@rubytech/create-realagent 1.0.771 → 1.0.773

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-realagent",
-  "version": "1.0.771",
+  "version": "1.0.773",
   "description": "Install Real Agent — Built for agents. By agents.",
   "bin": {
     "create-realagent": "./dist/index.js"

package/payload/platform/plugins/admin/PLUGIN.md

@@ -1,6 +1,6 @@
 ---
 name: admin
-description: "Platform administration plugin. Provides system-status, brand-settings, account-manage, account-update, admin-add, admin-remove, admin-list, agent-list, agent-config-read, logs-read, plugin-read, render-component, session-reset, session-resume, file-attach, wifi, review-cadence tools (review-rules-list, review-rules-suppress, review-rules-unsuppress, review-rules-add, review-rules-remove, review-alerts-recent), adherence-read (attention-weighted adherence ledger), and action-approval tools (action-pending, action-approve, action-reject, action-edit) for managing the Maxy platform."
+description: "Platform administration plugin. Provides system-status, brand-settings, account-manage, account-update, admin-add, admin-remove, admin-list, admin-update-pin, agent-list, agent-config-read, logs-read, plugin-read, render-component, session-reset, session-resume, file-attach, wifi, review-cadence tools (review-rules-list, review-rules-suppress, review-rules-unsuppress, review-rules-add, review-rules-remove, review-alerts-recent), adherence-read (attention-weighted adherence ledger), and action-approval tools (action-pending, action-approve, action-reject, action-edit) for managing the Maxy platform."
 tools:
   - system-status
   - brand-settings
@@ -9,6 +9,7 @@ tools:
   - admin-add
   - admin-remove
   - admin-list
+  - admin-update-pin
   - agent-list
   - agent-config-read
   - logs-read

