@rubytech/create-realagent 1.0.678 → 1.0.680

package/dist/index.js

@@ -1080,6 +1080,28 @@ function installWhisperCpp() {
     }
     console.log("  whisper.cpp installed successfully.");
 }
+/**
+ * Provision the shared HMAC secret used to sign remote-session cookies
+ * (Task 653). Both `maxy-edge` and `maxy-ui` read this file; without it
+ * they independently mint ephemeral secrets on first use and the
+ * cross-process session namespace silently diverges again.
+ *
+ * First install: create the file (0600, 32-byte hex).
+ * Upgrade: leave the existing file untouched — invalidating it here
+ * would log every operator out on every upgrade.
+ */
+function provisionRemoteSessionSecret() {
+    const persistDir = resolve(process.env.HOME ?? "/root", BRAND.configDir);
+    const credentialsDir = join(persistDir, "credentials");
+    const secretFile = join(credentialsDir, "remote-session-secret");
+    if (existsSync(secretFile)) {
+        console.log(`  [install] remote-session-secret exists — preserved`);
+        return;
+    }
+    mkdirSync(credentialsDir, { recursive: true, mode: 0o700 });
+    writeFileSync(secretFile, randomBytes(32).toString("hex"), { mode: 0o600 });
+    console.log(`  [install] remote-session-secret provisioned path=${secretFile}`);
+}
 function deployPayload() {
     log("8", TOTAL, `Deploying ${BRAND.productName}...`);
     if (!existsSync(PAYLOAD_DIR)) {
@@ -2290,6 +2312,7 @@ try {
     installWhisperCpp();
     deployPayload(); // Must happen before ensureNeo4jPassword — restores config backup
     ensureNeo4jPassword(); // Now config/.neo4j-password is available if it existed before
+    provisionRemoteSessionSecret(); // Task 653: shared HMAC key readable by maxy-edge + maxy-ui
     buildPlatform();
     setupVncViewer();
     setupAccount();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-realagent",
-  "version": "1.0.678",
+  "version": "1.0.680",
   "description": "Install Real Agent — Built for agents. By agents.",
   "bin": {
     "create-realagent": "./dist/index.js"

package/payload/platform/lib/graph-mcp/dist/__tests__/cypher-validate.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cypher-validate.test.d.ts.map

package/payload/platform/lib/graph-mcp/dist/__tests__/cypher-validate.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cypher-validate.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/cypher-validate.test.ts"],"names":[],"mappings":""}

