@rubytech/create-realagent 1.0.712 → 1.0.713

package/payload/platform/lib/graph-search/src/index.ts

@@ -46,6 +46,12 @@ export interface SearchHit {
 
 export interface SearchResult extends SearchHit {
   related: Array<{
+    /**
+     * Task 747 — neighbour `elementId`. Required by the /graph canvas to
+     * render edges in pipeline-collapse mode (search response IS the canvas
+     * data). The MCP memory-search tool ignores it; the field is additive.
+     */
+    nodeId: string;
     relationship: string;
     direction: string;
     labels: string[];
@@ -71,10 +77,17 @@ export interface Bm25OnlyParams {
   agentSlug?: string;
   keywords?: string[];
   keywordMatch?: "any" | "all";
+  /**
+   * Task 747 — gate BM25 hits to nodes carrying at least one of these labels.
+   * Mirrors hybrid()'s vector-half label filter so the Ollama-down fallback
+   * honours the same gate the operator applied via /graph chips. Empty array
+   * is treated as "no gate" (matches hybrid's `labels && labels.length > 0`
+   * guard); admin route enforces non-empty `labels` as a precondition.
+   */
+  labels?: string[];
 }
 
 export interface HybridParams extends Bm25OnlyParams {
-  labels?: string[];
   expandHops?: number;
   keywordSubscriptions?: string[];
   /**
@@ -91,6 +104,14 @@ export interface HybridResponse {
   results: SearchResult[];
   /** Populated when degradeOnEmbedFailure fired. Caller logs it. */
   embedError?: string;
+  /**
+   * Task 747 — milliseconds spent on the batched expand round-trip alone
+   * (separate from embed + vector + BM25). The /graph admin route emits
+   * this as `expand-ms=N` so a regression on the post-Task-747 batching
+   * surfaces in server.log without needing a profiler. Zero when
+   * `expandHops === 0` or no merged results.
+   */
+  expandMs: number;
 }
 
 export type EmbedFn = (text: string) => Promise<number[]>;
@@ -170,13 +191,16 @@ export async function bm25Only(
   session: Session,
   params: Bm25OnlyParams,
 ): Promise<SearchHit[]> {
-  const { query, accountId, limit, allowedScopes, agentSlug, keywords, keywordMatch } = params;
+  const { query, accountId, limit, allowedScopes, agentSlug, keywords, keywordMatch, labels } = params;
   const scopeClause = allowedScopes
     ? "AND (node.scope IS NULL OR node.scope IN $allowedScopes)"
     : "";
   const agentClause = agentSlug
     ? "AND node.agents IS NOT NULL AND $agentSlug IN node.agents"
     : "";
+  const labelClause = labels && labels.length > 0
+    ? "AND any(l IN labels(node) WHERE l IN $labels)"
+    : "";
   const keywordFilter = buildKeywordFilter(keywords, keywordMatch);
   const kwClause = keywordFilter?.clause ?? "";
   const escaped = escapeLucene(query);
@@ -188,6 +212,7 @@ export async function bm25Only(
        WHERE node.accountId = $accountId
        ${scopeClause}
        ${agentClause}
+       ${labelClause}
        AND ${notTrashed("node")}
        ${kwClause}
        RETURN node, score, labels(node) AS nodeLabels, elementId(node) AS nodeId
@@ -200,6 +225,7 @@ export async function bm25Only(
         limit: int(limit),
         ...(allowedScopes ? { allowedScopes } : {}),
         ...(agentSlug ? { agentSlug } : {}),
+        ...(labels && labels.length > 0 ? { labels } : {}),
         ...(keywordFilter?.params ?? {}),
       },
     );
@@ -270,7 +296,7 @@ export async function hybrid(
     const msg = err instanceof Error ? err.message : String(err);
     const bm25Hits = await bm25Only(session, params);
     const results: SearchResult[] = bm25Hits.map((h) => ({ ...h, related: [] }));
-    return { mode: "bm25", results, embedError: msg };
+    return { mode: "bm25", results, embedError: msg, expandMs: 0 };
   }
 
   const labelToIndex = await discoverIndexes(session);
@@ -288,7 +314,7 @@ export async function hybrid(
       .map((l) => labelToIndex.get(l))
       .filter((idx): idx is string => idx !== undefined);
     if (indexesToQuery.length === 0) {
-      return { mode: "hybrid", results: [] };
+      return { mode: "hybrid", results: [], expandMs: 0 };
     }
   } else {
     indexesToQuery = [...new Set(labelToIndex.values())];
@@ -418,50 +444,81 @@ export async function hybrid(
     .sort((a, b) => b.combinedScore - a.combinedScore)
     .slice(0, limit);
 
