@rubytech/create-realagent 1.0.794 → 1.0.797

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-realagent",
-  "version": "1.0.794",
+  "version": "1.0.797",
   "description": "Install Real Agent — Built for agents. By agents.",
   "bin": {
     "create-realagent": "./dist/index.js"

package/payload/platform/neo4j/migrations/003-person-name-eradicate.cypher

@@ -0,0 +1,24 @@
+// ============================================================
+// Migration 003 — Person.name eradication (Task 849)
+//
+// Removes the denormalised `name` property from every Person node.
+// `Person.name` is forbidden by schema-base.md "Forbidden Properties":
+// the canonical fields are `givenName` + `familyName`, composed at
+// read time by display-helpers.ts. Persisted `name` was a divergence
+// trap — LLM extraction emitted `name = givenName` ("Dan") alongside
+// the structured pair, so the canvas rendered "Dan" instead of
+// "Dan Brett".
+//
+// Idempotent: subsequent runs find no Persons with `name` set and
+// return removed=0.
+//
+// Applied at boot by platform/ui/app/lib/neo4j-migrations.ts. Safe to
+// run manually:
+//   cypher-shell -u neo4j -p <password> -a $NEO4J_URI \
+//     -f platform/neo4j/migrations/003-person-name-eradicate.cypher
+// ============================================================
+
+MATCH (p:Person)
+WHERE p.name IS NOT NULL
+REMOVE p.name
+RETURN count(p) AS removed

package/payload/platform/plugins/admin/PLUGIN.md

@@ -51,6 +51,10 @@ Platform management tools for both the admin and public agents. The `plugin-read
 
 Tools are available via the `admin` MCP server.
 
+**Three-store admin auth invariant (Task 850).** `admin-add` writes to all three identity stores (`users.json` PIN auth, `account.json` `admins[]` role, Neo4j `:AdminUser`/`:Person` graph identity) with per-leg `[admin-auth-store]` log lines and returns `is_error: true` on any leg failure naming what's already written. `admin-update-pin` writes `users.json` only and emits the same line. Direct `Edit`/`Write` on `account.json` is blocked at the `pre-tool-use` hook — mutations go through `account-update`, `plugin-toggle-enabled`, or the `admin-*` tools. See `.docs/agents.md` § "Three-store admin auth invariant" for the full contract.
+
+`logs-read { type: "agent-stream" }` (Task 850) is the canonical name for the per-conversation tool-use/tool-result archive previously called `system`; both names work and the legacy alias is preserved.
+
 ## Skills
 
 | Task | When to use | Reference |

package/payload/platform/plugins/admin/hooks/__tests__/archive-ingest-gate.test.sh