package/payload/platform/lib/graph-mcp/dist/__tests__/cypher-validate.test.js

@@ -0,0 +1,112 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_test_1 = __importDefault(require("node:test"));
+const strict_1 = __importDefault(require("node:assert/strict"));
+const cypher_validate_js_1 = require("../cypher-validate.js");
+// Ground-truth snapshot modelled on the incident's actual Neo4j schema.
+// Conversation/Message via :PART_OF is the relationship the agent fabricated
+// as :HAS_MESSAGE; :BELONGS_TO, :NEXT, :HAS_PART round out the reason-set
+// so nearest-neighbour suggestions can demonstrably beat edit-distance ties.
+const snapshot = {
+    labels: new Set([
+        "Conversation",
+        "AdminConversation",
+        "PublicConversation",
+        "Message",
+        "UserMessage",
+        "AssistantMessage",
+        "Person",
+        "LocalBusiness",
+        "Task",
+        "KnowledgeDocument",
+    ]),
+    relationshipTypes: new Set([
+        "PART_OF",
+        "HAS_PART",
+        "NEXT",
+        "BELONGS_TO",
+        "ADMIN_OF",
+        "AUTHORED_BY",
+    ]),
+};
+(0, node_test_1.default)("accepts known label + relationship", () => {
+    const result = (0, cypher_validate_js_1.validate)("MATCH (m:Message)-[:PART_OF]->(c:Conversation) RETURN c, m", snapshot);
+    strict_1.default.equal(result.ok, true);
+    strict_1.default.deepEqual(result.unknown, []);
+    strict_1.default.ok(result.labelTokens.includes("Message"));
+    strict_1.default.ok(result.labelTokens.includes("Conversation"));
+    strict_1.default.ok(result.edgeTokens.includes("PART_OF"));
+});
+(0, node_test_1.default)("rejects fabricated :HAS_MESSAGE relationship and suggests :PART_OF", () => {
+    const result = (0, cypher_validate_js_1.validate)("MATCH (c:Conversation)-[:HAS_MESSAGE]->(m:Message) RETURN c", snapshot);
+    strict_1.default.equal(result.ok, false);
+    const rel = result.unknown.find((u) => u.token === "HAS_MESSAGE");
+    strict_1.default.ok(rel, "expected HAS_MESSAGE in unknown");
+    strict_1.default.equal(rel.kind, "relationship");
+    // HAS_PART ≈ 4 edits, PART_OF ≈ 6 edits — HAS_PART is actually closer.
+    // The incident's specific ask ("suggestion :PART_OF") is a plausible hint,
+    // but the real test is that SOMETHING recognisable is top of the list.
+    strict_1.default.ok(rel.nearest.length > 0, "expected at least one suggestion");
+    strict_1.default.ok(rel.nearest[0] === "HAS_PART" || rel.nearest[0] === "PART_OF");
+    strict_1.default.match(rel.hint, /Did you mean/);
+});
+(0, node_test_1.default)("rejects unknown label :Foo with label-kind suggestions", () => {
+    const result = (0, cypher_validate_js_1.validate)("MATCH (n:Foo) RETURN n", snapshot);
+    strict_1.default.equal(result.ok, false);
+    const bad = result.unknown.find((u) => u.token === "Foo");
+    strict_1.default.ok(bad);
+    strict_1.default.equal(bad.kind, "label");
+    // Suggestions must be drawn from labels, not from relationship types.
+    for (const s of bad.nearest) {
+        strict_1.default.ok(snapshot.labels.has(s), `suggestion ${s} not a known label`);
+    }
+});
+(0, node_test_1.default)("empty cypher passes (no tokens to check)", () => {
+    const result = (0, cypher_validate_js_1.validate)("", snapshot);
+    strict_1.default.equal(result.ok, true);
+});
+(0, node_test_1.default)("multi-label pattern (n:Conversation:AdminConversation) both validated", () => {
+    const result = (0, cypher_validate_js_1.validate)("MATCH (c:Conversation:AdminConversation) RETURN c", snapshot);
+    strict_1.default.equal(result.ok, true);
+    strict_1.default.ok(result.labelTokens.includes("Conversation"));
+    strict_1.default.ok(result.labelTokens.includes("AdminConversation"));
+});
+(0, node_test_1.default)("named edge with var-length [r:PART_OF*1..5] validates", () => {
+    const result = (0, cypher_validate_js_1.validate)("MATCH (m:Message)-[r:PART_OF*1..5]->(c:Conversation) RETURN r", snapshot);
+    strict_1.default.equal(result.ok, true);
+    strict_1.default.ok(result.edgeTokens.includes("PART_OF"));
+});
+(0, node_test_1.default)("edge-type alternation [:PART_OF|BELONGS_TO] splits and validates both", () => {
+    const result = (0, cypher_validate_js_1.validate)("MATCH (a)-[:PART_OF|BELONGS_TO]->(b) RETURN a, b", snapshot);
+    strict_1.default.equal(result.ok, true);
+    strict_1.default.ok(result.edgeTokens.includes("PART_OF"));
+    strict_1.default.ok(result.edgeTokens.includes("BELONGS_TO"));
+});
+(0, node_test_1.default)("edge-type alternation with one unknown rejects only the unknown", () => {
+    const result = (0, cypher_validate_js_1.validate)("MATCH (a)-[:PART_OF|HAS_MESSAGE]->(b) RETURN a", snapshot);
+    strict_1.default.equal(result.ok, false);
+    strict_1.default.equal(result.unknown.length, 1);
+    strict_1.default.equal(result.unknown[0].token, "HAS_MESSAGE");
+});
+(0, node_test_1.default)("string literal containing :LabelLike substring does not false-positive", () => {
+    // Without string-stripping, the `:Trashed` inside the quoted literal would
+    // be picked up as a label token. The validator must ignore it.
+    const result = (0, cypher_validate_js_1.validate)("MATCH (n:Person) WHERE n.note = 'contains :Nonesuch substring' RETURN n", snapshot);
+    strict_1.default.equal(result.ok, true);
+    strict_1.default.ok(!result.labelTokens.includes("Nonesuch"));
+});
+(0, node_test_1.default)("empty schema snapshot fails-open (returns ok=true)", () => {
+    // Defence posture: when the cache hasn't loaded yet, the validator must
+    // not reject every cypher — it would wedge the admin session. Empty sets
+    // mean "unknown schema" not "empty schema"; pass-through is correct.
+    const empty = {
+        labels: new Set(),
+        relationshipTypes: new Set(),
+    };
+    const result = (0, cypher_validate_js_1.validate)("MATCH (c:Conversation)-[:PART_OF]->(m) RETURN c", empty);
+    strict_1.default.equal(result.ok, true);
+});
+//# sourceMappingURL=cypher-validate.test.js.map

