@rubytech/create-realagent 1.0.663 → 1.0.665

package/payload/server/server.js

@@ -1201,14 +1201,14 @@ var Hono = class _Hono {
    * app.route("/api", app2) // GET /api/user
    * ```
    */
-  route(path2, app35) {
+  route(path2, app36) {
     const subApp = this.basePath(path2);
-    app35.routes.map((r) => {
+    app36.routes.map((r) => {
       let handler;
-      if (app35.errorHandler === errorHandler) {
+      if (app36.errorHandler === errorHandler) {
         handler = r.handler;
       } else {
-        handler = async (c, next) => (await compose([], app35.errorHandler)(c, () => r.handler(c, next))).res;
+        handler = async (c, next) => (await compose([], app36.errorHandler)(c, () => r.handler(c, next))).res;
         handler[COMPOSED_HANDLER] = r.handler;
       }
       subApp.#addRoute(r.method, r.path, handler);
@@ -4501,6 +4501,7 @@ function resolveBrowserTransport(req, remoteAddress) {
   return transport;
 }
 var currentCdpDisplay = null;
+var currentTerminalDisplay = null;
 function discoverNativeDisplay() {
   const fallback = { sessionType: "x11", display: ":0", waylandDisplay: "" };
   try {
@@ -4671,6 +4672,73 @@ async function ensureCdp(transport = "vnc") {
 function killChromium() {
   spawnSync("pkill", ["-f", "chromium"], { stdio: "pipe" });
 }
+function terminalAlive() {
+  const result = spawnSync("bash", [VNC_SCRIPT, "status-terminal"], {
+    stdio: "pipe",
+    timeout: 2e3
+  });
+  return result.status === 0;
+}
+async function ensureTerminal(transport = "vnc") {
+  const targetSentinel = transport === "native" ? "native" : ":99";
+  if (terminalAlive()) {
+    if (currentTerminalDisplay !== null && currentTerminalDisplay !== targetSentinel) {
+      console.error(`[ensureTerminal] Display switch: ${currentTerminalDisplay} \u2192 ${targetSentinel}`);
+      vncLog("ensure-terminal", {
+        action: "display-switch",
+        transport,
+        from_display: currentTerminalDisplay,
+        to_display: targetSentinel
+      });
+      killTerminal();
+      await sleep(500);
+    } else {
+      if (currentTerminalDisplay === null) {
+        currentTerminalDisplay = targetSentinel;
+      }
+      vncLog("ensure-terminal", { action: "already-running", transport });
+      return true;
+    }
+  }
+  const vncCommand = transport === "native" ? "start-terminal-native" : "start-terminal";
+  if (transport === "vnc") {
+    const xAlive = await waitForPort(5900, 1e3);
+    if (!xAlive) {
+      console.error("[ensureTerminal] X server down on :5900 \u2014 escalating to full VNC restart");
+      vncLog("ensure-terminal", { action: "escalate-vnc-restart", reason: "x-down", transport });
+      const vncOk = await ensureVnc();
+      if (!vncOk) {
+        console.error("[ensureTerminal] Full VNC restart failed \u2014 terminal degraded");
+        vncLog("ensure-terminal", { action: "degraded", reason: "vnc-restart-failed", transport });
+        return false;
+      }
+    }
+  }
+  if (transport === "native") {
+    const nativeInfo = discoverNativeDisplay();
+    vncLog("ensure-terminal", {
+      action: "native-display-resolved",
+      transport,
+      session_type: nativeInfo.sessionType,
+      display: nativeInfo.display
+    });
+  }
+  console.error(`[ensureTerminal] Launching terminal (${vncCommand}) for transport=${transport}`);
+  vncLog("ensure-terminal", { action: `launch-${vncCommand}`, transport });
+  try {
+    execFileSync("bash", [VNC_SCRIPT, vncCommand], { timeout: 1e4 });
+  } catch (err) {
+    vncLog("ensure-terminal", { action: "launch-failed", transport, err: err.message });
+    return false;
+  }
+  currentTerminalDisplay = targetSentinel;
+  vncLog("ensure-terminal", { action: "launch-complete", transport, sentinel: targetSentinel });
+  return true;
+}
+function killTerminal() {
+  spawnSync("bash", [VNC_SCRIPT, "kill-terminal"], { stdio: "pipe", timeout: 5e3 });
+  currentTerminalDisplay = null;
+}
 function writeChromiumWrapper() {
   mkdirSync4(BIN_DIR, { recursive: true });
   const wrapperPath = resolve5(BIN_DIR, "chromium");
@@ -5212,9 +5280,11 @@ async function persistToolCall(record) {
     await session.close();
   }
 }
+var SUMMARY_MAX_LEN = 200;
 async function persistMessage(conversationId, role, content, accountId, tokens, createdAt, sender) {
   if (!content) return null;
   const messageId = randomUUID();
+  const summary = role === "user" ? content.slice(0, SUMMARY_MAX_LEN).trim() : "";
   let embedding = null;
   try {
     embedding = await embed(content);
@@ -5223,8 +5293,17 @@ async function persistMessage(conversationId, role, content, accountId, tokens,
   }
   const session = getSession();
   try {
-    await session.run(
-      `CREATE (m:Message {
+    const result = await session.run(
+      `MATCH (c:Conversation {conversationId: $conversationId})
+       OPTIONAL MATCH (tail:Message)-[:PART_OF]->(c)
+         WHERE NOT (tail)-[:NEXT]->(:Message)
+       // Capture whether THIS write's guard will fire. Read c.summary
+       // before the SET so the boolean reflects the pre-state, not the
+       // post-state \u2014 a false positive otherwise when a new user message
+       // happens to equal an already-set summary (verbatim retry, short