-  // --- Graph expand ---
-  const results: SearchResult[] = [];
-  for (const node of merged) {
-    const result: SearchResult = {
-      nodeId: node.nodeId,
-      labels: node.labels,
-      properties: node.properties,
-      score: node.combinedScore,
-      related: [],
-    };
-    if (expandHops > 0) {
-      const expandScopeClause = allowedScopes
-        ? "AND (related.scope IS NULL OR related.scope IN $allowedScopes)"
-        : "";
-      const expandAgentClause = agentSlug
-        ? "AND (related.agents IS NULL OR $agentSlug IN related.agents)"
-        : "";
-      const expandResult = await session.run(
-        `MATCH (n)-[r]-(related)
-         WHERE elementId(n) = $nodeId
-         AND ${notTrashed("related")}
-         ${expandScopeClause}
-         ${expandAgentClause}
-         RETURN type(r) AS relType,
-                CASE WHEN startNode(r) = n THEN 'outgoing' ELSE 'incoming' END AS direction,
-                labels(related) AS relatedLabels,
-                related
-         LIMIT 20`,
-        { nodeId: node.nodeId, ...scopeParams, ...agentParams },
-      );
-      for (const rec of expandResult.records) {
-        const related = rec.get("related") as { properties: Record<string, unknown> };
-        result.related.push({
-          relationship: rec.get("relType") as string,
-          direction: rec.get("direction") as string,
-          labels: rec.get("relatedLabels") as string[],
-          properties: plainProperties(related.properties),
+  // --- Graph expand (Task 747 — single batched round-trip) ---
+  //
+  // Pre-Task-747: one Cypher per merged node, in a JS for-loop. At the admin
+  // route's slider=2000 this produced 2000 driver round-trips per search.
+  //
+  // Post-Task-747: one UNWIND-driven query for all merged nodeIds. The
+  // `WITH nid, collect({...})[0..20]` clause preserves the per-result cap of
+  // 20 neighbours that the per-node query enforced via `LIMIT 20`. Slice
+  // notation is order-preserving over the rows it consumes (no upstream
+  // ORDER BY changes that), so canvas-edge density per hit is unchanged.
+  //
+  // Each `related` entry now carries `relatedNodeId` (the neighbour's
+  // elementId) so the /graph canvas can render edges in pipeline-collapse
+  // mode (search response IS the canvas data when `q` is set).
+  const results: SearchResult[] = merged.map((node) => ({
+    nodeId: node.nodeId,
+    labels: node.labels,
+    properties: node.properties,
+    score: node.combinedScore,
+    related: [],
+  }));
+
+  let expandMs = 0;
+  if (expandHops > 0 && results.length > 0) {
+    const expandScopeClause = allowedScopes
+      ? "AND (related.scope IS NULL OR related.scope IN $allowedScopes)"
+      : "";
+    const expandAgentClause = agentSlug
+      ? "AND (related.agents IS NULL OR $agentSlug IN related.agents)"
+      : "";
+    const expandStart = Date.now();
+    const expandResult = await session.run(
+      `UNWIND $nodeIds AS nid
+       MATCH (n)-[r]-(related)
+       WHERE elementId(n) = nid
+       AND ${notTrashed("related")}
+       ${expandScopeClause}
+       ${expandAgentClause}
+       WITH nid, n, r, related
+       WITH nid, collect({
+         relType: type(r),
+         direction: CASE WHEN startNode(r) = n THEN 'outgoing' ELSE 'incoming' END,
+         relatedNodeId: elementId(related),
+         relatedLabels: labels(related),
+         related: related
+       })[0..20] AS items
+       RETURN nid, items`,
+      { nodeIds: results.map((r) => r.nodeId), ...scopeParams, ...agentParams },
+    );
+    expandMs = Date.now() - expandStart;
+    const byNodeId = new Map<string, SearchResult>(results.map((r) => [r.nodeId, r]));
+    for (const rec of expandResult.records) {
+      const nid = rec.get("nid") as string;
+      const target = byNodeId.get(nid);
+      if (!target) continue;
+      const items = rec.get("items") as Array<{
+        relType: string;
+        direction: string;
+        relatedNodeId: string;
+        relatedLabels: string[];
+        related: { properties: Record<string, unknown> };
+      }>;
+      for (const item of items) {
+        target.related.push({
+          nodeId: item.relatedNodeId,
+          relationship: item.relType,
+          direction: item.direction,
+          labels: item.relatedLabels,
+          properties: plainProperties(item.related.properties),
         });
       }
     }
-    results.push(result);
   }
 