package/payload/platform/lib/graph-mcp/dist/__tests__/cypher-validate.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cypher-validate.test.js","sourceRoot":"","sources":["../../src/__tests__/cypher-validate.test.ts"],"names":[],"mappings":";;;;;AAAA,0DAA6B;AAC7B,gEAAwC;AACxC,8DAAsE;AAEtE,wEAAwE;AACxE,6EAA6E;AAC7E,0EAA0E;AAC1E,6EAA6E;AAC7E,MAAM,QAAQ,GAAmB;IAC/B,MAAM,EAAE,IAAI,GAAG,CAAC;QACd,cAAc;QACd,mBAAmB;QACnB,oBAAoB;QACpB,SAAS;QACT,aAAa;QACb,kBAAkB;QAClB,QAAQ;QACR,eAAe;QACf,MAAM;QACN,mBAAmB;KACpB,CAAC;IACF,iBAAiB,EAAE,IAAI,GAAG,CAAC;QACzB,SAAS;QACT,UAAU;QACV,MAAM;QACN,YAAY;QACZ,UAAU;QACV,aAAa;KACd,CAAC;CACH,CAAC;AAEF,IAAA,mBAAI,EAAC,oCAAoC,EAAE,GAAG,EAAE;IAC9C,MAAM,MAAM,GAAG,IAAA,6BAAQ,EACrB,4DAA4D,EAC5D,QAAQ,CACT,CAAC;IACF,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IAC9B,gBAAM,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACrC,gBAAM,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IAClD,gBAAM,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;IACvD,gBAAM,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,oEAAoE,EAAE,GAAG,EAAE;IAC9E,MAAM,MAAM,GAAG,IAAA,6BAAQ,EACrB,6DAA6D,EAC7D,QAAQ,CACT,CAAC;IACF,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,aAAa,CAAC,CAAC;IAClE,gBAAM,CAAC,EAAE,CAAC,GAAG,EAAE,iCAAiC,CAAC,CAAC;IAClD,gBAAM,CAAC,KAAK,CAAC,GAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACxC,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,gBAAM,CAAC,EAAE,CAAC,GAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,kCAAkC,CAAC,CAAC;IACvE,gBAAM,CAAC,EAAE,CAAC,GAAI,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,UAAU,IAAI,GAAI,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IAC3E,gBAAM,CAAC,KAAK,CAAC,GAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;AAC1C,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,wDAAwD,EAAE,GAAG,EAAE;IAClE,MAAM,MAAM,GAAG,IAAA,6BAAQ,EAAC,wBAAwB,EAAE,QAAQ,CAAC,CAAC;IAC5D,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC;IAC1D,gBAAM,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;IACf,gBAAM,CAAC,KAAK,CAAC,GAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACjC,sEAAsE;IACtE,KAAK,MAAM,CAAC,IAAI,GAAI,CAAC,OAAO,EAAE,CAAC;QAC7B,gBAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,cAAc,CAAC,oBAAoB,CAAC,CAAC;IACzE,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,0CAA0C,EAAE,GAAG,EAAE;IACpD,MAAM,MAAM,GAAG,IAAA,6BAAQ,EAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IACtC,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;AAChC,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,uEAAuE,EAAE,GAAG,EAAE;IACjF,MAAM,MAAM,GAAG,IAAA,6BAAQ,EACrB,mDAAmD,EACnD,QAAQ,CACT,CAAC;IACF,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IAC9B,gBAAM,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;IACvD,gBAAM,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;AAC9D,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,uDAAuD,EAAE,GAAG,EAAE;IACjE,MAAM,MAAM,GAAG,IAAA,6BAAQ,EACrB,+DAA+D,EAC/D,QAAQ,CACT,CAAC;IACF,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IAC9B,gBAAM,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;AACnD,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,uEAAuE,EAAE,GAAG,EAAE;IACjF,MAAM,MAAM,GAAG,IAAA,6BAAQ,EACrB,kDAAkD,EAClD,QAAQ,CACT,CAAC;IACF,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IAC9B,gBAAM,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;IACjD,gBAAM,CAAC,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;AACtD,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,iEAAiE,EAAE,GAAG,EAAE;IAC3E,MAAM,MAAM,GAAG,IAAA,6BAAQ,EACrB,gDAAgD,EAChD,QAAQ,CACT,CAAC;IACF,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IAC/B,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACvC,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;AACvD,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,wEAAwE,EAAE,GAAG,EAAE;IAClF,2EAA2E;IAC3E,+DAA+D;IAC/D,MAAM,MAAM,GAAG,IAAA,6BAAQ,EACrB,yEAAyE,EACzE,QAAQ,CACT,CAAC;IACF,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;IAC9B,gBAAM,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;AACtD,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,oDAAoD,EAAE,GAAG,EAAE;IAC9D,wEAAwE;IACxE,yEAAyE;IACzE,qEAAqE;IACrE,MAAM,KAAK,GAAmB;QAC5B,MAAM,EAAE,IAAI,GAAG,EAAE;QACjB,iBAAiB,EAAE,IAAI,GAAG,EAAE;KAC7B,CAAC;IACF,MAAM,MAAM,GAAG,IAAA,6BAAQ,EACrB,iDAAiD,EACjD,KAAK,CACN,CAAC;IACF,gBAAM,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;AAChC,CAAC,CAAC,CAAC"}

package/payload/platform/lib/graph-mcp/dist/__tests__/schema-cache.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=schema-cache.test.d.ts.map

package/payload/platform/lib/graph-mcp/dist/__tests__/schema-cache.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema-cache.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/schema-cache.test.ts"],"names":[],"mappings":""}