+       // catchphrase) and fooled a post-state equality check.
+       WITH c, tail, (c.summary IS NULL AND $role = 'user' AND $summary <> '') AS summarySetThisWrite
+       CREATE (m:Message {
          messageId: $messageId,
          conversationId: $conversationId,
          accountId: $accountId,
@@ -5238,16 +5317,24 @@ async function persistMessage(conversationId, role, content, accountId, tokens,
          ${tokens?.cacheReadTokens != null ? ", cacheReadTokens: $cacheReadTokens" : ""}
          ${tokens?.cacheCreationTokens != null ? ", cacheCreationTokens: $cacheCreationTokens" : ""}
        })
-       WITH m
-       MATCH (c:Conversation {conversationId: $conversationId})
        SET c.updatedAt = datetime()
-       CREATE (m)-[:PART_OF]->(c)`,
+       CREATE (m)-[:PART_OF]->(c)
+       FOREACH (prev IN CASE WHEN tail IS NULL THEN [] ELSE [tail] END |
+         CREATE (prev)-[:NEXT]->(m)
+       )
+       FOREACH (_ IN CASE WHEN summarySetThisWrite THEN [1] ELSE [] END |
+         SET c.summary = $summary
+       )
+       RETURN tail.messageId AS prevMessageId,
+              summarySetThisWrite,
+              size([(m2:Message)-[:PART_OF]->(c) | m2]) AS chainLen`,
       {
         messageId,
         conversationId,
         accountId,
         role,
         content,
+        summary,
         ...createdAt ? { createdAt } : {},
         ...embedding ? { embedding } : {},
         ...sender ? { senderVisitorId: sender.visitorId, senderName: sender.displayName } : {},
@@ -5257,6 +5344,19 @@ async function persistMessage(conversationId, role, content, accountId, tokens,
         ...tokens?.cacheCreationTokens != null ? { cacheCreationTokens: neo4j.int(tokens.cacheCreationTokens) } : {}
       }
     );
+    if (result.records.length === 0) {
+      console.error(`[persist] Neo4j write skipped \u2014 conversation not found: ${conversationId.slice(0, 8)}\u2026`);
+      return null;
+    }
+    const record = result.records[0];
+    const prevMessageId = record.get("prevMessageId") ?? null;
+    const summarySetThisWrite = record.get("summarySetThisWrite") === true;
+    const chainLenRaw = record.get("chainLen");
+    const chainLen = typeof chainLenRaw === "bigint" ? Number(chainLenRaw) : typeof chainLenRaw?.toNumber === "function" ? chainLenRaw.toNumber() : Number(chainLenRaw ?? 0);
+    console.error(`[neo4j-store] append-message conversationId=${conversationId.slice(0, 8)}\u2026 messageId=${messageId.slice(0, 8)}\u2026 prev=${prevMessageId ? prevMessageId.slice(0, 8) + "\u2026" : "null"} chainLen=${chainLen}`);
+    if (summarySetThisWrite) {
+      console.error(`[neo4j-store] conversation-summary-set conversationId=${conversationId.slice(0, 8)}\u2026 len=${summary.length}`);
+    }
     console.error(`[persist] ${(/* @__PURE__ */ new Date()).toISOString()} conversationId=${conversationId.slice(0, 8)}\u2026 role=${role} len=${content.length}${sender ? ` sender=${sender.displayName}` : ""}`);
     return messageId;
   } catch (err) {
@@ -18461,7 +18561,16 @@ app9.post("/", async (c) => {
     return c.text("Invalid JSON", 400);
   }
   const kindRaw = typeof body.kind === "string" ? body.kind : "unknown";
-  const allowedKinds = /* @__PURE__ */ new Set(["uncaught", "unhandled-rejection", "subresource", "test", "unknown"]);
+  const allowedKinds = /* @__PURE__ */ new Set([
+    "uncaught",
+    "unhandled-rejection",
+    "subresource",
+    "test",
+    "unknown",
+    "graph-labels-in-graph",
+    "graph-default-view",
+    "graph-neighbourhood-pivot"
+  ]);
   const kind = allowedKinds.has(kindRaw) ? kindRaw : "unknown";
   const msg = truncate2(body.msg, MAX_MSG_LEN);
   const url = truncate2(body.url, MAX_URL_LEN);
@@ -18550,6 +18659,41 @@ async function createAdminSession(accountId, thinkingView, userId, userName) {
   };
 }
 var app10 = new Hono2();
+app10.get("/", async (c) => {
+  const sessionKey = c.req.query("session_key");
+  if (!sessionKey || !validateSession(sessionKey, "admin")) {
+    return c.json({ error: "Invalid or expired admin session" }, 401);
+  }
+  const accountId = getAccountIdForSession(sessionKey);
+  if (!accountId) {
+    return c.json({ error: "Session has no account binding" }, 401);
+  }
+  const account = resolveAccount();
+  const thinkingView = account?.config.thinkingView ?? "default";
+  let onboardingComplete = true;
+  try {
+    const step = await loadOnboardingStep(accountId);
+    onboardingComplete = step === null || step >= 8;
+  } catch (err) {
+    console.error(`[session] restore onboarding query failed: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  let businessName;
+  try {
+    const branding = await fetchBranding(accountId);
+    businessName = branding?.name || void 0;
+  } catch {
+  }
+  return c.json({
+    session_key: sessionKey,
+    agent_id: "admin",
+    userId: getUserIdForSession(sessionKey),
+    userName: getUserNameForSession(sessionKey),
+    thinkingView,
+    onboardingComplete,
+    businessName,
+    conversationId: getConversationIdForSession(sessionKey) ?? null
+  });
+});
 app10.post("/", async (c) => {
   let body;
   try {
@@ -19721,6 +19865,44 @@ app20.post("/launch", async (c) => {
 });
 var browser_default = app20;
 