-  return { mode: "hybrid", results };
+  return { mode: "hybrid", results, expandMs };
 }
 
 function mergeBm25Hit(

package/payload/platform/plugins/docs/references/platform.md

@@ -17,7 +17,7 @@ The Pi runs the web interface, the AI agent, and all the plugin servers. When yo
 
 Maxy runs two agents simultaneously:
 
-**Admin agent (you)** — full access to all tools and plugins. This is the agent you interact with at your local or remote URL. It can read and write contacts, send Telegram messages, manage your account, and perform any task you have plugins for. Protected by your PIN.
+**Admin agent (you)** — full access to all tools and plugins. This is the agent you interact with at your local or remote URL. It can read and write contacts, send Telegram messages, manage your account, and perform any task you have plugins for. Protected by your PIN. Your admin agent runs through your own Claude Code OAuth session — it never bills the Anthropic API. Authentication and SDK details are documented in the developer doc `.docs/platform.md` admin-agent section.
 
 **Public agent (visitors)** — read-only access. Handles enquiries from people who reach your public URL. It can answer questions about your business and collect waitlist signups, but it cannot access your private data or take actions.
 
@@ -51,6 +51,8 @@ Maxy maintains a graph database (Neo4j) of everything you've told it. People, co
 
 The memory graph is stored on your Pi. It never leaves your network.
 
+The graph view (at `/graph`) lets you explore the memory directly. Pick a category from the filter, then type to search inside it — typing makes the canvas narrower, not wider. Drag the slider to control how many matches you see (1 to 2000). If the search shows a yellow banner saying "Vector ranking unavailable," it means the local AI ranking model is offline; results are still returned using keyword match, but ordering is less semantic until the ranker recovers.
+
 ## The Web Interface
 
 The web app runs on your Pi on port 19200. A small always-on front door (`maxy-edge`) owns that port and the remote terminal transport — so when the Software Update command restarts the app server, the browser-side terminal keeps streaming bytes exactly like an SSH session would. The edge also hosts the update flow's own routes (the sudo prompt, the action launcher, the SSE progress stream, the installed-version poll), so the Software Update modal's log panel does not go blank during the app-server restart window — it keeps receiving lines, heartbeats, and the final exit event unbroken. Login cookies are HMAC-signed with a shared key on disk, so both processes recognise the same session without any coordination and you do not have to log in again after an update. Every request is also classified as LAN or external based on the network shape it arrived on — LAN browsers reach admin directly; the remote password screen only appears on the tunnel-exposed admin domain. It provides:

package/payload/platform/scripts/check-sdk-oauth.mjs

@@ -0,0 +1,178 @@
+#!/usr/bin/env node
+// Task 746 — OAuth + wire-identity check for @anthropic-ai/claude-agent-sdk.
+//
+// One-shot spike. Pi-runnable. Intentionally orphan/standalone — not imported
+// by any production module, not wired into any cron, hook, or route. Task 606
+// owns SDK adoption in production; this script gates that adoption.
+//
+// Precondition (exact):
+//   ssh <pi>     # see memory/reference_device_ssh.md for hosts
+//   cd /tmp && mkdir -p sdk-spike && cd sdk-spike
+//   npm install @anthropic-ai/claude-agent-sdk@0.2.119   # pin matches static evidence
+//   cp <repo>/platform/scripts/check-sdk-oauth.mjs .
+//   unset ANTHROPIC_API_KEY
+//   node check-sdk-oauth.mjs 2>&1 | tee spike.log
+//
+// PASS condition: apiKeySource ∈ {'oauth', 'none'}. Both indicate OAuth-only mode:
+// 'oauth' = SDK supplied an OAuth-issued API key; 'none' = SDK supplied no key
+// at all and the claude binary's own ~/.claude/.credentials.json OAuth state is
+// in use. Cross-check with `claude --print --output-format json "Reply…"` to
+// confirm the same value: parity = SDK is faithfully proxying claude's auth.
+//
+// Verdict reasons (exit 1 unless PASS):
+//   env-set                       ANTHROPIC_API_KEY present (operator must `unset`)
+//   no-oauth-credentials          ~/.claude/.credentials.json unreadable, empty,
+//                                 or contains no OAuth-shaped fields (run `claude login`)
+//   exception:<msg>               SDK import or runtime error
+//   no-system-init                SDK never emitted system.init message
+//   wrong-api-key-source:<value>  apiKeySource ∉ {oauth, none} — value verbatim;
+//                                 MISSING-FIELD if SDK message shape drifted
+//                                 (raw msg dumped on next line)
+//   assistant-error:<value>       SDK reported assistant error: authentication_failed |
+//                                 billing_error | rate_limit | invalid_request |
+//                                 server_error | unknown | max_output_tokens
+//   no-response                   no assistant message arrived
+//   empty-response                assistant arrived, no text content
+//   timeout                       60s elapsed waiting for response
+//
+// Wire-identity (mitmproxy header diff vs `claude -p`) and subscription-billing
+// (VNC dashboard) are operator-manual per Task 746 brief — not script-side.
+// .docs/platform.md captures the consolidated verdict (script + mitm + VNC).
+
+import { accessSync, readFileSync, constants as FS } from 'node:fs'
+import { homedir } from 'node:os'
+import { join } from 'node:path'
+
+const TIMEOUT_MS = 60_000
+const PROMPT = 'Reply with the literal string OK and nothing else.'
+// Claude Code emits apiKeySource='none' when the SDK supplies no API key and
+// the claude binary uses its own OAuth credentials at ~/.claude/.credentials.json.
+// Brief assumed 'oauth' based on stale type-defs; runtime-correct OAuth-only
+// indicator on Claude Code 2.1.x is 'none'. Both accepted; cross-check with
+// `claude --print --output-format json` to confirm parity.
+const OAUTH_API_KEY_SOURCES = new Set(['oauth', 'none'])
+
+const log = (line) => process.stdout.write(line + '\n')
+const safeStringify = (v) => { try { return JSON.stringify(v) } catch { return '<unstringifiable>' } }
+
+let verdictEmitted = false
+const fail = (reason) => {
+  if (verdictEmitted) return
+  verdictEmitted = true
+  log(`[sdk-spike] verdict: FAIL reason=${reason}`)
+  process.exit(1)
+}
+const pass = (note) => {
+  if (verdictEmitted) return
+  verdictEmitted = true
+  log(`[sdk-spike] verdict: PASS${note ? ` ${note}` : ''}`)
+  process.exit(0)
+}
+
+async function main() {
+  const envState = process.env.ANTHROPIC_API_KEY ? 'set' : 'unset'
+  log(`[sdk-spike] env: ANTHROPIC_API_KEY=${envState}`)
+  if (envState === 'set') fail('env-set')
+
+  const credsPath = join(homedir(), '.claude', '.credentials.json')
+  try { accessSync(credsPath, FS.R_OK) }
+  catch { fail('no-oauth-credentials') }
+
+  let credsSize = 0
+  let credsHasOauthFields = false
+  let credsTopKeys = []
+  try {
+    const credsRaw = readFileSync(credsPath, 'utf8')
+    credsSize = credsRaw.length
+    const credsObj = JSON.parse(credsRaw)
+    credsTopKeys = Object.keys(credsObj).sort()
+    credsHasOauthFields = credsTopKeys.some((k) => /oauth|access|refresh|bearer/i.test(k)) ||
+      Object.values(credsObj).some((v) => v && typeof v === 'object' &&
+        Object.keys(v).some((k) => /oauth|access|refresh|bearer/i.test(k)))
+  } catch { /* malformed creds file — surface in log, fail with no-oauth-credentials below */ }
+  log(`[sdk-spike] creds: size=${credsSize} topKeys=${credsTopKeys.join(',')} hasOauthFields=${credsHasOauthFields}`)
+  if (credsSize === 0 || !credsHasOauthFields) fail('no-oauth-credentials')
+
+  let query
+  try {
+    ({ query } = await import('@anthropic-ai/claude-agent-sdk'))
+  } catch (err) {
+    fail(`exception:${String(err?.message ?? err).slice(0, 200)}`)
+  }
+
+  let sdkVersion = '<unknown>'
+  try {
+    const pkgPath = join(process.cwd(), 'node_modules', '@anthropic-ai', 'claude-agent-sdk', 'package.json')
+    sdkVersion = JSON.parse(readFileSync(pkgPath, 'utf8')).version
+  } catch { /* leave as <unknown> — diagnostic, not load-bearing */ }
+  log(`[sdk-spike] sdk-version: ${sdkVersion}`)
+
+  let gotInit = false
+  let apiKeySource = ''
+  let apiProvider = ''
+  let model = ''
+  let sessionId = ''
+  let claudeCodeVersion = ''
+  let gotAssistant = false
+  let assistantError = ''
+  let responseText = ''
+
+  const result = query({ prompt: PROMPT })
+
+  let timeoutId
+  const timer = new Promise((_, reject) => {
+    timeoutId = setTimeout(() => reject(new Error(`timeout after ${TIMEOUT_MS}ms`)), TIMEOUT_MS)
+  })
+
+  const consume = (async () => {
+    for await (const msg of result) {
+      if (msg?.type === 'system' && msg?.subtype === 'init') {
+        gotInit = true
+        // apiKeySource is required (sdk.d.ts:3286 — non-optional). MISSING-FIELD here = SDK shape drift, dump raw.
+        apiKeySource = msg.apiKeySource ?? msg.api_key_source ?? 'MISSING-FIELD'
+        // apiProvider is optional (sdk.d.ts:32 declares `?:`); absent on Claude Code 2.1.119. <absent> ≠ defect.
+        apiProvider = msg.apiProvider ?? msg.api_provider ?? '<absent>'
+        model = msg.model ?? '<unknown>'
+        sessionId = msg.session_id ?? msg.sessionId ?? '<unknown>'
+        claudeCodeVersion = msg.claude_code_version ?? '<unknown>'
+        log(`[sdk-spike] system-init: apiKeySource=${apiKeySource} apiProvider=${apiProvider} model=${model} sessionId=${sessionId} claudeCodeVersion=${claudeCodeVersion}`)
+        if (apiKeySource === 'MISSING-FIELD') {
+          log(`[sdk-spike] system-init-raw: ${safeStringify(msg)}`)
+        }
+      } else if (msg?.type === 'assistant') {
+        gotAssistant = true
+        if (msg.error && !assistantError) assistantError = msg.error
+        const blocks = msg.message?.content ?? []
+        for (const block of blocks) {
+          if (block?.type === 'text' && typeof block.text === 'string') {
+            responseText += block.text
+          }
+        }
+      }
+    }
+  })()
+
+  try {
+    await Promise.race([consume, timer])
+  } catch (err) {
+    try { Promise.resolve(result.return?.()).catch(() => {}) } catch { /* best-effort cleanup */ }
+    if (String(err?.message ?? '').startsWith('timeout after')) fail('timeout')
+    fail(`exception:${String(err?.message ?? err).slice(0, 200)}`)
+  } finally {
+    clearTimeout(timeoutId)
+    try { Promise.resolve(result.return?.()).catch(() => {}) } catch { /* best-effort cleanup */ }
+  }
+
+  log(`[sdk-spike] response: ${responseText}`)
+
+  if (!gotInit) fail('no-system-init')
+  if (!OAUTH_API_KEY_SOURCES.has(apiKeySource)) fail(`wrong-api-key-source:${apiKeySource}`)
+  if (assistantError) fail(`assistant-error:${assistantError}`)
+  if (!gotAssistant) fail('no-response')
+  if (responseText.trim() === '') fail('empty-response')
+  pass(`apiKeySource=${apiKeySource} apiProvider=${apiProvider} sdk=${sdkVersion} cli=${claudeCodeVersion}`)
+}
+
+main().catch((err) => {
+  fail(`exception:${String(err?.message ?? err).slice(0, 200)}`)
+})