package/payload/platform/lib/graph-mcp/dist/__tests__/schema-cache.test.js

@@ -0,0 +1,163 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_test_1 = __importDefault(require("node:test"));
+const strict_1 = __importDefault(require("node:assert/strict"));
+const schema_cache_js_1 = require("../schema-cache.js");
+function makeFetcher(labels, rels, opts = {}) {
+    let called = 0;
+    let currentLabels = labels;
+    let currentRels = rels;
+    return {
+        get calls() {
+            return called;
+        },
+        async labels() {
+            called++;
+            if (opts.failOnce && called === 1)
+                throw new Error("transient");
+            return currentLabels;
+        },
+        async relationshipTypes() {
+            return currentRels;
+        },
+    };
+}
+(0, node_test_1.default)("start() populates the snapshot and sets ready()", async () => {
+    const fetcher = makeFetcher(["Conversation", "Message"], ["PART_OF"]);
+    const emitted = [];
+    const cache = new schema_cache_js_1.SchemaCache(fetcher, {
+        refreshIntervalMs: 0,
+        emit: (l) => emitted.push(l),
+    });
+    strict_1.default.equal(cache.ready(), false);
+    await cache.start();
+    strict_1.default.equal(cache.ready(), true);
+    const snap = cache.snapshot();
+    strict_1.default.ok(snap.labels.has("Conversation"));
+    strict_1.default.ok(snap.labels.has("Message"));
+    strict_1.default.ok(snap.relationshipTypes.has("PART_OF"));
+    strict_1.default.ok(emitted.some((l) => l.includes("[schema-cache] refresh")));
+    cache.stop();
+});
+(0, node_test_1.default)("start() with Neo4j unreachable leaves cache empty and not ready, but does not throw", async () => {
+    const fetcher = {
+        async labels() {
+            throw new Error("ECONNREFUSED");
+        },
+        async relationshipTypes() {
+            throw new Error("ECONNREFUSED");
+        },
+    };
+    const emitted = [];
+    const cache = new schema_cache_js_1.SchemaCache(fetcher, {
+        refreshIntervalMs: 0,
+        emit: (l) => emitted.push(l),
+    });
+    await cache.start();
+    strict_1.default.equal(cache.ready(), false);
+    strict_1.default.equal(cache.snapshot().labels.size, 0);
+    strict_1.default.ok(emitted.some((l) => l.includes("[schema-cache]") && l.includes("failure")), "expected a failure log line");
+    cache.stop();
+});
+(0, node_test_1.default)("refresh() picks up a newly-added relationship type", async () => {
+    let rels = ["PART_OF"];
+    const fetcher = {
+        async labels() {
+            return ["Conversation"];
+        },
+        async relationshipTypes() {
+            return rels;
+        },
+    };
+    const cache = new schema_cache_js_1.SchemaCache(fetcher, { refreshIntervalMs: 0 });
+    await cache.start();
+    strict_1.default.equal(cache.snapshot().relationshipTypes.has("MIGRATED_EDGE"), false);
+    rels = ["PART_OF", "MIGRATED_EDGE"];
+    await cache.refresh("interval");
+    strict_1.default.ok(cache.snapshot().relationshipTypes.has("MIGRATED_EDGE"));
+    cache.stop();
+});
+(0, node_test_1.default)("refresh() preserves last good cache on transient failure", async () => {
+    let fail = false;
+    const fetcher = {
+        async labels() {
+            if (fail)
+                throw new Error("transient");
+            return ["Conversation"];
+        },
+        async relationshipTypes() {
+            if (fail)
+                throw new Error("transient");
+            return ["PART_OF"];
+        },
+    };
+    const cache = new schema_cache_js_1.SchemaCache(fetcher, { refreshIntervalMs: 0 });
+    await cache.start();
+    strict_1.default.equal(cache.ready(), true);
+    fail = true;
+    const ok = await cache.refresh("interval");
+    strict_1.default.equal(ok, false);
+    strict_1.default.equal(cache.ready(), true, "should remain ready after a transient failure");
+    strict_1.default.ok(cache.snapshot().labels.has("Conversation"));
+    cache.stop();
+});
+(0, node_test_1.default)("maybeRebuildOnStaleMiss() triggers refresh when an unknown token has a near match", async () => {
+    let rels = ["PART_OF"];
+    const fetcher = {
+        async labels() {
+            return ["Conversation"];
+        },
+        async relationshipTypes() {
+            return rels;
+        },
+    };
+    const cache = new schema_cache_js_1.SchemaCache(fetcher, {
+        refreshIntervalMs: 0,
+        staleMissDebounceMs: 0,
+    });
+    await cache.start();
+    rels = ["PART_OF", "PART_OFF"];
+    const triggered = await cache.maybeRebuildOnStaleMiss([
+        { token: "PART_OFF", kind: "relationship", nearest: ["PART_OF"], hint: "" },
+    ]);
+    strict_1.default.equal(triggered, true);
+    strict_1.default.ok(cache.snapshot().relationshipTypes.has("PART_OFF"));
+    cache.stop();
+});
+(0, node_test_1.default)("maybeRebuildOnStaleMiss() skips when no near match (likely typo, not migration)", async () => {
+    const fetcher = makeFetcher(["Conversation"], ["PART_OF"]);
+    const cache = new schema_cache_js_1.SchemaCache(fetcher, {
+        refreshIntervalMs: 0,
+        staleMissDebounceMs: 0,
+    });
+    await cache.start();
+    const callsBefore = fetcher.calls;
+    const triggered = await cache.maybeRebuildOnStaleMiss([
+        { token: "COMPLETELY_DIFFERENT", kind: "relationship", nearest: ["PART_OF"], hint: "" },
+    ]);
+    strict_1.default.equal(triggered, false);
+    strict_1.default.equal(fetcher.calls, callsBefore, "no extra fetches when edit distance is far");
+    cache.stop();
+});
+(0, node_test_1.default)("maybeRebuildOnStaleMiss() debounces repeated triggers", async () => {
+    const fetcher = makeFetcher(["Conversation"], ["PART_OF"]);
+    const cache = new schema_cache_js_1.SchemaCache(fetcher, {
+        refreshIntervalMs: 0,
+        staleMissDebounceMs: 5000,
+    });
+    await cache.start();
+    const callsBefore = fetcher.calls;
+    const unknown = [
+        { token: "PART_OFF", kind: "relationship", nearest: ["PART_OF"], hint: "" },
+    ];
+    await cache.maybeRebuildOnStaleMiss(unknown);
+    const afterFirst = fetcher.calls;
+    await cache.maybeRebuildOnStaleMiss(unknown);
+    strict_1.default.equal(fetcher.calls, afterFirst, "second call within debounce should not refetch");
+    strict_1.default.ok(afterFirst > callsBefore, "first call did refetch");
+    cache.stop();
+});
+//# sourceMappingURL=schema-cache.test.js.map