package/payload/platform/plugins/admin/mcp/dist/index.js

@@ -545,9 +545,9 @@ server.tool("account-update", "Update a user-configurable setting in account.jso
 // ===================================================================
 // Admin user management tools
 // ===================================================================
-server.tool("admin-add", "Add a new admin user to this account. Creates a device-level user entry (users.json) and adds them to this account's admins list (account.json). Generates a unique 4-digit PIN unless one is specified. Returns the userId and PIN to share with the new admin.", {
-    name: z.string().describe("Display name for the new admin"),
-    pin: z.string().optional().describe("Optional 4-digit PIN. If omitted, a unique PIN is generated."),
+server.tool("admin-add", "Add a new admin user to this account. Creates a device-level user entry (users.json) and adds them to this account's admins list (account.json). PIN must be at least 4 digits. If no PIN is provided, a unique 4-digit PIN is generated. Returns the userId and PIN to share with the new admin.", {
+    name: z.string().describe("Display name for the new admin (stored on the AdminUser node in Neo4j)."),
+    pin: z.string().optional().describe("Optional PIN (minimum 4 digits). If omitted, a unique 4-digit PIN is generated."),
 }, async ({ name, pin: rawPin }) => {
     const TAG = "[admin]";
     if (!name.trim()) {
@@ -577,7 +577,7 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
     }
     // Resolve the calling user's identity from the session environment
     const callerUserId = process.env.USER_ID;
-    // PIN: use provided or generate
+    // PIN: use provided or generate. Constraint: minimum 4 digits, no upper bound.
     let plaintextPin;
     if (rawPin) {
         if (rawPin.length < 4) {
@@ -599,8 +599,9 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
     }
     const pinHash = hashPin(plaintextPin);
     const userId = crypto.randomUUID();
-    // 1. Write to users.json (device-level)
-    users.push({ userId, name: name.trim(), pin: pinHash });
+    // 1. Write to users.json (device-level). Auth fields only — `name` lives
+    //    on the AdminUser node in Neo4j (Task 829).
+    users.push({ userId, pin: pinHash });
     try {
         writeUsersJson(users);
     }
@@ -622,20 +623,58 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
         console.error(`${TAG} account.json write failed: ${err instanceof Error ? err.message : String(err)}`);
         return { content: [{ type: "text", text: `${TAG} User created in users.json but failed to add to account: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
     }
-    // 3. Write to Neo4j (graph-level) — partial failure is a warning, not an error
+    // 3. Write to Neo4j (graph-level): AdminUser + Person + OWNS atomically,
+    //    plus ADMIN_OF edge to the LocalBusiness for this account.
+    //    Task 830 — deterministic identity creation: never delegate node
+    //    creation to the LLM. Person reuse rule mirrors writeAdminUserAndPerson
+    //    in platform/ui/app/lib/neo4j-store.ts (case-insensitive exact match
+    //    on givenName + familyName; partial-name ambiguity does NOT match —
+    //    rationalisation is a separate agent-mediated concern).
     let neo4jWarning = "";
+    let personReused = false;
     try {
         const session = getSession();
         try {
             const createdAt = new Date().toISOString();
             const trimmedName = name.trim();
-            await session.run(`MERGE (au:AdminUser {userId: $userId})
+            const firstSpace = trimmedName.search(/\s/);
+            const givenName = firstSpace === -1 ? trimmedName : trimmedName.slice(0, firstSpace).trim();
+            const familyName = firstSpace === -1 ? null : (trimmedName.slice(firstSpace + 1).trim() || null);
+            const result = await session.run(`MERGE (au:AdminUser {userId: $userId})
            ON CREATE SET au.name = $name, au.createdAt = $createdAt
-           ON MATCH SET au.name = $name
+           ON MATCH SET au.name = $name, au.updatedAt = $createdAt
            WITH au
            MATCH (b:LocalBusiness {accountId: $accountId})
            MERGE (au)-[r:ADMIN_OF]->(b)
-           ON CREATE SET r.role = 'admin', r.grantedAt = $createdAt`, { userId, name: trimmedName, createdAt, accountId: ACCOUNT_ID });
+           ON CREATE SET r.role = 'admin', r.grantedAt = $createdAt
+           WITH au
+           OPTIONAL MATCH (existingPerson:Person {accountId: $accountId})
+           WHERE toLower(existingPerson.givenName) = toLower($givenName)
+             AND coalesce(toLower(existingPerson.familyName), '') = coalesce(toLower($familyName), '')
+           WITH au, existingPerson
+           CALL {
+             WITH au, existingPerson
+             WITH au, existingPerson WHERE existingPerson IS NOT NULL
+             MERGE (au)-[:OWNS]->(existingPerson)
+             RETURN true AS reused
+             UNION
+             WITH au, existingPerson
+             WITH au WHERE existingPerson IS NULL
+             CREATE (newPerson:Person {
+               accountId: $accountId,
+               givenName: $givenName,
+               familyName: $familyName,
+               role: 'admin-personal',
+               scope: 'admin',
+               createdAt: $createdAt
+             })
+             MERGE (au)-[:OWNS]->(newPerson)
+             RETURN false AS reused
+           }
+           RETURN reused`, { userId, name: trimmedName, createdAt, accountId: ACCOUNT_ID, givenName, familyName });
+            if (result.records.length > 0) {
+                personReused = result.records[0].get("reused");
+            }
         }
         finally {
             await session.close();
@@ -646,6 +685,7 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
         console.error(`${TAG} Neo4j sync failed during admin-add: userId=${userId} error=${errMsg} — files written, graph pending`);
         neo4jWarning = ` Note: Neo4j sync failed (${errMsg}) — the admin user is functional but the graph will need reconciliation on next seed.`;
     }
+    console.error(`${TAG} [admin-identity] adminuser-bound userId=${userId.slice(0, 8)} name=${name.trim()} personReused=${personReused}`);
     console.error(`${TAG} admin added: userId=${userId} userName=${name.trim()} accountId=${ACCOUNT_ID} role=admin addedBy=${callerUserId ?? "unknown"}`);
