@rubytech/create-realagent 1.0.775 → 1.0.791

package/dist/index.js

@@ -430,6 +430,18 @@ function installSystemDeps() {
                 console.log(`  Avahi host-name: ${HOSTNAME_FLAG} (updated avahi-daemon.conf)`);
             }
             catch { /* avahi-daemon.conf may not exist — non-critical */ }
+            // Restart avahi-daemon so the new hostname takes effect immediately
+            // and any stale "maxytest-2" auto-renamed records from a previous
+            // boot's hostname-conflict cycle are withdrawn. Without this,
+            // avahi-resolve -n <hostname>.local times out from the device itself
+            // because the daemon is still advertising the previous identity.
+            try {
+                console.log("  [privileged] systemctl restart avahi-daemon");
+                shell("systemctl", ["restart", "avahi-daemon"], { sudo: true });
+            }
+            catch (err) {
+                console.error(`  WARNING: avahi-daemon restart failed: ${err instanceof Error ? err.message : String(err)}`);
+            }
         }
         catch (err) {
             console.error(`  WARNING: Failed to set hostname to '${HOSTNAME_FLAG}': ${err instanceof Error ? err.message : String(err)}`);
@@ -1346,6 +1358,19 @@ function buildPlatform() {
     // server/package.json but NOT shipped as pre-built node_modules — npm pack silently
     // strips files from nested node_modules (e.g. rxjs/package.json), breaking require().
     // Install fresh on device to guarantee a complete dependency tree.
+    //
+    // On upgrade, wipe `node_modules` first so npm extracts a clean tree. Without
+    // this, an interrupted previous install (network blip, operator cancellation,
+    // power loss) can leave nested package.json files half-truncated — the most
+    // common manifestation is `Error: Invalid package config .../rxjs/package.json`
+    // at server startup, which loops the brand service indefinitely. The wipe
+    // adds ~30 s to upgrades but eliminates a class of unrecoverable customer
+    // states; reliability wins over speed for a one-shot install path.
+    const serverNodeModules = join(INSTALL_DIR, "server", "node_modules");
+    if (existsSync(serverNodeModules)) {
+        console.log("  Wiping previous server/node_modules for a clean reinstall...");
+        rmSync(serverNodeModules, { recursive: true, force: true });
+    }
     console.log(`  Installing server dependencies (${join(INSTALL_DIR, "server")})...`);
     shellRetry("npm", ["install", "--omit=dev", ...NPM_NET_FLAGS], { cwd: join(INSTALL_DIR, "server") }, 3, 15);
 }
@@ -1541,11 +1566,11 @@ function setupVncViewer() {
 }
 function setupAccount() {
     log("10", TOTAL, "Setting up...");
-    // Tasks 787 + 788 — both seed-neo4j.sh and embed-backfill.sh hard-exit
-    // without NEO4J_URI. The installer owns the brand-correct URI and password,
-    // so we derive them once and pass to both call sites. Missing password file
-    // is a hard error: ensureNeo4jPassword() ran upstream and would have thrown
-    // already if it couldn't reach the brand's Neo4j.
+    // Task 787 — seed-neo4j.sh hard-exits without NEO4J_URI. The installer
+    // owns the brand-correct URI and password, so we derive them once.
+    // Missing password file is a hard error: ensureNeo4jPassword() ran
+    // upstream and would have thrown already if it couldn't reach the
+    // brand's Neo4j.
     const passwordFile = join(INSTALL_DIR, "platform/config/.neo4j-password");
     if (!existsSync(passwordFile)) {
         throw new Error(`Neo4j password file missing at ${passwordFile} — required by setup step.`);
@@ -1559,40 +1584,6 @@ function setupAccount() {
         logFile(`  [neo4j] passing NEO4J_URI=${neo4jUri} to seed`);
         shell("bash", [seedScript], { cwd: INSTALL_DIR, env: neo4jEnv });
     }
-    // Task 748 — universal embedding coverage backfill. Run after seed so the
-    // entity_search index is in place and any pre-Task-748 nodes (e.g. the
-    // 5096 LinkedIn-imported Persons on existing Pis that bulk-import skipped
-    // embedding for) get a vector populated. Idempotent — instant no-op when
-    // nothing is pending, so re-running on every install is harmless.