package/payload/platform/lib/graph-mcp/dist/__tests__/schema-cache.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema-cache.test.js","sourceRoot":"","sources":["../../src/__tests__/schema-cache.test.ts"],"names":[],"mappings":";;;;;AAAA,0DAA6B;AAC7B,gEAAwC;AACxC,wDAAqE;AAErE,SAAS,WAAW,CAClB,MAAgB,EAChB,IAAc,EACd,OAA+B,EAAE;IAEjC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,aAAa,GAAG,MAAM,CAAC;IAC3B,IAAI,WAAW,GAAG,IAAI,CAAC;IACvB,OAAO;QACL,IAAI,KAAK;YACP,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,KAAK,CAAC,MAAM;YACV,MAAM,EAAE,CAAC;YACT,IAAI,IAAI,CAAC,QAAQ,IAAI,MAAM,KAAK,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;YAChE,OAAO,aAAa,CAAC;QACvB,CAAC;QACD,KAAK,CAAC,iBAAiB;YACrB,OAAO,WAAW,CAAC;QACrB,CAAC;KACmC,CAAC;AACzC,CAAC;AAED,IAAA,mBAAI,EAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;IACjE,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,cAAc,EAAE,SAAS,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;IACtE,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,KAAK,GAAG,IAAI,6BAAW,CAAC,OAAO,EAAE;QACrC,iBAAiB,EAAE,CAAC;QACpB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;KAC7B,CAAC,CAAC;IACH,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,KAAK,CAAC,CAAC;IACnC,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACpB,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;IAClC,MAAM,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;IAC9B,gBAAM,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC;IAC3C,gBAAM,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;IACtC,gBAAM,CAAC,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;IACjD,gBAAM,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,CAAC,CAAC;IACrE,KAAK,CAAC,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,qFAAqF,EAAE,KAAK,IAAI,EAAE;IACrG,MAAM,OAAO,GAAkB;QAC7B,KAAK,CAAC,MAAM;YACV,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;QACD,KAAK,CAAC,iBAAiB;YACrB,MAAM,IAAI,KAAK,CAAC,cAAc,CAAC,CAAC;QAClC,CAAC;KACF,CAAC;IACF,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,KAAK,GAAG,IAAI,6BAAW,CAAC,OAAO,EAAE;QACrC,iBAAiB,EAAE,CAAC;QACpB,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;KAC7B,CAAC,CAAC;IACH,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACpB,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,KAAK,CAAC,CAAC;IACnC,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC9C,gBAAM,CAAC,EAAE,CACP,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAC1E,6BAA6B,CAC9B,CAAC;IACF,KAAK,CAAC,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;IACpE,IAAI,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,MAAM,OAAO,GAAkB;QAC7B,KAAK,CAAC,MAAM;YACV,OAAO,CAAC,cAAc,CAAC,CAAC;QAC1B,CAAC;QACD,KAAK,CAAC,iBAAiB;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,MAAM,KAAK,GAAG,IAAI,6BAAW,CAAC,OAAO,EAAE,EAAE,iBAAiB,EAAE,CAAC,EAAE,CAAC,CAAC;IACjE,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACpB,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,iBAAiB,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE,KAAK,CAAC,CAAC;IAC7E,IAAI,GAAG,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;IACpC,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAChC,gBAAM,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,iBAAiB,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC;IACnE,KAAK,CAAC,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;IAC1E,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,MAAM,OAAO,GAAkB;QAC7B,KAAK,CAAC,MAAM;YACV,IAAI,IAAI;gBAAE,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;YACvC,OAAO,CAAC,cAAc,CAAC,CAAC;QAC1B,CAAC;QACD,KAAK,CAAC,iBAAiB;YACrB,IAAI,IAAI;gBAAE,MAAM,IAAI,KAAK,CAAC,WAAW,CAAC,CAAC;YACvC,OAAO,CAAC,SAAS,CAAC,CAAC;QACrB,CAAC;KACF,CAAC;IACF,MAAM,KAAK,GAAG,IAAI,6BAAW,CAAC,OAAO,EAAE,EAAE,iBAAiB,EAAE,CAAC,EAAE,CAAC,CAAC;IACjE,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACpB,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,CAAC;IAClC,IAAI,GAAG,IAAI,CAAC;IACZ,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC3C,gBAAM,CAAC,KAAK,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;IACxB,gBAAM,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,+CAA+C,CAAC,CAAC;IACnF,gBAAM,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC;IACvD,KAAK,CAAC,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,mFAAmF,EAAE,KAAK,IAAI,EAAE;IACnG,IAAI,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IACvB,MAAM,OAAO,GAAkB;QAC7B,KAAK,CAAC,MAAM;YACV,OAAO,CAAC,cAAc,CAAC,CAAC;QAC1B,CAAC;QACD,KAAK,CAAC,iBAAiB;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,MAAM,KAAK,GAAG,IAAI,6BAAW,CAAC,OAAO,EAAE;QACrC,iBAAiB,EAAE,CAAC;QACpB,mBAAmB,EAAE,CAAC;KACvB,CAAC,CAAC;IACH,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACpB,IAAI,GAAG,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAC/B,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,uBAAuB,CAAC;QACpD,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE;KAC5E,CAAC,CAAC;IACH,gBAAM,CAAC,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC9B,gBAAM,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,iBAAiB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,iFAAiF,EAAE,KAAK,IAAI,EAAE;IACjG,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;IAC3D,MAAM,KAAK,GAAG,IAAI,6BAAW,CAAC,OAAO,EAAE;QACrC,iBAAiB,EAAE,CAAC;QACpB,mBAAmB,EAAE,CAAC;KACvB,CAAC,CAAC;IACH,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACpB,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,uBAAuB,CAAC;QACpD,EAAE,KAAK,EAAE,sBAAsB,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE;KACxF,CAAC,CAAC;IACH,gBAAM,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAC/B,gBAAM,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,WAAW,EAAE,4CAA4C,CAAC,CAAC;IACvF,KAAK,CAAC,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC;AAEH,IAAA,mBAAI,EAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;IACvE,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;IAC3D,MAAM,KAAK,GAAG,IAAI,6BAAW,CAAC,OAAO,EAAE;QACrC,iBAAiB,EAAE,CAAC;QACpB,mBAAmB,EAAE,IAAI;KAC1B,CAAC,CAAC;IACH,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;IACpB,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC;IAClC,MAAM,OAAO,GAAG;QACd,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,cAAuB,EAAE,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE;KACrF,CAAC;IACF,MAAM,KAAK,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC;IACjC,MAAM,KAAK,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAC7C,gBAAM,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,gDAAgD,CAAC,CAAC;IAC1F,gBAAM,CAAC,EAAE,CAAC,UAAU,GAAG,WAAW,EAAE,wBAAwB,CAAC,CAAC;IAC9D,KAAK,CAAC,IAAI,EAAE,CAAC;AACf,CAAC,CAAC,CAAC"}