     return {
         content: [{
@@ -676,13 +716,22 @@ server.tool("admin-remove", "Remove an admin from this account. Removes them fro
     if (admins.length <= 1) {
         return { content: [{ type: "text", text: `${TAG} Cannot remove the last admin. At least one admin must remain on the account.` }], isError: true };
     }
-    // Resolve the admin's name for the confirmation message
+    // Resolve the admin's name from Neo4j (canonical) for the confirmation
+    // message. Best-effort — fall back to userId if the graph is unreachable.
     let removedName = userId;
     try {
-        const users = readUsersJson();
-        const user = users.find(u => u.userId === userId);
-        if (user)
-            removedName = user.name;
+        const session = getSession();
+        try {
+            const result = await session.run(`MATCH (au:AdminUser {userId: $userId}) RETURN au.name AS name LIMIT 1`, { userId });
+            if (result.records.length > 0) {
+                const name = result.records[0].get("name");
+                if (name && name.trim())
+                    removedName = name.trim();
+            }
+        }
+        finally {
+            await session.close();
+        }
     }
     catch { /* name lookup is best-effort */ }
     // 1. Remove from account.json
@@ -733,13 +782,27 @@ server.tool("admin-list", "List all admins for this account with their names and
     if (admins.length === 0) {
         return { content: [{ type: "text", text: `${TAG} No admins configured for this account.` }] };
     }
-    // Enrich with names from users.json
-    let users = [];
+    // Enrich with names from Neo4j AdminUser (canonical, Task 829). Best
+    // effort — render "(unknown)" for any userId without a graph entry.
+    const userMap = new Map();
     try {
-        users = readUsersJson();
+        const session = getSession();
+        try {
+            const result = await session.run(`UNWIND $userIds AS uid
+           MATCH (au:AdminUser {userId: uid})
+           RETURN au.userId AS userId, au.name AS name`, { userIds: admins.map(a => a.userId) });
+            for (const record of result.records) {
+                const uid = record.get("userId");
+                const name = record.get("name");
+                if (name && name.trim())
+                    userMap.set(uid, name.trim());
+            }
+        }
+        finally {
+            await session.close();
+        }
     }
-    catch { /* name lookup is best-effort — show userIds if users.json is unavailable */ }
-    const userMap = new Map(users.map(u => [u.userId, u.name]));
+    catch { /* name lookup is best-effort — userIds shown when graph is unreachable */ }
     const lines = admins.map(a => {
         const name = userMap.get(a.userId) ?? "(unknown)";
         return `- **${name}** — role: ${a.role}, userId: ${a.userId}`;
@@ -748,6 +811,54 @@ server.tool("admin-list", "List all admins for this account with their names and
         content: [{ type: "text", text: `Admins for this account:\n\n${lines.join("\n")}` }],
     };
 });
+server.tool("admin-update-pin", "Update an existing admin user's PIN. Defaults to the calling admin if no userId is given. PIN must be at least 4 digits and unique across all users on the device. PINs are device-level: updating another admin's PIN does not require shared account membership — any admin on the device can rotate any other admin's PIN, matching the existing trust model used by admin-remove.", {
+    userId: z.string().optional().describe("The userId of the admin whose PIN to update. Defaults to the caller (the admin invoking this tool)."),
+    newPin: z.string().describe("The new PIN. Minimum 4 digits, no upper bound."),
+}, async ({ userId: targetUserId, newPin }) => {
+    const TAG = "[admin-update-pin]";
+    const callerUserId = process.env.USER_ID;
+    const userId = targetUserId ?? callerUserId;
+    const userIdLabel = userId ? userId.slice(0, 8) : "unknown";
+    if (!userId) {
+        console.error(`${TAG} userId=${userIdLabel} result=user-not-found reason=no-caller-context`);
+        return { content: [{ type: "text", text: `${TAG} No userId supplied and no caller context — cannot update.` }], isError: true };
+    }
+    if (newPin.length < 4) {
+        console.error(`${TAG} userId=${userIdLabel} result=too-short`);
+        return { content: [{ type: "text", text: `${TAG} PIN must be at least 4 digits.` }], isError: true };
+    }
+    let users;
+    try {
+        users = readUsersJson();
+    }
+    catch (err) {
+        console.error(`${TAG} userId=${userIdLabel} result=user-not-found reason=users-json-read-failed`);
+        return { content: [{ type: "text", text: `${TAG} ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+    }
+    const targetIndex = users.findIndex(u => u.userId === userId);
+    if (targetIndex === -1) {
+        console.error(`${TAG} userId=${userIdLabel} result=user-not-found`);
+        return { content: [{ type: "text", text: `${TAG} User ${userId} not found in users.json.` }], isError: true };
+    }
+    const newHash = hashPin(newPin);
+    const collidesWithOther = users.some((u, i) => i !== targetIndex && u.pin === newHash);
+    if (collidesWithOther) {
+        console.error(`${TAG} userId=${userIdLabel} result=collision`);
+        return { content: [{ type: "text", text: `${TAG} That PIN is already in use by another user. Choose a different PIN.` }], isError: true };
+    }
+    users[targetIndex].pin = newHash;
+    try {
+        writeUsersJson(users);
+    }
+    catch (err) {
+        return { content: [{ type: "text", text: `${TAG} Failed to write users.json: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+    }
+    console.error(`${TAG} userId=${userIdLabel} result=ok`);
+    const self = userId === callerUserId;
+    return {
+        content: [{ type: "text", text: `PIN updated${self ? "" : ` for userId ${userId}`}. The new PIN takes effect on the next login.` }],
+    };
+});
 server.tool("agent-image", "Upload, update, or remove an agent's image. action=set: copy the file at filePath to the agent's assets directory and update config.json with image URL and shape. action=remove: delete the image file and clear the image fields from config.json. imageShape: 'circle' for avatars/icons, 'rounded' for logos.", {
     agentSlug: z.string().describe("Agent slug (e.g. 'coaching', 'sales')"),
     action: z.enum(["set", "remove"]),