@rubytech/create-realagent 1.0.817 → 1.0.819

package/payload/server/server.js

@@ -51,7 +51,7 @@ import {
   vncLog,
   waitForExit,
   writeChromiumWrapper
-} from "./chunk-P3HTEK33.js";
+} from "./chunk-AJLGI7Y3.js";
 import {
   agentLogStream,
   clearSessionHistory,
@@ -79,7 +79,7 @@ import {
   sigtermFlushStreamLogs,
   unregisterSession,
   validateSession
-} from "./chunk-UYLZDEMC.js";
+} from "./chunk-ON3LBL2Y.js";
 import {
   ACCOUNTS_DIR,
   GREETING_DIRECTIVE,
@@ -119,10 +119,227 @@ import {
   verifyAndGetConversationUpdatedAt,
   verifyConversationOwnership,
   writeAdminUserAndPerson
-} from "./chunk-TQTMKIW6.js";
+} from "./chunk-PXQA2MA3.js";
 
-// ../lib/graph-trash/dist/index.js
+// ../lib/graph-write/dist/audit.js
+var require_audit = __commonJS({
+  "../lib/graph-write/dist/audit.js"(exports) {
+    "use strict";
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.auditCypherWrite = auditCypherWrite;
+    exports.formatAuditLine = formatAuditLine;
+    var EDGE_PATTERN = /\[[^\]]*?:([A-Z_][A-Za-z0-9_]*(?:\|[A-Z_][A-Za-z0-9_]*)*)[^\]]*?\]/g;
+    var CREATE_OR_MERGE_NODE = /\b(?:CREATE|MERGE)\s*\(\s*[A-Za-z_][A-Za-z0-9_]*\s*:\s*[A-Z]/g;
+    var PROVENANCE_TOKEN = /\bcreatedBy(?:Agent|Tool|Session|Source)\b/g;
+    function stripStringLiterals(cypher) {
+      return cypher.replace(/'[^']*'|"[^"]*"/g, '""');
+    }
+    function extractEdgeTypes(cleaned) {
+      const out = /* @__PURE__ */ new Set();
+      for (const m of cleaned.matchAll(EDGE_PATTERN)) {
+        for (const t of m[1].split("|")) {
+          const clean = t.trim();
+          if (clean)
+            out.add(clean);
+        }
+      }
+      return out;
+    }
+    function countCreateOrMergeNodes(cleaned) {
+      const matches = cleaned.match(CREATE_OR_MERGE_NODE);
+      return matches ? matches.length : 0;
+    }
+    function countProvenanceStamps(cleaned) {
+      const matches = cleaned.match(PROVENANCE_TOKEN);
+      return matches ? matches.length : 0;
+    }
+    function auditCypherWrite(input) {
+      const warnings = [];
+      const cleaned = stripStringLiterals(input.cypher);
+      const referencedTypes = extractEdgeTypes(cleaned);
+      for (const t of referencedTypes) {
+        if (!input.schema.relationshipTypes.has(t)) {
+          warnings.push({ kind: "unknown-type-warning", type: t });
+        }
+      }
+      if (input.nodesCreated > 0) {
+        const createOrMergeNodes = countCreateOrMergeNodes(cleaned);
+        if (createOrMergeNodes > 0) {
+          const stamps = countProvenanceStamps(cleaned);
+          if (stamps < createOrMergeNodes) {
+            warnings.push({
+              kind: "missing-provenance-warning",
+              created: createOrMergeNodes,
+              stamped: stamps
+            });
+          }
+        }
+      }
+      if (input.orphanIds.length > 0) {
+        warnings.push({ kind: "orphan-warning", orphanIds: input.orphanIds });
+      }
+      return warnings;
+    }
+    function formatAuditLine(line) {
+      const prefixField = `query="${line.cypherPrefix.replace(/"/g, "'")}"`;
+      switch (line.kind) {
+        case "accepted":
+          return `[graph-cypher-write] accepted ${prefixField} nodesCreated=${line.nodesCreated} relsCreated=${line.relsCreated} agentName=${line.agentName} sessionId=${line.sessionId}`;
+        case "orphan-warning":
+          return `[graph-cypher-write] orphan-warning ${prefixField} orphanIds=${line.orphanIds.join(",")}`;
+        case "unknown-type-warning":
+          return `[graph-cypher-write] unknown-type-warning ${prefixField} type=${line.type}`;
+        case "missing-provenance-warning":
+          return `[graph-cypher-write] missing-provenance-warning ${prefixField} created=${line.created} stamped=${line.stamped}`;
+      }
+    }
+  }
+});
+
+// ../lib/graph-write/dist/index.js
 var require_dist = __commonJS({
+  "../lib/graph-write/dist/index.js"(exports) {
+    "use strict";
+    var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports && exports.__exportStar || function(m, exports2) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports2, p)) __createBinding(exports2, m, p);
+    };
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.ACTION_PROVENANCE_LABELS = void 0;
+    exports.stampCreatedBy = stampCreatedBy;
+    exports.writeNodeWithEdges = writeNodeWithEdges2;
+    __exportStar(require_audit(), exports);
+    exports.ACTION_PROVENANCE_LABELS = /* @__PURE__ */ new Set([
+      "Person",
+      "UserProfile",
+      "AdminUser",
+      "Organization",
+      "LocalBusiness",
+      "CloudflareTunnel",
+      "CloudflareHostname"
+    ]);
+    function requiresActionProvenance(labels) {
+      for (const label of labels) {
+        if (exports.ACTION_PROVENANCE_LABELS.has(label))
+          return true;
+      }
+      return false;
+    }
+    function findProducedFromTaskCandidates(relationships) {
+      return relationships.filter((r) => r.type === "PRODUCED" && r.direction === "incoming");
+    }
+    function stampCreatedBy(props, createdBy) {
+      return {
+        ...props,
+        createdByAgent: createdBy.agent ?? "unknown",
+        createdBySession: createdBy.session ?? "unknown",
+        createdByTool: createdBy.tool ?? null,
+        createdBySource: createdBy.source ?? null
+      };
+    }
+    async function writeNodeWithEdges2(params) {
+      const { session, labels, props, relationships, createdBy } = params;
+      const agentLabel = createdBy.agent ?? createdBy.source ?? "unknown";
+      const labelCsv = labels.join(",");
+      const reviewDigestActionTool = typeof props.actionTool === "string" && props.actionTool === "review-digest-compose";
+      if (labels.includes("ReviewAlert") || reviewDigestActionTool) {
+        const actionToolField = reviewDigestActionTool ? "review-digest-compose" : "n/a";
+        process.stderr.write(`[graph-write] reject reason=removed-feature labels=${labelCsv} actionTool=${actionToolField} agent=${agentLabel}
+`);
+        throw new Error("Write doctrine violated: review-detector feature removed (Task 884) \u2014 `:ReviewAlert` and `:Event {actionTool:'review-digest-compose'}` writes are not allowed.");
+      }
+      if (!relationships || relationships.length < 1) {
+        process.stderr.write(`[graph-write] reject reason=zero-relationships labels=${labelCsv} agent=${agentLabel}
+`);
+        throw new Error("Write doctrine violated: a node must be created with at least one relationship. See .docs/neo4j.md (Write doctrine).");
+      }
+      const labelStr = labels.map((l) => `\`${l.replace(/`/g, "")}\``).join(":");
+      const nodeProps = stampCreatedBy(props, createdBy);
+      return await session.executeWrite(async (tx) => {
+        const targetIds = relationships.map((r) => r.targetNodeId);
+        const check = await tx.run(`UNWIND $ids AS id MATCH (t) WHERE elementId(t) = id RETURN elementId(t) AS id, labels(t) AS labels`, { ids: targetIds });
+        const labelsByTarget = /* @__PURE__ */ new Map();
+        for (const rec of check.records) {
+          labelsByTarget.set(rec.get("id"), rec.get("labels"));
+        }
+        const found = labelsByTarget.size;
+        const uniqueRequested = new Set(targetIds).size;
+        if (found !== uniqueRequested) {
+          process.stderr.write(`[graph-write] reject reason=unresolved-target labels=${labelCsv} agent=${agentLabel} requested=${uniqueRequested} found=${found}
+`);
+          throw new Error(`Write doctrine violated: ${uniqueRequested - found} of ${uniqueRequested} relationship target(s) did not resolve (elementId mismatch). No node created.`);
+        }
+        let producedByTaskId = null;
+        if (requiresActionProvenance(labels) && (createdBy.agent ?? "") !== "system") {
+          const candidates = findProducedFromTaskCandidates(relationships);
+          const taskCandidates = candidates.filter((r) => {
+            const lbls = labelsByTarget.get(r.targetNodeId);
+            return Array.isArray(lbls) && lbls.includes("Task");
+          });
+          if (taskCandidates.length === 0) {
+            process.stderr.write(`[graph-write] reject reason=missing-action-provenance labels=${labelCsv} agent=${agentLabel}
+`);
+            throw new Error(`Process provenance doctrine violated: write to ${labelCsv} requires an inbound :PRODUCED edge from a :Task (createdBy.agent='${agentLabel}'). See .docs/neo4j.md (Process provenance doctrine).`);
+          }
+          producedByTaskId = taskCandidates[0].targetNodeId;
+        }
+        let nodeRes;
+        try {
+          nodeRes = await tx.run(`CREATE (n:${labelStr} $props) RETURN elementId(n) AS nodeId, labels(n) AS nodeLabels`, { props: nodeProps });
+        } catch (err) {
+          const code = err?.code ?? "";
+          if (code === "Neo.ClientError.Schema.ConstraintValidationFailed" && labels.includes("UserProfile")) {
+            const accountIdProp = nodeProps.accountId;
+            const userIdProp = nodeProps.userId;
+            const acctSlice = typeof accountIdProp === "string" ? accountIdProp.slice(0, 8) : "unknown";
+            const userSlice = typeof userIdProp === "string" ? userIdProp.slice(0, 8) : "unknown";
+            process.stderr.write(`[graph-write] reject reason=user-profile-uniqueness-violation accountId=${acctSlice} userId=${userSlice} writer=${agentLabel}
+`);
+          }
+          throw err;
+        }
+        const nodeId = nodeRes.records[0].get("nodeId");
+        const nodeLabels = nodeRes.records[0].get("nodeLabels");
+        let edgesCreated = 0;
+        for (const rel of relationships) {
+          const type = rel.type.replace(/`/g, "");
+          const q = rel.direction === "outgoing" ? `MATCH (a), (b) WHERE elementId(a) = $from AND elementId(b) = $to CREATE (a)-[:\`${type}\`]->(b)` : `MATCH (a), (b) WHERE elementId(a) = $from AND elementId(b) = $to CREATE (b)-[:\`${type}\`]->(a)`;
+          const r = await tx.run(q, { from: nodeId, to: rel.targetNodeId });
+          const created = r.summary.counters.updates().relationshipsCreated;
+          if (created === 0) {
+            process.stderr.write(`[graph-write] reject reason=unresolved-target-on-create labels=${labelCsv} agent=${agentLabel} relType=${rel.type} targetId=${rel.targetNodeId}
+`);
+            throw new Error(`Write doctrine violated: relationship CREATE to target ${rel.targetNodeId} produced 0 edges (target likely deleted concurrently after pre-check). Transaction rolled back.`);
+          }
+          edgesCreated += created;
+        }
+        if (edgesCreated !== relationships.length) {
+          process.stderr.write(`[graph-write] reject reason=edge-count-mismatch labels=${labelCsv} agent=${agentLabel} requested=${relationships.length} created=${edgesCreated}
+`);
+          throw new Error(`Write doctrine violated: expected ${relationships.length} edges, created ${edgesCreated}. Transaction rolled back.`);
+        }
+        process.stderr.write(`[graph-write] accepted labels=${labelCsv} edges=${edgesCreated} createdByAgent=${createdBy.agent ?? "unknown"} createdByTool=${createdBy.tool ?? createdBy.source ?? "unknown"} producedByTask=${producedByTaskId ?? "none"}
+`);
+        return { nodeId, labels: nodeLabels, edgesCreated };
+      });
+    }
+  }
+});
+
+// ../lib/graph-trash/dist/index.js
+var require_dist2 = __commonJS({
   "../lib/graph-trash/dist/index.js"(exports) {
     "use strict";
     Object.defineProperty(exports, "__esModule", { value: true });
@@ -618,15 +835,15 @@ var serveStatic = (options = { root: "" }) => {
 };
 
 // server/index.ts
-import { readFileSync as readFileSync18, existsSync as existsSync24, watchFile } from "fs";
-import { resolve as resolve25, join as join10, basename as basename7 } from "path";
+import { readFileSync as readFileSync16, existsSync as existsSync22, watchFile } from "fs";
+import { resolve as resolve21, join as join9, basename as basename5 } from "path";
 import { homedir as homedir2 } from "os";
 
 // app/lib/agent-slug-pattern.ts
 var AGENT_SLUG_PATTERN = /^\/([a-z][a-z0-9-]{2,49})$/;
 
 // server/routes/health.ts
-import { existsSync as existsSync6, readFileSync as readFileSync6 } from "fs";
+import { existsSync as existsSync3, readFileSync as readFileSync3 } from "fs";
 import { createConnection } from "net";
 
 // app/lib/network.ts
@@ -647,1562 +864,6 @@ function getLanIp() {
   return fallback;
 }
 