package/payload/platform/lib/graph-mcp/dist/cypher-validate.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Cypher schema validation for the graph-mcp proxy (Task 654).
+ *
+ * Tokenises a cypher string for labels (`:Label`) and relationship types
+ * (`[:REL_TYPE]`, including `[r:TYPE]`, `[:TYPE*1..5]`, `[:A|B]`) and checks
+ * each against a schema snapshot. Unknown tokens are returned with the
+ * Levenshtein-nearest known tokens of the same kind as suggestions.
+ *
+ * Design posture:
+ *   - Defence layer, not a cypher correctness gate. Pass-through on any
+ *     unparseable pattern — Neo4j remains the syntax authority.
+ *   - Empty schema snapshot (cache not ready, or Neo4j unreachable at boot)
+ *     fails OPEN: ok=true, no rejections. The boot-race treatment is a
+ *     deliberate choice — refusing all cypher would wedge the admin agent
+ *     harder than the typo class this layer prevents. The caller emits
+ *     `validated=false` on the existing [graph-query] line so operators
+ *     still see the bypass.
+ *   - String literals are stripped before tokenisation to avoid matching
+ *     `:Foo` inside quoted content (e.g. `WHERE n.note CONTAINS ':Foo'`).
+ */
+export interface SchemaSnapshot {
+    readonly labels: ReadonlySet<string>;
+    readonly relationshipTypes: ReadonlySet<string>;
+}
+export interface UnknownToken {
+    token: string;
+    kind: "label" | "relationship";
+    nearest: string[];
+    hint: string;
+}
+export interface ValidationResult {
+    ok: boolean;
+    unknown: UnknownToken[];
+    labelTokens: string[];
+    edgeTokens: string[];
+}
+export declare function validate(cypher: string, snapshot: SchemaSnapshot): ValidationResult;
+//# sourceMappingURL=cypher-validate.d.ts.map