-    //
-    // Failure-mode policy: WARN, do not abort. The fulltext index is already
-    // applied above, so BM25 search works end-to-end without embeddings; the
-    // only gap is vector ranking quality on legacy nodes. Aborting the
-    // installer on an Ollama hiccup would block every install for a
-    // strictly-degradable feature. The script's own loud-failure output
-    // tells the operator how to re-run.
-    const backfillScript = join(INSTALL_DIR, "platform/scripts/embed-backfill.sh");
-    if (existsSync(backfillScript)) {
-        const start = Date.now();
-        logFile(`> bash ${backfillScript} (warn-not-abort)`);
-        const result = spawnSync("bash", [backfillScript], {
-            stdio: "inherit",
-            timeout: 30 * 60_000,
-            cwd: INSTALL_DIR,
-            env: neo4jEnv,
-        });
-        const dur = ((Date.now() - start) / 1000).toFixed(1);
-        if (result.status !== 0 || result.signal) {
-            const reason = result.signal ? `signal=${result.signal}` : `exit=${result.status}`;
-            logFile(`  WARN: embed-backfill non-zero (${reason}) after ${dur}s`);
-            console.warn(`\n  WARNING: embed-backfill did not complete (${reason}) — BM25 search works,\n` +
-                `  but vector ranking on legacy nodes will be sparse until you re-run:\n` +
-                `    bash ${backfillScript}\n`);
-        }
-        else {
-            logFile(`  OK embed-backfill in ${dur}s`);
-        }
-    }
 }
 // ---------------------------------------------------------------------------
 // Tunnel script shortcuts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-realagent",
-  "version": "1.0.775",
+  "version": "1.0.791",
   "description": "Install Real Agent — Built for agents. By agents.",
   "bin": {
     "create-realagent": "./dist/index.js"

package/payload/platform/plugins/admin/mcp/dist/index.js

@@ -1557,6 +1557,7 @@ server.tool("api-key-verify", "Verify the stored Anthropic API key works by maki
  * anthropic-setup state machine (action-relay pattern)
  *
  * Call 1: anthropic-setup({})
+ *   ├─ no public endpoint   → { status: "not_needed" }   ← Phase 0 gate
  *   ├─ key stored + valid?  → { status: "complete" }
  *   ├─ key stored + billing → { status: "awaiting_credits" }
  *   ├─ key stored + error   → { status: "error" }
@@ -1630,20 +1631,92 @@ function anthropicResult(r) {
         ...(r.status === "error" ? { isError: true } : {}),
     };
 }
+/**
+ * Check whether a public-facing hostname is configured. The Anthropic API key
+ * powers the public agent only — admin runs on Claude OAuth — so without a
+ * public endpoint there is nothing for the key to power.
+ *
+ * Mirrors the runtime `isPublicHost(host)` predicate in
+ * `platform/ui/server/index.ts`: a host is public iff it starts with `public.`
+ * OR is listed in `~/{configDir}/alias-domains.json`. Step 7's form submit
+ * handler at `platform/ui/server/routes/admin/cloudflare.ts` writes secondary
+ * hostnames (apex + custom public labels) to `alias-domains.json` and skips
+ * `public.*` because the prefix itself is the signal — so the two predicates
+ * together cover every shape the form can produce.
+ *
+ * Returns true if any configured hostname satisfies either predicate.
+ */
+function hasPublicEndpointConfigured() {
+    const aliasPath = join(CONFIG_DIR, "alias-domains.json");
+    if (existsSync(aliasPath)) {
+        try {
+            const parsed = JSON.parse(readFileSync(aliasPath, "utf-8"));
+            if (Array.isArray(parsed)) {
+                const entries = parsed.filter((h) => typeof h === "string" && h.length > 0);
+                if (entries.length > 0) {
+                    return { has: true, reason: `alias-domains.json: ${entries.join(", ")}` };
+                }
+            }
+        }
+        catch {
+            // Malformed file — treat as empty; matches the server-side reader's tolerance.