-// app/lib/review-detector/boot.ts
-import { basename as basename2 } from "path";
-
-// app/lib/review-detector/rules.ts
-import { readFileSync, writeFileSync, existsSync as existsSync2, statSync as statSync2, mkdirSync, renameSync } from "fs";
-import { resolve, dirname } from "path";
-var DEFAULT_SCAN_INTERVAL_MS = 5e3;
-var RATE_LIMIT_PATTERN = "rate[- ]?limit(?:ed| reached| hit)|(?:HTTP|status)[^a-z]{0,3}429|too many requests";
-var RATE_LIMIT_PATTERN_V1 = "\\b429\\b|rate.?limit|too.?many.?requests";
-var VALID_TYPES = /* @__PURE__ */ new Set([
-  "reconnect-loop",
-  "repeated-error",
-  "silent-catch",
-  "file-write-storm",
-  "stale-log",
-  "rate-limit",
-  "absent-followup"
-]);
-var MAX_FOLLOWUP_WINDOW_MS = 6e5;
-var VALID_SOURCES = /* @__PURE__ */ new Set([
-  "any",
-  "server",
-  "vnc",
-  "system",
-  "error",
-  "session",
-  "public",
-  "mcp",
-  "cloudflared",
-  "config-dir"
-]);
-var VALID_SCOPES = /* @__PURE__ */ new Set(["global", "session"]);
-function defaultRules() {
-  return [
-    {
-      id: "whatsapp-reconnect-loop",
-      name: "WhatsApp Baileys reconnect loop",
-      type: "reconnect-loop",
-      logSource: "server",
-      pattern: "\\[whatsapp:baileys\\] ERROR",
-      thresholdCount: 5,
-      thresholdWindowMinutes: 10,
-      suggestedAction: "Check Baileys init-queries error. Run `/investigate` on the WhatsApp subsystem, or pause WhatsApp and re-pair the account from chat."
-    },
-    {
-      id: "repeated-error-generic",
-      name: "Repeated error signature",
-      type: "repeated-error",
-      // Match generic ERROR lines with a bracketed prefix. Fingerprinting by
-      // first 80 chars happens in the evaluator.
-      logSource: "server",
-      pattern: "\\] ERROR ",
-      thresholdCount: 20,
-      thresholdWindowMinutes: 60,
-      suggestedAction: "Repeated error burst. Tail the relevant log via `logs-read` and identify the upstream cause."
-    },
-    {
-      id: "silent-catch-fingerprint",
-      name: "Silent catch-block fingerprint",
-      type: "silent-catch",
-      // Patterns that historically indicated a silent catch. Every match is
-      // worth an alert — never suppressed by frequency.
-      logSource: "any",
-      pattern: "(UnhandledPromiseRejection|catch.*ignored|swallowed error|silent failure)",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "A silent-failure fingerprint appeared in logs. Read the surrounding context and turn the catch into loud failure per CLAUDE.md rule 'Observability Is Non-Negotiable'."
-    },
-    {
-      id: "credentials-write-storm",
-      name: "Credentials directory write storm",
-      type: "file-write-storm",
-      logSource: "config-dir",
-      pattern: "",
-      watchPath: "credentials",
-      thresholdCount: 5,
-      thresholdWindowMinutes: 5,
-      suggestedAction: "The credentials directory is being rewritten repeatedly. This usually means a subsystem is stuck in an auth-retry loop. Check which file is being rewritten and trace the caller."
-    },
-    // The stale-log rule type is fully supported by the evaluator but the
-    // default seed does not ship an instance of it. Choosing the right file
-    // to watch is subsystem-specific (e.g. a plugin-specific log that stops
-    // when the plugin dies); server.log is the wrong target because it is
-    // written continuously by the detector's own cycle events, so it never
-    // goes stale. Users can add a targeted stale-log rule via
-    // `review-rules-add` when they know which file matters for their
-    // subsystem.
-    {
-      id: "http-rate-limit-429",
-      name: "HTTP 429 rate-limit hit",
-      type: "rate-limit",
-      logSource: "any",
-      pattern: RATE_LIMIT_PATTERN,
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "An external API returned 429 (rate-limited). Identify the caller and add backoff, or check the quota on the relevant API key."
-    },
-    {
-      id: "approval-bypass-detected",
-      name: "Approval gating bypass",
-      type: "repeated-error",
-      logSource: "error",
-      pattern: "\\[persist\\].*(?:email-send|email-reply|whatsapp-send|whatsapp-send-document|message|contact-erase).*approval=auto-executed",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "An external-facing tool executed with auto-executed approval state. Check account.json approvalPolicy \u2014 if this tool should require review, the gating hook may have been bypassed or the policy was changed."
-    },
-    {
-      // Task 530: catches the bridgeai-style class where a single conversation
-      // sees the same tool error repeatedly and the agent silently falls back.
-      // Session-scoped so cross-conversation coincidence doesn't trigger it.
-      id: "tool-result-recurring-errors",
-      name: "Tool result errors recurring in a conversation",
-      type: "repeated-error",
-      logSource: "system",
-      pattern: "\\[tool-result\\].*error=true",
-      thresholdCount: 2,
-      thresholdWindowMinutes: 5,
-      scope: "session",
-      suggestedAction: 'The same conversation has logged multiple tool failures. Use the admin `logs-read` MCP tool with `type: "system"` (or the `logs-read.sh` script with the conversationId) to retrieve the adjacent [tool-failure-diag] lines and identify whether the cause is DNS, TCP, HTTP, or the tool\'s internal pipeline \u2014 then adapt the next attempt to match. Never retry the same tool against the same target without diagnostic-grounded reasoning.'
-    },
-    {
-      // Task 532: closes the "60-second black-box tool wait" class. Fires when
-      // a tool hits the 30-second mark of the mid-flight heartbeat. The
-      // pattern anchors on elapsed=30s specifically (the tool-wait tick emits
-      // one line per 5s per tool, so matching every tick would be noisy) and
-      // excludes tools whose long runtime is expected: `Task`/`Agent` subagent
-      // dispatch, `Bash` with explicit long timeouts.
-      id: "tool-wait-long-stall",
-      name: "Tool wait exceeds 30 seconds (possible stall)",
-      type: "repeated-error",
-      logSource: "system",
-      pattern: "\\[tool-wait\\][^\\n]*name=(?!Task\\b|Agent\\b|Bash\\b)[A-Za-z0-9_]+[^\\n]*elapsed=30s",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      scope: "session",
-      suggestedAction: "A tool call has been pending for 30 seconds without a result. Read the adjacent [tool-wait-diag] and [tool-wait-proc] lines in the conversation's stream log to determine whether the network remained healthy, the subprocess held active sockets, and the HTTP request reached the wire. If diag shows a healthy network but the subprocess has no [subproc-stderr] UNDICI/HTTP activity during the wait window, the tool's internal pipeline is stalled \u2014 do not retry the same request against the same target without a change in approach."
-    },
-    {
-      // Task 536: detect agents ignoring the WEBFETCH_CANNOT_READ_JS_SPA
-      // structured failure. A single SPA short-circuit per conversation is
-      // expected — the hook is doing its job. Two or more in the same
-      // conversation within 5 minutes means either (a) the agent retried
-      // WebFetch on the same SPA URL despite the directive, or (b) the
-      // owner is asking about multiple SPA URLs in one session and the
-      // pattern needs surfacing as a recurring class. Both signal that the
-      // IDENTITY.md "Tool Failure Discipline" guidance is not landing in the
-      // prompt — revise the copy rather than add mechanical enforcement.
-      id: "webfetch-spa-short-circuit-recurring",
-      name: "WebFetch JS-SPA short-circuit fired repeatedly in conversation",
-      type: "repeated-error",
-      logSource: "system",
-      pattern: "WEBFETCH_CANNOT_READ_JS_SPA",
-      thresholdCount: 2,
-      thresholdWindowMinutes: 5,
-      scope: "session",
-      suggestedAction: "The WebFetch SPA preflight has fired more than once in this conversation. Either the agent is ignoring the loud-failure directive (retrying WebFetch after seeing WEBFETCH_CANNOT_READ_JS_SPA), or multiple SPA URLs are being asked about. Read the conversation's stream log for the [tool-use] / [tool-result] sequence around each occurrence \u2014 if the agent dispatched WebFetch on the same URL or substituted Playwright silently, revisit the IDENTITY.md `Tool Failure Discipline` paragraph that names structured-error handling."
-    },
-    {
-      // Task 538: fires when a [spawn] line appears in a conversation's stream
-      // log but no subprocess-lifecycle marker follows within 10s. The three
-      // acceptable followups are Task 535's contract — at least one must be
-      // emitted immediately at every spawn site. Their absence means
-      // `teeProcStderrToStreamLog` regressed, the markers drifted, or the
-      // spawn site was added without wiring them up. Session scope so a single
-      // broken conversation fires exactly once, not N times for every spawn.
-      id: "subproc-tee-silent-spawn",
-      name: "Subprocess spawn without a stderr-tee lifecycle marker",
-      type: "absent-followup",
-      logSource: "system",
-      pattern: "\\[spawn\\] pid=\\d+",
-      followupPattern: "\\[subproc-stderr-tee-attached\\]|\\[subproc-debug-unavailable\\]|\\[subproc-stderr-skip\\]",
-      followupWindowMs: 1e4,
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      scope: "session",
-      suggestedAction: "The main-subprocess tee infrastructure has regressed \u2014 a spawn produced no lifecycle marker. Re-check `teeProcStderrToStreamLog` is invoked at the spawn site and that `[subproc-debug-unavailable]` or `[subproc-stderr-skip]` is written immediately when the tee cannot attach (Task 535 contract)."
-    },
-    {
-      // Task 533: surface every Cloudflare-plugin refusal. The plugin emits
-      // exactly one [cloudflare:refuse] line per refusal with a structured
-      // reason field; any single occurrence on a previously-clean device
-      // means the bound Cloudflare account does not match the operator's
-      // intent (or the post-flight FQDN drifted) and the operator needs to
-      // act in the dashboard.
-      id: "cloudflare-refuse",
-      name: "Cloudflare plugin refusal",
-      type: "silent-catch",
-      logSource: "any",
-      pattern: "\\[cloudflare:refuse\\]|\\[cloudflare:post-flight-mismatch\\]",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "The Cloudflare plugin refused an operation. Read the refusal `reason` field in the adjacent log line. For `account-drift` or `unbound-device`, run `tunnel-login force=true` while the operator is signed into the correct Cloudflare account in the browser. For `hostname-zone-not-routable`, the domain is not on Cloudflare yet \u2014 guide the operator to add it via the Cloudflare dashboard. For `post-flight-fqdn-mismatch` or `bound-account-does-not-own-hostname`, the laptop is signed into the wrong Cloudflare account \u2014 guide the operator to switch accounts in the dashboard, then re-run `tunnel-login force=true`."
-    },
-    {
-      // Task 540: the single highest-priority refusal — surface it immediately
-      // and independently of the generic cloudflare-refuse rule so the admin
-      // agent sees it on the very next turn. This is the exact class that
-      // burned the operator for 8 days across 9+ sessions (Apr 11–18, 2026):
-      // tunnel running locally, dashboard serving the wrong account, nothing
-      // from the internet reaches the laptop, and no prior telemetry surfaced
-      // it in time for the agent to self-correct.
-      id: "cloudflare-bound-account-mismatch",
-      name: "Cloudflare bound account does not own the configured hostnames",
-      type: "silent-catch",
-      logSource: "any",
-      pattern: '"reason":"bound-account-does-not-own-hostname"',
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "This laptop is signed into a Cloudflare account that does not own the hostnames the tunnel is configured to serve. Run `tunnel-status` to confirm, then tell the operator verbatim: 'The tunnel is running on this laptop but nothing from the internet is reaching it. The Cloudflare account this laptop is signed into doesn't own your domain. Open Cloudflare in your browser \u2014 is the account name in the top-left the one that owns your domain? If not, switch to the correct one, then tell me and I will re-sign-in.' When the operator confirms the correct account is selected, run `tunnel-login force=true`."
-    },
-    {
-      // Task 545: tunnel-login's terminal-failure class — cloudflared's
-      // login process died without writing cert.pem. Covers every reason
-      // the handler emits on the `failed` branch: either an unknown exit
-      // (`-without-cert`), an exit preceded by the courtesy browser-launch
-      // marker (`-with-marker`), auth URL never produced (`-timeout`), or
-      // crashed before producing it at all. Task 541's original pattern
-      // matched `reason=browser-launch-fetch-error` — Task 545 retired
-      // that reason because the marker alone is no longer terminal
-      // (cloudflared keeps its OAuth-callback loop alive after emitting
-      // it). Use this pattern for any new terminal reason the handler
-      // gains: extend the alternation rather than adding parallel rules.
-      id: "cloudflare-tunnel-login-failed",
-      name: "Cloudflare tunnel-login process terminated without writing cert",
-      type: "silent-catch",
-      logSource: "any",
-      pattern: "\\[cloudflare:tunnel-login:failed\\] reason=(login-process-exited-without-cert|login-process-exited-with-marker|auth-url-timeout|process-exited-before-auth-url)",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "The cloudflared login process died before cert.pem landed on disk. For `login-process-exited-*` reasons the tunnel-login tool detected the dead process on the next call and has already respawned it \u2014 relay the new sign-in URL and wait for the operator to authorize in the VNC browser. For `auth-url-timeout` / `process-exited-before-auth-url`, the tool's most recent call returned an error and did not respawn \u2014 call `tunnel-login` again to spawn a fresh attempt. Never open the Cloudflare dashboard in any other surface; the only auth path is the sign-in URL the tool produces."
-    },
-    {
-      // Task 545: non-terminal advisory. cloudflared's browser-launch
-      // subcommand failed (DISPLAY unreachable, xdg-open absent, etc.) but
-      // its OAuth-callback listener is still running — the login can still
-      // complete if a human opens the URL. This rule fires so the admin
-      // agent can relay "open the URL yourself" to the operator the moment
-      // the condition appears, rather than waiting for the operator to
-      // notice nothing is happening in their browser. Task 546 will
-      // obsolete the advisory by rendering auth URLs that auto-open in
-      // the VNC browser.
-      id: "cloudflare-tunnel-login-browser-launch-failed",
-      name: "cloudflared couldn't open the sign-in URL (login still live)",
-      type: "silent-catch",
-      logSource: "any",
-      pattern: "\\[cloudflare:tunnel-login:browser-launch-failed\\]",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "cloudflared's browser-launch courtesy failed on this laptop, but the sign-in URL is still live \u2014 the process is waiting for the OAuth callback. Tell the operator to open the sign-in URL in the VNC browser themselves and complete the authorization. The tunnel-login tool already includes the URL and the advisory in its most recent response; do not restart the login (that would invalidate the URL the operator is about to open)."
-    },
-    {
-      // Task 545: raw-log surface. cloudflared-login.log is now read by
-      // the review-detector's `cloudflared` source (see sources.ts). The
-      // literal "Failed to fetch resource" is emitted by cloudflared
-      // itself when its browser-launch subcommand can't reach a display.
-      // This rule catches the cloudflared-side event even if the MCP
-      // handler's classification drifts or the platform is restarting
-      // mid-login and the advisory log line is not yet written. Keeping
-      // this rule on a different source (log-line, not MCP stderr) makes
-      // the detection redundant in the "defence in depth" sense — if the
-      // MCP classification ever regresses, this still fires.
-      id: "cloudflared-login-browser-launch-failed-raw",
-      name: "cloudflared login \u2014 browser-launch fetch error in log",
-      type: "silent-catch",
-      logSource: "cloudflared",
-      pattern: "Failed to fetch resource",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "cloudflared-login.log shows the browser-launch courtesy failed. The sign-in URL from the last tunnel-login call is still live \u2014 the cloudflared process waits for the OAuth callback regardless of whether it could open the browser itself. Tell the operator to open the sign-in URL manually in the VNC browser on the device."
-    },
-    {
-      // Task 540: cloudflared.log is the one file most likely to carry the
-      // "tunnel is having real-world connectivity problems" signal — QUIC
-      // connection failures, connector drops, edge unreachability. Prior to
-      // this rule it was written but never read (the review-detector had no
-      // rule coverage for it). A single ERR line is worth surfacing; the
-      // tee'd output is typically noise-free.
-      // Task 862: setup-tunnel.sh emits `[script:setup-tunnel]
-      // step=onboarding-persist result=skipped reason=no-account-dir` via
-      // phase_line when ACCOUNT_DIR is unset. Pre-Task-862, the form-driven
-      // action runner threaded STREAM_LOG_PATH but not ACCOUNT_DIR, so the
-      // line landed in the agent's stream log (system source) and the user
-      // looped on currentStep=6 indefinitely.
-      // The agent-via-Bash path also threads STREAM_LOG_PATH; operator-SSH
-      // does not — that's the disambiguator. If this pattern reappears in
-      // a system log, a future invocation surface forgot to declare
-      // ACCOUNT_DIR. Fix at action-runner.ts WHITELIST['cloudflare-setup'],
-      // not in the script.
-      id: "cloudflare-setup-account-dir-missing",
-      name: "cloudflare-setup ran without ACCOUNT_DIR \u2014 onboarding step-7 will not persist",
-      type: "silent-catch",
-      logSource: "system",
-      pattern: "\\[script:setup-tunnel\\] step=onboarding-persist result=skipped reason=no-account-dir",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "An invocation surface for setup-tunnel.sh failed to declare ACCOUNT_DIR. Without it the script's step-7 persist block (Task 562) skips, leaving OnboardingState.currentStep=6 forever. Inspect platform/ui/server/lib/action-runner.ts WHITELIST['cloudflare-setup'].build (Task 862 thread) and platform/ui/app/lib/claude-agent/spawn-env.ts buildSpawnEnv (Task 562 thread) \u2014 confirm ACCOUNT_DIR is in the env map for whichever surface the action-id prefix indicates. Do NOT change setup-tunnel.sh; the skipped branch is correct for operator-SSH reconfigure flows."
-    },
-    {
-      id: "cloudflared-edge-errors",
-      name: "cloudflared edge connectivity errors",
-      type: "silent-catch",
-      logSource: "cloudflared",
-      pattern: "^\\S+ ERR (Failed to refresh protocol|no more connections active|Failed to dial a quic connection)",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "cloudflared is reporting edge connectivity errors in its daemon log. Read the last 20 lines of `cloudflared.log` to see the surrounding context. Transient QUIC drops are normal; sustained failures (more than a handful in a minute) point to either a network issue on this laptop or an edge-side routing problem. Run `tunnel-status` to check whether end-to-end probing still succeeds."
-    },
-    {
-      // Task 543: fires when an agent turn contains an opposing-axis choice-fork
-      // question ("Want me to X, or Y?"). Every occurrence is a violation of the
-      // IDENTITY § Questions rule — Rule A (one-sided questions) catches them
-      // all, and the sharper sub-class (Rule B — no menu when a tool returned a
-      // deterministic signal) is isolated by Task 544's `preceded-by` tightening.
-      // logSource is "any" so the rule catches violations on both the admin
-      // stream (claude-agent-stream-*) and the public agent stream
-      // (public-agent-stream-*); the regex is agent-phrasing-specific and has
-      // not been observed in other log contexts. Session scope groups matches
-      // by conversationId so a single offending turn fires exactly once.
-      id: "agent-choice-fork",
-      name: "Agent emitted a choice-fork question",
-      type: "repeated-error",
-      logSource: "any",
-      pattern: "Want me to [^\\n]+, or [^\\n]+\\?",
-      thresholdCount: 1,
-      thresholdWindowMinutes: 60,
-      scope: "session",
-      suggestedAction: 'Agent emitted a choice-fork question ("Want me to X, or Y?") instead of a one-sided question or the prescribed action. Review Task 543 IDENTITY \xA7 Questions \u2014 the agent asked an opposing-axis question, or degraded a deterministic tool signal into a menu. The log sample shows the offending turn verbatim.'
-    },
-    {
-      // Task 546: fires when the operator clicks a device-bound URL affordance
-      // and the chat UI cannot drive the device browser — either CDP is
-      // unreachable, the navigation timed out, or CDP returned an error. The
-      // log line carries intent, hostname, and navigateResult so the admin
-      // agent can name the affected flow and hostname verbatim on its next
-      // turn. Every occurrence is worth surfacing (thresholdCount: 0) because
-      // this is the exact class of silent failure Task 546 exists to close:
-      // the operator clicked, nothing happened on the device, and if we don't
-      // review the click telemetry the agent has no way to know the flow is
-      // stuck.
-      id: "device-url-click-failed",
-      name: "Device-bound URL click failed to drive the VNC browser",
-      type: "silent-catch",
-      logSource: "server",
-      // Enumerate the NavigateResult union explicitly rather than relying
-      // on a (?!ok) negative lookahead anchored to a specific token order.
-      // If a new member is added to the union in cdp-client.ts, this rule
-      // must be updated in the same commit — the pattern is order-agnostic
-      // (browser= and navigateResult= can appear in either order) and the
-      // enumerated list compile-fails the source if it ever drifts from
-      // the shared type in device-url-schema.ts.
-      pattern: "\\[device-url:click\\][^\\n]*(?:browser=fallback|navigateResult=(?:timeout|cdp-unreachable|error))",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "A device-bound URL click failed to drive Chromium on the device's VNC display. Identify the `intent` and `hostname` from the log line, then check the VNC surface: read `vnc-boot.log` and confirm Chromium on :99 is responding on CDP port 9222. If CDP is unreachable, the operator needs to restart the VNC stack; if CDP is reachable but navigation errored, the URL itself may be malformed upstream \u2014 grep the stream log for the originating `[device-url:render]` line."
-    },
-    {
-      // Task 554: fires when an agent turn emits a synthesized localhost/127.0.0.1
-      // `__remote-auth/setup` URL. The only legitimate source for that URL is
-      // `remote-auth-status`, which emits it inside a `maxy-device-url` affordance
-      // block with the device's real hostname. A synthesized localhost variant is
-      // the exact failure mode Task 554 closed: the removed "direct the user to
-      // /__remote-auth/setup" clause in the password-setter's tool description
-      // invited URL synthesis from a partial path. Session scope groups matches
-      // by conversationId so a single offending turn fires exactly once, even if
-      // the URL appears multiple times in the streamed response.
-      id: "invented-remote-auth-url",
-      name: "Invented localhost/127.0.0.1 remote-auth setup URL",
-      type: "silent-catch",
-      logSource: "any",
-      pattern: "http(s)?://(localhost|127\\.0\\.0\\.1)[:\\w/.-]*__remote-auth/setup",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      scope: "session",
-      suggestedAction: "[Task 554 regression] An assistant turn emitted a synthesized localhost/127.0.0.1 remote-auth setup URL. The only authority for the browser-setup URL is `remote-auth-status`, which emits a `maxy-device-url` affordance block with the device's real hostname. Review the offending turn, confirm the `remote-auth-set-password` tool description and onboarding SKILL.md step 3 still lack URL-synthesis language, and patch whichever prose surface invited the synthesis."
-    },
-    {
-      // Task 553: fires when `anthropic-setup` auto-resets a revoked API key.
-      // The auto-reset is silent to the agent (the tool falls through to
-      // awaiting_signin in the same call), but it is operator-visible — the
-      // user's previously-stored key was just deleted because Anthropic
-      // rejected it. Surfacing the event lets the admin agent explain on the
-      // next turn why the user is being asked to sign in again instead of
-      // continuing normally. The matching string is the exact stable prefix
-      // emitted by the state machine immediately before `deleteKey()` is
-      // invoked.
-      id: "anthropic-setup-auth-error-auto-reset",
-      name: "Anthropic API key auto-reset on auth_error",
-      type: "silent-catch",
-      logSource: "any",
-      pattern: "\\[anthropic-setup\\] auth_error",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "The stored Anthropic API key was rejected by console.anthropic.com (invalid, revoked, or expired) and `anthropic-setup` auto-deleted it. On the next operator interaction, explain that the key was cleared and walk them through sign-in again via the onboarding skill \u2014 the tool already returned `awaiting_signin` with the correct `browser_evaluate` action on the same call."
-    },
-    {
-      // Task 562: setup-tunnel.sh persists step-7 completion to a filesystem
-      // flag before arming the service restart. The flag is consumed by the
-      // next session's `loadOnboardingStep` and `getOnboardingState` calls,
-      // so any runtime failure to write it means the next admin session
-      // will re-ask the Cloudflare question the user just answered. Every
-      // occurrence is loud-surface-worthy: the cause is either a permission
-      // issue on the onboarding directory or a filesystem problem on the
-      // device, and the recovery is deterministic (the operator can re-run
-      // setup-tunnel.sh or call `onboarding-complete-step` explicitly).
-      id: "setup-tunnel-onboarding-persist-failed",
-      name: "setup-tunnel.sh failed to persist step-7 completion",
-      type: "silent-catch",
-      logSource: "any",
-      pattern: "\\[script:setup-tunnel\\] step=onboarding-persist result=error",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "[Task 562] setup-tunnel.sh could not persist step-7 completion before arming the service restart. Read the `reason` field on the failing phase line: `fs-flag-dir-failed` means `${ACCOUNT_DIR}/onboarding/` is not writable (chmod issue or disk full); `fs-flag-write-failed` means the flag file itself could not be written. Without the flag, the next admin session will re-ask the Cloudflare question the user just answered. Recovery: fix the permission/disk issue, then either re-run `~/setup-tunnel.sh` (the flag-write is idempotent) or call `onboarding-complete-step` with step 7 from the admin chat to mark step 7 complete explicitly."
-    },
-    {
-      // Task 570: every `[llm-call] adminModel resolution FAILED:` line
-      // is a workflow LLM step that could not resolve a model because
-      // readAdminModel returned null. The stderr line carries `reason=`
-      // (enoent/eacces/fs_error/parse_error/field_missing/
-      // field_wrong_type/field_empty) so the admin agent can act on the
-      // specific failure mode rather than reading the generic persisted
-      // error and misdiagnosing. Every occurrence is worth surfacing —
-      // the workflow already failed when this line was emitted.
-      id: "workflow-admin-model-resolution-failed",
-      name: "Workflow readAdminModel returned null (reason code in log)",
-      type: "silent-catch",
-      logSource: "any",
-      pattern: "\\[llm-call\\] adminModel resolution FAILED:",
-      thresholdCount: 0,
-      thresholdWindowMinutes: 0,
-      suggestedAction: "A workflow LLM step could not resolve the account's adminModel. Read the log line's `reason=` field: `enoent` means the account.json path is wrong or the account is unprovisioned \u2014 inspect `path=` and confirm it exists. `eacces` means permission drift \u2014 check file ownership. `parse_error` means the file is malformed, likely mid-write or truncated \u2014 read the file and repair. `field_missing` / `field_wrong_type` / `field_empty` mean the `adminModel` field needs to be set to a valid model ID. Never edit the persisted WorkflowRun.error string; fix the underlying file or permissions and re-run the workflow."
-    },
-    {
-      // Task 561: fires when an admin-agent Bash tool call installs
-      // `bind9-dnsutils` at runtime. Post-Task-561 the Maxy installer
-      // (platform/scripts/setup.sh) provisions the package on every fresh
-      // and upgrade install, so `dig` is always in PATH before
-      // setup-tunnel.sh runs. An admin apt-install of bind9-dnsutils is
-      // therefore evidence the installer regressed (or the host is on a
-      // pre-Task-561 image); in either case the fix is to re-run the
-      // installer, not to patch apt-state from chat. Session scope so a
-      // single offending turn fires exactly once.
-      id: "admin-agent-apt-bind9-install",
-      name: "Admin agent installed bind9-dnsutils at runtime (installer regression)",
-      type: "repeated-error",
-      logSource: "any",
-      pattern: "\\[tool-use\\][^\\n]*name=Bash[^\\n]*apt-get install[^\\n]*bind9-dnsutils",
-      thresholdCount: 1,
-      thresholdWindowMinutes: 60,
-      scope: "session",
-      suggestedAction: "[Task 561 regression] The admin agent ran `apt-get install bind9-dnsutils` \u2014 the exact workaround Task 561 eliminated. The Maxy installer provisions `bind9-dnsutils` in `platform/scripts/setup.sh` so `dig` is always in PATH before `setup-tunnel.sh` runs. Do not patch apt-state from chat \u2014 re-run the installer (`npx -y @rubytech/create-maxy`) and verify the installer's apt-get line still includes `bind9-dnsutils`. If the package is present in setup.sh but missing on the device, the installer did not re-run step 1 on the current image."
-    }
-  ];
-}
-function rulesFilePath(configDir2) {
-  return resolve(configDir2, "review-rules.json");
-}
-function ensureRulesFile(configDir2) {
-  const path2 = rulesFilePath(configDir2);
-  if (existsSync2(path2)) return { created: false, path: path2 };
-  mkdirSync(dirname(path2), { recursive: true });
-  const body = {
-    scanIntervalMs: DEFAULT_SCAN_INTERVAL_MS,
-    rules: defaultRules()
-  };
-  atomicWriteJson(path2, body);
-  return { created: true, path: path2 };
-}
-function loadRules(configDir2) {
-  const path2 = rulesFilePath(configDir2);
-  if (!existsSync2(path2)) {
-    throw new Error(`rules file missing at ${path2}`);
-  }
-  const raw = readFileSync(path2, "utf-8");
-  let parsed;
-  try {
-    parsed = JSON.parse(raw);
-  } catch (err) {
-    throw new Error(`rules file ${path2} is not valid JSON: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  return validateRulesFile(parsed, path2);
-}
-function rulesFileMtime(configDir2) {
-  const path2 = rulesFilePath(configDir2);
-  try {
-    return statSync2(path2).mtimeMs;
-  } catch {
-    return null;
-  }
-}
-function saveRules(configDir2, file) {
-  validateRulesFile(file, rulesFilePath(configDir2));
-  atomicWriteJson(rulesFilePath(configDir2), file);
-}
-function atomicWriteJson(path2, body) {
-  const tmp = `${path2}.tmp.${process.pid}.${Date.now()}`;
-  writeFileSync(tmp, JSON.stringify(body, null, 2) + "\n", "utf-8");
-  renameSync(tmp, path2);
-}
-function validateRulesFile(input, sourceLabel) {
-  if (!input || typeof input !== "object") {
-    throw new Error(`${sourceLabel}: top-level must be an object`);
-  }
-  const obj = input;
-  const scanIntervalMs = obj.scanIntervalMs;
-  if (typeof scanIntervalMs !== "number" || scanIntervalMs < 500 || scanIntervalMs > 3e5) {
-    throw new Error(`${sourceLabel}: scanIntervalMs must be a number between 500 and 300000`);
-  }
-  const rulesRaw = obj.rules;
-  if (!Array.isArray(rulesRaw)) {
-    throw new Error(`${sourceLabel}: rules must be an array`);
-  }
-  const ids = /* @__PURE__ */ new Set();
-  const rules = rulesRaw.map((r, i) => validateRule(r, `${sourceLabel}#rules[${i}]`, ids));
-  return { scanIntervalMs, rules };
-}
-function addMissingDefaultRules(rulesFile) {
-  const existingIds = new Set(rulesFile.rules.map((r) => r.id));
-  const defaults = defaultRules();
-  let mutated = false;
-  for (const rule of defaults) {
-    if (!existingIds.has(rule.id)) {
-      rulesFile.rules.push(rule);
-      mutated = true;
-    }
-  }
-  return mutated;
-}
-function migrateRateLimitPattern(rulesFile) {
-  const rule = rulesFile.rules.find((r) => r.id === "http-rate-limit-429");
-  if (!rule) return false;
-  if (rule.pattern !== RATE_LIMIT_PATTERN_V1) return false;
-  rule.pattern = RATE_LIMIT_PATTERN;
-  return true;
-}
-function validateRule(input, label, seenIds) {
-  if (!input || typeof input !== "object") {
-    throw new Error(`${label}: rule must be an object`);
-  }
-  const r = input;
-  const id = r.id;
-  if (typeof id !== "string" || id.length === 0) {
-    throw new Error(`${label}: id must be a non-empty string`);
-  }
-  if (seenIds.has(id)) {
-    throw new Error(`${label}: duplicate rule id "${id}"`);
-  }
-  seenIds.add(id);
-  const name = r.name;
-  if (typeof name !== "string" || name.length === 0) {
-    throw new Error(`${label}: name must be a non-empty string`);
-  }
-  const type = r.type;
-  if (typeof type !== "string" || !VALID_TYPES.has(type)) {
-    throw new Error(`${label}: type must be one of ${[...VALID_TYPES].join(", ")}`);
-  }
-  const logSource = r.logSource;
-  if (typeof logSource !== "string" || !VALID_SOURCES.has(logSource)) {
-    throw new Error(`${label}: logSource must be one of ${[...VALID_SOURCES].join(", ")}`);
-  }
-  const pattern = r.pattern;
-  if (typeof pattern !== "string") {
-    throw new Error(`${label}: pattern must be a string (may be empty for stale-log/file-write-storm)`);
-  }
-  if (pattern.length > 0) {
-    try {
-      new RegExp(pattern);
-    } catch (err) {
-      throw new Error(`${label}: pattern is not a valid regex: ${err instanceof Error ? err.message : String(err)}`);
-    }
-  }
-  const thresholdCount = r.thresholdCount;
-  if (typeof thresholdCount !== "number" || thresholdCount < 0) {
-    throw new Error(`${label}: thresholdCount must be a non-negative number`);
-  }
-  const thresholdWindowMinutes = r.thresholdWindowMinutes;
-  if (typeof thresholdWindowMinutes !== "number" || thresholdWindowMinutes < 0) {
-    throw new Error(`${label}: thresholdWindowMinutes must be a non-negative number`);
-  }
-  const suggestedAction = r.suggestedAction;
-  if (typeof suggestedAction !== "string" || suggestedAction.length === 0) {
-    throw new Error(`${label}: suggestedAction must be a non-empty string`);
-  }
-  const rule = {
-    id,
-    name,
-    type,
-    logSource,
-    pattern,
-    thresholdCount,
-    thresholdWindowMinutes,
-    suggestedAction
-  };
-  if (typeof r.watchPath === "string") rule.watchPath = r.watchPath;
-  if (typeof r.staleHours === "number") rule.staleHours = r.staleHours;
-  if (typeof r.followupPattern === "string") {
-    if (r.followupPattern.length > 0) {
-      try {
-        new RegExp(r.followupPattern);
-      } catch (err) {
-        throw new Error(`${label}: followupPattern is not a valid regex: ${err instanceof Error ? err.message : String(err)}`);
-      }
-    }
-    rule.followupPattern = r.followupPattern;
-  }
-  if (typeof r.followupWindowMs === "number") rule.followupWindowMs = r.followupWindowMs;
-  if (typeof r.suppressedUntil === "string") rule.suppressedUntil = r.suppressedUntil;
-  if (r.scope !== void 0) {
-    if (typeof r.scope !== "string" || !VALID_SCOPES.has(r.scope)) {
-      throw new Error(`${label}: scope must be one of ${[...VALID_SCOPES].join(", ")}`);
-    }
-    rule.scope = r.scope;
-  }
-  if (rule.type === "file-write-storm" || rule.type === "stale-log") {
-    if (!rule.watchPath) {
-      throw new Error(`${label}: ${rule.type} rules require watchPath`);
-    }
-  }
-  if (rule.type === "stale-log") {
-    if (typeof rule.staleHours !== "number" || rule.staleHours <= 0) {
-      throw new Error(`${label}: stale-log rules require a positive staleHours`);
-    }
-  }
-  if (rule.type === "absent-followup") {
-    if (rule.pattern.length === 0) {
-      throw new Error(`${label}: absent-followup rules require a non-empty pattern`);
-    }
-    if (typeof rule.followupPattern !== "string" || rule.followupPattern.length === 0) {
-      throw new Error(`${label}: absent-followup rules require a non-empty followupPattern`);
-    }
-    if (typeof rule.followupWindowMs !== "number" || rule.followupWindowMs <= 0 || rule.followupWindowMs > MAX_FOLLOWUP_WINDOW_MS) {
-      throw new Error(`${label}: absent-followup rules require followupWindowMs in (0, ${MAX_FOLLOWUP_WINDOW_MS}]`);
-    }
-  }
-  return rule;
-}
-
-// app/lib/review-detector/sources.ts
-import { existsSync as existsSync3, readdirSync, statSync as statSync3, writeFileSync as writeFileSync2, renameSync as renameSync2, mkdirSync as mkdirSync2, openSync, readSync, closeSync, readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve2, join as join2, basename, dirname as dirname2 } from "path";
-function tailStatePath(configDir2) {
-  return resolve2(configDir2, "review-state.json");
-}
-function loadTailState(configDir2) {
-  const path2 = tailStatePath(configDir2);
-  if (!existsSync3(path2)) return {};
-  try {
-    const raw = readFileSync2(path2, "utf-8");
-    const parsed = JSON.parse(raw);
-    if (!parsed || typeof parsed !== "object") return {};
-    const clean = {};
-    for (const [key, value] of Object.entries(parsed)) {
-      const entry = value;
-      if (entry && typeof entry.offset === "number" && typeof entry.size === "number" && typeof entry.inode === "number") {
-        clean[key] = entry;
-      }
-    }
-    return clean;
-  } catch (err) {
-    console.error(`[review] tail state corrupt at ${path2}, starting fresh: ${err instanceof Error ? err.message : String(err)}`);
-    return {};
-  }
-}
-function saveTailState(configDir2, state) {
-  const path2 = tailStatePath(configDir2);
-  mkdirSync2(dirname2(path2), { recursive: true });
-  const tmp = `${path2}.tmp.${process.pid}.${Date.now()}`;
-  writeFileSync2(tmp, JSON.stringify(state, null, 2) + "\n", "utf-8");
-  renameSync2(tmp, path2);
-}
-function discoverSourceFiles(configDir2, accountLogDir2, logicalSource) {
-  if (logicalSource === "server") {
-    const p = resolve2(configDir2, "logs", "server.log");
-    return existsSync3(p) ? [{ logicalSource: "server", filepath: p }] : [];
-  }
-  if (logicalSource === "vnc") {
-    const p = resolve2(configDir2, "logs", "vnc-boot.log");
-    return existsSync3(p) ? [{ logicalSource: "vnc", filepath: p }] : [];
-  }
-  if (logicalSource === "cloudflared") {
-    const files2 = [];
-    const daemon = resolve2(configDir2, "logs", "cloudflared.log");
-    if (existsSync3(daemon)) files2.push({ logicalSource: "cloudflared", filepath: daemon });
-    const login = resolve2(configDir2, "logs", "cloudflared-login.log");
-    if (existsSync3(login)) files2.push({ logicalSource: "cloudflared", filepath: login });
-    return files2;
-  }
-  const prefix = {
-    system: "claude-agent-stream-",
-    error: "claude-agent-stderr-",
-    session: "sse-events-",
-    public: "public-agent-stream-",
-    mcp: "mcp-"
-  }[logicalSource];
-  if (!existsSync3(accountLogDir2)) return [];
-  const files = [];
-  let scanned = 0;
-  let skippedPrefixMismatch = 0;
-  let skippedNotLog = 0;
-  for (const entry of readdirSync(accountLogDir2)) {
-    scanned += 1;
-    const matchesPrefix = entry.startsWith(prefix);
-    const isLog = entry.endsWith(".log");
-    if (matchesPrefix && isLog) {
-      files.push({ logicalSource, filepath: join2(accountLogDir2, entry) });
-    } else if (!matchesPrefix) {
-      skippedPrefixMismatch += 1;
-    } else {
-      skippedNotLog += 1;
-    }
-  }
-  files.sort((a, b) => {
-    try {
-      return statSync3(b.filepath).mtimeMs - statSync3(a.filepath).mtimeMs;
-    } catch {
-      return a.filepath.localeCompare(b.filepath);
-    }
-  });
-  if (skippedPrefixMismatch > 0 || skippedNotLog > 0) {
-    console.error(`[review-scan-skip] dir=${accountLogDir2} source=${logicalSource} prefix=${prefix} scanned=${scanned} matched=${files.length} skipped_prefix=${skippedPrefixMismatch} skipped_non_log=${skippedNotLog}`);
-  }
-  return files;
-}
-function discoverAllSources(configDir2, accountLogDir2) {
-  return [
-    ...discoverSourceFiles(configDir2, accountLogDir2, "server"),
-    ...discoverSourceFiles(configDir2, accountLogDir2, "vnc"),
-    ...discoverSourceFiles(configDir2, accountLogDir2, "system"),
-    ...discoverSourceFiles(configDir2, accountLogDir2, "error"),
-    ...discoverSourceFiles(configDir2, accountLogDir2, "session"),
-    ...discoverSourceFiles(configDir2, accountLogDir2, "public"),
-    ...discoverSourceFiles(configDir2, accountLogDir2, "mcp"),
-    ...discoverSourceFiles(configDir2, accountLogDir2, "cloudflared")
-  ];
-}
-function readNewLines(filepath, prev) {
-  if (!existsSync3(filepath)) return null;
-  const stat7 = statSync3(filepath);
-  const size = stat7.size;
-  const inode = stat7.ino;
-  let startOffset = 0;
-  let rotated = false;
-  let truncated = false;
-  if (prev) {
-    if (prev.inode !== inode) {
-      rotated = true;
-      startOffset = 0;
-    } else if (size < prev.offset) {
-      truncated = true;
-      startOffset = 0;
-    } else {
-      startOffset = prev.offset;
-    }
-  }
-  if (startOffset >= size) {
-    return {
-      lines: [],
-      entry: { offset: size, size, inode },
-      rotated,
-      truncated
-    };
-  }
-  const fd = openSync(filepath, "r");
-  try {
-    const bufSize = Math.max(0, size - startOffset);
-    const buf = Buffer.alloc(bufSize);
-    if (bufSize > 0) {
-      readSync(fd, buf, 0, bufSize, startOffset);
-    }
-    const text = buf.toString("utf-8");
-    const lines = text.length > 0 ? text.split("\n") : [];
-    let newOffset = size;
-    if (lines.length > 0 && !text.endsWith("\n")) {
-      const partial = lines.pop();
-      newOffset = size - Buffer.byteLength(partial, "utf-8");
-    } else if (lines.length > 0 && text.endsWith("\n")) {
-      if (lines[lines.length - 1] === "") lines.pop();
-    }
-    return {
-      lines,
-      entry: { offset: newOffset, size, inode },
-      rotated,
-      truncated
-    };
-  } finally {
-    closeSync(fd);
-  }
-}
-function countRecentWrites(dir, sinceMs) {
-  if (!existsSync3(dir)) return 0;
-  let count = 0;
-  for (const entry of readdirSync(dir, { withFileTypes: true })) {
-    if (!entry.isFile()) continue;
-    try {
-      const st = statSync3(join2(dir, entry.name));
-      if (st.mtimeMs >= sinceMs) count += 1;
-    } catch {
-    }
-  }
-  return count;
-}
-function fileLastWriteMs(path2) {
-  if (!existsSync3(path2)) return null;
-  try {
-    return statSync3(path2).mtimeMs;
-  } catch {
-    return null;
-  }
-}
-function accountLogDir(accountDir) {
-  return resolve2(accountDir, "logs");
-}
-function sourceKey(file) {
-  return `${file.logicalSource}:${basename(file.filepath)}`;
-}
-
-// app/lib/review-detector/writer.ts
-import { appendFileSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync3, writeFileSync as writeFileSync3, renameSync as renameSync3, statSync as statSync4 } from "fs";
-import { resolve as resolve3, dirname as dirname3 } from "path";
-import { randomUUID } from "crypto";
-function reviewLogPath(configDir2) {
-  return resolve3(configDir2, "logs", "review.log");
-}
-function pendingAlertsPath(configDir2) {
-  return resolve3(configDir2, "review-pending-alerts.jsonl");
-}
-function reviewLog(configDir2, event) {
-  const path2 = reviewLogPath(configDir2);
-  try {
-    mkdirSync3(dirname3(path2), { recursive: true });
-    const line = `${new Date(
-      typeof event.ts === "number" ? event.ts : Date.now()
-    ).toISOString()} [review] ${JSON.stringify(event)}
-`;
-    appendFileSync(path2, line, "utf-8");
-  } catch (err) {
-    console.error(`[review] failed to write review log at ${path2}: ${err instanceof Error ? err.message : String(err)}`);
-  }
-}
-async function ensureReviewAlertIndex() {
-  const session = getSession();
-  try {
-    await session.run(
-      `CREATE INDEX review_alert_lookup IF NOT EXISTS
-       FOR (a:ReviewAlert)
-       ON (a.accountId, a.resolvedAt, a.lastMatchAt)`
-    );
-  } finally {
-    await session.close();
-  }
-}
-async function ensureReviewDigestSchedule(accountId) {
-  const eventId = `review-digest-${accountId}`;
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const next = /* @__PURE__ */ new Date();
-  if (next.getHours() >= 8) {
-    next.setDate(next.getDate() + 1);
-  }
-  next.setHours(8, 0, 0, 0);
-  const nextRun = next.toISOString();
-  const session = getSession();
-  try {
-    await session.run(
-      `MERGE (e:Event { eventId: $eventId })
-       ON CREATE SET
-         e.accountId = $accountId,
-         e.name = 'Daily review digest',
-         e.description = 'Task 385 \u2014 composes the review cadence digest from the last 24 hours of review.log and active ReviewAlert records. Scheduled via check-due-events.',
-         e.startDate = $now,
-         e.eventStatus = 'scheduled',
-         e.recurrence = '0 8 * * *',
-         e.nextRun = datetime($nextRun),
-         e.sourcePlugin = 'admin',
-         e.actionPlugin = 'admin',
-         e.actionTool = 'review-digest-compose',
-         e.actionArgs = '{}',
-         e.createdAt = $now,
-         e.updatedAt = $now
-       ON MATCH SET
-         e.actionPlugin = 'admin',
-         e.actionTool = 'review-digest-compose',
-         e.updatedAt = $now`,
-      { eventId, accountId, now, nextRun }
-    );
-  } finally {
-    await session.close();
-  }
-}
-async function countActiveReviewAlerts(accountId) {
-  const session = getSession();
-  try {
-    const result = await session.run(
-      `MATCH (a:ReviewAlert {accountId: $accountId})
-       WHERE a.resolvedAt IS NULL
-         AND (a.suppressedUntil IS NULL OR a.suppressedUntil < datetime())
-       RETURN count(a) AS n`,
-      { accountId }
-    );
-    const n = result.records[0]?.get("n");
-    if (typeof n === "number") return n;
-    if (n && typeof n.toNumber === "function") {
-      return n.toNumber();
-    }
-    return 0;
-  } finally {
-    await session.close();
-  }
-}
-async function upsertReviewAlert(accountId, match) {
-  const session = getSession();
-  try {
-    await session.run(
-      `MERGE (a:ReviewAlert { ruleId: $ruleId, accountId: $accountId })
-       ON CREATE SET
-         a.alertId = $alertId,
-         a.ruleName = $ruleName,
-         a.firstMatchAt = datetime($matchedAt),
-         a.lastMatchAt = datetime($matchedAt),
-         a.cumulativeMatchCount = 1,
-         a.sampleEvidence = $sampleEvidence,
-         a.suggestedAction = $suggestedAction,
-         a.suppressedUntil = null,
-         a.resolvedAt = null
-       ON MATCH SET
-         a.lastMatchAt = datetime($matchedAt),
-         a.cumulativeMatchCount = a.cumulativeMatchCount + 1,
-         a.sampleEvidence = $sampleEvidence,
-         a.suggestedAction = $suggestedAction,
-         a.resolvedAt = null`,
-      {
-        ruleId: match.ruleId,
-        accountId,
-        alertId: randomUUID(),
-        ruleName: match.ruleName,
-        matchedAt: new Date(match.matchedAt).toISOString(),
-        sampleEvidence: match.sampleEvidence,
-        suggestedAction: match.suggestedAction
-      }
-    );
-  } finally {
-    await session.close();
-  }
-}
-function queueAlert(configDir2, accountId, match) {
-  const path2 = pendingAlertsPath(configDir2);
-  try {
-    mkdirSync3(dirname3(path2), { recursive: true });
-    const line = JSON.stringify({ accountId, match }) + "\n";
-    appendFileSync(path2, line, "utf-8");
-  } catch (err) {
-    console.error(`[review] failed to queue alert at ${path2}: ${err instanceof Error ? err.message : String(err)}`);
-  }
-}
-async function drainPendingAlerts(configDir2) {
-  const path2 = pendingAlertsPath(configDir2);
-  if (!existsSync4(path2)) return { drained: 0, remaining: 0 };
-  const raw = readFileSync3(path2, "utf-8");
-  const lines = raw.split("\n").filter((l) => l.trim().length > 0);
-  if (lines.length === 0) return { drained: 0, remaining: 0 };
-  const remaining = [];
-  let drained = 0;
-  for (const line of lines) {
-    let entry = null;
-    try {
-      entry = JSON.parse(line);
-    } catch {
-      continue;
-    }
-    try {
-      await upsertReviewAlert(entry.accountId, entry.match);
-      drained += 1;
-    } catch {
-      remaining.push(line);
-    }
-  }
-  const tmp = `${path2}.tmp.${process.pid}.${Date.now()}`;
-  if (remaining.length > 0) {
-    writeFileSync3(tmp, remaining.join("\n") + "\n", "utf-8");
-  } else {
-    writeFileSync3(tmp, "", "utf-8");
-  }
-  renameSync3(tmp, path2);
-  return { drained, remaining: remaining.length };
-}
-
-// app/lib/review-detector/boot.ts
-async function bootDetector() {
-  const account = resolveAccount();
-  if (!account) {
-    console.error("[review] boot: no account resolved \u2014 detector not starting (Phase 0 expects exactly one account)");
-    return null;
-  }
-  const configDir2 = MAXY_DIR;
-  const accountId = account.accountId;
-  const accountDir = account.accountDir;
-  const ensured = ensureRulesFile(configDir2);
-  if (ensured.created) {
-    reviewLog(configDir2, { event: "rules-defaults-created", path: ensured.path });
-  }
-  let rulesFile;
-  try {
-    rulesFile = loadRules(configDir2);
-  } catch (err) {
-    reviewLog(configDir2, {
-      event: "boot-failed",
-      reason: "rules-invalid",
-      error: err instanceof Error ? err.message : String(err)
-    });
-    console.error(`[review] boot: rules file invalid \u2014 ${err instanceof Error ? err.message : String(err)}`);
-    return null;
-  }
-  if (addMissingDefaultRules(rulesFile)) {
-    saveRules(configDir2, rulesFile);
-    reviewLog(configDir2, { event: "rules-updated", update: "added-missing-defaults" });
-    console.error("[review] boot: added missing default rules to existing rules file");
-  }
-  if (migrateRateLimitPattern(rulesFile)) {
-    saveRules(configDir2, rulesFile);
-    reviewLog(configDir2, { event: "rules-migrated", migration: "rate-limit-pattern-v2" });
-    console.error("[review] boot: migrated http-rate-limit-429 pattern to v2 (Task 408)");
-  }
-  try {
-    await ensureReviewAlertIndex();
-    reviewLog(configDir2, { event: "neo4j-index-ensured" });
-  } catch (err) {
-    reviewLog(configDir2, {
-      event: "neo4j-index-failed",
-      error: err instanceof Error ? err.message : String(err)
-    });
-    console.error(`[review] boot: ensureReviewAlertIndex failed (continuing): ${err instanceof Error ? err.message : String(err)}`);
-  }
-  try {
-    await ensureReviewDigestSchedule(accountId);
-    reviewLog(configDir2, { event: "digest-schedule-ensured" });
-  } catch (err) {
-    reviewLog(configDir2, {
-      event: "digest-schedule-failed",
-      error: err instanceof Error ? err.message : String(err)
-    });
-    console.error(`[review] boot: ensureReviewDigestSchedule failed (continuing): ${err instanceof Error ? err.message : String(err)}`);
-  }
-  const tailState = loadTailState(configDir2);
-  const logDir = accountLogDir(accountDir);
-  const initialSources = discoverAllSources(configDir2, logDir);
-  const snapshot = {
-    state: "running",
-    startedAt: Date.now(),
-    lastScanAt: null,
-    lastScanDurationMs: null,
-    scanCycles: 0,
-    rulesLoaded: rulesFile.rules.length,
-    sourcesTracked: initialSources.length,
-    activeAlerts: 0,
-    lastError: null
-  };
-  reviewLog(configDir2, {
-    event: "detector-started",
-    configDir: basename2(configDir2),
-    accountId: accountId.slice(0, 8),
-    rulesLoaded: rulesFile.rules.length,
-    sourcesDiscovered: initialSources.length,
-    tailStateEntries: Object.keys(tailState).length,
-    scanIntervalMs: rulesFile.scanIntervalMs
-  });
-  const runtime = {
-    configDir: configDir2,
-    accountId,
-    accountDir,
-    rulesFile,
-    rulesFileMtimeMs: rulesFileMtime(configDir2) ?? Date.now(),
-    ruleState: /* @__PURE__ */ new Map(),
-    tailState,
-    snapshot,
-    stopped: false
-  };
-  return runtime;
-}
-
-// app/lib/review-detector/scan-loop.ts
-import { resolve as resolve4 } from "path";
-
-// app/lib/review-detector/evaluator.ts
-var SAMPLE_MAX_CHARS = 500;
-var CONV_ID_REGEX = /conversationId=([a-f0-9]{8})/;
-function scopeKeyFor(rule, line) {
-  if (rule.scope !== "session") return "";
-  const m = CONV_ID_REGEX.exec(line);
-  return m ? m[1] : "";
-}
-var compiledRegexCache = /* @__PURE__ */ new Map();
-function compileRegex(pattern) {
-  let re = compiledRegexCache.get(pattern);
-  if (re === void 0) {
-    re = new RegExp(pattern, "i");
-    compiledRegexCache.set(pattern, re);
-  }
-  return re;
-}
-function isSuppressed(rule, nowMs) {
-  if (!rule.suppressedUntil) return false;
-  const until = Date.parse(rule.suppressedUntil);
-  if (Number.isNaN(until)) return false;
-  return nowMs < until;
-}
-function toSample(line) {
-  if (line.length <= SAMPLE_MAX_CHARS) return line;
-  return line.slice(0, SAMPLE_MAX_CHARS) + "\u2026";
-}
-function newRuleState() {
-  return {
-    matchTimestamps: [],
-    matchTimestampsByScope: /* @__PURE__ */ new Map(),
-    lastAlertAt: null,
-    cumulativeSinceLastAlert: 0,
-    lastSeenAt: null,
-    pendingFollowups: []
-  };
-}
-function evaluateTextRule(rule, lines, state, nowMs) {
-  if (isSuppressed(rule, nowMs)) return { match: null, state };
-  if (rule.pattern.length === 0) return { match: null, state };
-  const regex = compileRegex(rule.pattern);
-  const matchesByScope = /* @__PURE__ */ new Map();
-  let firstSample = null;
-  for (const line of lines) {
-    if (!regex.test(line)) continue;
-    if (!firstSample) firstSample = line;
-    const key = scopeKeyFor(rule, line);
-    const existing = matchesByScope.get(key) ?? [];
-    existing.push(line);
-    matchesByScope.set(key, existing);
-  }
-  if (matchesByScope.size === 0) return { match: null, state };
-  const windowStart = rule.thresholdWindowMinutes > 0 ? nowMs - rule.thresholdWindowMinutes * 6e4 : -Infinity;
-  const updated = {
-    ...state,
-    matchTimestamps: [...state.matchTimestamps],
-    matchTimestampsByScope: new Map(state.matchTimestampsByScope ?? [])
-  };
-  let firingSample = null;
-  let fires = false;
-  const isCountZero = rule.thresholdCount === 0;
-  if (rule.scope === "session") {
-    for (const [key, hits] of matchesByScope) {
-      const prior = updated.matchTimestampsByScope.get(key) ?? [];
-      const merged = [...prior, ...hits.map(() => nowMs)].filter((t) => t >= windowStart);
-      if (merged.length === 0) {
-        updated.matchTimestampsByScope.delete(key);
-      } else {
-        updated.matchTimestampsByScope.set(key, merged);
-      }
-      if (!fires && (isCountZero || merged.length >= rule.thresholdCount)) {
-        fires = true;
-        firingSample = hits[0];
-      }
-    }
-  } else {
-    for (const hits of matchesByScope.values()) {
-      for (const _ of hits) updated.matchTimestamps.push(nowMs);
-    }
-    updated.matchTimestamps = updated.matchTimestamps.filter((t) => t >= windowStart);
-    fires = isCountZero || updated.matchTimestamps.length >= rule.thresholdCount;
-    if (fires) firingSample = firstSample;
-  }
-  if (!fires) {
-    return { match: null, state: updated };
-  }
-  const match = {
-    ruleId: rule.id,
-    ruleName: rule.name,
-    matchedAt: nowMs,
-    sampleEvidence: toSample(firingSample ?? firstSample ?? lines[0] ?? ""),
-    suggestedAction: rule.suggestedAction
-  };
-  return { match, state: updated };
-}
-function evaluateFileWriteStormRule(rule, recentWriteCount, state, nowMs) {
-  if (isSuppressed(rule, nowMs)) return { match: null, state };
-  if (recentWriteCount < rule.thresholdCount) {
-    return { match: null, state };
-  }
-  const match = {
-    ruleId: rule.id,
-    ruleName: rule.name,
-    matchedAt: nowMs,
-    sampleEvidence: `${recentWriteCount} file writes in ${rule.thresholdWindowMinutes}m at ${rule.watchPath}`,
-    suggestedAction: rule.suggestedAction
-  };
-  return { match, state };
-}
-function evaluateStaleLogRule(rule, lastMtimeMs, state, nowMs) {
-  if (isSuppressed(rule, nowMs)) return { match: null, state };
-  let lastSeenAt = state.lastSeenAt;
-  if (lastMtimeMs !== null) {
-    lastSeenAt = Math.max(lastSeenAt ?? 0, lastMtimeMs);
-  }
-  const updated = { ...state, lastSeenAt };
-  if (lastMtimeMs === null || lastSeenAt === null) {
-    return { match: null, state: updated };
-  }
-  const staleMs = (rule.staleHours ?? 24) * 60 * 60 * 1e3;
-  if (nowMs - lastSeenAt < staleMs) {
-    return { match: null, state: updated };
-  }
-  const match = {
-    ruleId: rule.id,
-    ruleName: rule.name,
-    matchedAt: nowMs,
-    sampleEvidence: `last write at ${new Date(lastSeenAt).toISOString()} (${rule.watchPath})`,
-    suggestedAction: rule.suggestedAction
-  };
-  return { match, state: updated };
-}
-function evaluateAbsentFollowupRule(rule, lines, state, nowMs) {
-  if (isSuppressed(rule, nowMs)) return { matches: [], state };
-  if (!rule.pattern || !rule.followupPattern || !rule.followupWindowMs) {
-    return { matches: [], state };
-  }
-  const triggerRegex = compileRegex(rule.pattern);
-  const followupRegex = compileRegex(rule.followupPattern);
-  const pending = [...state.pendingFollowups ?? []];
-  for (const line of lines) {
-    if (triggerRegex.test(line)) {
-      pending.push({
-        scope: scopeKeyFor(rule, line),
-        timestamp: nowMs,
-        line,
-        fulfilled: false
-      });
-      continue;
-    }
-    if (followupRegex.test(line)) {
-      const scope = scopeKeyFor(rule, line);
-      for (const entry of pending) {
-        if (!entry.fulfilled && entry.scope === scope) {
-          entry.fulfilled = true;
-          break;
-        }
-      }
-    }
-  }
-  const matches = [];
-  const kept = [];
-  for (const entry of pending) {
-    const age = nowMs - entry.timestamp;
-    if (age >= rule.followupWindowMs) {
-      if (!entry.fulfilled) {
-        matches.push({
-          ruleId: rule.id,
-          ruleName: rule.name,
-          matchedAt: nowMs,
-          sampleEvidence: toSample(entry.line),
-          suggestedAction: rule.suggestedAction,
-          missedForMs: age
-        });
-      }
-      continue;
-    }
-    kept.push(entry);
-  }
-  return {
-    matches,
-    state: { ...state, pendingFollowups: kept }
-  };
-}
-var ALERT_WINDOW_MS = 60 * 60 * 1e3;
-function rateLimitDecision(state, nowMs) {
-  const since = state.lastAlertAt === null ? Infinity : nowMs - state.lastAlertAt;
-  if (since >= ALERT_WINDOW_MS) {
-    return {
-      surface: true,
-      state: { ...state, lastAlertAt: nowMs, cumulativeSinceLastAlert: 0 }
-    };
-  }
-  return {
-    surface: false,
-    state: { ...state, cumulativeSinceLastAlert: state.cumulativeSinceLastAlert + 1 }
-  };
-}
-
-// app/lib/review-detector/scan-loop.ts
-async function runScanCycle(runtime) {
-  const cycleStart = Date.now();
-  runtime.snapshot.scanCycles += 1;
-  try {
-    const currentMtime = rulesFileMtime(runtime.configDir);
-    if (currentMtime !== null && currentMtime !== runtime.rulesFileMtimeMs) {
-      try {
-        runtime.rulesFile = loadRules(runtime.configDir);
-        runtime.rulesFileMtimeMs = currentMtime;
-        runtime.snapshot.rulesLoaded = runtime.rulesFile.rules.length;
-        reviewLog(runtime.configDir, {
-          event: "rules-reloaded",
-          rulesLoaded: runtime.rulesFile.rules.length,
-          mtime: new Date(currentMtime).toISOString()
-        });
-      } catch (err) {
-        reviewLog(runtime.configDir, {
-          event: "rules-reload-failed",
-          error: err instanceof Error ? err.message : String(err)
-        });
-        runtime.snapshot.state = "degraded";
-        runtime.snapshot.lastError = err instanceof Error ? err.message : String(err);
-      }
-    }
-    const logDir = accountLogDir(runtime.accountDir);
-    const files = discoverAllSources(runtime.configDir, logDir);
-    runtime.snapshot.sourcesTracked = files.length;
-    const linesBySource = /* @__PURE__ */ new Map();
-    for (const file of files) {
-      const key = sourceKey(file);
-      const prev = runtime.tailState[key];
-      const result = readNewLines(file.filepath, prev);
-      if (result === null) {
-        if (prev) {
-          reviewLog(runtime.configDir, {
-            event: "source-vanished",
-            source: file.logicalSource,
-            filepath: file.filepath
-          });
-          delete runtime.tailState[key];
-        }
-        continue;
-      }
-      if (result.rotated) {
-        reviewLog(runtime.configDir, {
-          event: "source-rotated",
-          source: file.logicalSource,
-          filepath: file.filepath
-        });
-      }
-      if (result.truncated) {
-        reviewLog(runtime.configDir, {
-          event: "source-truncated",
-          source: file.logicalSource,
-          filepath: file.filepath
-        });
-      }
-      runtime.tailState[key] = result.entry;
-      if (result.lines.length > 0) {
-        const bucket = linesBySource.get(file.logicalSource) ?? [];
-        bucket.push(...result.lines);
-        linesBySource.set(file.logicalSource, bucket);
-      }
-    }
-    const matches = [];
-    for (const rule of runtime.rulesFile.rules) {
-      let state = runtime.ruleState.get(rule.id) ?? newRuleState();
-      if (isSuppressed(rule, cycleStart)) {
-        reviewLog(runtime.configDir, {
-          event: "rule-suppressed",
-          ruleId: rule.id,
-          suppressedUntil: rule.suppressedUntil
-        });
-        runtime.ruleState.set(rule.id, state);
-        continue;
-      }
-      let match = null;
-      if (rule.type === "reconnect-loop" || rule.type === "repeated-error" || rule.type === "silent-catch" || rule.type === "rate-limit") {
-        let inputLines = [];
-        if (rule.logSource === "any") {
-          for (const [src, lines] of linesBySource.entries()) {
-            if (src !== "config-dir") inputLines.push(...lines);
-          }
-        } else {
-          inputLines = linesBySource.get(rule.logSource) ?? [];
-        }
-        if (inputLines.length > 0) {
-          const result = evaluateTextRule(rule, inputLines, state, cycleStart);
-          state = result.state;
-          match = result.match;
-        }
-      } else if (rule.type === "file-write-storm") {
-        const dir = resolve4(runtime.configDir, rule.watchPath ?? "");
-        const sinceMs = cycleStart - rule.thresholdWindowMinutes * 6e4;
-        const count = countRecentWrites(dir, sinceMs);
-        const result = evaluateFileWriteStormRule(rule, count, state, cycleStart);
-        state = result.state;
-        match = result.match;
-      } else if (rule.type === "stale-log") {
-        const trackedPath = resolve4(runtime.configDir, rule.watchPath ?? "");
-        const lastMs = fileLastWriteMs(trackedPath);
-        const result = evaluateStaleLogRule(rule, lastMs, state, cycleStart);
-        state = result.state;
-        match = result.match;
-      } else if (rule.type === "absent-followup") {
-        let inputLines = [];
-        if (rule.logSource === "any") {
-          for (const [src, lines] of linesBySource.entries()) {
-            if (src !== "config-dir") inputLines.push(...lines);
-          }
-        } else {
-          inputLines = linesBySource.get(rule.logSource) ?? [];
-        }
-        const result = evaluateAbsentFollowupRule(rule, inputLines, state, cycleStart);
-        state = result.state;
-        for (const m of result.matches) {
-          const safeTrigger = m.sampleEvidence.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
-          console.error(
-            `[review-detector] absent-followup rule=${rule.id} trigger="${safeTrigger}" missed_for_ms=${m.missedForMs ?? ""}`
-          );
-          matches.push(m);
-        }
-      }
-      runtime.ruleState.set(rule.id, state);
-      if (match) matches.push(match);
-    }
-    for (const match of matches) {
-      const state = runtime.ruleState.get(match.ruleId) ?? newRuleState();
-      const decision = rateLimitDecision(state, cycleStart);
-      runtime.ruleState.set(match.ruleId, decision.state);
-      if (!decision.surface) {
-        reviewLog(runtime.configDir, {
-          event: "rate-limit-deferred",
-          ruleId: match.ruleId,
-          cumulativeSinceLastAlert: decision.state.cumulativeSinceLastAlert
-        });
-        continue;
-      }
-      reviewLog(runtime.configDir, {
-        event: "match",
-        ruleId: match.ruleId,
-        ruleName: match.ruleName,
-        sampleEvidence: match.sampleEvidence,
-        suggestedAction: match.suggestedAction
-      });
-      try {
-        await upsertReviewAlert(runtime.accountId, match);
-        reviewLog(runtime.configDir, { event: "alert-persisted", ruleId: match.ruleId });
-      } catch (err) {
-        queueAlert(runtime.configDir, runtime.accountId, match);
-        reviewLog(runtime.configDir, {
-          event: "alert-queued",
-          ruleId: match.ruleId,
-          error: err instanceof Error ? err.message : String(err)
-        });
-      }
-    }
-    try {
-      const drain = await drainPendingAlerts(runtime.configDir);
-      if (drain.drained > 0 || drain.remaining > 0) {
-        reviewLog(runtime.configDir, {
-          event: "queue-drain",
-          drained: drain.drained,
-          remaining: drain.remaining
-        });
-      }
-    } catch (err) {
-      reviewLog(runtime.configDir, {
-        event: "queue-drain-failed",
-        error: err instanceof Error ? err.message : String(err)
-      });
-    }
-    try {
-      runtime.snapshot.activeAlerts = await countActiveReviewAlerts(runtime.accountId);
-    } catch (err) {
-      reviewLog(runtime.configDir, {
-        event: "active-alerts-count-failed",
-        error: err instanceof Error ? err.message : String(err)
-      });
-    }
-    saveTailState(runtime.configDir, runtime.tailState);
-    const cycleDuration = Date.now() - cycleStart;
-    runtime.snapshot.lastScanAt = cycleStart;
-    runtime.snapshot.lastScanDurationMs = cycleDuration;
-    if (runtime.snapshot.state !== "degraded" && runtime.snapshot.state !== "failed") {
-      runtime.snapshot.state = "running";
-    }
-    runtime.snapshot.lastError = null;
-    reviewLog(runtime.configDir, {
-      event: "cycle",
-      cycles: runtime.snapshot.scanCycles,
-      sources: files.length,
-      rules: runtime.rulesFile.rules.length,
-      matches: matches.length,
-      durationMs: cycleDuration
-    });
-  } catch (err) {
-    runtime.snapshot.state = "degraded";
-    runtime.snapshot.lastError = err instanceof Error ? err.message : String(err);
-    reviewLog(runtime.configDir, {
-      event: "cycle-failed",
-      error: err instanceof Error ? err.message : String(err)
-    });
-  }
-}
-function startScanLoop(runtime) {
-  let inFlight = null;
-  const interval = setInterval(async () => {
-    if (runtime.stopped) return;
-    if (inFlight) return;
-    inFlight = runScanCycle(runtime);
-    try {
-      await inFlight;
-    } finally {
-      inFlight = null;
-    }
-  }, runtime.rulesFile.scanIntervalMs);
-  inFlight = runScanCycle(runtime);
-  return async () => {
-    runtime.stopped = true;
-    clearInterval(interval);
-    if (inFlight) {
-      try {
-        await inFlight;
-      } catch {
-      }
-    }
-    runtime.snapshot.state = "stopped";
-    reviewLog(runtime.configDir, { event: "detector-stopped", cycles: runtime.snapshot.scanCycles });
-  };
-}
-
-// app/lib/review-detector/index.ts
-var activeRuntime = null;
-var stopFn = null;
-async function startReviewDetector() {
-  if (stopFn) {
-    console.error("[review] startReviewDetector called twice \u2014 ignoring second call");
-    return;
-  }
-  try {
-    activeRuntime = await bootDetector();
-    if (!activeRuntime) return;
-    stopFn = startScanLoop(activeRuntime);
-  } catch (err) {
-    console.error(`[review] detector start failed: ${err instanceof Error ? err.message : String(err)}`);
-  }
-}
-async function shutdownReviewDetector() {
-  if (!stopFn) return;
-  try {
-    await stopFn();
-  } catch (err) {
-    console.error(`[review] detector shutdown error: ${err instanceof Error ? err.message : String(err)}`);
-  }
-  stopFn = null;
-  activeRuntime = null;
-}
-function getReviewDetectorSnapshot() {
-  if (!activeRuntime) {
-    return {
-      state: "stopped",
-      startedAt: null,
-      lastScanAt: null,
-      lastScanDurationMs: null,
-      scanCycles: 0,
-      rulesLoaded: 0,
-      sourcesTracked: 0,
-      activeAlerts: 0,
-      lastError: null
-    };
-  }
-  return activeRuntime.snapshot;
-}
-
 // app/lib/whatsapp/schema.ts
 import { z } from "zod";
 var DmPolicySchema = z.enum(["open", "allowlist", "disabled"]);
@@ -2267,20 +928,20 @@ var WhatsAppConfigSchema = z.object({
 });
 