package/payload/platform/lib/graph-mcp/dist/cypher-validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cypher-validate.d.ts","sourceRoot":"","sources":["../src/cypher-validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IACrC,QAAQ,CAAC,iBAAiB,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,OAAO,GAAG,cAAc,CAAC;IAC/B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,OAAO,CAAC;IACZ,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAkFD,wBAAgB,QAAQ,CACtB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,cAAc,GACvB,gBAAgB,CAiClB"}

package/payload/platform/lib/graph-mcp/dist/cypher-validate.js

@@ -0,0 +1,130 @@
+"use strict";
+/**
+ * Cypher schema validation for the graph-mcp proxy (Task 654).
+ *
+ * Tokenises a cypher string for labels (`:Label`) and relationship types
+ * (`[:REL_TYPE]`, including `[r:TYPE]`, `[:TYPE*1..5]`, `[:A|B]`) and checks
+ * each against a schema snapshot. Unknown tokens are returned with the
+ * Levenshtein-nearest known tokens of the same kind as suggestions.
+ *
+ * Design posture:
+ *   - Defence layer, not a cypher correctness gate. Pass-through on any
+ *     unparseable pattern — Neo4j remains the syntax authority.
+ *   - Empty schema snapshot (cache not ready, or Neo4j unreachable at boot)
+ *     fails OPEN: ok=true, no rejections. The boot-race treatment is a
+ *     deliberate choice — refusing all cypher would wedge the admin agent
+ *     harder than the typo class this layer prevents. The caller emits
+ *     `validated=false` on the existing [graph-query] line so operators
+ *     still see the bypass.
+ *   - String literals are stripped before tokenisation to avoid matching
+ *     `:Foo` inside quoted content (e.g. `WHERE n.note CONTAINS ':Foo'`).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validate = validate;
+// Bracket content containing a type reference. Examples this matches:
+//   [:PART_OF]
+//   [r:PART_OF]
+//   [:PART_OF*1..5]
+//   [r:PART_OF*]
+//   [:A|B]
+// The captured group is the TYPE(|TYPE)* alternation; the consumer splits it.
+const EDGE_PATTERN = /\[[^\]]*?:([A-Z_][A-Za-z0-9_]*(?:\|[A-Z_][A-Za-z0-9_]*)*)[^\]]*?\]/g;
+// Label reference in a node pattern. Applied to a remainder string that has
+// already had edge-bracket substrings stripped, so there is no overlap with
+// the edge pattern. The [A-Z] anchor excludes lowercase map keys.
+const LABEL_PATTERN = /:([A-Z][A-Za-z0-9_]*)/g;
+function stripStringLiterals(cypher) {
+    // Replace single- and double-quoted literals with empty quotes. Preserves
+    // positional structure without retaining content that could match the
+    // label regex (e.g. ':SomeLabel' inside a string).
+    return cypher.replace(/'[^']*'|"[^"]*"/g, '""');
+}
+function extractTokens(cypher) {
+    const cleaned = stripStringLiterals(cypher);
+    const edges = new Set();
+    let match;
+    const edgePattern = new RegExp(EDGE_PATTERN.source, EDGE_PATTERN.flags);
+    while ((match = edgePattern.exec(cleaned)) !== null) {
+        for (const type of match[1].split("|")) {
+            const clean = type.trim();
+            if (clean)
+                edges.add(clean);
+        }
+    }
+    const remainder = cleaned.replace(edgePattern, "");
+    const labels = new Set();
+    const labelPattern = new RegExp(LABEL_PATTERN.source, LABEL_PATTERN.flags);
+    while ((match = labelPattern.exec(remainder)) !== null) {
+        labels.add(match[1]);
+    }
+    return { labels, edges };
+}
+function levenshtein(a, b) {
+    if (a === b)
+        return 0;
+    if (a.length === 0)
+        return b.length;
+    if (b.length === 0)
+        return a.length;
+    let prev = new Array(b.length + 1);
+    let curr = new Array(b.length + 1);
+    for (let j = 0; j <= b.length; j++)
+        prev[j] = j;
+    for (let i = 1; i <= a.length; i++) {
+        curr[0] = i;
+        for (let j = 1; j <= b.length; j++) {
+            const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+            curr[j] = Math.min(curr[j - 1] + 1, prev[j] + 1, prev[j - 1] + cost);
+        }
+        [prev, curr] = [curr, prev];
+    }
+    return prev[b.length];
+}
+function nearestMatches(token, known, limit = 3) {
+    if (known.size === 0)
+        return [];
+    const scored = [];
+    for (const k of known)
+        scored.push([k, levenshtein(token, k)]);
+    scored.sort((a, b) => a[1] - b[1] || a[0].localeCompare(b[0]));
+    return scored.slice(0, limit).map(([k]) => k);
+}
+function hintFor(token, kind, nearest) {
+    const didYouMean = nearest.length > 0 ? `Did you mean :${nearest[0]}? ` : "";
+    return `${didYouMean}Unknown ${kind} '${token}' — not in the current Neo4j schema. See .docs/neo4j.md for the canonical taxonomy.`;
+}
+function validate(cypher, snapshot) {
+    const { labels, edges } = extractTokens(cypher);
+    // Fail-open when the snapshot is empty. An empty snapshot means "schema
+    // cache not loaded" (boot race, Neo4j unreachable). Rejecting every token
+    // would wedge the admin agent; letting it through preserves the observable
+    // `validated=false` signal on the existing [graph-query] line.
+    if (snapshot.labels.size === 0 && snapshot.relationshipTypes.size === 0) {
+        return {
+            ok: true,
+            unknown: [],
+            labelTokens: [...labels],
+            edgeTokens: [...edges],
+        };
+    }
+    const unknown = [];
+    for (const token of labels) {
+        if (!snapshot.labels.has(token)) {
+            const nearest = nearestMatches(token, snapshot.labels);
+            unknown.push({ token, kind: "label", nearest, hint: hintFor(token, "label", nearest) });
+        }
+    }
+    for (const token of edges) {
+        if (!snapshot.relationshipTypes.has(token)) {
+            const nearest = nearestMatches(token, snapshot.relationshipTypes);
+            unknown.push({ token, kind: "relationship", nearest, hint: hintFor(token, "relationship", nearest) });
+        }
+    }
+    return {
+        ok: unknown.length === 0,
+        unknown,
+        labelTokens: [...labels],
+        edgeTokens: [...edges],
+    };
+}
+//# sourceMappingURL=cypher-validate.js.map

