@rubytech/create-realagent 1.0.772 → 1.0.775

package/payload/platform/plugins/admin/mcp/dist/index.js

@@ -10,6 +10,7 @@ import { appendFileSync, cpSync, existsSync, mkdirSync, readdirSync, readFileSyn
 import { writeKey, validateKey, hasKey, keyFilePath, deleteKey } from "../../../../lib/anthropic-key/dist/index.js";
 import { deviceUrlBlock } from "../../../../lib/device-url/dist/index.js";
 import { substituteBrandPlaceholders } from "../../../../lib/brand-templating/dist/index.js";
+import { resolveEntitlement } from "../../../../lib/entitlement/dist/index.js";
 import { createHash, randomInt, randomUUID } from "node:crypto";
 import { createConnection } from "node:net";
 import { homedir, hostname as osHostname } from "node:os";
@@ -30,7 +31,10 @@ const PLATFORM_PORT = process.env.PLATFORM_PORT;
 if (!PLATFORM_PORT) {
     throw new Error("PLATFORM_PORT environment variable is required — set by getMcpServers() in claude-agent.ts");
 }
-// Brand-aware config — reads configDir and productName from brand.json stamped at install time.
+// Brand-aware config — reads configDir, productName, and commercialMode from
+// brand.json stamped at install time. commercialMode (Task 831) gates the
+// entitlement verifier: false (default) preserves personal-mode installs;
+// true requires a Rubytech-signed entitlement.json or the install runs locked.
 // No fallback: if brand.json is missing or incomplete, the platform wasn't properly installed.
 function resolveBrandConfig() {
     const brandPath = resolve(PLATFORM_ROOT, "config", "brand.json");
@@ -45,7 +49,11 @@ function resolveBrandConfig() {
         if (!brand.productName) {
             throw new Error(`brand.json at ${brandPath} is missing the productName field`);
         }
-        return { configDir: brand.configDir, productName: brand.productName };
+        return {
+            configDir: brand.configDir,
+            productName: brand.productName,
+            commercialMode: brand.commercialMode === true,
+        };
     }
     catch (err) {
         if (err instanceof SyntaxError) {
@@ -57,6 +65,27 @@ function resolveBrandConfig() {
 const BRAND_CONFIG = resolveBrandConfig();
 const CONFIG_DIR = resolve(homedir(), BRAND_CONFIG.configDir);
 const BRAND_NAME = BRAND_CONFIG.productName;
+// Entitlement input shape for the verifier. configDir is rooted under $HOME
+// (where entitlement.json is delivered post-purchase). platformRoot is needed
+// because the verifier runs in two bundle contexts (CJS dist for MCP, ESM tsup
+// bundle for UI) — caller passes the root rather than the verifier guessing.
+const ENTITLEMENT_BRAND = {
+    configDir: CONFIG_DIR,
+    platformRoot: PLATFORM_ROOT,
+    commercialMode: BRAND_CONFIG.commercialMode,
+};
+/** Resolve current effective entitlement. Memoized inside the verifier. */
+async function currentEntitlement() {
+    const config = await readAccountConfig();
+    return resolveEntitlement(ENTITLEMENT_BRAND, {
+        accountId: typeof config.accountId === "string" ? config.accountId : "",
+        customerEmail: typeof config.customerEmail === "string" ? config.customerEmail : undefined,
+        tier: typeof config.tier === "string" ? config.tier : undefined,
+        purchasedPlugins: Array.isArray(config.purchasedPlugins)
+            ? config.purchasedPlugins
+            : undefined,
+    });
+}
 const REMOTE_PASSWORD_FILE = resolve(CONFIG_DIR, ".remote-password");
 // Resolve account directory
 function getAccountDir() {
@@ -542,6 +571,53 @@ server.tool("account-update", "Update a user-configurable setting in account.jso
         };
     }
 });
+// Plugin enable/disable: deterministic write to account.json.enabledPlugins.
+// The pre-tool-use hook denies the agent's direct Edit on account.json (Task 831),
+// so the agent can no longer toggle enablement by hand-editing the file. This
+// tool is the legitimate path: validates the plugin name, refuses core plugins,
+// confirms the plugin directory exists, and atomically updates the array.
+// Entitlement-bearing fields (tier, purchasedPlugins) are NOT writable here.