 // app/lib/whatsapp/config-persist.ts
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync5 } from "fs";
-import { resolve as resolve5, join as join3 } from "path";
+import { readFileSync, writeFileSync, existsSync as existsSync2 } from "fs";
+import { resolve, join as join2 } from "path";
 var TAG = "[whatsapp:config]";
 function configPath(accountDir) {
-  return resolve5(accountDir, "account.json");
+  return resolve(accountDir, "account.json");
 }
 function readConfig(accountDir) {
   const path2 = configPath(accountDir);
-  if (!existsSync5(path2)) throw new Error(`account.json not found at ${path2}`);
-  return JSON.parse(readFileSync4(path2, "utf-8"));
+  if (!existsSync2(path2)) throw new Error(`account.json not found at ${path2}`);
+  return JSON.parse(readFileSync(path2, "utf-8"));
 }
 function writeConfig(accountDir, config) {
   const path2 = configPath(accountDir);
-  writeFileSync4(path2, JSON.stringify(config, null, 2) + "\n", "utf-8");
+  writeFileSync(path2, JSON.stringify(config, null, 2) + "\n", "utf-8");
 }
 function reloadManagerConfig(accountDir) {
   try {
@@ -2450,8 +1111,8 @@ function setPublicAgent(accountDir, slug) {
   if (!trimmed) {
     return { ok: false, error: "Agent slug cannot be empty." };
   }
-  const agentConfigPath = join3(accountDir, "agents", trimmed, "config.json");
-  if (!existsSync5(agentConfigPath)) {
+  const agentConfigPath = join2(accountDir, "agents", trimmed, "config.json");
+  if (!existsSync2(agentConfigPath)) {
     return { ok: false, error: `Agent "${trimmed}" not found \u2014 no config.json at ${agentConfigPath}. Check the agent slug and try again.` };
   }
   try {
@@ -2514,8 +1175,8 @@ function setGroupPublicAgent(accountDir, accountId, groupJid, slug) {
   if (!trimmedSlug) return { ok: false, error: "Agent slug cannot be empty." };
   if (!trimmedGroup) return { ok: false, error: "Group JID cannot be empty." };
   if (!trimmedAccount) return { ok: false, error: "Account ID cannot be empty." };
-  const agentConfigPath = join3(accountDir, "agents", trimmedSlug, "config.json");
-  if (!existsSync5(agentConfigPath)) {
+  const agentConfigPath = join2(accountDir, "agents", trimmedSlug, "config.json");
+  if (!existsSync2(agentConfigPath)) {
     return { ok: false, error: `Agent "${trimmedSlug}" not found \u2014 no config.json at ${agentConfigPath}. Check the agent slug and try again.` };
   }
   try {
@@ -2744,7 +1405,7 @@ function listCredentialAccountIds(configDir2) {
 }
 