+// server/routes/admin/terminal.ts
+var app21 = new Hono2();
+app21.post("/launch", async (c) => {
+  try {
+    const transport = resolveBrowserTransport(c.req.raw, c.env?.incoming?.socket?.remoteAddress);
+    if (transport === "vnc") {
+      const vncOk = await ensureVnc();
+      if (!vncOk) {
+        return c.json({ ok: false, error: "VNC failed to start" }, 502);
+      }
+    }
+    const terminalOk = await ensureTerminal(transport);
+    if (!terminalOk) {
+      return c.json({ ok: false, error: "Terminal failed to start" }, 502);
+    }
+    return c.json({ ok: true, transport });
+  } catch (err) {
+    console.error("[admin/terminal/launch] Failed to start terminal:", err);
+    return c.json(
+      { ok: false, error: err instanceof Error ? err.message : "Unknown error" },
+      500
+    );
+  }
+});
+app21.post("/close", (c) => {
+  try {
+    killTerminal();
+    return c.json({ ok: true });
+  } catch (err) {
+    console.error("[admin/terminal/close] kill failed:", err);
+    return c.json(
+      { ok: false, error: err instanceof Error ? err.message : "Unknown error" },
+      500
+    );
+  }
+});
+var terminal_default = app21;
+
 // app/lib/cdp-client.ts
 var CDP_HOST = "127.0.0.1";
 var CDP_PORT = 9222;
@@ -19762,8 +19944,8 @@ async function cdpNavigateNewTab(url, opts = {}) {
 }
 
 // server/routes/admin/device-browser.ts
-var app21 = new Hono2();
-app21.post("/navigate", async (c) => {
+var app22 = new Hono2();
+app22.post("/navigate", async (c) => {
   const TAG19 = "[device-url:click]";
   let body;
   try {
@@ -19850,7 +20032,7 @@ app21.post("/navigate", async (c) => {
     targetId: outcome.targetId
   });
 });
-var device_browser_default = app21;
+var device_browser_default = app22;
 
 // server/routes/admin/events.ts
 var ALLOWED_EVENTS = /* @__PURE__ */ new Set([
@@ -19859,8 +20041,8 @@ var ALLOWED_EVENTS = /* @__PURE__ */ new Set([
   "device-url:vnc-surface-shown",
   "device-url:malformed"
 ]);
-var app22 = new Hono2();
-app22.post("/", async (c) => {
+var app23 = new Hono2();
+app23.post("/", async (c) => {
   const TAG19 = "[admin:events]";
   let body;
   try {
@@ -19891,7 +20073,7 @@ app22.post("/", async (c) => {
   console.error(`[${event}] ${formatted}`);
   return c.json({ ok: true });
 });
-var events_default = app22;
+var events_default = app23;
 
 // server/routes/admin/cloudflare.ts
 import { homedir as homedir4 } from "os";
@@ -19984,7 +20166,7 @@ function validateBody(body) {
   }
   return null;
 }
-var app23 = new Hono2();
+var app24 = new Hono2();
 function fieldFromReason(reason) {
   switch (reason) {
     case "not-signed-in":
@@ -20001,7 +20183,7 @@ function fieldFromReason(reason) {
       return "script";
   }
 }
-app23.get("/domains", requireAdminSession, async (c) => {
+app24.get("/domains", requireAdminSession, async (c) => {
   const started = Date.now();
   const sessionKey = c.var.sessionKey;
   let correlationId;
@@ -20094,7 +20276,7 @@ ${result.stderr}` : ""}`;
   );
   return c.json(success, 200);
 });
-app23.post("/setup", requireAdminSession, async (c) => {
+app24.post("/setup", requireAdminSession, async (c) => {
   const started = Date.now();
   const sessionKey = c.var.sessionKey;
   let correlationId;
@@ -20232,7 +20414,7 @@ ${result.stderr}` : ""}`;
   log2(`phase=response-sent`);
   return resp;
 });
-var cloudflare_default = app23;
+var cloudflare_default = app24;
 