@@ -0,0 +1,166 @@
+#!/usr/bin/env bash
+# Regression test for archive-ingest-gate.sh (Task 846).
+#
+# Six cases cover the contract:
+#   1. Edit on /platform/plugins/<x>/lib/* is BLOCKED (exit 2).
+#   2. Edit on a benign path is ALLOWED (exit 0).
+#   3. Bash with `npx vitest` is BLOCKED.
+#   4. PostToolUse on whatsapp-export-parse with isError:true sets the flag.
+#   5. Subsequent PreToolUse on ANY tool is BLOCKED (post-parse-error gate).
+#   6. UserPromptSubmit clears the flag, restoring normal allow behavior.
+#
+# Tests use ARCHIVE_INGEST_GATE_STATE_DIR to point at a tmp dir so they run
+# without a real account layout.
+
+set -u
+
+HOOK="$(cd "$(dirname "$0")/.." && pwd)/archive-ingest-gate.sh"
+if [[ ! -x "$HOOK" ]]; then
+  echo "FAIL: $HOOK not executable" >&2
+  exit 1
+fi
+
+# Per-run isolated state dir
+STATE_DIR=$(mktemp -d)
+export ARCHIVE_INGEST_GATE_STATE_DIR="$STATE_DIR"
+FLAG_FILE="$STATE_DIR/archive-ingest-parse-error.flag"
+
+cleanup() { rm -rf "$STATE_DIR"; }
+trap cleanup EXIT
+
+PASS=0
+FAIL=0
+
+run_case() {
+  local name="$1" stdin="$2" expected_exit="$3"
+  local actual_exit
+  printf '%s' "$stdin" | bash "$HOOK" >/dev/null 2>/dev/null
+  actual_exit=$?
+  if [[ "$actual_exit" -eq "$expected_exit" ]]; then
+    echo "PASS: $name (exit=$actual_exit)"
+    PASS=$((PASS + 1))
+  else
+    echo "FAIL: $name (expected exit=$expected_exit, got=$actual_exit)" >&2
+    FAIL=$((FAIL + 1))
+  fi
+}
+
+# Case 1 — Edit on plugin lib path: BLOCKED
+run_case "Edit on platform/plugins/whatsapp-import/lib/src/parse-export.ts → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/Users/x/repo/platform/plugins/whatsapp-import/lib/src/parse-export.ts","old_string":"a","new_string":"b"}}' \
+  2
+
+# Case 2 — Edit on a benign path: ALLOWED
+run_case "Edit on README.md → ALLOWED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/Users/x/repo/README.md","old_string":"a","new_string":"b"}}' \
+  0
+
+# Case 3 — Bash with `npx vitest`: BLOCKED
+run_case "Bash 'npx vitest run parse-export.test.ts' → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"npx vitest run parse-export.test.ts"}}' \
+  2
+
+# Case 3b — Bash with benign command: ALLOWED
+run_case "Bash 'ls -la' → ALLOWED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"ls -la"}}' \
+  0
+
+# Case 3c — Bash with `bun test`: BLOCKED
+run_case "Bash 'bun test' → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"bun test"}}' \
+  2
+
+# Case 3d — Bash with `npm test`: BLOCKED
+run_case "Bash 'npm test' → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"npm test"}}' \
+  2
+
+# Make sure flag is absent before parse-error simulation
+rm -f "$FLAG_FILE"
+
+# Case 4 — PostToolUse on whatsapp-export-parse with isError:true sets flag
+run_case "PostToolUse parse-error sets flag (exit 0, flag side-effect)" \
+  '{"hook_event_name":"PostToolUse","tool_name":"mcp__memory__whatsapp-export-parse","tool_input":{"filePath":"_chat.txt"},"tool_response":{"isError":true,"content":[{"type":"text","text":"parse-error file=_chat.txt line=1 reason=not-a-_chat.txt"}]}}' \
+  0
+
+if [[ -f "$FLAG_FILE" ]]; then
+  echo "PASS: parse-error flag created at $FLAG_FILE"
+  PASS=$((PASS + 1))
+else
+  echo "FAIL: parse-error flag NOT created at $FLAG_FILE" >&2
+  FAIL=$((FAIL + 1))
+fi
+
+# Case 5 — Subsequent PreToolUse on ANY tool BLOCKED while flag is fresh
+run_case "PreToolUse Read after parse-error → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Read","tool_input":{"file_path":"/tmp/foo"}}' \
+  2
+
+run_case "PreToolUse Bash after parse-error → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"echo hi"}}' \
+  2
+
+# Case 6 — UserPromptSubmit clears flag
+run_case "UserPromptSubmit clears flag (exit 0)" \
+  '{"hook_event_name":"UserPromptSubmit","prompt":"retry"}' \
+  0
+
+if [[ ! -f "$FLAG_FILE" ]]; then
+  echo "PASS: UserPromptSubmit cleared flag"
+  PASS=$((PASS + 1))
+else
+  echo "FAIL: UserPromptSubmit did NOT clear flag" >&2
+  FAIL=$((FAIL + 1))
+fi
+
+# Case 7 — After clearance, normal allow resumes
+run_case "PreToolUse Read after clearance → ALLOWED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Read","tool_input":{"file_path":"/tmp/foo"}}' \
+  0
+
+# Case 8 — PostToolUse with isError:false does NOT set flag
+rm -f "$FLAG_FILE"
+run_case "PostToolUse parse-success (isError:false) does NOT set flag" \
+  '{"hook_event_name":"PostToolUse","tool_name":"mcp__memory__whatsapp-export-parse","tool_input":{"filePath":"_chat.txt"},"tool_response":{"isError":false,"content":[{"type":"text","text":"{\"parsedLines\":[]}"}]}}' \
+  0
+
+if [[ ! -f "$FLAG_FILE" ]]; then
+  echo "PASS: parse-success leaves flag absent"
+  PASS=$((PASS + 1))
+else
+  echo "FAIL: parse-success incorrectly created flag" >&2
+  FAIL=$((FAIL + 1))
+fi
+
+# Case 9 — Stale flag (>600s) auto-clears + allows
+PAST=$(( $(date -u +%s) - 700 ))
+echo "$PAST" > "$FLAG_FILE"
+run_case "Stale flag auto-clears, PreToolUse Read → ALLOWED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Read","tool_input":{"file_path":"/tmp/foo"}}' \
+  0
+
+# Case 10 — No stdin (terminal) fails closed
+echo "Probing fail-closed behaviour (no stdin)..."
+bash "$HOOK" </dev/null >/dev/null 2>/dev/null
+ACTUAL=$?
+# /dev/null IS a stdin — the `[ -t 0 ]` check tests for terminal, not file.
+# A file/pipe stdin reads as empty, which produces empty hook_event_name and
+# falls through to default `exit 0` (allow). The terminal-only fail-closed
+# branch can't be tested non-interactively; verify the script reads `[ -t 0 ]`.
+if grep -q '\[ -t 0 \]' "$HOOK"; then
+  echo "PASS: fail-closed terminal check is present"
+  PASS=$((PASS + 1))
+else
+  echo "FAIL: fail-closed terminal check missing" >&2
+  FAIL=$((FAIL + 1))
+fi
+
+echo
+echo "──────── archive-ingest-gate test summary ────────"
+echo "PASS: $PASS"
+echo "FAIL: $FAIL"
+
+if [[ "$FAIL" -gt 0 ]]; then
+  exit 1
+fi
+exit 0