 // app/lib/whatsapp/session.ts
-import { randomUUID as randomUUID2 } from "crypto";
+import { randomUUID } from "crypto";
 import fsSync2 from "fs";
 import fs2 from "fs/promises";
 import { inspect } from "util";
@@ -2819,7 +1480,7 @@ var credsSaveQueue = Promise.resolve();
 async function drainCredsSaveQueue(timeoutMs = 5e3) {
   console.error(`${TAG3} draining credential save queue\u2026`);
   const timer2 = new Promise(
-    (resolve26) => setTimeout(() => resolve26("timeout"), timeoutMs)
+    (resolve22) => setTimeout(() => resolve22("timeout"), timeoutMs)
   );
   const result = await Promise.race([
     credsSaveQueue.then(() => "drained"),
@@ -2947,11 +1608,11 @@ async function createWaSocket(opts) {
   return sock;
 }
 async function waitForConnection(sock) {
-  return new Promise((resolve26, reject) => {
+  return new Promise((resolve22, reject) => {
     const handler = (update) => {
       if (update.connection === "open") {
         sock.ev.off("connection.update", handler);
-        resolve26();
+        resolve22();
       }
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
@@ -3065,14 +1726,14 @@ ${inspected}`;
   return inspect2(err, INSPECT_OPTS2);
 }
 function withTimeout(label, promise, timeoutMs) {
-  return new Promise((resolve26, reject) => {
+  return new Promise((resolve22, reject) => {
     const timer2 = setTimeout(() => {
       reject(new Error(`${label} timed out after ${timeoutMs}ms`));
     }, timeoutMs);
     promise.then(
       (value) => {
         clearTimeout(timer2);
-        resolve26(value);
+        resolve22(value);
       },
       (err) => {
         clearTimeout(timer2);
@@ -3607,8 +2268,8 @@ async function persistWhatsAppMessage(input) {
   const { givenName, familyName } = splitName(input.pushName);
   const prev = sessionWriteLocks.get(input.sessionKey);
   let release;
-  const mine = new Promise((resolve26) => {
-    release = resolve26;
+  const mine = new Promise((resolve22) => {
+    release = resolve22;
   });
   const chained = (prev ?? Promise.resolve()).then(() => mine);
   sessionWriteLocks.set(input.sessionKey, chained);
@@ -3793,8 +2454,8 @@ async function ensureWhatsAppConversation(input) {
 }
 
 // app/lib/whatsapp/platform-account-id.ts
-import { readdirSync as readdirSync2, readFileSync as readFileSync5 } from "fs";
-import { resolve as resolve6 } from "path";
+import { readdirSync, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2 } from "path";
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 var cached = null;
 var cachedAccountsDir = null;
@@ -3818,7 +2479,7 @@ function resolvePlatformAccountId(accountsDir = ACCOUNTS_DIR) {
 function enumerateValidAccountIds(accountsDir) {
   let names;
   try {
-    names = readdirSync2(accountsDir);
+    names = readdirSync(accountsDir);
   } catch (err) {
     if (err.code === "ENOENT") return [];
     throw err;
@@ -3826,9 +2487,9 @@ function enumerateValidAccountIds(accountsDir) {
   const valid = [];
   for (const name of names) {
     if (!UUID_RE.test(name)) continue;
-    const configPath2 = resolve6(accountsDir, name, "account.json");
+    const configPath2 = resolve2(accountsDir, name, "account.json");
     try {
-      JSON.parse(readFileSync5(configPath2, "utf-8"));
+      JSON.parse(readFileSync2(configPath2, "utf-8"));
       valid.push(name);
     } catch (err) {
       const code = err.code;
@@ -3839,9 +2500,9 @@ function enumerateValidAccountIds(accountsDir) {
 }
 