 // server/routes/admin/files.ts
 import { createReadStream as createReadStream3 } from "fs";
@@ -20584,8 +20766,8 @@ function buildDisplayPath(relPath, accountNames) {
     return dn ? { name: seg, displayName: dn } : { name: seg };
   });
 }
-var app24 = new Hono2();
-app24.get("/", requireAdminSession, async (c) => {
+var app25 = new Hono2();
+app25.get("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   if (!getAccountIdForSession(sessionKey)) {
     console.error(`[data] auth-rejected endpoint="/api/admin/files" reason="no account for session"`);
@@ -20646,7 +20828,7 @@ app24.get("/", requireAdminSession, async (c) => {
     return c.json({ error: message }, 500);
   }
 });
-app24.get("/download", requireAdminSession, async (c) => {
+app25.get("/download", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   if (!getAccountIdForSession(sessionKey)) {
     console.error(`[data] auth-rejected endpoint="/api/admin/files/download" reason="no account for session"`);
@@ -20694,7 +20876,7 @@ app24.get("/download", requireAdminSession, async (c) => {
     return c.json({ error: message }, 500);
   }
 });
-app24.post("/upload", requireAdminSession, async (c) => {
+app25.post("/upload", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const accountId = getAccountIdForSession(sessionKey);
   if (!accountId) {
@@ -20752,7 +20934,7 @@ app24.post("/upload", requireAdminSession, async (c) => {
     mimeType: file.type
   });
 });
-app24.delete("/", requireAdminSession, async (c) => {
+app25.delete("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const accountId = getAccountIdForSession(sessionKey);
   if (!accountId) {
@@ -20819,13 +21001,13 @@ app24.delete("/", requireAdminSession, async (c) => {
     return c.json({ error: message }, 500);
   }
 });
-var files_default = app24;
+var files_default = app25;
 
 // server/routes/admin/graph-search.ts
 var DEFAULT_LIMIT = 20;
 var MAX_LIMIT = 100;
-var app25 = new Hono2();
-app25.get("/", requireAdminSession, async (c) => {
+var app26 = new Hono2();
+app26.get("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const q = (c.req.query("q") ?? "").trim();
   const rawLimit = c.req.query("limit");
@@ -20850,7 +21032,10 @@ app25.get("/", requireAdminSession, async (c) => {
     return c.json({ error: `Graph search unavailable: ${message}` }, 503);
   }
 });
-var graph_search_default = app25;
+var graph_search_default = app26;
+
+// server/routes/admin/graph-subgraph.ts
+import neo4j3 from "neo4j-driver";
 
 // app/lib/graph-labels.ts
 var GRAPH_LABEL_COLOURS = {
@@ -20893,7 +21078,13 @@ var GRAPH_LABEL_COLOURS = {
   OnboardingState: "#8B5CF6",
   // Email
   Email: "#65A30D",
-  EmailAccount: "#84CC16"
+  EmailAccount: "#84CC16",
+  // Review signals (Task 626 — previously written by review-detector but
+  // unregistered here, producing an `unknown label` 400 whenever the
+  // filter popover advertised the label. Registry reconciled so every
+  // label written anywhere in the codebase has a colour + a 200 from
+  // graph-subgraph default mode).
+  ReviewAlert: "#DC2626"
 };
 var ALL_GRAPH_LABELS = Object.freeze(
   Object.keys(GRAPH_LABEL_COLOURS)
@@ -20901,6 +21092,9 @@ var ALL_GRAPH_LABELS = Object.freeze(
 var HIDDEN_BY_DEFAULT_LABELS = Object.freeze(
   /* @__PURE__ */ new Set(["Chunk", "GraphPreference"])
 );
+var FILTER_EXCLUDED_LABELS = Object.freeze(
+  /* @__PURE__ */ new Set(["ToolCall", "WorkflowRun", "WorkflowStep", "ReviewAlert"])
+);
 function isKnownLabel(label) {
   return Object.prototype.hasOwnProperty.call(GRAPH_LABEL_COLOURS, label);
 }
@@ -20917,8 +21111,8 @@ var STRIPPED_PROPERTIES = /* @__PURE__ */ new Set([
   "otpCode",
   "sessionKey"
 ]);
-var app26 = new Hono2();
-app26.get("/", requireAdminSession, async (c) => {
+var app27 = new Hono2();
+app27.get("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const accountId = getAccountIdForSession(sessionKey);
   if (!accountId) {
@@ -21143,22 +21337,31 @@ var NEIGHBOURHOOD_CYPHER = `
     [x IN windowNodes | {id: elementId(x), labels: labels(x), properties: properties(x)}] AS nodes,
     [e IN rawEdges WHERE e IS NOT NULL] AS edges
 `;
+function convertNeo4jValue(value) {
+  if (neo4j3.isDateTime(value) || neo4j3.isDate(value) || neo4j3.isLocalDateTime(value) || neo4j3.isLocalTime(value) || neo4j3.isTime(value) || neo4j3.isDuration(value)) {
+    return value.toString();
+  }
+  if (neo4j3.isInt(value)) {
+    return value.inSafeRange() ? value.toNumber() : value.toString();
+  }
+  return value;
+}
 function pruneNode(node) {
   const properties = {};
   for (const [key, value] of Object.entries(node.properties ?? {})) {
     if (STRIPPED_PROPERTIES.has(key)) continue;
-    properties[key] = value;
+    properties[key] = convertNeo4jValue(value);
   }
   const trashed = (node.labels ?? []).includes("Trashed");
   const labels = (node.labels ?? []).filter((l) => l !== "Trashed");
   return trashed ? { id: node.id, labels, properties, trashed: true } : { id: node.id, labels, properties };
 }
-var graph_subgraph_default = app26;
+var graph_subgraph_default = app27;
 
