@rubytech/create-realagent 1.0.772 → 1.0.775

package/payload/platform/plugins/admin/skills/onboarding/SKILL.md

@@ -203,13 +203,12 @@ Invoke the `business-profile` skill. Follow its first-run path: create the `Admi
 
 ### `personal`
 
-Personal mode does not register a `LocalBusiness`. Instead, bootstrap the operator's profile so the graph-write gate is satisfied without a business node:
+Personal mode does not register a `LocalBusiness`. The `AdminUser` and personal-profile `Person` nodes were written deterministically at PIN setup time (Task 830 — `writeAdminUserAndPerson`), so this step only enriches the existing Person with an email:
 
-1. **Ask the user for their email** in one short conversational message — {{productName}} needs an email or phone number on the personal-profile node, and email is the more useful signal for downstream features.
-2. **Read the admin's `userId` and `name` from `admin-identity` in your system prompt.** Split `name` into `givenName` (first token) and `familyName` (remainder, or empty if a single token).
-3. **Write the `AdminUser` node.** Call `memory-write` with `labels: ["AdminUser"]`, `properties: { userId, name }`, `scope: "admin"`, `relationships: [{ type: "HAS_ACCOUNT_SCOPE", direction: "outgoing", targetNodeId: "<account-anchor>" }]` — or whatever adjacency convention the current schema requires (grep `AdminUser` in the codebase for a live example if unsure).
-4. **Write the personal-profile `Person` node.** Call `memory-write` with `labels: ["Person"]`, `properties: { givenName, familyName, email, role: "admin-personal" }`, `scope: "admin"`, `relationships: [{ type: "OWNS", direction: "incoming", targetNodeId: "<AdminUser-elementId>" }]`. The `role: "admin-personal"` property is what the graph-write gate looks for in lieu of a `LocalBusiness`.
-5. **Mark step 9 complete.** Call `onboarding-complete-step` with step 9.
+1. **Ask the user for their email** in one short conversational message — {{productName}} needs an email or phone number on the personal-profile node for downstream features (notifications, contact-method matching).
+2. **Locate the personal-profile `Person`.** Call `memory-search` with the user's name from `admin-identity` plus `role: "admin-personal"` to find the existing node bound to the `AdminUser` via `OWNS`.
+3. **Attach the email.** Call `memory-update` on that Person with `properties: { email }`. Do NOT create a new Person — the set-pin path already created and bound it.
+4. **Mark step 9 complete.** Call `onboarding-complete-step` with step 9.
 
 After step 9 completes in personal mode, tell the user that {{productName}} is configured for personal use — their employer (if any) is not registered here. If they later become the operator for a business of their own, they can ask {{productName}} to set up a business profile, which invokes the `business-profile` skill directly.
 

package/payload/platform/plugins/admin/skills/plugin-management/SKILL.md

@@ -20,10 +20,9 @@ External Claude Code plugins (Stripe, Playground):
 
 Built-in plugins under `$PLATFORM_ROOT/plugins/`:
 
-- Enable: read `account.json` via `account-manage`, add the plugin name to the `enabledPlugins` array, write back via `Edit`. Activates the plugin's behaviour embed and MCP server from the next session. Plugins with scheduled behaviour (declared via `lifecycle` in PLUGIN.md frontmatter) are activated automatically by the platform heartbeat within one minute — no separate setup command needed.
-- Disable: same process, remove the name from the `enabledPlugins` array. Deactivates from the next session. Any scheduled Events owned by the plugin (`sourcePlugin` field) are cancelled automatically by the platform heartbeat.
-- Core plugins (admin, memory, docs, cloudflare, anthropic) cannot be disabled — they are always active.
-- Validate: before enabling, confirm the plugin directory exists under `$PLATFORM_ROOT/plugins/` and its PLUGIN.md has `optional: true` in `metadata.platform`.
+- Enable: call `plugin-toggle-enabled` with `pluginName` and `action: "enable"`. Activates the plugin's behaviour embed and MCP server from the next session. Plugins with scheduled behaviour (declared via `lifecycle` in PLUGIN.md frontmatter) are activated automatically by the platform heartbeat within one minute — no separate setup command needed.
+- Disable: call `plugin-toggle-enabled` with `pluginName` and `action: "disable"`. Deactivates from the next session. Any scheduled Events owned by the plugin (`sourcePlugin` field) are cancelled automatically by the platform heartbeat.
+- The tool refuses core plugins (admin, memory, docs, cloudflare, anthropic) and refuses plugins not installed under `$PLATFORM_ROOT/plugins/`. Direct `Edit` of `account.json` is denied by the pre-tool-use hook (Task 831) — `plugin-toggle-enabled` is the only legitimate path.
 