package/payload/platform/plugins/admin/hooks/archive-ingest-gate.sh

@@ -0,0 +1,147 @@
+#!/usr/bin/env bash
+# Archive-ingest gate (Task 846).
+#
+# Three enforcements, one script — phase decided by `hook_event_name` on stdin:
+#
+# 1. PreToolUse Edit/Write/NotebookEdit: deny writes under
+#    `*platform/plugins/*/lib/*` (parser/CSV-shape source for any *-import or
+#    *-export plugin). The database-operator subagent has Read+Bash but not
+#    Edit/Write per its `tools:` frontmatter — yet it can still mutate files
+#    via Bash heredoc. The path block applies to every tool that takes a
+#    `file_path` and has been observed as the improvisation surface.
+#
+# 2. PreToolUse Bash: deny commands invoking JavaScript test runners
+#    (vitest|bun test|npm test|npx jest|node .*vitest). The reproducer
+#    incident (conv 47c6a590) saw the operator run all four variants in
+#    sequence after parse-export returned isError.
+#
+# 3. Parse-error gate: PostToolUse on any `mcp__*__*-export-parse` /
+#    `mcp__*__*-import-parse` tool whose `tool_response.isError == true`
+#    writes a flag file. Subsequent PreToolUse on ANY tool blocks until
+#    UserPromptSubmit clears the flag (semantics: "subagent's next action
+#    must be a user-facing message; further tool calls blocked"). A 600s
+#    TTL is the cross-session safety net.
+#
+# Exit codes follow Claude Code hook protocol: 0 = allow, 2 = block (stderr
+# message shown to the agent). Fail-closed on stdin read failure to match
+# pre-tool-use.sh.
+
+set -uo pipefail
+
+# Read stdin — fail closed if unavailable
+if [ -t 0 ]; then
+  echo "Blocked: archive-ingest-gate received no stdin (cannot inspect tool call). Failing closed." >&2
+  exit 2
+fi
+INPUT=$(cat)
+
+# ----- Resolve account dir for state file ----------------------------------
+# Mirrors pre-tool-use.sh lines 100-107: walk from this hook's location to
+# platform/, then `../data/accounts/<single-account>/`. Phase 0 has exactly
+# one account directory.
+HOOK_DIR="$(cd "$(dirname "$0")" 2>/dev/null && pwd)"
+PLATFORM_ROOT_RESOLVED="${HOOK_DIR}/../../.."
+ACCOUNTS_DIR="${PLATFORM_ROOT_RESOLVED}/../data/accounts"
+ACCOUNT_DIR=""
+if [ -d "$ACCOUNTS_DIR" ]; then
+  ACCOUNT_DIR=$(find "$ACCOUNTS_DIR" -mindepth 1 -maxdepth 1 -type d 2>/dev/null | head -1)
+fi
+# Test harness override — tests pass `ARCHIVE_INGEST_GATE_STATE_DIR` to point
+# at a tmp dir without needing a real account layout.
+STATE_DIR="${ARCHIVE_INGEST_GATE_STATE_DIR:-${ACCOUNT_DIR}/state}"
+FLAG_FILE="${STATE_DIR}/archive-ingest-parse-error.flag"
+TTL_SECONDS=600
+
+# ----- Parse fields from stdin ---------------------------------------------
+# Hook protocol: every event includes `hook_event_name`. PreToolUse +
+# PostToolUse include `tool_name`. PostToolUse adds `tool_response`.
+# UserPromptSubmit has neither. Use grep/sed against the JSON envelope —
+# no jq dependency to match the rest of the hook fleet.
+HOOK_EVENT=$(printf '%s' "$INPUT" | grep -o '"hook_event_name"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+TOOL_NAME=$(printf '%s' "$INPUT" | grep -o '"tool_name"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+
+# ============================================================================
+# UserPromptSubmit — clear the parse-error flag.
+# ============================================================================
+if [ "$HOOK_EVENT" = "UserPromptSubmit" ]; then
+  if [ -f "$FLAG_FILE" ]; then
+    rm -f "$FLAG_FILE" 2>/dev/null
+    echo "[archive-ingest-gate] cleared reason=user-prompt-submit" >&2
+  fi
+  exit 0
+fi
+
+# ============================================================================
+# PostToolUse — record parse-error from any *-export-parse / *-import-parse.