+server.tool("plugin-toggle-enabled", "Enable or disable a plugin in this account by adding/removing its name from account.json's enabledPlugins array. Validates the plugin exists under platform/plugins/, refuses to disable core plugins (admin, memory, docs, cloudflare, anthropic), and writes atomically. Takes effect on next session start. Does NOT change purchasedPlugins or tier — those derive from the signed entitlement payload.", {
+    pluginName: z.string().describe("Plugin slug (lowercase a-z0-9-)."),
+    action: z.enum(["enable", "disable"]).describe("enable adds to enabledPlugins; disable removes."),
+}, async ({ pluginName, action }) => {
+    const TAG = "[admin:plugin-toggle-enabled]";
+    if (!VALID_PLUGIN_NAME.test(pluginName)) {
+        return { content: [{ type: "text", text: `${TAG} Invalid plugin name "${pluginName}". Must match ${VALID_PLUGIN_NAME}.` }], isError: true };
+    }
+    if (CORE_PLUGINS.includes(pluginName)) {
+        return { content: [{ type: "text", text: `${TAG} "${pluginName}" is a core plugin and cannot be toggled.` }], isError: true };
+    }
+    const pluginDir = resolve(PLUGINS_DIR, pluginName);
+    if (!existsSync(pluginDir) || !existsSync(join(pluginDir, "PLUGIN.md"))) {
+        return { content: [{ type: "text", text: `${TAG} Plugin "${pluginName}" not installed at ${pluginDir} (no PLUGIN.md). Install via premium-deliver or platform release.` }], isError: true };
+    }
+    try {
+        const configPath = join(getAccountDir(), "account.json");
+        const config = await readAccountConfig();
+        const current = Array.isArray(config.enabledPlugins) ? config.enabledPlugins : [];
+        let next;
+        if (action === "enable") {
+            if (current.includes(pluginName)) {
+                return { content: [{ type: "text", text: `${TAG} "${pluginName}" is already enabled.` }] };
+            }
+            next = [...current, pluginName];
+        }
+        else {
+            if (!current.includes(pluginName)) {
+                return { content: [{ type: "text", text: `${TAG} "${pluginName}" is not enabled — nothing to disable.` }] };
+            }
+            next = current.filter((n) => n !== pluginName);
+        }
+        config.enabledPlugins = next;
+        await writeFile(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+        console.error(`${TAG} ${action}d plugin=${pluginName} path=${configPath}`);
+        return { content: [{ type: "text", text: `Plugin "${pluginName}" ${action}d. Takes effect on next session.` }] };
+    }
+    catch (err) {
+        return { content: [{ type: "text", text: `${TAG} Failed: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+    }
+});
 // ===================================================================
 // Admin user management tools
 // ===================================================================
@@ -560,11 +636,15 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
     catch (err) {
         return { content: [{ type: "text", text: `${TAG} ${err instanceof Error ? err.message : String(err)}` }], isError: true };
     }
-    // Enforce per-tier admin limit
+    // Enforce per-tier admin limit. Effective tier comes from the signed
+    // entitlement payload (Task 831) — editing account.json.tier directly
+    // has no effect; the verifier uses the signed value and emits a
+    // [entitlement] tampered: line if disk and signed diverge.
     try {
         const config = await readAccountConfig();
         const currentAdmins = (config.admins ?? []);
-        const tier = typeof config.tier === "string" ? config.tier : "";
+        const entitlement = await currentEntitlement();
+        const tier = entitlement.tier;
         const maxAdmins = MAX_ADMINS_BY_TIER[tier] ?? MAX_ADMINS_DEFAULT;
         if (currentAdmins.length >= maxAdmins) {
             return { content: [{ type: "text", text: `${TAG} Admin limit reached (${maxAdmins} for ${tier || "this"} tier). Remove an existing admin before adding a new one.` }], isError: true };
@@ -623,20 +703,58 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
         console.error(`${TAG} account.json write failed: ${err instanceof Error ? err.message : String(err)}`);
         return { content: [{ type: "text", text: `${TAG} User created in users.json but failed to add to account: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
     }
-    // 3. Write to Neo4j (graph-level) — partial failure is a warning, not an error
+    // 3. Write to Neo4j (graph-level): AdminUser + Person + OWNS atomically,
+    //    plus ADMIN_OF edge to the LocalBusiness for this account.
