try {
+          });
+        }
         for await (const event of invokeAgent(
           { type: "admin", skipTopicCheck },
           message,
@@ -31580,6 +31882,7 @@ async function POST21(req) {
           controller.close();
         } catch {
         }
+        unregisterAdminSSE(sseEntry);
       }
     }
   });
@@ -33202,6 +33505,9 @@ app.get("/:slug", async (c, next) => {
   }
   await next();
 });
+app.use("/graph/*", graphAuthMiddleware({ isPublicHost, canAccessAdmin }));
+app.use("/graph", graphAuthMiddleware({ isPublicHost, canAccessAdmin }));
+attachGraphHttpRoutes(app);
 app.use("/*", serveStatic({ root: "./public" }));
 var port = parseInt(process.env.PORT ?? "19200", 10);
 var hostname3 = process.env.HOSTNAME ?? "0.0.0.0";
@@ -33211,6 +33517,7 @@ attachVncWsProxy(httpServer, {
   upstreamHost: "127.0.0.1",
   upstreamPort: 6080
 });
+attachGraphWsProxy(httpServer, { isPublicHost, canAccessAdmin });
 console.log(`${BRAND.productName} listening on http://${hostname3}:${port}`);
 (async () => {
   try {
@@ -33355,6 +33662,17 @@ process.on("SIGTERM", async () => {
   }
   shuttingDown = true;
   console.error("[server] SIGTERM received \u2014 starting graceful shutdown");
+  try {
+    sigtermFlushStreamLogs("systemd-stop", "server-index");
+  } catch (err) {
+    console.error(`[server] sigterm flush error: ${String(err)}`);
+  }
+  try {
+    broadcastAdminShutdown("systemd-stop");
+  } catch (err) {
+    console.error(`[server] sigterm broadcast error: ${String(err)}`);
+  }
+  await new Promise((res) => setImmediate(res));
   try {
     await shutdown();
   } catch (err) {