+# ============================================================================
+if [ "$HOOK_EVENT" = "PostToolUse" ]; then
+  case "$TOOL_NAME" in
+    mcp__*__*-export-parse|mcp__*__*-import-parse)
+      # Inspect tool_response for isError true. Body is a JSON object; match
+      # `"isError":true` with optional whitespace.
+      if printf '%s' "$INPUT" | grep -Eq '"isError"[[:space:]]*:[[:space:]]*true'; then
+        mkdir -p "$STATE_DIR" 2>/dev/null
+        date -u +%s > "$FLAG_FILE" 2>/dev/null
+        echo "[archive-ingest-gate] surfaced reason=parse-error tool=${TOOL_NAME}" >&2
+      fi
+      ;;
+  esac
+  # PostToolUse must always allow the tool result through.
+  exit 0
+fi
+
+# ============================================================================
+# PreToolUse — three independent blocks.
+# ============================================================================
+if [ "$HOOK_EVENT" != "PreToolUse" ]; then
+  # Unknown event, or hook fired in a context without an event name. Allow.
+  exit 0
+fi
+
+# --- Block 1: post-parse-error gate (applies to ALL tools) -----------------
+if [ -f "$FLAG_FILE" ]; then
+  FLAG_TS=$(cat "$FLAG_FILE" 2>/dev/null | head -1)
+  NOW=$(date -u +%s)
+  if [ -n "$FLAG_TS" ] && [ "$FLAG_TS" -gt 0 ] 2>/dev/null; then
+    AGE=$(( NOW - FLAG_TS ))
+    if [ "$AGE" -lt "$TTL_SECONDS" ]; then
+      echo "[archive-ingest-gate] block tool=${TOOL_NAME} reason=post-parse-error age_s=${AGE}" >&2
+      echo "Blocked: an archive-parser MCP tool returned isError=true earlier in this turn. The subagent's next action must be a user-facing message naming the parse-error and yielding back to the operator. Further tool calls are blocked until the operator submits a new prompt." >&2
+      exit 2
+    fi
+    # Stale flag — clean up so we don't keep blocking on a corpse.
+    rm -f "$FLAG_FILE" 2>/dev/null
+  else
+    # Unparseable flag — remove rather than block on garbage.
+    rm -f "$FLAG_FILE" 2>/dev/null
+  fi
+fi
+
+# --- Block 2: plugin-source path block (Edit/Write/NotebookEdit) -----------
+case "$TOOL_NAME" in
+  Edit|Write|NotebookEdit)
+    FILE_PATH=$(printf '%s' "$INPUT" | grep -o '"file_path"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+    case "$FILE_PATH" in
+      */platform/plugins/*/lib/*|platform/plugins/*/lib/*)
+        echo "[archive-ingest-gate] block tool=${TOOL_NAME} reason=plugin-source-edit path=${FILE_PATH}" >&2
+        echo "Blocked: ${TOOL_NAME} on ${FILE_PATH} is a platform plugin lib/ path. The database-operator subagent does not own plugin source; if a parser is broken, surface the parse-error to the operator and let them dispatch a code-edit task instead." >&2
+        exit 2
+        ;;
+    esac
+    ;;
+esac
+
+# --- Block 3: shell test-runner block (Bash) -------------------------------
+if [ "$TOOL_NAME" = "Bash" ]; then
+  COMMAND=$(printf '%s' "$INPUT" | grep -o '"command"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
+  # Match any of: `vitest`, `bun test`, `npm test`, `npx jest`, `node ... vitest`.
+  # Word-boundary checks via grep -E with explicit token boundaries — POSIX
+  # `[[:space:]]` covers leading-token edge cases, end-of-string covers tail.
+  if printf '%s' "$COMMAND" | grep -Eq '(^|[[:space:]/])vitest($|[[:space:]])|(^|[[:space:]])bun[[:space:]]+test($|[[:space:]])|(^|[[:space:]])npm[[:space:]]+test($|[[:space:]])|(^|[[:space:]])npx[[:space:]]+jest($|[[:space:]])|node[[:space:]].*vitest'; then
+    echo "[archive-ingest-gate] block tool=Bash reason=test-runner command=${COMMAND}" >&2
+    echo "Blocked: Bash command invokes a JavaScript test runner (vitest/bun test/npm test/npx jest). The database-operator subagent does not run plugin tests; surface the parse-error to the operator." >&2
+    exit 2
+  fi
+fi
+
+exit 0