 // app/lib/whatsapp/inbound/media.ts
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 import { writeFile, mkdir } from "fs/promises";
-import { join as join4 } from "path";
+import { join as join3 } from "path";
 import {
   downloadMediaMessage,
   downloadContentFromMessage,
@@ -3926,8 +2587,8 @@ async function downloadInboundMedia(msg, sock, opts) {
     }
     await mkdir(MEDIA_DIR, { recursive: true });
     const ext = mimeToExt(mimetype ?? "application/octet-stream");
-    const filename = `${randomUUID3()}.${ext}`;
-    const filePath = join4(MEDIA_DIR, filename);
+    const filename = `${randomUUID2()}.${ext}`;
+    const filePath = join3(MEDIA_DIR, filename);
     await writeFile(filePath, buffer);
     const sizeKB = (buffer.length / 1024).toFixed(0);
     console.error(`${TAG9} media downloaded type=${mimetype ?? "unknown"} size=${sizeKB}KB path=${filePath}`);
@@ -4615,11 +3276,11 @@ async function connectWithReconnect(conn) {
       console.error(
         `${TAG13} reconnecting account=${conn.accountId} in ${delay}ms (attempt ${decision.nextAttempts}/${maxAttempts})`
       );
-      await new Promise((resolve26) => {
-        const timer2 = setTimeout(resolve26, delay);
+      await new Promise((resolve22) => {
+        const timer2 = setTimeout(resolve22, delay);
         conn.abortController.signal.addEventListener("abort", () => {
           clearTimeout(timer2);
-          resolve26();
+          resolve22();
         }, { once: true });
       });
     }
@@ -4627,16 +3288,16 @@ async function connectWithReconnect(conn) {
   }
 }
 function waitForDisconnectEvent(conn) {
-  return new Promise((resolve26) => {
+  return new Promise((resolve22) => {
     if (!conn.sock) {
-      resolve26();
+      resolve22();
       return;
     }
     const sock = conn.sock;
     const handler = (update) => {
       if (update.connection === "close") {
         sock.ev.off("connection.update", handler);
-        resolve26();
+        resolve22();
       }
     };
     sock.ev.on("connection.update", handler);
@@ -4897,8 +3558,8 @@ async function handleInboundMessage(conn, msg) {
     const conversationKey = isGroup ? remoteJid : senderPhone;
     const debounceKey = `${conn.accountId}:${conversationKey}:${senderPhone}`;
     let resolvePending;
-    const sttPending = new Promise((resolve26) => {
-      resolvePending = resolve26;
+    const sttPending = new Promise((resolve22) => {
+      resolvePending = resolve22;
     });
     if (conn.debouncer) conn.debouncer.registerPending(debounceKey, sttPending);
     try {
@@ -5019,20 +3680,20 @@ async function probeApiKey() {
   return result.status;
 }
 function checkPort(port2, timeoutMs = 500) {
-  return new Promise((resolve26) => {
+  return new Promise((resolve22) => {
     const socket = createConnection(port2, "127.0.0.1");
     socket.setTimeout(timeoutMs);
     socket.once("connect", () => {
       socket.destroy();
-      resolve26(true);
+      resolve22(true);
     });
     socket.once("error", () => {
       socket.destroy();
-      resolve26(false);
+      resolve22(false);
     });
     socket.once("timeout", () => {
       socket.destroy();
-      resolve26(false);
+      resolve22(false);
     });
   });
 }
@@ -5041,8 +3702,8 @@ app.get("/", async (c) => {
   const browserTransport = resolveBrowserTransport(c.req.raw, c.env?.incoming?.socket?.remoteAddress);
   let pinConfigured = false;
   try {
-    if (existsSync6(USERS_FILE)) {
-      const raw = readFileSync6(USERS_FILE, "utf-8").trim();
+    if (existsSync3(USERS_FILE)) {
+      const raw = readFileSync3(USERS_FILE, "utf-8").trim();
       if (raw) {
         const users = JSON.parse(raw);
         pinConfigured = Array.isArray(users) && users.length > 0;
@@ -5061,7 +3722,7 @@ app.get("/", async (c) => {
   const vncRunning = await checkPort(6080);
   let apiKeyConfigured = false;
   try {
-    apiKeyConfigured = existsSync6(keyFilePath());
+    apiKeyConfigured = existsSync3(keyFilePath());
   } catch {
   }
   let apiKeyStatus = "missing";
@@ -5094,7 +3755,6 @@ app.get("/", async (c) => {
     const step = await loadOnboardingStep(account.accountId);
     if (step !== null) onboardingComplete = step >= 6;
   }
-  const reviewDetector = getReviewDetectorSnapshot();
   return c.json({
     pin_configured: pinConfigured,
     claude_authenticated: claudeAuthenticated,
@@ -5110,31 +3770,20 @@ app.get("/", async (c) => {
       any_connected: whatsappAnyConnected,
       any_stuck: whatsappAnyStuck,
       accounts: whatsappAccounts
-    },
-    review_detector: {
-      state: reviewDetector.state,
-      started_at: reviewDetector.startedAt,
-      last_scan_at: reviewDetector.lastScanAt,
-      last_scan_duration_ms: reviewDetector.lastScanDurationMs,
-      scan_cycles: reviewDetector.scanCycles,
-      rules_loaded: reviewDetector.rulesLoaded,
-      sources_tracked: reviewDetector.sourcesTracked,
-      active_alerts: reviewDetector.activeAlerts,
-      last_error: reviewDetector.lastError
     }
   });
 });
 var health_default = app;
 
 // server/routes/session.ts
-import { resolve as resolve7 } from "path";
-import { existsSync as existsSync7, writeFileSync as writeFileSync5, mkdirSync as mkdirSync4 } from "fs";
+import { resolve as resolve3 } from "path";
+import { existsSync as existsSync4, writeFileSync as writeFileSync2, mkdirSync } from "fs";
 var UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 function writeBrandingCache(accountId, agentSlug, branding) {
   try {
-    const cacheDir = resolve7(MAXY_DIR, "branding-cache", accountId);
-    mkdirSync4(cacheDir, { recursive: true });
-    writeFileSync5(resolve7(cacheDir, `${agentSlug}.json`), JSON.stringify(branding), "utf-8");
+    const cacheDir = resolve3(MAXY_DIR, "branding-cache", accountId);
+    mkdirSync(cacheDir, { recursive: true });
+    writeFileSync2(resolve3(cacheDir, `${agentSlug}.json`), JSON.stringify(branding), "utf-8");
   } catch (err) {
     console.error(`[branding] cache write failed: ${err instanceof Error ? err.message : String(err)}`);
   }
@@ -5204,9 +3853,9 @@ app2.post("/", async (c) => {
   }
   let agentConfig = null;
   if (account) {
-    const agentDir = resolve7(account.accountDir, "agents", agentSlug);
-    const agentConfigPath = resolve7(agentDir, "config.json");
-    if (!existsSync7(agentDir) || !existsSync7(agentConfigPath)) {
+    const agentDir = resolve3(account.accountDir, "agents", agentSlug);
+    const agentConfigPath = resolve3(agentDir, "config.json");
+    if (!existsSync4(agentDir) || !existsSync4(agentConfigPath)) {
       return c.json({ error: "Agent not found" }, 404);
     }
     agentConfig = resolveAgentConfig(account.accountDir, agentSlug);
@@ -5456,12 +4105,12 @@ ${raw}`;
 }
 
 // app/lib/attachments.ts
-import { randomUUID as randomUUID4 } from "crypto";
+import { randomUUID as randomUUID3 } from "crypto";
 import { mkdir as mkdir2, readFile, stat as stat2, writeFile as writeFile2 } from "fs/promises";
 import { realpathSync } from "fs";
-import { resolve as resolve8, extname, basename as basename3 } from "path";
-var PLATFORM_ROOT2 = process.env.MAXY_PLATFORM_ROOT ?? resolve8(process.cwd(), "../platform");
-var ATTACHMENTS_ROOT = resolve8(PLATFORM_ROOT2, "..", "data/uploads");
+import { resolve as resolve4, extname, basename } from "path";
+var PLATFORM_ROOT2 = process.env.MAXY_PLATFORM_ROOT ?? resolve4(process.cwd(), "../platform");
+var ATTACHMENTS_ROOT = resolve4(PLATFORM_ROOT2, "..", "data/uploads");
 var SUPPORTED_MIME_TYPES = /* @__PURE__ */ new Set([
   "image/jpeg",
   "image/png",
@@ -5487,12 +4136,12 @@ function assertSupportedMime(mimeType) {
   }
 }
 async function writeAttachment(scope, filename, mimeType, sizeBytes, buffer) {
-  const attachmentId = randomUUID4();
-  const dir = resolve8(ATTACHMENTS_ROOT, scope, attachmentId);
+  const attachmentId = randomUUID3();
+  const dir = resolve4(ATTACHMENTS_ROOT, scope, attachmentId);
   await mkdir2(dir, { recursive: true });
   const ext = extname(filename) || "";
-  const storagePath = resolve8(dir, `${attachmentId}${ext}`);
-  const metaPath = resolve8(dir, `${attachmentId}.meta.json`);
+  const storagePath = resolve4(dir, `${attachmentId}${ext}`);
+  const metaPath = resolve4(dir, `${attachmentId}.meta.json`);
   const meta = {
     attachmentId,
     scope,
@@ -5566,7 +4215,7 @@ async function storeGeneratedFile(accountId, filePath) {
       `File exceeds the 20 MB limit (${(fileStat.size / 1024 / 1024).toFixed(1)} MB).`
     );
   }
-  const filename = basename3(filePath);
+  const filename = basename(filePath);
   const mimeType = detectMimeType(filePath);
   const buffer = await readFile(filePath);
   return writeAttachment(accountId, filename, mimeType, fileStat.size, buffer);
@@ -5575,7 +4224,7 @@ async function storeGeneratedFile(accountId, filePath) {
 // app/lib/stt/voice-note.ts
 import { writeFile as writeFile3, mkdtemp, rm } from "fs/promises";
 import { tmpdir } from "os";
-import { join as join5 } from "path";
+import { join as join4 } from "path";
 var TAG14 = "[voice]";
 var AUDIO_MIME_TYPES = /* @__PURE__ */ new Set([
   "audio/ogg",
@@ -5613,9 +4262,9 @@ async function transcribeVoiceNote(file, source) {
   let tempDir;
   let tempPath;
   try {
-    tempDir = await mkdtemp(join5(tmpdir(), "voice-"));
+    tempDir = await mkdtemp(join4(tmpdir(), "voice-"));
     const ext = audioExtension(mimeType);
-    tempPath = join5(tempDir, `recording${ext}`);
+    tempPath = join4(tempDir, `recording${ext}`);
     const buffer = Buffer.from(await file.arrayBuffer());
     await writeFile3(tempPath, buffer);
   } catch (err) {
@@ -6170,16 +4819,16 @@ var group_default = app4;
 
 // app/lib/access-gate.ts
 import neo4j from "neo4j-driver";
-import { readFileSync as readFileSync7 } from "fs";
-import { resolve as resolve9 } from "path";
-import { randomUUID as randomUUID5, randomInt } from "crypto";
-var PLATFORM_ROOT3 = process.env.MAXY_PLATFORM_ROOT ?? resolve9(process.cwd(), "..");
+import { readFileSync as readFileSync4 } from "fs";
+import { resolve as resolve5 } from "path";
+import { randomUUID as randomUUID4, randomInt } from "crypto";
+var PLATFORM_ROOT3 = process.env.MAXY_PLATFORM_ROOT ?? resolve5(process.cwd(), "..");
 var driver = null;
 function readPassword() {
   if (process.env.NEO4J_PASSWORD) return process.env.NEO4J_PASSWORD;
-  const passwordFile = resolve9(PLATFORM_ROOT3, "config/.neo4j-password");
+  const passwordFile = resolve5(PLATFORM_ROOT3, "config/.neo4j-password");
   try {
-    return readFileSync7(passwordFile, "utf-8").trim();
+    return readFileSync4(passwordFile, "utf-8").trim();
   } catch {
     throw new Error(
       `Neo4j password not found. Expected at ${passwordFile} or in NEO4J_PASSWORD env var.`
@@ -6428,7 +5077,7 @@ async function setGrantPassword(grantId, passwordHash) {
   }
 }
 async function generateNewMagicToken(grantId) {
-  const token = randomUUID5();
+  const token = randomUUID4();
   const session = getSession2();
   try {
     await session.run(
@@ -6490,19 +5139,19 @@ async function findActiveGrantByContact(contactValue, agentSlug, accountId) {
 }
 
 // app/lib/brevo-sms.ts
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync6, mkdirSync as mkdirSync5, existsSync as existsSync8, chmodSync } from "fs";
-import { dirname as dirname4 } from "path";
-import { resolve as resolve10 } from "path";
-var BREVO_API_KEY_FILE = resolve10(MAXY_DIR, ".brevo-api-key");
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync3, mkdirSync as mkdirSync2, existsSync as existsSync5, chmodSync } from "fs";
+import { dirname } from "path";
+import { resolve as resolve6 } from "path";
+var BREVO_API_KEY_FILE = resolve6(MAXY_DIR, ".brevo-api-key");
 var BREVO_API_URL = "https://api.brevo.com/v3/transactionalSMS/sms";
 var BREVO_TIMEOUT_MS = 1e4;
 var BREVO_SENDER = "Maxy";
 var platformRoot = process.env.MAXY_PLATFORM_ROOT;
 if (platformRoot) {
   try {
-    const brandPath = resolve10(platformRoot, "config", "brand.json");
-    if (existsSync8(brandPath)) {
-      const brand = JSON.parse(readFileSync8(brandPath, "utf-8"));
+    const brandPath = resolve6(platformRoot, "config", "brand.json");
+    if (existsSync5(brandPath)) {
+      const brand = JSON.parse(readFileSync5(brandPath, "utf-8"));
       if (brand.productName) BREVO_SENDER = brand.productName;
     }
   } catch {
@@ -6510,7 +5159,7 @@ if (platformRoot) {
 }
 function readBrevoApiKey() {
   try {
-    const key = readFileSync8(BREVO_API_KEY_FILE, "utf-8").trim();
+    const key = readFileSync5(BREVO_API_KEY_FILE, "utf-8").trim();
     if (!key) {
       throw new Error(`Brevo API key file is empty: ${BREVO_API_KEY_FILE}`);
     }
@@ -6525,7 +5174,7 @@ function readBrevoApiKey() {
   }
 }
 function hasBrevoApiKey() {
-  return existsSync8(BREVO_API_KEY_FILE);
+  return existsSync5(BREVO_API_KEY_FILE);
 }
 async function sendSms(recipient, content, opts) {
   let apiKey;
@@ -6941,7 +5590,7 @@ app5.post("/send-otp", async (c) => {
 var access_default = app5;
 
 // server/routes/telegram.ts
-import { existsSync as existsSync9, readFileSync as readFileSync9 } from "fs";
+import { existsSync as existsSync6, readFileSync as readFileSync6 } from "fs";
 import { timingSafeEqual } from "crypto";
 
 // app/lib/telegram/access-control.ts
@@ -6978,8 +5627,8 @@ var TELEGRAM_API = "https://api.telegram.org";
 function getWebhookSecret(botType) {
   const filePath = botType === "admin" ? TELEGRAM_ADMIN_WEBHOOK_SECRET_FILE : TELEGRAM_WEBHOOK_SECRET_FILE;
   try {
-    if (!existsSync9(filePath)) return null;
-    const secret = readFileSync9(filePath, "utf-8").trim();
+    if (!existsSync6(filePath)) return null;
+    const secret = readFileSync6(filePath, "utf-8").trim();
     return secret || null;
   } catch {
     return null;
@@ -7137,12 +5786,12 @@ app6.post("/webhook", async (c) => {
 var telegram_default = app6;
 
 // server/routes/whatsapp.ts
-import { join as join6, resolve as resolve11, basename as basename4 } from "path";
+import { join as join5, resolve as resolve7, basename as basename2 } from "path";
 import { readFile as readFile2, stat as stat3 } from "fs/promises";
-import { realpathSync as realpathSync2, readdirSync as readdirSync3, readFileSync as readFileSync10, existsSync as existsSync10 } from "fs";
+import { realpathSync as realpathSync2, readdirSync as readdirSync2, readFileSync as readFileSync7, existsSync as existsSync7 } from "fs";
 
 // app/lib/whatsapp/login.ts
-import { randomUUID as randomUUID6 } from "crypto";
+import { randomUUID as randomUUID5 } from "crypto";
 var TAG17 = "[whatsapp:login]";
 var ACTIVE_LOGIN_TTL_MS = 3 * 6e4;
 var activeLogins = /* @__PURE__ */ new Map();
@@ -7245,8 +5894,8 @@ async function startLogin(opts) {
   resetActiveLogin(accountId);
   let resolveQr = null;
   let rejectQr = null;
-  const qrPromise = new Promise((resolve26, reject) => {
-    resolveQr = resolve26;
+  const qrPromise = new Promise((resolve22, reject) => {
+    resolveQr = resolve22;
     rejectQr = reject;
   });
   const qrTimer = setTimeout(
@@ -7281,7 +5930,7 @@ async function startLogin(opts) {
   const login = {
     accountId,
     authDir,
-    id: randomUUID6(),
+    id: randomUUID5(),
     sock,
     startedAt: Date.now(),
     connected: false
@@ -7480,7 +6129,7 @@ app7.post("/login/start", async (c) => {
     const body = await c.req.json().catch(() => ({}));
     const accountId = validateAccountId(body.accountId);
     const force = body.force ?? false;
-    const authDir = join6(MAXY_DIR, "credentials", "whatsapp", accountId);
+    const authDir = join5(MAXY_DIR, "credentials", "whatsapp", accountId);
     const result = await startLogin({ accountId, authDir, force });
     console.error(`${TAG18} login/start result account=${accountId} hasQr=${!!result.qrRaw}${result.selfPhone ? ` phone=${result.selfPhone}` : ""}`);
     return c.json(result);
@@ -7640,17 +6289,17 @@ app7.post("/config", async (c) => {
         return c.json(result, result.ok ? 200 : 400);
       }
       case "list-public-agents": {
-        const agentsDir = resolve11(account.accountDir, "agents");
+        const agentsDir = resolve7(account.accountDir, "agents");
         const agents = [];
-        if (existsSync10(agentsDir)) {
+        if (existsSync7(agentsDir)) {
           try {
-            const entries = readdirSync3(agentsDir, { withFileTypes: true });
+            const entries = readdirSync2(agentsDir, { withFileTypes: true });
             for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
               if (!entry.isDirectory() || entry.name === "admin") continue;
-              const configPath2 = resolve11(agentsDir, entry.name, "config.json");
-              if (!existsSync10(configPath2)) continue;
+              const configPath2 = resolve7(agentsDir, entry.name, "config.json");
+              if (!existsSync7(configPath2)) continue;
               try {
-                const config = JSON.parse(readFileSync10(configPath2, "utf-8"));
+                const config = JSON.parse(readFileSync7(configPath2, "utf-8"));
                 agents.push({ slug: entry.name, displayName: config.displayName ?? entry.name });
               } catch {
                 console.error(`${TAG18} config action=list-public-agents error="failed to parse config.json for agent ${entry.name}" \u2014 skipping`);
@@ -7725,7 +6374,7 @@ app7.post("/send-document", async (c) => {
     if (!maxyAccountId || !PLATFORM_ROOT4) {
       return c.json({ error: "Cannot validate file path: missing account or platform context" }, 400);
     }
-    const accountDir = resolve11(PLATFORM_ROOT4, "..", "data/accounts", maxyAccountId);
+    const accountDir = resolve7(PLATFORM_ROOT4, "..", "data/accounts", maxyAccountId);
     let resolvedPath;
     try {
       resolvedPath = realpathSync2(filePath);
@@ -7749,7 +6398,7 @@ app7.post("/send-document", async (c) => {
       return c.json({ error: `File exceeds 20 MB limit (${(fileStat.size / 1024 / 1024).toFixed(1)} MB)` }, 400);
     }
     const buffer = Buffer.from(await readFile2(resolvedPath));
-    const filename = basename4(resolvedPath);
+    const filename = basename2(resolvedPath);
     const mimetype = detectMimeType(resolvedPath);
     const sock = getSocket(accountId);
     if (!sock) {
@@ -7949,16 +6598,16 @@ var whatsapp_default = app7;
 
 // server/routes/onboarding.ts
 import { spawn, execFileSync } from "child_process";
-import { openSync as openSync2, closeSync as closeSync2, writeFileSync as writeFileSync7, writeSync, existsSync as existsSync11, mkdirSync as mkdirSync6, readFileSync as readFileSync11, unlinkSync } from "fs";
-import { resolve as resolve12, dirname as dirname5 } from "path";
-import { createHash, randomUUID as randomUUID7 } from "crypto";
+import { openSync, closeSync, writeFileSync as writeFileSync4, writeSync, existsSync as existsSync8, mkdirSync as mkdirSync3, readFileSync as readFileSync8, unlinkSync } from "fs";
+import { resolve as resolve8, dirname as dirname2 } from "path";
+import { createHash, randomUUID as randomUUID6 } from "crypto";
 var PLATFORM_ROOT5 = process.env.MAXY_PLATFORM_ROOT || "";
 function hashPin(pin) {
   return createHash("sha256").update(pin).digest("hex");
 }
 function readUsersFile() {
-  if (!existsSync11(USERS_FILE)) return null;
-  const raw = readFileSync11(USERS_FILE, "utf-8").trim();
+  if (!existsSync8(USERS_FILE)) return null;
+  const raw = readFileSync8(USERS_FILE, "utf-8").trim();
   if (!raw) return [];
   return JSON.parse(raw);
 }
@@ -8024,11 +6673,11 @@ app8.post("/claude-auth", async (c) => {
     if (!vncReady) return c.json({ error: "VNC display failed to start" }, 500);
   }
   await ensureCdp(transport);
-  writeFileSync7(logPath("claude-auth"), "");
+  writeFileSync4(logPath("claude-auth"), "");
   const chromiumWrapper = writeChromiumWrapper();
   const x11Env = buildX11Env(chromiumWrapper, transport);
   vncLog("claude-auth", { action: "start", transport });
-  const claudeAuthLogFd = openSync2(logPath("claude-auth"), "a");
+  const claudeAuthLogFd = openSync(logPath("claude-auth"), "a");
   const claudeProc = spawn("claude", ["auth", "login"], {
     env: x11Env,
     stdio: ["ignore", "pipe", "pipe"]
@@ -8037,7 +6686,7 @@ app8.post("/claude-auth", async (c) => {
   const onClaudeOutput = (chunk) => writeSync(claudeAuthLogFd, chunk);
   claudeProc.stdout?.on("data", onClaudeOutput);
   claudeProc.stderr?.on("data", onClaudeOutput);
-  claudeProc.once("close", () => closeSync2(claudeAuthLogFd));
+  claudeProc.once("close", () => closeSync(claudeAuthLogFd));
   await waitForAuthPage(2e4);
   return c.json({ started: true, transport });
 });
@@ -8068,22 +6717,22 @@ app8.post("/set-pin", async (c) => {
   const hash = hashPin(body.pin);
   const account = resolveAccount();
   const existingOwnerUserId = account?.config.admins?.find((a) => a.role === "owner")?.userId;
-  const userId = existingOwnerUserId ?? randomUUID7();
+  const userId = existingOwnerUserId ?? randomUUID6();
   if (existingOwnerUserId) {
     console.log(`[set-pin] reusing existing owner userId=${userId.slice(0, 8)}\u2026 (change-PIN preserves identity)`);
   } else {
     console.log(`[set-pin] minted new userId=${userId.slice(0, 8)}\u2026 (first-time install)`);
   }
-  mkdirSync6(dirname5(USERS_FILE), { recursive: true });
-  writeFileSync7(USERS_FILE, JSON.stringify([{ userId, pin: hash }]), { mode: 384 });
+  mkdirSync3(dirname2(USERS_FILE), { recursive: true });
+  writeFileSync4(USERS_FILE, JSON.stringify([{ userId, pin: hash }]), { mode: 384 });
   console.log(`[set-pin] wrote users.json: userId=${userId.slice(0, 8)}\u2026 hash=${hash.slice(0, 8)}\u2026`);
   if (account) {
     try {
-      const config = JSON.parse(readFileSync11(`${account.accountDir}/account.json`, "utf-8"));
+      const config = JSON.parse(readFileSync8(`${account.accountDir}/account.json`, "utf-8"));
       if (!config.admins) config.admins = [];
       if (!config.admins.some((a) => a.userId === userId)) {
         config.admins.push({ userId, role: "owner" });
-        writeFileSync7(`${account.accountDir}/account.json`, JSON.stringify(config, null, 2) + "\n");
+        writeFileSync4(`${account.accountDir}/account.json`, JSON.stringify(config, null, 2) + "\n");
         console.log(`[set-pin] added userId=${userId.slice(0, 8)}\u2026 to account.json admins`);
       }
     } catch (err) {
@@ -8136,7 +6785,7 @@ app8.delete("/set-pin", async (c) => {
     unlinkSync(USERS_FILE);
     console.log(`[set-pin] cleared users.json (last entry removed): userId=${matchedUser.userId.slice(0, 8)}\u2026`);
   } else {
-    writeFileSync7(USERS_FILE, JSON.stringify(remaining), { mode: 384 });
+    writeFileSync4(USERS_FILE, JSON.stringify(remaining), { mode: 384 });
     console.log(`[set-pin] removed entry from users.json: userId=${matchedUser.userId.slice(0, 8)}\u2026 remaining=${remaining.length}`);
   }
   return c.json({ ok: true });
@@ -8155,19 +6804,19 @@ app8.post("/skip", async (c) => {
   }
   const { accountId, accountDir } = account;
   let agentName = "Maxy";
-  const brandPath = PLATFORM_ROOT5 ? resolve12(PLATFORM_ROOT5, "config", "brand.json") : "";
-  if (brandPath && existsSync11(brandPath)) {
+  const brandPath = PLATFORM_ROOT5 ? resolve8(PLATFORM_ROOT5, "config", "brand.json") : "";
+  if (brandPath && existsSync8(brandPath)) {
     try {
-      const brand = JSON.parse(readFileSync11(brandPath, "utf-8"));
+      const brand = JSON.parse(readFileSync8(brandPath, "utf-8"));
       if (brand.productName) agentName = brand.productName;
     } catch (err) {
       console.error(`[onboarding-skip] brand.json read failed: ${err instanceof Error ? err.message : String(err)}`);
     }
   }
-  const soulPath = resolve12(accountDir, "agents", "admin", "SOUL.md");
+  const soulPath = resolve8(accountDir, "agents", "admin", "SOUL.md");
   try {
-    mkdirSync6(dirname5(soulPath), { recursive: true });
-    writeFileSync7(soulPath, `You are ${agentName}, an AI operations manager.
+    mkdirSync3(dirname2(soulPath), { recursive: true });
+    writeFileSync4(soulPath, `You are ${agentName}, an AI operations manager.
 `);
     console.log(`[onboarding-skip] wrote SOUL.md: ${soulPath}`);
   } catch (err) {
@@ -8211,9 +6860,9 @@ app8.post("/skip", async (c) => {
 var onboarding_default = app8;
 