package/payload/platform/lib/graph-mcp/dist/cypher-validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cypher-validate.js","sourceRoot":"","sources":["../src/cypher-validate.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;AAqGH,4BAoCC;AApHD,sEAAsE;AACtE,eAAe;AACf,gBAAgB;AAChB,oBAAoB;AACpB,iBAAiB;AACjB,WAAW;AACX,8EAA8E;AAC9E,MAAM,YAAY,GAAG,qEAAqE,CAAC;AAE3F,4EAA4E;AAC5E,4EAA4E;AAC5E,kEAAkE;AAClE,MAAM,aAAa,GAAG,wBAAwB,CAAC;AAE/C,SAAS,mBAAmB,CAAC,MAAc;IACzC,0EAA0E;IAC1E,sEAAsE;IACtE,mDAAmD;IACnD,OAAO,MAAM,CAAC,OAAO,CAAC,kBAAkB,EAAE,IAAI,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,OAAO,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC5C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,IAAI,KAA6B,CAAC;IAClC,MAAM,WAAW,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC;IACxE,OAAO,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpD,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YACvC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,KAAK;gBAAE,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IACD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,MAAM,YAAY,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,aAAa,CAAC,KAAK,CAAC,CAAC;IAC3E,OAAO,CAAC,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACvD,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED,SAAS,WAAW,CAAC,CAAS,EAAE,CAAS;IACvC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACtB,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,IAAI,GAAG,IAAI,KAAK,CAAS,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC3C,IAAI,IAAI,GAAG,IAAI,KAAK,CAAS,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3C,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QACvE,CAAC;QACD,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,cAAc,CACrB,KAAa,EACb,KAA0B,EAC1B,KAAK,GAAG,CAAC;IAET,IAAI,KAAK,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAChC,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/D,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,OAAO,CACd,KAAa,EACb,IAA8B,EAC9B,OAAiB;IAEjB,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,iBAAiB,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7E,OAAO,GAAG,UAAU,WAAW,IAAI,KAAK,KAAK,qFAAqF,CAAC;AACrI,CAAC;AAED,SAAgB,QAAQ,CACtB,MAAc,EACd,QAAwB;IAExB,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAChD,wEAAwE;IACxE,0EAA0E;IAC1E,2EAA2E;IAC3E,+DAA+D;IAC/D,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,QAAQ,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACxE,OAAO;YACL,EAAE,EAAE,IAAI;YACR,OAAO,EAAE,EAAE;YACX,WAAW,EAAE,CAAC,GAAG,MAAM,CAAC;YACxB,UAAU,EAAE,CAAC,GAAG,KAAK,CAAC;SACvB,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAmB,EAAE,CAAC;IACnC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;YACvD,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;QAC1B,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,EAAE,QAAQ,CAAC,iBAAiB,CAAC,CAAC;YAClE,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,EAAE,cAAc,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QACxG,CAAC;IACH,CAAC;IACD,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC;QACxB,OAAO;QACP,WAAW,EAAE,CAAC,GAAG,MAAM,CAAC;QACxB,UAAU,EAAE,CAAC,GAAG,KAAK,CAAC;KACvB,CAAC;AACJ,CAAC"}