package/payload/platform/plugins/admin/hooks/pre-tool-use.sh

@@ -47,11 +47,15 @@ if [ "$AGENT_TYPE" = "admin" ]; then
           echo "[entitlement] tool-deny: tool=${TOOL_NAME} path=${FILE_PATH} field=entitlement-file" >&2
           exit 2
           ;;
-        # account.json (Task 831) — agent must use the account-update MCP tool
-        # (or plugin-toggle-enabled for enabledPlugins changes), which whitelists
-        # editable fields server-side. Direct Edit/Write bypasses that whitelist;
-        # deny unconditionally including cwd-relative paths.
-        */data/accounts/*/account.json|*/config/accounts/*/account.json|data/accounts/*/account.json|config/accounts/*/account.json|account.json)
+        # account.json (Task 831 + Task 850) — agent must use the account-update
+        # MCP tool (or plugin-toggle-enabled for enabledPlugins changes), which
+        # whitelists editable fields server-side. Direct Edit/Write bypasses
+        # that whitelist; deny unconditionally including cwd-relative paths.
+        # Task 850 adds */account.json and *account.json as a backstop so any
+        # layout the named patterns miss is still caught — the Adam Mackay
+        # incident showed a tier upgrade via raw Edit on account.json reach
+        # the disk, exactly the failure mode this hook exists to prevent.
+        */data/accounts/*/account.json|*/config/accounts/*/account.json|data/accounts/*/account.json|config/accounts/*/account.json|*/account.json|*account.json|account.json)
           echo "Blocked: Admin agent cannot edit account.json directly. Use the account-update or plugin-toggle-enabled MCP tools — they whitelist editable fields server-side and exclude tier and purchasedPlugins by design." >&2
           echo "[entitlement] tool-deny: tool=${TOOL_NAME} path=${FILE_PATH} field=account-json" >&2
           exit 2