 // server/routes/client-error.ts
-import { appendFileSync as appendFileSync2, existsSync as existsSync12, renameSync as renameSync4, statSync as statSync5 } from "fs";
-import { join as join7 } from "path";
-var CLIENT_ERRORS_LOG = join7(LOG_DIR, "client-errors.log");
+import { appendFileSync, existsSync as existsSync9, renameSync, statSync as statSync2 } from "fs";
+import { join as join6 } from "path";
+var CLIENT_ERRORS_LOG = join6(LOG_DIR, "client-errors.log");
 var MAX_LOG_SIZE = 10 * 1024 * 1024;
 var MAX_BODY_SIZE = 8 * 1024;
 var MAX_STACK_LEN = 2e3;
@@ -8256,10 +6905,10 @@ function stackHead(stack) {
 }
 function rotateIfNeeded() {
   try {
-    if (!existsSync12(CLIENT_ERRORS_LOG)) return;
-    const stats = statSync5(CLIENT_ERRORS_LOG);
+    if (!existsSync9(CLIENT_ERRORS_LOG)) return;
+    const stats = statSync2(CLIENT_ERRORS_LOG);
     if (stats.size < MAX_LOG_SIZE) return;
-    renameSync4(CLIENT_ERRORS_LOG, CLIENT_ERRORS_LOG + ".1");
+    renameSync(CLIENT_ERRORS_LOG, CLIENT_ERRORS_LOG + ".1");
   } catch (err) {
     console.error(`[client-error] log rotation failed: ${err instanceof Error ? err.message : String(err)}`);
   }
@@ -8360,7 +7009,7 @@ app9.post("/", async (c) => {
         tag: typeof body.tag === "string" ? truncate(body.tag, 32) : void 0,
         status: typeof body.status === "number" ? body.status : void 0
       };
-      appendFileSync2(CLIENT_ERRORS_LOG, JSON.stringify(payload) + "\n", "utf-8");
+      appendFileSync(CLIENT_ERRORS_LOG, JSON.stringify(payload) + "\n", "utf-8");
     } catch (err) {
       console.error(`[client-error] append failed: ${err instanceof Error ? err.message : String(err)}`);
     }
@@ -8370,15 +7019,15 @@ app9.post("/", async (c) => {
 var client_error_default = app9;
 
 // server/routes/admin/session.ts
-import { readFileSync as readFileSync12, writeFileSync as writeFileSync8, existsSync as existsSync13 } from "fs";
+import { readFileSync as readFileSync9, writeFileSync as writeFileSync5, existsSync as existsSync10 } from "fs";
 import { createHash as createHash2 } from "crypto";
 var deprecationLogged = /* @__PURE__ */ new Set();
 function hashPin2(pin) {
   return createHash2("sha256").update(pin).digest("hex");
 }
 function readUsersFile2() {
-  if (!existsSync13(USERS_FILE)) return null;
-  const raw = readFileSync12(USERS_FILE, "utf-8").trim();
+  if (!existsSync10(USERS_FILE)) return null;
+  const raw = readFileSync9(USERS_FILE, "utf-8").trim();
   if (!raw) return [];
   return JSON.parse(raw);
 }
@@ -8395,7 +7044,7 @@ function stripLegacyNameField(users) {
     }
   }
   try {
-    writeFileSync8(USERS_FILE, JSON.stringify(users), { mode: 384 });
+    writeFileSync5(USERS_FILE, JSON.stringify(users), { mode: 384 });
   } catch (err) {
     console.error(`[admin-identity] users-json strip failed: ${err instanceof Error ? err.message : String(err)}`);
   }
@@ -8552,13 +7201,13 @@ app10.post("/", async (c) => {
 var session_default2 = app10;
 
 // server/routes/admin/chat.ts
-import { resolve as resolve13 } from "path";
-import { appendFileSync as appendFileSync4 } from "fs";
+import { resolve as resolve9 } from "path";
+import { appendFileSync as appendFileSync3 } from "fs";
 
 // app/lib/script-stream-tailer.ts
 import * as childProcess from "child_process";
-import { appendFileSync as appendFileSync3, createReadStream as createReadStream2, mkdirSync as mkdirSync7, statSync as statSync6 } from "fs";
-import { dirname as dirname6 } from "path";
+import { appendFileSync as appendFileSync2, createReadStream as createReadStream2, mkdirSync as mkdirSync4, statSync as statSync3 } from "fs";
+import { dirname as dirname3 } from "path";
 import { StringDecoder } from "string_decoder";
 var SCRIPT_STREAM_RE = /^\[([^\]]+)\] \[script:([a-z][a-z0-9-]*)((?::[a-z0-9:_-]+)?)\] (.*)$/;
 function parseLine(line) {
@@ -8576,7 +7225,7 @@ function startScriptStreamTailer(opts) {
   const { path: path2, onEvent, onError } = opts;
   let offset;
   try {
-    offset = statSync6(path2).size;
+    offset = statSync3(path2).size;
   } catch {
     offset = 0;
   }
@@ -8595,7 +7244,7 @@ function startScriptStreamTailer(opts) {
     try {
       let size;
       try {
-        size = statSync6(path2).size;
+        size = statSync3(path2).size;
       } catch {
         return;
       }
@@ -8667,8 +7316,8 @@ function writeRouteMilestone(streamLogPath, scope, line) {
   }
   const ts = (/* @__PURE__ */ new Date()).toISOString();
   try {
-    mkdirSync7(dirname6(streamLogPath), { recursive: true });
-    appendFileSync3(streamLogPath, `[${ts}] [script:${scope}] ${line}
+    mkdirSync4(dirname3(streamLogPath), { recursive: true });
+    appendFileSync2(streamLogPath, `[${ts}] [script:${scope}] ${line}
 `);
   } catch (err) {
     console.error(
@@ -8843,7 +7492,7 @@ var app11 = new Hono();
 app11.post("/cancel", requireAdminSession, async (c) => {
   const session_key = c.var.sessionKey;
   try {
-    const { interruptClient: interruptClient2 } = await import("./client-pool-BMPFHXHB.js");
+    const { interruptClient: interruptClient2 } = await import("./client-pool-GBY5I2KQ.js");
     await interruptClient2(session_key);
     return c.json({ ok: true });
   } catch (err) {
@@ -9007,10 +7656,10 @@ app11.post("/", requireAdminSession, async (c) => {
   function resolveTeeStreamLogPath() {
     const liveConvId = getConversationIdForSession(session_key);
     const key = liveConvId ?? preflushStreamLogKey(session_key);
-    return resolve13(account.accountDir, "logs", `claude-agent-stream-${key}.log`);
+    return resolve9(account.accountDir, "logs", `claude-agent-stream-${key}.log`);
   }
   try {
-    appendFileSync4(resolveTeeStreamLogPath(), `[${(/* @__PURE__ */ new Date()).toISOString()}] [chat-route-version=task606-tee-path-resolve] sessionKey=${session_key.slice(0, 12)}\u2026
+    appendFileSync3(resolveTeeStreamLogPath(), `[${(/* @__PURE__ */ new Date()).toISOString()}] [chat-route-version=task606-tee-path-resolve] sessionKey=${session_key.slice(0, 12)}\u2026
 `);
   } catch {
   }
@@ -9019,7 +7668,7 @@ app11.post("/", requireAdminSession, async (c) => {
     incoming.on("close", () => {
       const tsClose = (/* @__PURE__ */ new Date()).toISOString();
       try {
-        appendFileSync4(resolveTeeStreamLogPath(), `[${tsClose}] [incoming-close] sessionKey=${session_key.slice(0, 12)}\u2026 complete=${incoming.complete}
+        appendFileSync3(resolveTeeStreamLogPath(), `[${tsClose}] [incoming-close] sessionKey=${session_key.slice(0, 12)}\u2026 complete=${incoming.complete}
 `);
       } catch {
       }
@@ -9027,7 +7676,7 @@ app11.post("/", requireAdminSession, async (c) => {
         console.error(`[${tsClose}] [incoming-close] DISCONNECT sessionKey=${session_key.slice(0, 12)}\u2026`);
         interruptClient(session_key).catch((err) => {
           try {
-            appendFileSync4(resolveTeeStreamLogPath(), `[${(/* @__PURE__ */ new Date()).toISOString()}] [incoming-close] interrupt-failed: ${err instanceof Error ? err.message : String(err)}
+            appendFileSync3(resolveTeeStreamLogPath(), `[${(/* @__PURE__ */ new Date()).toISOString()}] [incoming-close] interrupt-failed: ${err instanceof Error ? err.message : String(err)}
 `);
           } catch {
           }
@@ -9036,7 +7685,7 @@ app11.post("/", requireAdminSession, async (c) => {
     });
   } else {
     try {
-      appendFileSync4(resolveTeeStreamLogPath(), `[${(/* @__PURE__ */ new Date()).toISOString()}] [incoming-close] UNAVAILABLE \u2014 c.env.incoming is not an EventEmitter
+      appendFileSync3(resolveTeeStreamLogPath(), `[${(/* @__PURE__ */ new Date()).toISOString()}] [incoming-close] UNAVAILABLE \u2014 c.env.incoming is not an EventEmitter
 `);
     } catch {
     }
@@ -9048,7 +7697,7 @@ app11.post("/", requireAdminSession, async (c) => {
       } catch {
       }
       try {
-        appendFileSync4(resolveTeeStreamLogPath(), line);
+        appendFileSync3(resolveTeeStreamLogPath(), line);
       } catch {
       }
       return true;
@@ -9109,7 +7758,7 @@ app11.post("/", requireAdminSession, async (c) => {
       try {
         registerAdminSSE(sseEntry);
         if (sseConvId) {
-          const streamLogPath = resolve13(account.accountDir, "logs", `claude-agent-stream-${sseConvId}.log`);
+          const streamLogPath = resolve9(account.accountDir, "logs", `claude-agent-stream-${sseConvId}.log`);
           tailer = startScriptStreamTailer({
             path: streamLogPath,
             onEvent: (event) => {
@@ -9238,22 +7887,22 @@ app12.post("/", requireAdminSession, async (c) => {
 var compact_default = app12;
 
 // server/routes/admin/logs.ts
-import { existsSync as existsSync15, readdirSync as readdirSync4, readFileSync as readFileSync13, statSync as statSync7 } from "fs";
-import { resolve as resolve14, basename as basename5 } from "path";
+import { existsSync as existsSync12, readdirSync as readdirSync3, readFileSync as readFileSync10, statSync as statSync4 } from "fs";
+import { resolve as resolve10, basename as basename3 } from "path";
 
 // app/lib/logs-read-resolve.ts
-import { existsSync as existsSync14 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync11 } from "fs";
+import { join as join7 } from "path";
 function resolveConversationLogPaths(fullFilename, preflushFilename, logDirs) {
   const tried = [fullFilename, preflushFilename];
   const hits = [];
   const stalePreflushPaths = [];
   for (const dir of logDirs) {
-    const fullPath = join8(dir, fullFilename);
-    if (existsSync14(fullPath)) {
+    const fullPath = join7(dir, fullFilename);
+    if (existsSync11(fullPath)) {
       hits.push({ path: fullPath, shape: "full", dir });
-      const preflushSibling = join8(dir, preflushFilename);
-      if (existsSync14(preflushSibling)) {
+      const preflushSibling = join7(dir, preflushFilename);
+      if (existsSync11(preflushSibling)) {
         stalePreflushPaths.push(preflushSibling);
       }
     }
@@ -9262,8 +7911,8 @@ function resolveConversationLogPaths(fullFilename, preflushFilename, logDirs) {
     return { hits, stalePreflushPaths, tried };
   }
   for (const dir of logDirs) {
-    const preflushPath = join8(dir, preflushFilename);
-    if (existsSync14(preflushPath)) {
+    const preflushPath = join7(dir, preflushFilename);
+    if (existsSync11(preflushPath)) {
       hits.push({ path: preflushPath, shape: "preflush", dir });
     }
   }
@@ -9283,19 +7932,19 @@ app13.get("/", async (c) => {
   const sessionKeyParam = c.req.query("sessionKey");
   const download = c.req.query("download") === "1";
   const account = resolveAccount();
-  const accountLogDir2 = account ? resolve14(account.accountDir, "logs") : null;
+  const accountLogDir = account ? resolve10(account.accountDir, "logs") : null;
   const logDirs = [];
-  if (accountLogDir2) logDirs.push(accountLogDir2);
+  if (accountLogDir) logDirs.push(accountLogDir);
   logDirs.push(LOG_DIR);
   if (fileParam) {
-    const safe = basename5(fileParam);
+    const safe = basename3(fileParam);
     const searched = [];
     for (const dir of logDirs) {
-      const filePath = resolve14(dir, safe);
+      const filePath = resolve10(dir, safe);
       searched.push(filePath);
       try {
-        const buffer = readFileSync13(filePath);
-        const onDiskBytes = statSync7(filePath).size;
+        const buffer = readFileSync10(filePath);
+        const onDiskBytes = statSync4(filePath).size;
         const headers = {
           "Content-Type": "text/plain; charset=utf-8",
           "Content-Length": String(buffer.byteLength)
@@ -9367,9 +8016,9 @@ app13.get("/", async (c) => {
       const hit = hits[0];
       console.info(`[admin/logs] resolved sessionKey=${sessionKeySlice} conversationId=${conversationIdSlice} shape=${hit.shape} stalePreflushCount=${stalePreflushCount}`);
       try {
-        const filename = basename5(hit.path);
+        const filename = basename3(hit.path);
         if (stalePreflushCount > 0 && !download) {
-          const content = readFileSync13(hit.path, "utf-8");
+          const content = readFileSync10(hit.path, "utf-8");
           return c.json({
             log: content,
             filename,
@@ -9377,8 +8026,8 @@ app13.get("/", async (c) => {
             warnings: stalePreflushPaths.map((path2) => ({ kind: "stale-preflush", path: path2 }))
           });
         }
-        const buffer = readFileSync13(hit.path);
-        const onDiskBytes = statSync7(hit.path).size;
+        const buffer = readFileSync10(hit.path);
+        const onDiskBytes = statSync4(hit.path).size;
         const headers = {
           "Content-Type": "text/plain; charset=utf-8",
           "Content-Length": String(buffer.byteLength)
@@ -9411,19 +8060,19 @@ app13.get("/", async (c) => {
   const seen = /* @__PURE__ */ new Set();
   const logs = {};
   for (const dir of logDirs) {
-    if (!existsSync15(dir)) continue;
+    if (!existsSync12(dir)) continue;
     let files;
     try {
-      files = readdirSync4(dir).filter((f) => f.endsWith(".log"));
+      files = readdirSync3(dir).filter((f) => f.endsWith(".log"));
     } catch (err) {
       const reason = err instanceof Error ? err.message : String(err);
       console.warn(`[admin/logs] readdir-fail dir=${dir} reason=${reason}`);
       continue;
     }
-    files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync7(resolve14(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
+    files.filter((f) => !seen.has(f)).map((f) => ({ name: f, mtime: statSync4(resolve10(dir, f)).mtimeMs })).sort((a, b) => b.mtime - a.mtime).forEach(({ name }) => {
       seen.add(name);
       try {
-        const content = readFileSync13(resolve14(dir, name));
+        const content = readFileSync10(resolve10(dir, name));
         const tail = content.length > TAIL_BYTES ? content.subarray(content.length - TAIL_BYTES).toString("utf-8") : content.toString("utf-8");
         logs[name] = tail.trim() || "(empty)";
       } catch (err) {
@@ -9462,8 +8111,8 @@ var claude_info_default = app14;
 
 // server/routes/admin/attachment.ts
 import { readFile as readFile3, readdir } from "fs/promises";
-import { existsSync as existsSync16 } from "fs";
-import { resolve as resolve15 } from "path";
+import { existsSync as existsSync13 } from "fs";
+import { resolve as resolve11 } from "path";
 var app15 = new Hono();
 app15.get("/:attachmentId", requireAdminSession, async (c) => {
   const attachmentId = c.req.param("attachmentId");
@@ -9475,12 +8124,12 @@ app15.get("/:attachmentId", requireAdminSession, async (c) => {
   if (!/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/.test(attachmentId)) {
     return new Response("Not found", { status: 404 });
   }
-  const dir = resolve15(ATTACHMENTS_ROOT, accountId, attachmentId);
-  if (!existsSync16(dir)) {
+  const dir = resolve11(ATTACHMENTS_ROOT, accountId, attachmentId);
+  if (!existsSync13(dir)) {
     return new Response("Not found", { status: 404 });
   }
-  const metaPath = resolve15(dir, `${attachmentId}.meta.json`);
-  if (!existsSync16(metaPath)) {
+  const metaPath = resolve11(dir, `${attachmentId}.meta.json`);
+  if (!existsSync13(metaPath)) {
     return new Response("Not found", { status: 404 });
   }
   let meta;
@@ -9494,7 +8143,7 @@ app15.get("/:attachmentId", requireAdminSession, async (c) => {
   if (!dataFile) {
     return new Response("Not found", { status: 404 });
   }
-  const filePath = resolve15(dir, dataFile);
+  const filePath = resolve11(dir, dataFile);
   const buffer = await readFile3(filePath);
   return new Response(new Uint8Array(buffer), {
     headers: {
@@ -9507,24 +8156,24 @@ app15.get("/:attachmentId", requireAdminSession, async (c) => {
 var attachment_default = app15;
 