+        }
+    }
+    const cfConfigPath = join(CONFIG_DIR, "cloudflared", "config.yml");
+    if (existsSync(cfConfigPath)) {
+        try {
+            const yaml = readFileSync(cfConfigPath, "utf-8");
+            const hostnames = [...yaml.matchAll(/^\s*-\s*hostname:\s*(\S+)/gm)].map((m) => m[1]);
+            const publicPrefixed = hostnames.find((h) => h.startsWith("public."));
+            if (publicPrefixed) {
+                return { has: true, reason: `cloudflared/config.yml ingress: ${publicPrefixed}` };
+            }
+        }
+        catch {
+            // Unreadable — treat as no public host.
+        }
+    }
+    return {
+        has: false,
+        reason: "no entries in alias-domains.json and no public.* hostname in cloudflared/config.yml",
+    };
+}
 server.tool("anthropic-setup", "Deterministic state machine for Anthropic API key acquisition. " +
     "Checks current state, advances as far as possible, and returns a structured JSON result. " +
-    "On first call (no consoleResult): checks if a valid key is already stored. If not, returns " +
-    "status 'awaiting_signin' with a browser_evaluate action — the agent must open the browser to " +
-    "platform.claude.com, run the action's function via browser_evaluate, and pass the string " +
-    "result back as consoleResult on the next call. " +
+    "On first call (no consoleResult): first verifies a public-facing endpoint is configured " +
+    "(the key only powers the public agent); if not, returns status 'not_needed'. Otherwise " +
+    "checks if a valid key is already stored. If not, returns status 'awaiting_signin' with " +
+    "a browser_evaluate action — the agent must open the browser to platform.claude.com, run " +
+    "the action's function via browser_evaluate, and pass the string result back as " +
+    "consoleResult on the next call. " +
     "On second call (with consoleResult): parses the Console API result, stores the key, " +
     "verifies it, and returns status 'complete'. " +
-    "Statuses: complete (key stored and verified), awaiting_signin (user must sign in to Console), " +
-    "awaiting_credits (signed in but no credits — user must add credits), error (fatal — relay message).", {
+    "Statuses: complete (key stored and verified), not_needed (no public endpoint configured — " +
+    "skip the step), awaiting_signin (user must sign in to Console), awaiting_credits (signed in " +
+    "but no credits — user must add credits), error (fatal — relay message).", {
     consoleResult: z.string().optional().describe("JSON string result from running the browser_evaluate action returned by a prior call. " +
         "Omit on the first call."),
 }, async ({ consoleResult }) => {
     const log = (msg) => console.error(`[anthropic-setup] ${msg}`);
+    // ── Phase 0: gate on public endpoint existence ─────────────
+    // The API key only powers the public-facing agent. If no public hostname
+    // is configured (operator skipped step 7, or completed it without a
+    // public/apex hostname) the key has no consumer — short-circuit before
+    // any Console interaction so we never create keys the operator cannot use.
+    if (!consoleResult) {
+        const publicCheck = hasPublicEndpointConfigured();
+        if (!publicCheck.has) {
+            log(`gate: no public endpoint (${publicCheck.reason}) — returning not_needed`);
+            return anthropicResult({
+                status: "not_needed",
+                message: "No public-facing endpoint is configured, so an Anthropic API key is not needed. " +
+                    "The key powers the public agent only — admin runs on your Claude OAuth session. " +
+                    "When you set up a public hostname via Cloudflare (or apex domain), come back and " +
+                    "ask to set up the API key then.",
+            });
+        }
+        log(`gate: public endpoint present (${publicCheck.reason})`);
+    }
     // ── Phase 1: check stored key ──────────────────────────────
     if (!consoleResult) {
         log("checking stored key");