package/payload/platform/plugins/admin/mcp/dist/index.js

@@ -621,7 +621,7 @@ server.tool("plugin-toggle-enabled", "Enable or disable a plugin in this account
 // ===================================================================
 // Admin user management tools
 // ===================================================================
-server.tool("admin-add", "Add a new admin user to this account. Creates a device-level user entry (users.json) and adds them to this account's admins list (account.json). PIN must be at least 4 digits. If no PIN is provided, a unique 4-digit PIN is generated. Returns the userId and PIN to share with the new admin.", {
+server.tool("admin-add", "Add a new admin user to this account. Creates a device-level user entry (users.json) and adds them to this account's admins list (account.json). PIN must be at least 4 digits. If no PIN is provided, a unique 4-digit PIN is generated. Returns the userId and PIN to share with the new admin.\n\nIMPORTANT — retry behaviour: if the user already stated a specific PIN earlier in the conversation and a first admin-add call failed (e.g. tier cap reached, PIN collision), every retry MUST re-pass that PIN as the `pin` parameter. Omitting `pin` on the retry auto-generates a different 4-digit PIN, silently substituting what the user asked for.", {
     name: z.string().describe("Display name for the new admin (stored on the AdminUser node in Neo4j)."),
     pin: z.string().optional().describe("Optional PIN (minimum 4 digits). If omitted, a unique 4-digit PIN is generated."),
 }, async ({ name, pin: rawPin }) => {
@@ -679,14 +679,25 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
     }
     const pinHash = hashPin(plaintextPin);
     const userId = crypto.randomUUID();
+    // Three-store admin auth invariant (Task 850): users.json (device-level
+    // PIN auth), account.json admins[] (account-level role), Neo4j AdminUser
+    // (display + graph identity). Each leg emits a [admin-auth-store] line so
+    // a future incident can grep one log to know which leg failed; any leg
+    // failing makes the tool result is_error: true with a cause line citing
+    // what's already been written. No automatic rollback — the cause line is
+    // the manual-recovery diagnostic.
+    const userIdShort = userId.slice(0, 8);
     // 1. Write to users.json (device-level). Auth fields only — `name` lives
     //    on the AdminUser node in Neo4j (Task 829).
     users.push({ userId, pin: pinHash });
     try {
         writeUsersJson(users);
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=ok store=users`);
     }
     catch (err) {
-        return { content: [{ type: "text", text: `${TAG} Failed to write users.json: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+        const errMsg = err instanceof Error ? err.message : String(err);
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=fail store=users error=${errMsg}`);
+        return { content: [{ type: "text", text: `${TAG} Failed to write users.json: ${errMsg}` }], isError: true };
     }
     // 2. Write to account.json (account-level)
     try {
@@ -698,10 +709,12 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
             const configPath = join(getAccountDir(), "account.json");
             await writeFile(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
         }
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=ok store=account`);
     }
     catch (err) {
-        console.error(`${TAG} account.json write failed: ${err instanceof Error ? err.message : String(err)}`);
-        return { content: [{ type: "text", text: `${TAG} User created in users.json but failed to add to account: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+        const errMsg = err instanceof Error ? err.message : String(err);
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=fail store=account error=${errMsg}`);
+        return { content: [{ type: "text", text: `${TAG} users.json updated; account.json write FAILED — manual reconciliation needed: ${errMsg}` }], isError: true };
     }
     // 3. Write to Neo4j (graph-level): AdminUser + Person + OWNS atomically,
     //    plus ADMIN_OF edge to the LocalBusiness for this account.
@@ -710,7 +723,12 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
     //    in platform/ui/app/lib/neo4j-store.ts (case-insensitive exact match
     //    on givenName + familyName; partial-name ambiguity does NOT match —
     //    rationalisation is a separate agent-mediated concern).
-    let neo4jWarning = "";
+    //    Task 850 — Neo4j-leg failure now returns is_error: true with the
+    //    [admin-auth-store] line; previously it set a soft warning string and
+    //    returned success, which is what hid the Adam Mackay incident from
+    //    the recovery agent. The user is still functional via users.json +
+    //    account.json, but the graph state is divergent and the operator
+    //    must know.
     let personReused = false;
     try {
         const session = getSession();
@@ -759,18 +777,25 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
         finally {
             await session.close();
         }