+    //    Task 830 — deterministic identity creation: never delegate node
+    //    creation to the LLM. Person reuse rule mirrors writeAdminUserAndPerson
+    //    in platform/ui/app/lib/neo4j-store.ts (case-insensitive exact match
+    //    on givenName + familyName; partial-name ambiguity does NOT match —
+    //    rationalisation is a separate agent-mediated concern).
     let neo4jWarning = "";
+    let personReused = false;
     try {
         const session = getSession();
         try {
             const createdAt = new Date().toISOString();
             const trimmedName = name.trim();
-            await session.run(`MERGE (au:AdminUser {userId: $userId})
+            const firstSpace = trimmedName.search(/\s/);
+            const givenName = firstSpace === -1 ? trimmedName : trimmedName.slice(0, firstSpace).trim();
+            const familyName = firstSpace === -1 ? null : (trimmedName.slice(firstSpace + 1).trim() || null);
+            const result = await session.run(`MERGE (au:AdminUser {userId: $userId})
            ON CREATE SET au.name = $name, au.createdAt = $createdAt
-           ON MATCH SET au.name = $name
+           ON MATCH SET au.name = $name, au.updatedAt = $createdAt
            WITH au
            MATCH (b:LocalBusiness {accountId: $accountId})
            MERGE (au)-[r:ADMIN_OF]->(b)
-           ON CREATE SET r.role = 'admin', r.grantedAt = $createdAt`, { userId, name: trimmedName, createdAt, accountId: ACCOUNT_ID });
+           ON CREATE SET r.role = 'admin', r.grantedAt = $createdAt
+           WITH au
+           OPTIONAL MATCH (existingPerson:Person {accountId: $accountId})
+           WHERE toLower(existingPerson.givenName) = toLower($givenName)
+             AND coalesce(toLower(existingPerson.familyName), '') = coalesce(toLower($familyName), '')
+           WITH au, existingPerson
+           CALL {
+             WITH au, existingPerson
+             WITH au, existingPerson WHERE existingPerson IS NOT NULL
+             MERGE (au)-[:OWNS]->(existingPerson)
+             RETURN true AS reused
+             UNION
+             WITH au, existingPerson
+             WITH au WHERE existingPerson IS NULL
+             CREATE (newPerson:Person {
+               accountId: $accountId,
+               givenName: $givenName,
+               familyName: $familyName,
+               role: 'admin-personal',
+               scope: 'admin',
+               createdAt: $createdAt
+             })
+             MERGE (au)-[:OWNS]->(newPerson)
+             RETURN false AS reused
+           }
+           RETURN reused`, { userId, name: trimmedName, createdAt, accountId: ACCOUNT_ID, givenName, familyName });
+            if (result.records.length > 0) {
+                personReused = result.records[0].get("reused");
+            }
         }
         finally {
             await session.close();
@@ -647,6 +765,7 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
         console.error(`${TAG} Neo4j sync failed during admin-add: userId=${userId} error=${errMsg} — files written, graph pending`);
         neo4jWarning = ` Note: Neo4j sync failed (${errMsg}) — the admin user is functional but the graph will need reconciliation on next seed.`;
     }
+    console.error(`${TAG} [admin-identity] adminuser-bound userId=${userId.slice(0, 8)} name=${name.trim()} personReused=${personReused}`);
     console.error(`${TAG} admin added: userId=${userId} userName=${name.trim()} accountId=${ACCOUNT_ID} role=admin addedBy=${callerUserId ?? "unknown"}`);
     return {
         content: [{
@@ -2140,7 +2259,9 @@ server.tool("premium-list", "List available premium plugins and their delivery s
             };
         }
         const config = await readAccountConfig();
-        const purchased = Array.isArray(config.purchasedPlugins) ? config.purchasedPlugins : [];
+        // Effective purchasedPlugins from signed entitlement (Task 831).
+        const entitlement = await currentEntitlement();
+        const purchased = entitlement.purchasedPlugins;
         const enabled = Array.isArray(config.enabledPlugins) ? config.enabledPlugins : [];
         const entries = readdirSync(STAGING_ROOT, { withFileTypes: true })
             .filter(e => e.isDirectory())
@@ -2245,7 +2366,16 @@ server.tool("premium-deliver", "Deliver a purchased premium plugin. Copies plugi
             isError: true,
         };
     }
-    const purchased = Array.isArray(config.purchasedPlugins) ? config.purchasedPlugins : [];
+    // Effective purchasedPlugins from signed entitlement (Task 831). The
+    // raw account.json value is ignored on commercial installs; verifier
+    // returns the signed list (or [] on anonymous-fallback).
+    const entitlement = await resolveEntitlement(ENTITLEMENT_BRAND, {
+        accountId: typeof config.accountId === "string" ? config.accountId : "",
+        customerEmail: typeof config.customerEmail === "string" ? config.customerEmail : undefined,
+        tier: typeof config.tier === "string" ? config.tier : undefined,
+        purchasedPlugins: Array.isArray(config.purchasedPlugins) ? config.purchasedPlugins : undefined,
+    });
+    const purchased = entitlement.purchasedPlugins;
     // --- Check purchase status ---
     if (!purchased.includes(pluginName)) {
         return {