 // server/routes/admin/graph-delete.ts
 var ALLOWED_BY = ["graph-page", "graph-drag-trash"];
-var app27 = new Hono2();
-app27.post("/", requireAdminSession, async (c) => {
+var app28 = new Hono2();
+app28.post("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const accountId = getAccountIdForSession(sessionKey);
   if (!accountId) {
@@ -21229,11 +21432,11 @@ app27.post("/", requireAdminSession, async (c) => {
     }
   }
 });
-var graph_delete_default = app27;
+var graph_delete_default = app28;
 
 // server/routes/admin/graph-restore.ts
-var app28 = new Hono2();
-app28.post("/", requireAdminSession, async (c) => {
+var app29 = new Hono2();
+app29.post("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const accountId = getAccountIdForSession(sessionKey);
   if (!accountId) {
@@ -21297,11 +21500,11 @@ app28.post("/", requireAdminSession, async (c) => {
     }
   }
 });
-var graph_restore_default = app28;
+var graph_restore_default = app29;
 
 // server/routes/admin/graph-labels-in-graph.ts
-var app29 = new Hono2();
-app29.get("/", requireAdminSession, async (c) => {
+var app30 = new Hono2();
+app30.get("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const accountId = getAccountIdForSession(sessionKey);
   if (!accountId) {
@@ -21311,16 +21514,23 @@ app29.get("/", requireAdminSession, async (c) => {
   const started = Date.now();
   const session = getSession();
   try {
-    const hidden = [...HIDDEN_BY_DEFAULT_LABELS];
+    const excluded = [...HIDDEN_BY_DEFAULT_LABELS, ...FILTER_EXCLUDED_LABELS];
     const result = await session.executeRead(async (tx) => {
-      return await tx.run(LABELS_IN_GRAPH_CYPHER, { accountId, hidden });
+      return await tx.run(LABELS_IN_GRAPH_CYPHER, { accountId, excluded });
+    });
+    const labels = result.records.map((r) => ({
+      label: String(r.get("label")),
+      nodeCount: toNumber(r.get("nodeCount")),
+      relDegree: toNumber(r.get("relDegree")),
+      childOnly: toBool(r.get("childOnly"))
+    })).filter((row) => row.nodeCount > 0).sort((a, b) => {
+      if (b.relDegree !== a.relDegree) return b.relDegree - a.relDegree;
+      return a.label.localeCompare(b.label);
     });
-    const record = result.records[0];
-    const rawLabels = record?.get("labels") ?? [];
-    const labels = [...new Set(rawLabels)].sort();
     const elapsed = Date.now() - started;
+    const summary = labels.map((l) => `${l.label}:${l.nodeCount}:${l.relDegree}:${l.childOnly ? 1 : 0}`).join(",");
     console.error(
-      `[graph-page] labels-in-graph account=${accountId} labels=${labels.join(",")} ms=${elapsed}`
+      `[graph-page] labels-in-graph account=${accountId} labels=${summary} ms=${elapsed}`
     );
     return c.json({ labels });
   } catch (err) {
@@ -21337,21 +21547,44 @@ app29.get("/", requireAdminSession, async (c) => {
     }
   }
 });
+function toNumber(v) {
+  if (typeof v === "bigint") return Number(v);
+  if (typeof v === "number") return v;
+  return Number(v ?? 0);
+}
+function toBool(v) {
+  return v === true;
+}
 var LABELS_IN_GRAPH_CYPHER = `
   MATCH (n)
   WHERE n.accountId = $accountId
     AND NOT n:Trashed
     AND n.deletedAt IS NULL
-  UNWIND labels(n) AS lbl
-  WITH DISTINCT lbl
-  WHERE NOT lbl IN $hidden
-  RETURN collect(lbl) AS labels
+  WITH n,
+       [l IN labels(n) WHERE NOT l IN $excluded] AS keptLabels,
+       size([(n)--() | 1]) AS halfEdges
+  UNWIND keptLabels AS label
+  WITH label, n, halfEdges,
+       EXISTS {
+         MATCH (other)-[]->(n)
+         WHERE NOT other:Trashed
+           AND other.deletedAt IS NULL
+           AND NONE(ol IN labels(other) WHERE ol = label)
+       } AS hasNonSelfInbound
+  WITH label,
+       count(DISTINCT n) AS nodeCount,
+       sum(halfEdges) AS relDegree,
+       count(DISTINCT CASE WHEN hasNonSelfInbound THEN n END) AS qualifyingCount
+  RETURN label,
+         nodeCount,
+         relDegree,
+         (nodeCount > 0 AND qualifyingCount = nodeCount) AS childOnly
 `;
-var graph_labels_in_graph_default = app29;
+var graph_labels_in_graph_default = app30;
 