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=ok store=neo4j personReused=${personReused}`);
     }
     catch (err) {
         const errMsg = err instanceof Error ? err.message : String(err);
-        console.error(`${TAG} Neo4j sync failed during admin-add: userId=${userId} error=${errMsg} — files written, graph pending`);
-        neo4jWarning = ` Note: Neo4j sync failed (${errMsg}) — the admin user is functional but the graph will need reconciliation on next seed.`;
+        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=fail store=neo4j error=${errMsg}`);
+        return {
+            content: [{
+                    type: "text",
+                    text: `${TAG} users.json + account.json updated for userId ${userId} (PIN: ${plaintextPin}); Neo4j sync FAILED — manual reconciliation needed: ${errMsg}`,
+                }],
+            isError: true,
+        };
     }
-    console.error(`${TAG} [admin-identity] adminuser-bound userId=${userId.slice(0, 8)} name=${name.trim()} personReused=${personReused}`);
+    console.error(`${TAG} [admin-identity] adminuser-bound userId=${userIdShort} name=${name.trim()} personReused=${personReused}`);
     console.error(`${TAG} admin added: userId=${userId} userName=${name.trim()} accountId=${ACCOUNT_ID} role=admin addedBy=${callerUserId ?? "unknown"}`);
     return {
         content: [{
                 type: "text",
-                text: `Admin added successfully.\n\n- **Name:** ${name.trim()}\n- **userId:** ${userId}\n- **PIN:** ${plaintextPin}\n- **Role:** admin\n\nShare the PIN with ${name.trim()} so they can log in.${neo4jWarning}`,
+                text: `Admin added successfully.\n\n- **Name:** ${name.trim()}\n- **userId:** ${userId}\n- **PIN:** ${plaintextPin}\n- **Role:** admin\n\nShare the PIN with ${name.trim()} so they can log in.`,
             }],
     };
 });
@@ -912,18 +937,22 @@ server.tool("admin-update-pin", "Update an existing admin user's PIN. Defaults t
         users = readUsersJson();
     }
     catch (err) {
+        const errMsg = err instanceof Error ? err.message : String(err);
         console.error(`${TAG} userId=${userIdLabel} result=user-not-found reason=users-json-read-failed`);
-        return { content: [{ type: "text", text: `${TAG} ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+        console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=fail store=users error=${errMsg}`);
+        return { content: [{ type: "text", text: `${TAG} ${errMsg}` }], isError: true };
     }
     const targetIndex = users.findIndex(u => u.userId === userId);
     if (targetIndex === -1) {
         console.error(`${TAG} userId=${userIdLabel} result=user-not-found`);
+        console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=fail store=users error=user-not-found`);
         return { content: [{ type: "text", text: `${TAG} User ${userId} not found in users.json.` }], isError: true };
     }
     const newHash = hashPin(newPin);
     const collidesWithOther = users.some((u, i) => i !== targetIndex && u.pin === newHash);
     if (collidesWithOther) {
         console.error(`${TAG} userId=${userIdLabel} result=collision`);
+        console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=fail store=users error=pin-collision`);
         return { content: [{ type: "text", text: `${TAG} That PIN is already in use by another user. Choose a different PIN.` }], isError: true };
     }
     users[targetIndex].pin = newHash;
@@ -931,9 +960,12 @@ server.tool("admin-update-pin", "Update an existing admin user's PIN. Defaults t
         writeUsersJson(users);
     }
     catch (err) {
-        return { content: [{ type: "text", text: `${TAG} Failed to write users.json: ${err instanceof Error ? err.message : String(err)}` }], isError: true };
+        const errMsg = err instanceof Error ? err.message : String(err);
+        console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=fail store=users error=${errMsg}`);
+        return { content: [{ type: "text", text: `${TAG} Failed to write users.json: ${errMsg}` }], isError: true };
     }
     console.error(`${TAG} userId=${userIdLabel} result=ok`);
+    console.error(`[admin-auth-store] action=update-pin userId=${userIdLabel} result=ok store=users`);
     const self = userId === callerUserId;
     return {
         content: [{ type: "text", text: `PIN updated${self ? "" : ` for userId ${userId}`}. The new PIN takes effect on the next login.` }],
@@ -1147,8 +1179,8 @@ server.tool("agent-list", "List all public (non-admin) agents with their full co
         };
     }
 });
-server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=system/error/session/public) are now per-conversation — pass `conversationId` to retrieve a single conversation's log from first [spawn] to final [process-exit]. type=system: raw Claude stream-json + agent events + [tool-wait]/[tool-wait-diag]/[tool-wait-proc] telemetry + MCP server stderr via tee. type=session: SSE events sent to client. type=error: Claude subprocess stderr (raw — NODE_DEBUG HTTP/NET/UNDICI traces land in system via the stream tee, not here). type=heartbeat: platform event dispatcher (check-due-events cron). type=public: public agent diagnostic log. type=server: platform server log. type=mcp: MCP server stderr (per-plugin raw). type=vnc: VNC browser viewer lifecycle. type=review: log-review detector decisions. sessionKey: grep legacy sessionKey-tagged lines across all logs (useful for pre-Task-532 artefacts). When conversationId is provided, reads the single per-conversation file for the requested type (or dumps all type files for that conversationId if type is omitted).", {