 // server/routes/admin/agents.ts
-import { resolve as resolve16 } from "path";
-import { readdirSync as readdirSync5, readFileSync as readFileSync14, existsSync as existsSync17, rmSync } from "fs";
+import { resolve as resolve12 } from "path";
+import { readdirSync as readdirSync4, readFileSync as readFileSync11, existsSync as existsSync14, rmSync } from "fs";
 var app16 = new Hono();
 app16.get("/", (c) => {
   const account = resolveAccount();
   if (!account) return c.json({ agents: [] });
-  const agentsDir = resolve16(account.accountDir, "agents");
-  if (!existsSync17(agentsDir)) return c.json({ agents: [] });
+  const agentsDir = resolve12(account.accountDir, "agents");
+  if (!existsSync14(agentsDir)) return c.json({ agents: [] });
   const agents = [];
   try {
-    const entries = readdirSync5(agentsDir, { withFileTypes: true });
+    const entries = readdirSync4(agentsDir, { withFileTypes: true });
     for (const entry of entries.sort((a, b) => a.name.localeCompare(b.name))) {
       if (!entry.isDirectory()) continue;
       if (entry.name === "admin") continue;
-      const configPath2 = resolve16(agentsDir, entry.name, "config.json");
-      if (!existsSync17(configPath2)) continue;
+      const configPath2 = resolve12(agentsDir, entry.name, "config.json");
+      if (!existsSync14(configPath2)) continue;
       try {
-        const config = JSON.parse(readFileSync14(configPath2, "utf-8"));
+        const config = JSON.parse(readFileSync11(configPath2, "utf-8"));
         agents.push({
           slug: entry.name,
           displayName: config.displayName ?? entry.name,
@@ -9550,8 +8199,8 @@ app16.delete("/:slug", async (c) => {
   if (slug.includes("/") || slug.includes("..") || slug.includes("\\")) {
     return c.json({ error: "Invalid agent slug" }, 400);
   }
-  const agentDir = resolve16(account.accountDir, "agents", slug);
-  if (!existsSync17(agentDir)) {
+  const agentDir = resolve12(account.accountDir, "agents", slug);
+  if (!existsSync14(agentDir)) {
     return c.json({ error: "Agent not found" }, 404);
   }
   try {
@@ -9580,8 +8229,8 @@ app16.post("/:slug/project", async (c) => {
   if (slug.includes("/") || slug.includes("..") || slug.includes("\\")) {
     return c.json({ error: "Invalid agent slug" }, 400);
   }
-  const agentDir = resolve16(account.accountDir, "agents", slug);
-  if (!existsSync17(agentDir)) {
+  const agentDir = resolve12(account.accountDir, "agents", slug);
+  if (!existsSync14(agentDir)) {
     return c.json({ error: "Agent not found on disk" }, 404);
   }
   try {
@@ -9597,7 +8246,7 @@ var agents_default = app16;
 // server/routes/admin/sessions.ts
 import crypto2 from "crypto";
 import { resolve as resolvePath } from "path";
-import { appendFileSync as appendFileSync5, existsSync as existsSync18 } from "fs";
+import { appendFileSync as appendFileSync4, existsSync as existsSync15 } from "fs";
 function validateAndShapeAttachments(raws, conversationAccountId, conversationId, messageId, streamLogPath) {
   const chips = [];
   let valid = 0;
@@ -9606,11 +8255,11 @@ function validateAndShapeAttachments(raws, conversationAccountId, conversationId
     let reason = null;
     if (!a.attachmentId || !a.filename || !a.mimeType || !a.storagePath) reason = "schema-fail";
     else if (a.accountId !== conversationAccountId) reason = "account-mismatch";
-    else if (!existsSync18(a.storagePath)) reason = "missing-file";
+    else if (!existsSync15(a.storagePath)) reason = "missing-file";
     if (reason) {
       invalid++;
       try {
-        appendFileSync5(streamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [attachment-rehydrate-invalid] conversationId=${conversationId.slice(0, 8)} messageId=${messageId.slice(0, 8)} attachmentId=${(a.attachmentId || "").slice(0, 8)} reason=${reason}
+        appendFileSync4(streamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [attachment-rehydrate-invalid] conversationId=${conversationId.slice(0, 8)} messageId=${messageId.slice(0, 8)} attachmentId=${(a.attachmentId || "").slice(0, 8)} reason=${reason}
 `);
       } catch {
       }
@@ -9673,7 +8322,7 @@ function reconstructAssistantEvents(content, components, conversationId, message
       const line = `[${(/* @__PURE__ */ new Date()).toISOString()}] [component-rehydrate-invalid] conversationId=${conversationId.slice(0, 8)} messageId=${messageId.slice(0, 8)} name=${c.name || "<unnamed>"} reason=${invalidReason}
 `;
       try {
-        appendFileSync5(streamLogPath, line);
+        appendFileSync4(streamLogPath, line);
       } catch {
       }
       continue;
@@ -9876,14 +8525,14 @@ app17.post("/:id/resume", async (c) => {
   const userMessageCount = rehydrated.filter((m) => m.role !== "assistant").length;
   const reason = bridged ? "post-restart" : "page-refresh";
   try {
-    appendFileSync5(streamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [admin-resume] reason=${reason} sessionKey=${sessionKey.slice(0, 8)} conversationId=${conversationId.slice(0, 8)} ${tag} loadedMessages=${messages.length} componentCount=${totalComponents} userAttachmentCount=${totalAttachments}
+    appendFileSync4(streamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [admin-resume] reason=${reason} sessionKey=${sessionKey.slice(0, 8)} conversationId=${conversationId.slice(0, 8)} ${tag} loadedMessages=${messages.length} componentCount=${totalComponents} userAttachmentCount=${totalAttachments}
 `);
     if (totalComponents > 0) {
-      appendFileSync5(streamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [component-rehydrate] conversationId=${conversationId.slice(0, 8)} count=${totalComponents} valid=${totalValid} invalid=${totalInvalid} textRuns=${textRuns}
+      appendFileSync4(streamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [component-rehydrate] conversationId=${conversationId.slice(0, 8)} count=${totalComponents} valid=${totalValid} invalid=${totalInvalid} textRuns=${textRuns}
 `);
     }
     if (totalAttachments > 0 || totalAttachmentInvalid > 0) {
-      appendFileSync5(streamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [attachment-rehydrate] conversationId=${conversationId.slice(0, 8)} userMessages=${userMessageCount} attachments=${totalAttachments} invalid=${totalAttachmentInvalid}
+      appendFileSync4(streamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [attachment-rehydrate] conversationId=${conversationId.slice(0, 8)} userMessages=${userMessageCount} attachments=${totalAttachments} invalid=${totalAttachmentInvalid}
 `);
     }
   } catch {
@@ -10147,8 +8796,8 @@ var events_default = app20;
 
 // server/routes/admin/cloudflare.ts
 import { homedir } from "os";
-import { resolve as resolve18 } from "path";
-import { readFileSync as readFileSync16 } from "fs";
+import { resolve as resolve14 } from "path";
+import { readFileSync as readFileSync14 } from "fs";
 
 // app/lib/dns-label.ts
 var VALID_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
@@ -10164,14 +8813,14 @@ function isValidDomain(value) {
 }
 
 // app/lib/alias-domains.ts
-import { existsSync as existsSync19, mkdirSync as mkdirSync8, readFileSync as readFileSync15, writeFileSync as writeFileSync9 } from "fs";
-import { dirname as dirname7 } from "path";
-import { resolve as resolve17 } from "path";
-var ALIAS_DOMAINS_PATH = resolve17(MAXY_DIR, "alias-domains.json");
+import { existsSync as existsSync16, mkdirSync as mkdirSync5, readFileSync as readFileSync12, writeFileSync as writeFileSync6 } from "fs";
+import { dirname as dirname4 } from "path";
+import { resolve as resolve13 } from "path";
+var ALIAS_DOMAINS_PATH = resolve13(MAXY_DIR, "alias-domains.json");
 function readExisting() {
-  if (!existsSync19(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
+  if (!existsSync16(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
   try {
-    const parsed = JSON.parse(readFileSync15(ALIAS_DOMAINS_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync12(ALIAS_DOMAINS_PATH, "utf-8"));
     if (!Array.isArray(parsed)) return /* @__PURE__ */ new Set();
     return new Set(parsed.filter((h) => typeof h === "string"));
   } catch {
@@ -10182,18 +8831,226 @@ function addAliasDomain(hostname2) {
   const existing = readExisting();
   if (existing.has(hostname2)) return;
   existing.add(hostname2);
-  mkdirSync8(dirname7(ALIAS_DOMAINS_PATH), { recursive: true });
-  writeFileSync9(ALIAS_DOMAINS_PATH, JSON.stringify([...existing], null, 2) + "\n", "utf-8");
+  mkdirSync5(dirname4(ALIAS_DOMAINS_PATH), { recursive: true });
+  writeFileSync6(ALIAS_DOMAINS_PATH, JSON.stringify([...existing], null, 2) + "\n", "utf-8");
+}
+
+// app/lib/cloudflare-task-tracker.ts
+import { readFileSync as readFileSync13, existsSync as existsSync17 } from "fs";
+import { randomUUID as randomUUID7 } from "crypto";
+var import_dist = __toESM(require_dist(), 1);
+var CREATED_BY_AGENT = "cloudflare-setup-endpoint";
+var TASK_KIND = "cloudflare-tunnel-login";
+async function openCloudflareTask(params) {
+  const { accountId, conversationKey, inputsProvided } = params;
+  const taskId = randomUUID7();
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const session = getSession();
+  try {
+    const conv = await session.run(
+      `MATCH (c:Conversation {sessionKey: $conversationKey, accountId: $accountId}) RETURN elementId(c) AS id LIMIT 1`,
+      { conversationKey, accountId }
+    );
+    if (conv.records.length === 0) {
+      throw new Error(
+        `cloudflare-task-tracker: no Conversation with sessionKey=${conversationKey.slice(-8)} for accountId \u2014 refusing to create an orphan Task`
+      );
+    }
+    const conversationElementId = conv.records[0].get("id");
+    const props = {
+      taskId,
+      accountId,
+      name: "Cloudflare tunnel login + setup",
+      description: `Deterministic cloudflare setup invoked by /api/admin/cloudflare/setup. inputsProvided=[${inputsProvided.join(", ")}]`,
+      status: "running",
+      priority: "normal",
+      kind: TASK_KIND,
+      inputsProvided,
+      startedAt: now,
+      createdAt: now,
+      updatedAt: now
+    };
+    const relationships = [
+      {
+        type: "RAISED_DURING",
+        direction: "outgoing",
+        targetNodeId: conversationElementId
+      }
+    ];
+    const result = await (0, import_dist.writeNodeWithEdges)({
+      session,
+      labels: ["Task"],
+      props,
+      relationships,
+      createdBy: {
+        agent: CREATED_BY_AGENT,
+        session: conversationKey,
+        tool: "cloudflare-setup-endpoint"
+      }
+    });
+    process.stderr.write(
+      `[task] action-start kind=${TASK_KIND} taskId=${taskId} raisedDuring=${conversationKey.slice(-8)}
+`
+    );
+    return { taskId, taskElementId: result.nodeId };
+  } finally {
+    await session.close();
+  }
+}
+async function appendCloudflareSteps(taskId, accountId, streamLogPath) {
+  if (!existsSync17(streamLogPath)) return [];
+  let content;
+  try {
+    content = readFileSync13(streamLogPath, "utf-8");
+  } catch {
+    return [];
+  }
+  const steps = [];
+  for (const line of content.split(/\r?\n/)) {
+    const m = line.match(/\bphase_line\s+setup-tunnel\s+step=(\S+)/);
+    if (m) steps.push(m[1]);
+  }
+  if (steps.length === 0) return [];
+  const session = getSession();
+  try {
+    await session.run(
+      `MATCH (t:Task {taskId: $taskId, accountId: $accountId})
+       SET t.steps = coalesce(t.steps, []) + $steps,
+           t.updatedAt = $updatedAt`,
+      { taskId, accountId, steps, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }
+    );
+    for (const step of steps) {
+      process.stderr.write(
+        `[task] action-step kind=${TASK_KIND} taskId=${taskId} step=${step}
+`
+      );
+    }
+    return steps;
+  } finally {
+    await session.close();
+  }
+}
+async function completeCloudflareTask(params) {
+  const { taskId, taskElementId, accountId, conversationKey, tunnelId, tunnelName, hostnames, status, errorMessage } = params;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  if (status === "failed" && (!errorMessage || errorMessage.trim().length === 0)) {
+    throw new Error(
+      "cloudflare-task-tracker: errorMessage is required when status='failed' (Task 885 process-provenance contract)."
+    );
+  }
+  const session = getSession();
+  try {
+    if (status === "completed" && tunnelId && tunnelName) {
+      const conv = await session.run(
+        `MATCH (c:Conversation {sessionKey: $conversationKey, accountId: $accountId}) RETURN elementId(c) AS id LIMIT 1`,
+        { conversationKey, accountId }
+      );
+      const conversationElementId = conv.records.length > 0 ? conv.records[0].get("id") : null;
+      const tunnelProps = {
+        accountId,
+        tunnelId,
+        tunnelName,
+        createdAt: now,
+        updatedAt: now
+      };
+      const tunnelRels = [
+        { type: "PRODUCED", direction: "incoming", targetNodeId: taskElementId }
+      ];
+      if (conversationElementId) {
+        tunnelRels.push({
+          type: "RAISED_DURING",
+          direction: "outgoing",
+          targetNodeId: conversationElementId
+        });
+      }
+      const tunnelWrite = await (0, import_dist.writeNodeWithEdges)({
+        session,
+        labels: ["CloudflareTunnel"],
+        props: tunnelProps,
+        relationships: tunnelRels,
+        createdBy: {
+          agent: CREATED_BY_AGENT,
+          session: conversationKey,
+          tool: "cloudflare-setup-endpoint"
+        }
+      });
+      for (const h of hostnames ?? []) {
+        const hostRels = [
+          { type: "PRODUCED", direction: "incoming", targetNodeId: taskElementId },
+          {
+            type: "ROUTES_TO",
+            direction: "outgoing",
+            targetNodeId: tunnelWrite.nodeId
+          }
+        ];
+        await (0, import_dist.writeNodeWithEdges)({
+          session,
+          labels: ["CloudflareHostname"],
+          props: {
+            accountId,
+            hostnameValue: h.hostnameValue,
+            tunnelId,
+            isApex: h.isApex,
+            createdAt: now,
+            updatedAt: now
+          },
+          relationships: hostRels,
+          createdBy: {
+            agent: CREATED_BY_AGENT,
+            session: conversationKey,
+            tool: "cloudflare-setup-endpoint"
+          }
+        });
+      }
+    }
+    const setClauses = [
+      "t.status = $status",
+      "t.completedAt = $now",
+      "t.updatedAt = $now"
+    ];
+    const queryParams = { taskId, accountId, status, now };
+    if (status === "failed" && errorMessage) {
+      setClauses.push("t.errorMessage = $errorMessage");
+      queryParams.errorMessage = errorMessage;
+    }
+    const updateRes = await session.run(
+      `MATCH (t:Task {taskId: $taskId, accountId: $accountId})
+       SET ${setClauses.join(", ")}
+       RETURN size(coalesce(t.steps, [])) AS stepsCount`,
+      queryParams
+    );
+    const stepsCount = updateRes.records[0]?.get("stepsCount")?.toNumber?.() ?? 0;
+    process.stderr.write(
+      `[task] action-done kind=${TASK_KIND} taskId=${taskId} status=${status} stepsCount=${stepsCount}
+`
+    );
+  } finally {
+    await session.close();
+  }
+}
+function readTunnelState(brandConfigDir) {
+  const statePath = `${process.env.HOME ?? ""}/${brandConfigDir}/cloudflared/tunnel.state`;
+  if (!existsSync17(statePath)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync13(statePath, "utf-8"));
+    const tunnelId = typeof parsed.tunnelId === "string" ? parsed.tunnelId : null;
+    const tunnelName = typeof parsed.tunnelName === "string" ? parsed.tunnelName : null;
+    const domain = typeof parsed.domain === "string" ? parsed.domain : null;
+    if (!tunnelId || !tunnelName || !domain) return null;
+    return { tunnelId, tunnelName, domain };
+  } catch {
+    return null;
+  }
 }
 
 // server/routes/admin/cloudflare.ts
 var SETUP_TIMEOUT_MS = 10 * 60 * 1e3;
 var DOMAINS_TIMEOUT_MS = 40 * 1e3;
 function loadBrandInfo() {
-  const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve18(process.cwd(), "..");
-  const brandPath = resolve18(platformRoot2, "config", "brand.json");
+  const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve14(process.cwd(), "..");
+  const brandPath = resolve14(platformRoot2, "config", "brand.json");
   try {
-    const parsed = JSON.parse(readFileSync16(brandPath, "utf-8"));
+    const parsed = JSON.parse(readFileSync14(brandPath, "utf-8"));
     const hostname2 = typeof parsed.hostname === "string" && parsed.hostname ? parsed.hostname : "maxy";
     const configDir2 = typeof parsed.configDir === "string" && parsed.configDir ? parsed.configDir : ".maxy";
     return { hostname: hostname2, configDir: configDir2 };
@@ -10296,7 +9153,7 @@ app21.get("/domains", requireAdminSession, async (c) => {
   streamLogPath = streamLogPathFor(accountId, correlationId).streamLogPath;
   log(`phase=stream-log-resolved path=${streamLogPath}`);
   const brand = loadBrandInfo();
-  const scriptPath = resolve18(homedir(), "list-cf-domains.sh");
+  const scriptPath = resolve14(homedir(), "list-cf-domains.sh");
   const result = await runFormSpawn({
     scriptPath,
     args: [brand.hostname],
@@ -10435,6 +9292,17 @@ app21.post("/setup", requireAdminSession, async (c) => {
   if (await isActionActive("cloudflare-setup")) {
     return err("request", "Another Cloudflare setup is already running. Wait for it to finish before starting a new one.");
   }
+  let cloudflareTask;
+  try {
+    cloudflareTask = await openCloudflareTask({
+      accountId,
+      conversationKey: sessionKey,
+      inputsProvided: ["adminLabel", "adminDomain", publicFqdn ? "publicLabel" : null, apex ? "apex" : null, "password"].filter((s) => typeof s === "string")
+    });
+    log(`phase=task-opened taskId=${cloudflareTask.taskId}`);
+  } catch (e) {
+    return err("script", `Failed to open process-provenance Task record: ${e instanceof Error ? e.message : String(e)}`);
+  }
   let actionId;
   let unit;
   try {
@@ -10447,8 +9315,27 @@ app21.post("/setup", requireAdminSession, async (c) => {
   log(`phase=action-launched id=${actionId} unit=${unit}`);
   void (async () => {
     const status = await waitForExit(unit, SETUP_TIMEOUT_MS);
+    try {
+      const appendedSteps = await appendCloudflareSteps(cloudflareTask.taskId, accountId, streamLogPath);
+      log(`phase=task-steps-appended count=${appendedSteps.length}`);
+    } catch (e) {
+      logErr(`phase=task-steps-append-failed reason="${e instanceof Error ? e.message : String(e)}"`);
+    }
     if (!status || status.execMainStatus !== 0) {
       logErr(`phase=post-exit-skipped reason=${status ? `exit=${status.execMainStatus}` : "unit-gone"} id=${actionId}`);
+      try {
+        const exitReason = status ? `script exited with status ${status.execMainStatus}` : "systemd unit vanished before exit recorded";
+        await completeCloudflareTask({
+          taskId: cloudflareTask.taskId,
+          taskElementId: cloudflareTask.taskElementId,
+          accountId,
+          conversationKey: sessionKey,
+          status: "failed",
+          errorMessage: exitReason
+        });
+      } catch (e) {
+        logErr(`phase=task-close-failed status=failed reason="${e instanceof Error ? e.message : String(e)}"`);
+      }
       return;
     }
     const candidates = [publicFqdn, apex].filter((h) => typeof h === "string" && h.length > 0);
@@ -10468,6 +9355,30 @@ app21.post("/setup", requireAdminSession, async (c) => {
         logErr(`phase=alias-domain-write host=${host} result=error reason="${e instanceof Error ? e.message : String(e)}"`);
       }
     }
+    try {
+      const tunnelState = readTunnelState(brand.configDir);
+      const allHostnames = [adminFqdn, publicFqdn, apex].filter(
+        (h) => typeof h === "string" && h.length > 0
+      );
+      const hostnameRecords = allHostnames.map((value) => ({
+        hostnameValue: value,
+        // Apex heuristic: exactly one dot in the FQDN. Mirrors setup-tunnel.sh:332.
+        isApex: (value.match(/\./g)?.length ?? 0) === 1
+      }));
+      await completeCloudflareTask({
+        taskId: cloudflareTask.taskId,
+        taskElementId: cloudflareTask.taskElementId,
+        accountId,
+        conversationKey: sessionKey,
+        tunnelId: tunnelState?.tunnelId,
+        tunnelName: tunnelState?.tunnelName,
+        hostnames: tunnelState ? hostnameRecords : void 0,
+        status: "completed"
+      });
+      log(`phase=task-closed status=completed tunnelId=${tunnelState?.tunnelId ?? "absent"} hostnames=${allHostnames.length}`);
+    } catch (e) {
+      logErr(`phase=task-close-failed status=completed reason="${e instanceof Error ? e.message : String(e)}"`);
+    }
     log(`phase=done action=${actionId}`);
   })().catch((e) => logErr(`post-exit handler threw: ${e}`));
   const total = Date.now() - started;
@@ -10495,17 +9406,17 @@ var cloudflare_default = app21;
 import { createReadStream as createReadStream3 } from "fs";
 import { readdir as readdir2, readFile as readFile4, stat as stat4, mkdir as mkdir3, writeFile as writeFile4, unlink as unlink2 } from "fs/promises";
 import { realpathSync as realpathSync4 } from "fs";
-import { basename as basename6, dirname as dirname8, join as join9, resolve as resolve20, sep as sep2 } from "path";
+import { basename as basename4, dirname as dirname5, join as join8, resolve as resolve16, sep as sep2 } from "path";
 import { Readable as Readable2 } from "stream";
 
 // app/lib/data-path.ts
 import { realpathSync as realpathSync3 } from "fs";
-import { resolve as resolve19, normalize, sep, relative } from "path";
-var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT ?? resolve19(process.cwd(), "../platform");
-var DATA_ROOT = resolve19(PLATFORM_ROOT6, "..", "data");
+import { resolve as resolve15, normalize, sep, relative } from "path";
+var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT ?? resolve15(process.cwd(), "../platform");
+var DATA_ROOT = resolve15(PLATFORM_ROOT6, "..", "data");
 function resolveDataPath(raw) {
   const cleaned = normalize("/" + (raw ?? "").replace(/\\/g, "/")).replace(/^\/+/, "");
-  const absolute = resolve19(DATA_ROOT, cleaned);
+  const absolute = resolve15(DATA_ROOT, cleaned);
   let dataRootReal;
   try {
     dataRootReal = realpathSync3(DATA_ROOT);
@@ -10853,7 +9764,7 @@ async function cascadeDeleteDocument(params) {
 var UUID_RE4 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 async function readMeta(absDir, baseName) {
   try {
-    const raw = await readFile4(join9(absDir, `${baseName}.meta.json`), "utf8");
+    const raw = await readFile4(join8(absDir, `${baseName}.meta.json`), "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed?.filename === "string") {
       return { filename: parsed.filename, mimeType: typeof parsed.mimeType === "string" ? parsed.mimeType : void 0 };
@@ -10864,7 +9775,7 @@ async function readMeta(absDir, baseName) {
 }
 async function readAccountNames() {
   const map = /* @__PURE__ */ new Map();
-  const accountsDir = resolve20(DATA_ROOT, "accounts");
+  const accountsDir = resolve16(DATA_ROOT, "accounts");
   let names;
   try {
     names = await readdir2(accountsDir);
@@ -10873,7 +9784,7 @@ async function readAccountNames() {
   }
   for (const name of names) {
     if (!UUID_RE4.test(name)) continue;
-    const configPath2 = resolve20(accountsDir, name, "account.json");
+    const configPath2 = resolve16(accountsDir, name, "account.json");
     try {
       const raw = await readFile4(configPath2, "utf8");
       const parsed = JSON.parse(raw);
@@ -10891,7 +9802,7 @@ async function readAccountNames() {
 }
 async function enrich(absolute, entry, accountNames) {
   if (entry.kind === "directory" && UUID_RE4.test(entry.name)) {
-    const meta = await readMeta(join9(absolute, entry.name), entry.name);
+    const meta = await readMeta(join8(absolute, entry.name), entry.name);
     if (meta?.filename) {
       entry.displayName = meta.filename;
       entry.mimeType = meta.mimeType;
@@ -10950,7 +9861,7 @@ app22.get("/", requireAdminSession, async (c) => {
         continue;
       }
       try {
-        const entryPath = join9(absolute, name);
+        const entryPath = join8(absolute, name);
         const s = await stat4(entryPath);
         entries.push({
           name,
@@ -11005,7 +9916,7 @@ app22.get("/download", requireAdminSession, async (c) => {
     if (!info.isFile()) {
       return c.json({ error: "Path is not a file" }, 400);
     }
-    const filename = basename6(absolute);
+    const filename = basename4(absolute);
     const mimeType = detectMimeType(absolute);
     const nodeStream = createReadStream3(absolute);
     const webStream = Readable2.toWeb(nodeStream);
@@ -11062,10 +9973,10 @@ app22.post("/upload", requireAdminSession, async (c) => {
       error: `Unsupported file type: "${file.type}". Supported: ${[...SUPPORTED_MIME_TYPES].join(", ")}.`
     }, 422);
   }
-  const safeName = basename6(file.name).replace(/[\0/\\]/g, "_");
+  const safeName = basename4(file.name).replace(/[\0/\\]/g, "_");
   const finalName = `${Date.now()}-${safeName}`;
-  const destDir = resolve20(DATA_ROOT, "uploads", accountId);
-  const destPath = resolve20(destDir, finalName);
+  const destDir = resolve16(DATA_ROOT, "uploads", accountId);
+  const destPath = resolve16(destDir, finalName);
   try {
     await mkdir3(destDir, { recursive: true });
     const dataRootReal = realpathSync4(DATA_ROOT);
@@ -11107,7 +10018,7 @@ app22.delete("/", requireAdminSession, async (c) => {
     return c.json({ error: resolution.error }, resolution.status);
   }
   const { absolute, relative: relPath2 } = resolution;
-  const base = basename6(absolute);
+  const base = basename4(absolute);
   const segments = relPath2.split("/").filter(Boolean);
   if (base === "account.json" || segments.includes(".git")) {
     console.error(`[data] file-delete blocked path="${relPath2}" reason="protected"`);
@@ -11123,7 +10034,7 @@ app22.delete("/", requireAdminSession, async (c) => {
     }
     const dot = base.lastIndexOf(".");
     const stem = dot === -1 ? base : base.slice(0, dot);
-    const sidecarPath = UUID_RE4.test(stem) && base !== `${stem}.meta.json` ? join9(dirname8(absolute), `${stem}.meta.json`) : null;
+    const sidecarPath = UUID_RE4.test(stem) && base !== `${stem}.meta.json` ? join8(dirname5(absolute), `${stem}.meta.json`) : null;
     await unlink2(absolute);
     if (sidecarPath) {
       try {
@@ -11160,7 +10071,7 @@ app22.delete("/", requireAdminSession, async (c) => {
 var files_default = app22;
 