 // server/routes/admin/graph-default-view.ts
-var app30 = new Hono2();
-app30.get("/", requireAdminSession, async (c) => {
+var app31 = new Hono2();
+app31.get("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const accountId = getAccountIdForSession(sessionKey);
   const userId = getUserIdForSession(sessionKey);
@@ -21389,7 +21622,7 @@ app30.get("/", requireAdminSession, async (c) => {
     }
   }
 });
-app30.put("/", requireAdminSession, async (c) => {
+app31.put("/", requireAdminSession, async (c) => {
   const sessionKey = c.var.sessionKey;
   const accountId = getAccountIdForSession(sessionKey);
   const userId = getUserIdForSession(sessionKey);
@@ -21471,11 +21704,11 @@ var WRITE_CYPHER = `
       p.updatedAt = $updatedAt
   RETURN p.labels AS labels
 `;
-var graph_default_view_default = app30;
+var graph_default_view_default = app31;
 
 // server/routes/admin/file-attach.ts
-var app31 = new Hono2();
-app31.post("/", async (c) => {
+var app32 = new Hono2();
+app32.post("/", async (c) => {
   try {
     const body = await c.req.json();
     const { filePath, accountId } = body;
@@ -21498,11 +21731,11 @@ app31.post("/", async (c) => {
     return c.json({ error: message }, 500);
   }
 });
-var file_attach_default = app31;
+var file_attach_default = app32;
 
 // server/routes/admin/adherence.ts
-var app32 = new Hono2();
-app32.get("/", requireAdminSession, async (c) => {
+var app33 = new Hono2();
+app33.get("/", requireAdminSession, async (c) => {
   const agent = c.req.query("agent") ?? "admin";
   const includeBlock = c.req.query("block") === "1";
   const account = resolveAccount();
@@ -21523,34 +21756,35 @@ app32.get("/", requireAdminSession, async (c) => {
     return c.json({ error: "Failed to read adherence ledger", agent }, 500);
   }
 });
-var adherence_default = app32;
+var adherence_default = app33;
 
 // server/routes/admin/index.ts
-var app33 = new Hono2();
-app33.route("/session", session_default2);
-app33.route("/chat", chat_default2);
-app33.route("/compact", compact_default);
-app33.route("/logs", logs_default);
-app33.route("/claude-info", claude_info_default);
-app33.route("/attachment", attachment_default);
-app33.route("/account", account_default);
-app33.route("/agents", agents_default);
-app33.route("/version", version_default);
-app33.route("/sessions", sessions_default);
-app33.route("/browser", browser_default);
-app33.route("/device-browser", device_browser_default);
-app33.route("/events", events_default);
-app33.route("/cloudflare", cloudflare_default);
-app33.route("/files", files_default);
-app33.route("/graph-search", graph_search_default);
-app33.route("/graph-subgraph", graph_subgraph_default);
-app33.route("/graph-delete", graph_delete_default);
-app33.route("/graph-restore", graph_restore_default);
-app33.route("/graph-labels-in-graph", graph_labels_in_graph_default);
-app33.route("/graph-default-view", graph_default_view_default);
-app33.route("/file-attach", file_attach_default);
-app33.route("/adherence", adherence_default);
-var admin_default = app33;
+var app34 = new Hono2();
+app34.route("/session", session_default2);
+app34.route("/chat", chat_default2);
+app34.route("/compact", compact_default);
+app34.route("/logs", logs_default);
+app34.route("/claude-info", claude_info_default);
+app34.route("/attachment", attachment_default);
+app34.route("/account", account_default);
+app34.route("/agents", agents_default);
+app34.route("/version", version_default);
+app34.route("/sessions", sessions_default);
+app34.route("/browser", browser_default);
+app34.route("/terminal", terminal_default);
+app34.route("/device-browser", device_browser_default);
+app34.route("/events", events_default);
+app34.route("/cloudflare", cloudflare_default);
+app34.route("/files", files_default);
+app34.route("/graph-search", graph_search_default);
+app34.route("/graph-subgraph", graph_subgraph_default);
+app34.route("/graph-delete", graph_delete_default);
+app34.route("/graph-restore", graph_restore_default);
+app34.route("/graph-labels-in-graph", graph_labels_in_graph_default);
+app34.route("/graph-default-view", graph_default_view_default);
+app34.route("/file-attach", file_attach_default);
+app34.route("/adherence", adherence_default);
+var admin_default = app34;
 