-    type: z.enum(["system", "session", "error", "heartbeat", "public", "server", "mcp", "vnc", "review"]).optional(),
+server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=agent-stream/error/session/public) are now per-conversation — pass `conversationId` to retrieve a single conversation's log from first [spawn] to final [process-exit]. type=agent-stream: per-conversation tool-use/tool-result archive (every `[tool-use]` and `[tool-result]` pair with full input + output JSON, plus raw Claude stream-json, agent events, and MCP server stderr via tee). USE THIS when investigating what an agent ACTUALLY did with its tools — server.log only carries `[persist] tool-call persisted` markers, not bodies. (`type=system` is a backwards-compatible alias for the same archive.) type=session: SSE events sent to client. type=error: Claude subprocess stderr (raw — NODE_DEBUG HTTP/NET/UNDICI traces land in agent-stream via the stream tee, not here). type=heartbeat: platform event dispatcher (check-due-events cron). type=public: public agent diagnostic log. type=server: platform server log. type=mcp: MCP server stderr (per-plugin raw). type=vnc: VNC browser viewer lifecycle. type=review: log-review detector decisions. sessionKey: grep legacy sessionKey-tagged lines across all logs (useful for pre-Task-532 artefacts). When conversationId is provided, reads the single per-conversation file for the requested type (or dumps all type files for that conversationId if type is omitted).", {
+    type: z.enum(["agent-stream", "system", "session", "error", "heartbeat", "public", "server", "mcp", "vnc", "review"]).optional(),
     lines: z.number().optional(),
     sessionKey: z.string().optional(),
     conversationId: z.string().optional(),
@@ -1181,16 +1213,17 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=syst
                 return { content: [{ type: "text", text: `Log directory does not exist: ${LOG_DIR}` }] };
             }
             const prefixMap = {
-                system: "claude-agent-stream",
+                "agent-stream": "claude-agent-stream",
+                system: "claude-agent-stream", // Task 850 — backwards-compatible alias for agent-stream
                 error: "claude-agent-stderr",
                 session: "sse-events",
                 public: "public-agent-stream",
             };
-            const resolvedType = type ?? "system";
+            const resolvedType = type ?? "agent-stream";
             const prefix = prefixMap[resolvedType];
             if (!prefix) {
                 return {
-                    content: [{ type: "text", text: `type=${resolvedType} is not per-conversation. Valid per-conversation types: system, error, session, public. For platform-scoped types (server, vnc, review, heartbeat, mcp) omit conversationId.` }],
+                    content: [{ type: "text", text: `type=${resolvedType} is not per-conversation. Valid per-conversation types: agent-stream, error, session, public. For platform-scoped types (server, vnc, review, heartbeat, mcp) omit conversationId.` }],
                     isError: true,
                 };
             }
@@ -1234,7 +1267,8 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=syst
         // --- Session-key filtered mode: grep across log files ---
         if (sessionKey) {
             const prefixes = {
-                system: "claude-agent-stream-",
+                "agent-stream": "claude-agent-stream-",
+                system: "claude-agent-stream-", // Task 850 — backwards-compatible alias
                 error: "claude-agent-stderr-",
                 session: "sse-events-",
                 public: "public-agent-stream-",
@@ -1332,7 +1366,7 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=syst
             return { content: [{ type: "text", text: `# Session timeline: ${sessionKey}\n\n${sections.join("\n\n")}` }] };
         }
         // --- Standard mode: tail most recent file of the requested type ---
-        const resolvedType = type ?? "system";
+        const resolvedType = type ?? "agent-stream";
         // Heartbeat log is a single fixed file, not prefix-based
         if (resolvedType === "heartbeat") {
             const logFile = resolve(LOG_DIR, "check-due-events.log");
@@ -1381,6 +1415,8 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=syst
             }).toString();
             return { content: [{ type: "text", text: `# review.log\n\n${result}` }] };
         }
+        // Task 850 — agent-stream and the legacy system alias both map to
+        // claude-agent-stream-. The fall-through default also covers them.
         const prefix = resolvedType === "error" ? "claude-agent-stderr-"
             : resolvedType === "session" ? "sse-events-"
                 : resolvedType === "public" ? "public-agent-stream-"