package/payload/server/public/assets/{Checkbox-CjbS9JcG.js → Checkbox-Dr9MqNdk.js}

@@ -1 +1 @@
-import{t as e}from"./jsx-runtime-BUs3sHtV.js";var t=e();function n({checked:e,onChange:n,label:r,disabled:i}){return(0,t.jsxs)(`label`,{className:`maxy-checkbox${i?` maxy-checkbox--disabled`:``}`,children:[(0,t.jsx)(`input`,{type:`checkbox`,checked:e,onChange:e=>n(e.target.checked),disabled:i}),(0,t.jsx)(`span`,{className:`maxy-checkbox__box`,children:`✱`}),r&&(0,t.jsx)(`span`,{className:`maxy-checkbox__label`,children:r})]})}export{n as t};
+import{t as e}from"./jsx-runtime-BKpb2FvO.js";var t=e();function n({checked:e,onChange:n,label:r,disabled:i}){return(0,t.jsxs)(`label`,{className:`maxy-checkbox${i?` maxy-checkbox--disabled`:``}`,children:[(0,t.jsx)(`input`,{type:`checkbox`,checked:e,onChange:e=>n(e.target.checked),disabled:i}),(0,t.jsx)(`span`,{className:`maxy-checkbox__box`,children:`✱`}),r&&(0,t.jsx)(`span`,{className:`maxy-checkbox__label`,children:r})]})}export{n as t};