 ## Premium Plugins
 
@@ -39,7 +38,13 @@ When the user asks about a specific premium plugin (e.g., "tell me about the tea
 
 ### Recording a purchase
 
-When the user states they have purchased a premium plugin, validate the plugin name, then confirm the plugin exists in the staging directory. Read `account.json` via `account-manage`, add the plugin name to the `purchasedPlugins` array (if not already present), and write back via `Edit`. Then proceed to delivery.
+`purchasedPlugins` is an entitlement-bearing field (Task 831): the effective list derives from the Rubytech-signed entitlement payload, not from raw `account.json`. The pre-tool-use hook denies any agent write to `account.json`. Direct purchase recording is therefore unavailable to the agent.
+
+- **Production path:** Task 832 — Rubytech-side issuance endpoint signs an updated entitlement payload after a Stripe purchase event and delivers it to `~/<configDir>/entitlement.json`. The verifier picks up the new payload at the next session start.
+- **Pre-launch / dev path:** the founder runs `node platform/scripts/generate-entitlement-fixture.mjs sign --account-id <id> --email <e> --tier <t> --plugins a,b,c --out ~/<configDir>/entitlement.json` to produce a signed test payload. The agent does not invoke this script.
+- **Personal-mode installs (`brand.json.commercialMode: false`, the default today):** purchasedPlugins is read from raw `account.json` via implicit-trust mode. Pre-launch the agent has no way to add purchases without operator intervention; this is intentional during the gap before Task 832 ships.
+
+If the user asks the agent to record a purchase, explain that their purchase is processed by Rubytech billing and the entitlement payload arrives on their device automatically — no agent action is required.
 