 // server/index.ts
 var PLATFORM_ROOT11 = process.env.MAXY_PLATFORM_ROOT || "";
@@ -21608,9 +21842,9 @@ watchFile(ALIAS_DOMAINS_PATH2, { interval: 2e3 }, () => {
 function isPublicHost(host) {
   return host.startsWith("public.") || aliasDomains.has(host);
 }
-var app34 = new Hono2();
-app34.use("*", clientIpMiddleware);
-app34.use("*", async (c, next) => {
+var app35 = new Hono2();
+app35.use("*", clientIpMiddleware);
+app35.use("*", async (c, next) => {
   await next();
   c.header("X-Content-Type-Options", "nosniff");
   c.header("Referrer-Policy", "strict-origin-when-cross-origin");
@@ -21633,7 +21867,7 @@ var PUBLIC_ALLOWED_PREFIXES = [
   "/g/"
 ];
 var PUBLIC_ALLOWED_EXACT = ["/favicon.ico"];
-app34.use("*", async (c, next) => {
+app35.use("*", async (c, next) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (!isPublicHost(host)) {
     await next();
@@ -21673,7 +21907,7 @@ function resolveRemoteAuthOpts() {
   return brandLoginOpts;
 }
 var MAX_LOGIN_BODY = 8 * 1024;
-app34.post("/__remote-auth/login", async (c) => {
+app35.post("/__remote-auth/login", async (c) => {
   const clientIp = c.var.clientIp || "unknown";
   const rateLimited = checkRateLimit(clientIp);
   if (rateLimited) {
@@ -21709,7 +21943,7 @@ app34.post("/__remote-auth/login", async (c) => {
     }
   });
 });
-app34.get("/__remote-auth/logout", (c) => {
+app35.get("/__remote-auth/logout", (c) => {
   const cookieHeader = c.req.header("cookie");
   const token = parseCookie(cookieHeader, "__remote_session");
   if (token) invalidateRemoteSession(token);
@@ -21722,7 +21956,7 @@ app34.get("/__remote-auth/logout", (c) => {
     }
   });
 });
-app34.post("/__remote-auth/change-password", async (c) => {
+app35.post("/__remote-auth/change-password", async (c) => {
   const clientIp = c.var.clientIp || "unknown";
   const rateLimited = checkRateLimit(clientIp);
   if (rateLimited) {
@@ -21771,13 +22005,13 @@ app34.post("/__remote-auth/change-password", async (c) => {
     return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "change", changeError: "Failed to save password", redirect }), 200);
   }
 });
-app34.get("/__remote-auth/setup", (c) => {
+app35.get("/__remote-auth/setup", (c) => {
   if (isRemoteAuthConfigured()) {
     return c.redirect("/");
   }
   return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "setup" }), 200);
 });
-app34.post("/__remote-auth/set-initial-password", async (c) => {
+app35.post("/__remote-auth/set-initial-password", async (c) => {
   if (isRemoteAuthConfigured()) {
     return c.redirect("/");
   }
@@ -21813,10 +22047,10 @@ app34.post("/__remote-auth/set-initial-password", async (c) => {
     return c.html(renderLoginPage({ ...resolveRemoteAuthOpts(), mode: "setup", setupError: "Failed to save password. Please try again." }), 200);
   }
 });
-app34.get("/api/remote-auth/status", (c) => {
+app35.get("/api/remote-auth/status", (c) => {
   return c.json({ configured: isRemoteAuthConfigured() });
 });
-app34.post("/api/remote-auth/set-password", async (c) => {
+app35.post("/api/remote-auth/set-password", async (c) => {
   let body;
   try {
     body = await c.req.json();
@@ -21846,9 +22080,9 @@ app34.post("/api/remote-auth/set-password", async (c) => {
     return c.json({ error: "Failed to save password" }, 500);
   }
 });
-app34.route("/api/_client-error", client_error_default);
+app35.route("/api/_client-error", client_error_default);
 console.log("[client-error-route] mounted");
-app34.use("*", async (c, next) => {
+app35.use("*", async (c, next) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   const path2 = c.req.path;
   if (path2 === "/favicon.ico" || path2.startsWith("/assets/") || path2.startsWith("/brand/")) {
@@ -21888,15 +22122,15 @@ function parseCookie(cookieHeader, name) {
     return null;
   }
 }
-app34.route("/api/health", health_default);
-app34.route("/api/session", session_default);
-app34.route("/api/chat", chat_default);
-app34.route("/api/group", group_default);
-app34.route("/api/access", access_default);
-app34.route("/api/telegram", telegram_default);
-app34.route("/api/whatsapp", whatsapp_default);
-app34.route("/api/onboarding", onboarding_default);
-app34.route("/api/admin", admin_default);
+app35.route("/api/health", health_default);
+app35.route("/api/session", session_default);