 ### Delivering a premium plugin
 

package/payload/platform/scripts/generate-entitlement-fixture.mjs

@@ -0,0 +1,152 @@
+#!/usr/bin/env node
+/**
+ * One-shot Rubytech-side entitlement fixture generator.
+ *
+ * RUN BY FOUNDER ONCE; NEVER ON CUSTOMER DEVICES.
+ *
+ * Produces:
+ *   - platform/lib/entitlement/rubytech-pubkey.pem      (vendored, committed)
+ *   - platform/lib/entitlement/PUBKEY-HASH.txt          (sha256 of pubkey, committed)
+ *   - .secrets/rubytech-private-key.pem                  (LOCAL ONLY — never commit)
+ *   - <out-dir>/entitlement.json                         (signed payload fixture)
+ *
+ * Usage:
+ *   node platform/scripts/generate-entitlement-fixture.mjs init
+ *     → generates a fresh keypair + writes the pubkey + hash
+ *
+ *   node platform/scripts/generate-entitlement-fixture.mjs sign \
+ *        --account-id <id> --email <email> --tier <solo|family|pro> \
+ *        --plugins <comma-list> --days <n> --out <path>
+ *     → signs a payload using the existing private key
+ *
+ * The verifier at platform/lib/entitlement/src/index.ts has PUBKEY_SHA256
+ * baked into source. After running `init` the script prints the new hash —
+ * paste it into the verifier and rebuild.
+ *
+ * For Task 832 (Rubytech-side issuance endpoint), this script will be
+ * replaced by a server-side equivalent. Until then, it stands in.
+ */
+
+import {
+  generateKeyPairSync,
+  createPublicKey,
+  createPrivateKey,
+  createHash,
+  sign as cryptoSign,
+} from "node:crypto";
+import { writeFileSync, readFileSync, existsSync, mkdirSync } from "node:fs";
+import { resolve, dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const PLATFORM_ROOT = resolve(__dirname, "..");
+const REPO_ROOT = resolve(PLATFORM_ROOT, "..");
+const PUBKEY_PATH = resolve(PLATFORM_ROOT, "lib", "entitlement", "rubytech-pubkey.pem");
+const HASH_PATH = resolve(PLATFORM_ROOT, "lib", "entitlement", "PUBKEY-HASH.txt");
+const SECRET_DIR = resolve(REPO_ROOT, ".secrets");
+const PRIVKEY_PATH = resolve(SECRET_DIR, "rubytech-private-key.pem");
+
+function canonicalize(value) {
+  if (value === null) return "null";
+  if (typeof value === "boolean") return value ? "true" : "false";
+  if (typeof value === "string") return JSON.stringify(value);
+  if (typeof value === "number") {
+    if (!Number.isFinite(value)) throw new Error("non-finite number");
+    if (Object.is(value, -0)) throw new Error("negative zero");
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
+  if (typeof value === "object") {
+    const keys = Object.keys(value).sort();
+    return "{" + keys.map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
+  }
+  throw new Error(`unsupported value type ${typeof value}`);
+}
+
+function init() {
+  if (existsSync(PRIVKEY_PATH)) {
+    console.error(`ABORT: private key already exists at ${PRIVKEY_PATH}.`);
+    console.error("Delete it manually if you really want to regenerate (ALL EXISTING SIGNED PAYLOADS WILL BREAK).");
+    process.exit(1);
+  }
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+  const pubPem = publicKey.export({ type: "spki", format: "pem" });
+  const privPem = privateKey.export({ type: "pkcs8", format: "pem" });
+
+  if (!existsSync(SECRET_DIR)) mkdirSync(SECRET_DIR, { recursive: true });
+  writeFileSync(PRIVKEY_PATH, privPem, { mode: 0o600 });
+  writeFileSync(PUBKEY_PATH, pubPem, "utf-8");
+
+  const hash = createHash("sha256").update(pubPem).digest("hex");
+  writeFileSync(HASH_PATH, hash + "\n", "utf-8");
+
+  console.log(`Generated keypair.`);
+  console.log(`  Public key  : ${PUBKEY_PATH}`);
+  console.log(`  Hash file   : ${HASH_PATH}  (${hash})`);
+  console.log(`  Private key : ${PRIVKEY_PATH}  (DO NOT COMMIT — verify .gitignore)`);
+  console.log("");
+  console.log(`NEXT: paste the hash into platform/lib/entitlement/src/index.ts:`);
+  console.log(`  export const PUBKEY_SHA256 = "${hash}";`);
+  console.log(`Then run npm --prefix platform run build:lib`);
+}
+
+function parseArgs(argv) {
+  const out = {};
+  for (let i = 0; i < argv.length; i += 2) {
+    const key = argv[i].replace(/^--/, "");
+    out[key] = argv[i + 1];
+  }
+  return out;
+}
+
+function sign(args) {
+  const required = ["account-id", "email", "tier", "out"];
+  for (const k of required) {
+    if (!args[k]) {
+      console.error(`Missing --${k}`);
+      process.exit(1);
+    }
+  }
+  if (!existsSync(PRIVKEY_PATH)) {
+    console.error(`Private key missing at ${PRIVKEY_PATH}. Run 'init' first.`);
+    process.exit(1);
+  }
+  const days = Number(args.days ?? "365");
+  const plugins = (args.plugins ?? "")
+    .split(",")
+    .map((s) => s.trim())
+    .filter(Boolean);
+
+  const now = Date.now();
+  const issued = new Date(now).toISOString();
+  const expires = new Date(now + days * 86400 * 1000).toISOString();
+
+  const payload = {
+    accountId: args["account-id"],
+    customerEmail: args.email,
+    tier: args.tier,
+    purchasedPlugins: plugins,
+    issued,
+    expires,
+  };
+  const canonical = canonicalize(payload);
+  const privKey = createPrivateKey(readFileSync(PRIVKEY_PATH, "utf-8"));
+  const sigBuf = cryptoSign(null, Buffer.from(canonical, "utf-8"), privKey);
+  const envelope = { payload, signature: sigBuf.toString("base64") };
+  writeFileSync(args.out, JSON.stringify(envelope, null, 2) + "\n", "utf-8");
+  console.log(`Signed payload written to ${args.out}`);
+  console.log(`  tier=${payload.tier} plugins=${plugins.length} expires=${expires}`);
+}
+
+const cmd = process.argv[2];
+if (cmd === "init") {
+  init();
+} else if (cmd === "sign") {
+  sign(parseArgs(process.argv.slice(3)));
+} else {
+  console.error("Usage:");
+  console.error("  generate-entitlement-fixture.mjs init");
+  console.error("  generate-entitlement-fixture.mjs sign --account-id <id> --email <e> --tier <t> [--plugins a,b] [--days N] --out <path>");
+  process.exit(1);
+}