+app35.route("/api/chat", chat_default);
+app35.route("/api/group", group_default);
+app35.route("/api/access", access_default);
+app35.route("/api/telegram", telegram_default);
+app35.route("/api/whatsapp", whatsapp_default);
+app35.route("/api/onboarding", onboarding_default);
+app35.route("/api/admin", admin_default);
 var SAFE_SLUG_RE = /^[a-z][a-z0-9-]{2,49}$/;
 var SAFE_FILENAME_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
 var IMAGE_MIME = {
@@ -21908,7 +22142,7 @@ var IMAGE_MIME = {
   ".svg": "image/svg+xml",
   ".ico": "image/x-icon"
 };
-app34.get("/agent-assets/:slug/:filename", (c) => {
+app35.get("/agent-assets/:slug/:filename", (c) => {
   const slug = c.req.param("slug");
   const filename = c.req.param("filename");
   if (!SAFE_SLUG_RE.test(slug)) {
@@ -21943,7 +22177,7 @@ app34.get("/agent-assets/:slug/:filename", (c) => {
     "Cache-Control": "public, max-age=3600"
   });
 });
-app34.get("/generated/:filename", (c) => {
+app35.get("/generated/:filename", (c) => {
   const filename = c.req.param("filename");
   if (!SAFE_FILENAME_RE.test(filename) || filename.includes("..")) {
     console.error(`[generated] serve file=${filename} status=403`);
@@ -22108,7 +22342,7 @@ function brandedPublicHtml(agentSlug) {
 function escapeHtml2(s) {
   return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
 }
-app34.get("/", (c) => {
+app35.get("/", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) {
     const defaultSlug = resolveDefaultSlug();
@@ -22116,12 +22350,12 @@ app34.get("/", (c) => {
   }
   return c.html(cachedHtml("index.html"));
 });
-app34.get("/public", (c) => {
+app35.get("/public", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("public.html"));
 });
-app34.get("/chat", (c) => {
+app35.get("/chat", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("public.html"));
@@ -22140,9 +22374,9 @@ async function logViewerFetch(c, next) {
     duration_ms: Date.now() - start
   });
 }
-app34.use("/vnc-viewer.html", logViewerFetch);
-app34.use("/vnc-popout.html", logViewerFetch);
-app34.get("/vnc-popout.html", (c) => {
+app35.use("/vnc-viewer.html", logViewerFetch);
+app35.use("/vnc-popout.html", logViewerFetch);
+app35.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
     html = readFileSync26(resolve30(process.cwd(), "public", "vnc-popout.html"), "utf-8");
@@ -22155,7 +22389,7 @@ app34.get("/vnc-popout.html", (c) => {
   }
   return c.html(html);
 });
-app34.post("/api/vnc/client-event", async (c) => {
+app35.post("/api/vnc/client-event", async (c) => {
   let body;
   try {
     body = await c.req.json();
@@ -22176,20 +22410,20 @@ app34.post("/api/vnc/client-event", async (c) => {
   });
   return c.json({ ok: true });
 });
-app34.get("/g/:slug", (c) => {
+app35.get("/g/:slug", (c) => {
   return c.html(brandedPublicHtml());
 });
-app34.get("/graph", (c) => {
+app35.get("/graph", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("graph.html"));
 });
-app34.get("/data", (c) => {
+app35.get("/data", (c) => {
   const host = (c.req.header("host") ?? "").split(":")[0];
   if (isPublicHost(host)) return c.text("Not found", 404);
   return c.html(cachedHtml("data.html"));
 });
-app34.get("/:slug", async (c, next) => {
+app35.get("/:slug", async (c, next) => {
   const slug = c.req.param("slug");
   if (AGENT_SLUG_PATTERN.test(`/${slug}`)) {
     const branding = loadBrandingCache(slug);
@@ -22198,10 +22432,10 @@ app34.get("/:slug", async (c, next) => {
   }
   await next();
 });
-app34.use("/*", serveStatic({ root: "./public" }));
+app35.use("/*", serveStatic({ root: "./public" }));
 var port = parseInt(process.env.PORT ?? "19200", 10);
 var hostname = process.env.HOSTNAME ?? "0.0.0.0";
-var httpServer = serve({ fetch: app34.fetch, port, hostname });
+var httpServer = serve({ fetch: app35.fetch, port, hostname });
 attachVncWsProxy(httpServer, {
   isPublicHost,
   upstreamHost: "127.0.0.1",
@@ -22247,7 +22481,7 @@ for (const m of SUBAPP_MANIFEST) {
 }
 try {
   const registered = [];
-  for (const r of app34.routes ?? []) {
+  for (const r of app35.routes ?? []) {
     if (typeof r.path !== "string" || r.path.includes(":") || r.path.includes("*")) continue;
     if (AGENT_SLUG_PATTERN.test(r.path)) {
       registered.push({ method: (r.method ?? "ALL").toUpperCase(), path: r.path });