 // ../lib/graph-search/src/index.ts
-var import_dist = __toESM(require_dist());
+var import_dist2 = __toESM(require_dist2());
 import { int } from "neo4j-driver";
 var VECTOR_WEIGHT = 0.7;
 var BM25_WEIGHT = 0.3;
@@ -11215,7 +10126,7 @@ async function bm25Only(session, params) {
        ${scopeClause}
        ${agentClause}
        ${labelClause}
-       AND ${(0, import_dist.notTrashed)("node")}
+       AND ${(0, import_dist2.notTrashed)("node")}
        ${kwClause}
        RETURN node, score, labels(node) AS nodeLabels, elementId(node) AS nodeId
        ORDER BY score DESC
@@ -11305,7 +10216,7 @@ async function hybrid(session, embed2, params) {
        WHERE node.accountId = $accountId
        ${scopeClause}
        ${agentClause}
-       AND ${(0, import_dist.notTrashed)("node")}
+       AND ${(0, import_dist2.notTrashed)("node")}
        ${keywordClause}
        RETURN node, score, labels(node) AS nodeLabels, elementId(node) AS nodeId
        ORDER BY score DESC
@@ -11366,7 +10277,7 @@ async function hybrid(session, embed2, params) {
     const propResult = await session.run(
       `MATCH (node)
        WHERE node.accountId = $accountId
-       AND ${(0, import_dist.notTrashed)("node")}
+       AND ${(0, import_dist2.notTrashed)("node")}
        AND node.keywords IS NOT NULL
        AND ANY(kw IN $kwSubs WHERE ANY(nk IN node.keywords WHERE toLower(nk) = kw))
        ${propScopeClause}
@@ -11423,7 +10334,7 @@ async function hybrid(session, embed2, params) {
       `UNWIND $nodeIds AS nid
        MATCH (n)-[r]-(related)
        WHERE elementId(n) = nid
-       AND ${(0, import_dist.notTrashed)("related")}
+       AND ${(0, import_dist2.notTrashed)("related")}
        ${expandScopeClause}
        ${expandAgentClause}
        WITH nid, n, r, related
@@ -11674,11 +10585,6 @@ var GRAPH_LABEL_COLOURS = {
   // confusion doesn't apply, but kept distinguishable for the legend)
   Email: "#6F7F4A",
   EmailAccount: "#91A063",
-  // Review signals (Task 626 — previously written by review-detector but
-  // unregistered here, producing an `unknown label` 400 whenever the
-  // filter popover advertised the label. Muted brick — still reads as
-  // alert against the cream background but doesn't shout fire-engine red.)
-  ReviewAlert: "#A85C5C",
   // Public-agent projection (Task 837) — burnished bronze sits between
   // people-terracotta and email-moss but shares neither hue, signalling
   // "operator-defined persona that traverses to KnowledgeDocuments,
@@ -12603,8 +11509,8 @@ var adherence_default = app30;
 // server/routes/admin/sidebar-artefacts.ts
 import neo4j3 from "neo4j-driver";
 import { readFile as readFile5, readdir as readdir3, stat as stat5 } from "fs/promises";
-import { resolve as resolve21, relative as relative2, isAbsolute } from "path";
-import { existsSync as existsSync20 } from "fs";
+import { resolve as resolve17, relative as relative2, isAbsolute } from "path";
+import { existsSync as existsSync18 } from "fs";
 var LIMIT = 50;
 var TEXT_MIME_PREFIXES = ["text/", "application/json", "application/markdown"];
 var ADMIN_AGENT_FILES = ["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"];
@@ -12620,7 +11526,7 @@ app31.get("/", requireAdminSession, async (c) => {
   if (docs === null) {
     return c.json({ error: "Failed to load artefacts" }, 500);
   }
-  const accountDir = resolve21(ACCOUNTS_DIR, accountId);
+  const accountDir = resolve17(ACCOUNTS_DIR, accountId);
   const agents = await fetchAgentTemplateRows(accountDir);
   const artefacts = [...docs, ...agents].sort(
     (a, b) => (b.updatedAt ?? "").localeCompare(a.updatedAt ?? "")
@@ -12683,8 +11589,8 @@ async function readArtefactContent(accountId, attachmentId, mimeType, displayNam
     logSkip(displayName, "non-text-mime", mimeType);
     return { content: "", skipReason: "non-text-mime" };
   }
-  const accountDir = resolve21(ATTACHMENTS_ROOT, accountId);
-  const dir = resolve21(accountDir, attachmentId);
+  const accountDir = resolve17(ATTACHMENTS_ROOT, accountId);
+  const dir = resolve17(accountDir, attachmentId);
   try {
     validateFilePathInAccount(dir, accountDir);
   } catch {
@@ -12698,7 +11604,7 @@ async function readArtefactContent(accountId, attachmentId, mimeType, displayNam
       logSkip(displayName, "missing-on-disk", mimeType);
       return { content: "", skipReason: "missing-on-disk" };
     }
-    return { content: await readFile5(resolve21(dir, dataFile), "utf-8"), skipReason: null };
+    return { content: await readFile5(resolve17(dir, dataFile), "utf-8"), skipReason: null };
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     console.error(`[admin/sidebar-artefacts] read-failed attachmentId=${attachmentId.slice(0, 8)} error="${message}"`);
@@ -12714,8 +11620,8 @@ function logSkip(name, reason, mimeType) {
 async function fetchAgentTemplateRows(accountDir) {
   const rows = [];
   for (const filename of ADMIN_AGENT_FILES) {
-    const overridePath = resolve21(accountDir, "agents", "admin", filename);
-    const bundledPath = resolve21(PLATFORM_ROOT, "templates", "agents", "admin", filename);
+    const overridePath = resolve17(accountDir, "agents", "admin", filename);
+    const bundledPath = resolve17(PLATFORM_ROOT, "templates", "agents", "admin", filename);
     const labelStem = filename.replace(/\.md$/, "");
     const row = await readAgentTemplateRow({
       id: `agent-template:admin:${filename}`,
@@ -12729,12 +11635,12 @@ async function fetchAgentTemplateRows(accountDir) {
     });
     if (row) rows.push(row);
   }
-  const overrideDir = resolve21(accountDir, "specialists", "agents");
-  const bundledDir = resolve21(PLATFORM_ROOT, "templates", "specialists", "agents");
+  const overrideDir = resolve17(accountDir, "specialists", "agents");
+  const bundledDir = resolve17(PLATFORM_ROOT, "templates", "specialists", "agents");
   const specialistNames = await unionSpecialistFilenames(overrideDir, bundledDir);
   for (const filename of specialistNames) {
-    const overridePath = resolve21(overrideDir, filename);
-    const bundledPath = resolve21(bundledDir, filename);
+    const overridePath = resolve17(overrideDir, filename);
+    const bundledPath = resolve17(bundledDir, filename);
     const row = await readAgentTemplateRow({
       id: `agent-template:specialist:${filename}`,
       displayName: filename.replace(/\.md$/, ""),
@@ -12752,7 +11658,7 @@ async function fetchAgentTemplateRows(accountDir) {
 async function unionSpecialistFilenames(overrideDir, bundledDir) {
   const names = /* @__PURE__ */ new Set();
   for (const dir of [overrideDir, bundledDir]) {
-    if (!existsSync20(dir)) continue;
+    if (!existsSync18(dir)) continue;
     try {
       const entries = await readdir3(dir);
       for (const entry of entries) {
@@ -12767,7 +11673,7 @@ async function unionSpecialistFilenames(overrideDir, bundledDir) {
 }
 async function readAgentTemplateRow(inp) {
   let chosenPath = null;
-  if (existsSync20(inp.overridePath)) {
+  if (existsSync18(inp.overridePath)) {
     try {
       validateFilePathInAccount(inp.overridePath, inp.overrideRoot);
       chosenPath = inp.overridePath;
@@ -12778,7 +11684,7 @@ async function readAgentTemplateRow(inp) {
       );
       return null;
     }
-  } else if (existsSync20(inp.bundledPath)) {
+  } else if (existsSync18(inp.bundledPath)) {
     if (!isWithin(inp.bundledPath, inp.bundledRoot)) {
       console.error(
         `[admin/sidebar-artefacts] agent-template-read-failed agent=${inp.displayName} kind=${inp.logName} error="bundled path outside PLATFORM_ROOT"`
@@ -12819,8 +11725,8 @@ var sidebar_artefacts_default = app31;
 
 // server/routes/admin/sidebar-artefact-save.ts
 import { mkdir as mkdir4, readdir as readdir4, stat as stat6, writeFile as writeFile5 } from "fs/promises";
-import { resolve as resolve22 } from "path";
-import { existsSync as existsSync21 } from "fs";
+import { resolve as resolve18 } from "path";
+import { existsSync as existsSync19 } from "fs";
 var ADMIN_AGENT_FILES2 = /* @__PURE__ */ new Set(["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"]);
 var UUID_RE5 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app32 = new Hono();
@@ -12832,7 +11738,7 @@ app32.post("/", requireAdminSession, async (c) => {
   if (!body || typeof body.id !== "string" || typeof body.content !== "string") {
     return c.json({ error: "id and content required" }, 400);
   }
-  const accountDir = resolve22(ACCOUNTS_DIR, accountId);
+  const accountDir = resolve18(ACCOUNTS_DIR, accountId);
   const resolved = await resolveSavePath(body.id, accountId, accountDir);
   if (resolved.kind === "reject") {
     console.error(
@@ -12873,22 +11779,22 @@ async function resolveSavePath(id, accountId, accountDir) {
     if (role !== "admin" || !ADMIN_AGENT_FILES2.has(filename)) {
       return { kind: "reject", status: 400, reason: "invalid-id" };
     }
-    const parent = resolve22(accountDir, "agents", "admin");
+    const parent = resolve18(accountDir, "agents", "admin");
     await mkdir4(parent, { recursive: true });
     try {
       validateFilePathInAccount(parent, accountDir);
     } catch {
       return { kind: "reject", status: 400, reason: "containment-rejected" };
     }
-    return { kind: "admin-template", path: resolve22(parent, filename) };
+    return { kind: "admin-template", path: resolve18(parent, filename) };
   }
   if (UUID_RE5.test(id)) {
-    const dir = resolve22(ATTACHMENTS_ROOT, accountId, id);
-    if (!existsSync21(dir)) {
+    const dir = resolve18(ATTACHMENTS_ROOT, accountId, id);
+    if (!existsSync19(dir)) {
       return { kind: "reject", status: 400, reason: "not-found" };
     }
     try {
-      validateFilePathInAccount(dir, resolve22(ATTACHMENTS_ROOT, accountId));
+      validateFilePathInAccount(dir, resolve18(ATTACHMENTS_ROOT, accountId));
     } catch {
       return { kind: "reject", status: 400, reason: "containment-rejected" };
     }
@@ -12897,7 +11803,7 @@ async function resolveSavePath(id, accountId, accountDir) {
     if (!dataFile) {
       return { kind: "reject", status: 400, reason: "not-found" };
     }
-    return { kind: "knowledge-doc", path: resolve22(dir, dataFile) };
+    return { kind: "knowledge-doc", path: resolve18(dir, dataFile) };
   }
   return { kind: "reject", status: 400, reason: "invalid-id" };
 }
@@ -12908,8 +11814,8 @@ var sidebar_artefact_save_default = app32;
 
 // server/routes/admin/sidebar-artefact-content.ts
 import { readFile as readFile6, readdir as readdir5 } from "fs/promises";
-import { existsSync as existsSync22 } from "fs";
-import { resolve as resolve23 } from "path";
+import { existsSync as existsSync20 } from "fs";
+import { resolve as resolve19 } from "path";
 var UUID_RE6 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app33 = new Hono();
 app33.get("/", requireAdminSession, async (c) => {
@@ -12921,14 +11827,14 @@ app33.get("/", requireAdminSession, async (c) => {
     console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
     return new Response("Not found", { status: 404 });
   }
-  const dir = resolve23(ATTACHMENTS_ROOT, accountId, id);
-  if (!existsSync22(dir)) {
+  const dir = resolve19(ATTACHMENTS_ROOT, accountId, id);
+  if (!existsSync20(dir)) {
     console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
     return new Response("Not found", { status: 404 });
   }
   let meta;
   try {
-    meta = JSON.parse(await readFile6(resolve23(dir, `${id}.meta.json`), "utf-8"));
+    meta = JSON.parse(await readFile6(resolve19(dir, `${id}.meta.json`), "utf-8"));
   } catch {
     console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
     return new Response("Not found", { status: 404 });
@@ -12940,7 +11846,7 @@ app33.get("/", requireAdminSession, async (c) => {
     return new Response("Not found", { status: 404 });
   }
   const start = Date.now();
-  const buffer = await readFile6(resolve23(dir, dataFile));
+  const buffer = await readFile6(resolve19(dir, dataFile));
   const ms = Date.now() - start;
   console.log(
     `[admin/sidebar-artefact-content] account=${accountId} id=${id.slice(0, 8)} mime=${meta.mimeType} bytes=${buffer.length} ms=${ms}`
@@ -12984,8 +11890,8 @@ app34.route("/sidebar-artefact-content", sidebar_artefact_content_default);
 var admin_default = app34;
 
 // server/routes/sites.ts
-import { existsSync as existsSync23, readFileSync as readFileSync17, realpathSync as realpathSync5, statSync as statSync8 } from "fs";
-import { resolve as resolve24 } from "path";
+import { existsSync as existsSync21, readFileSync as readFileSync15, realpathSync as realpathSync5, statSync as statSync5 } from "fs";
+import { resolve as resolve20 } from "path";
 var SAFE_SEG_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
 var MIME = {
   ".html": "text/html; charset=utf-8",
@@ -13043,28 +11949,28 @@ app35.get("/:rel{.*}", (c) => {
     }
     segments.push(seg);
   }
-  const rootDir = resolve24(account.accountDir, "sites");
-  let filePath = segments.length === 0 ? rootDir : resolve24(rootDir, ...segments);
+  const rootDir = resolve20(account.accountDir, "sites");
+  let filePath = segments.length === 0 ? rootDir : resolve20(rootDir, ...segments);
   if (filePath !== rootDir && !filePath.startsWith(rootDir + "/")) {
     console.error(`[sites] path-traversal-rejected path=${reqPath} reason=escape status=403`);
     return c.text("Forbidden", 403);
   }
   let stat7;
   try {
-    stat7 = existsSync23(filePath) ? statSync8(filePath) : null;
+    stat7 = existsSync21(filePath) ? statSync5(filePath) : null;
   } catch {
     stat7 = null;
   }
   if (stat7?.isDirectory()) {
-    filePath = resolve24(filePath, "index.html");
+    filePath = resolve20(filePath, "index.html");
   } else if (stat7 === null && isDirRequest) {
-    filePath = resolve24(filePath, "index.html");
+    filePath = resolve20(filePath, "index.html");
   }
   if (!filePath.startsWith(rootDir + "/")) {
     console.error(`[sites] path-traversal-rejected path=${reqPath} reason=escape status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync23(filePath)) {
+  if (!existsSync21(filePath)) {
     console.error(`[sites] not-found path=${reqPath} status=404`);
     return c.text("Not found", 404);
   }
@@ -13083,7 +11989,7 @@ app35.get("/:rel{.*}", (c) => {
   }
   let body;
   try {
-    body = readFileSync17(realPath);
+    body = readFileSync15(realPath);
   } catch (err) {
     const code = err?.code;
     if (code === "EISDIR") {
@@ -13215,14 +12121,14 @@ function clientFrom(c) {
   );
 }
 var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
-var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join10(PLATFORM_ROOT7, "config", "brand.json") : "";
+var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join9(PLATFORM_ROOT7, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
-if (BRAND_JSON_PATH && !existsSync24(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && !existsSync22(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
 }
-if (BRAND_JSON_PATH && existsSync24(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync22(BRAND_JSON_PATH)) {
   try {
-    const parsed = JSON.parse(readFileSync18(BRAND_JSON_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync16(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
   } catch (err) {
     console.error(`[brand] Failed to parse brand.json: ${err.message}`);
@@ -13241,11 +12147,11 @@ var brandLoginOpts = {
   bodyFont: BRAND.defaultFonts?.body,
   logoContainsName: !!BRAND.logoContainsName
 };
-var ALIAS_DOMAINS_PATH2 = join10(homedir2(), BRAND.configDir, "alias-domains.json");
+var ALIAS_DOMAINS_PATH2 = join9(homedir2(), BRAND.configDir, "alias-domains.json");
 function loadAliasDomains() {
   try {
-    if (!existsSync24(ALIAS_DOMAINS_PATH2)) return null;
-    const parsed = JSON.parse(readFileSync18(ALIAS_DOMAINS_PATH2, "utf-8"));
+    if (!existsSync22(ALIAS_DOMAINS_PATH2)) return null;
+    const parsed = JSON.parse(readFileSync16(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
       return null;
@@ -13585,20 +12491,20 @@ app36.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] no-account slug=${slug} file=${filename}`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve25(account.accountDir, "agents", slug, "assets", filename);
-  const expectedDir = resolve25(account.accountDir, "agents", slug, "assets");
+  const filePath = resolve21(account.accountDir, "agents", slug, "assets", filename);
+  const expectedDir = resolve21(account.accountDir, "agents", slug, "assets");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync24(filePath)) {
+  if (!existsSync22(filePath)) {
     console.error(`[agent-assets] serve slug=${slug} file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[agent-assets] serve slug=${slug} file=${filename} status=200`);
-  const body = readFileSync18(filePath);
+  const body = readFileSync16(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=3600"
@@ -13615,20 +12521,20 @@ app36.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
-  const filePath = resolve25(account.accountDir, "generated", filename);
-  const expectedDir = resolve25(account.accountDir, "generated");
+  const filePath = resolve21(account.accountDir, "generated", filename);
+  const expectedDir = resolve21(account.accountDir, "generated");
   if (!filePath.startsWith(expectedDir + "/")) {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync24(filePath)) {
+  if (!existsSync22(filePath)) {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[generated] serve file=${filename} status=200`);
-  const body = readFileSync18(filePath);
+  const body = readFileSync16(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=86400"
@@ -13638,9 +12544,9 @@ app36.route("/sites", sites_default);
 var htmlCache = /* @__PURE__ */ new Map();
 var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
-if (BRAND_JSON_PATH && existsSync24(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync22(BRAND_JSON_PATH)) {
   try {
-    const fullBrand = JSON.parse(readFileSync18(BRAND_JSON_PATH, "utf-8"));
+    const fullBrand = JSON.parse(readFileSync16(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
     brandIconPath = fullBrand.assets?.icon ? `/brand/${fullBrand.assets.icon}` : brandLogoPath;
   } catch {
@@ -13657,9 +12563,9 @@ var brandScript = `<script>window.__BRAND__=${JSON.stringify({
 function readInstalledVersion() {
   try {
     if (!PLATFORM_ROOT7) return "unknown";
-    const versionFile = join10(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
-    if (!existsSync24(versionFile)) return "unknown";
-    const content = readFileSync18(versionFile, "utf-8").trim();
+    const versionFile = join9(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
+    if (!existsSync22(versionFile)) return "unknown";
+    const content = readFileSync16(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
     return "unknown";
@@ -13700,7 +12606,7 @@ var clientErrorReporterScript = `<script>
 function cachedHtml(file) {
   let html = htmlCache.get(file);
   if (!html) {
-    html = readFileSync18(resolve25(process.cwd(), "public", file), "utf-8");
+    html = readFileSync16(resolve21(process.cwd(), "public", file), "utf-8");
     const productNameEsc = escapeHtml(BRAND.productName);
     html = html.replace(/<title>([^<]*)<\/title>/, (_match, inner) => `<title>${escapeHtml(inner).replace(/Maxy/g, productNameEsc)}</title>`);
     html = html.replace('href="/favicon.ico"', `href="${escapeHtml(brandFaviconPath)}"`);
@@ -13716,26 +12622,26 @@ ${clientErrorReporterScript}
 }
 var brandedHtmlCache = /* @__PURE__ */ new Map();
 function loadBrandingCache(agentSlug) {
-  const configDir2 = join10(homedir2(), BRAND.configDir);
+  const configDir2 = join9(homedir2(), BRAND.configDir);
   try {
-    const accountJsonPath = join10(configDir2, "account.json");
-    if (!existsSync24(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync18(accountJsonPath, "utf-8"));
+    const accountJsonPath = join9(configDir2, "account.json");
+    if (!existsSync22(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync16(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
-    const cachePath = join10(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
-    if (!existsSync24(cachePath)) return null;
-    return JSON.parse(readFileSync18(cachePath, "utf-8"));
+    const cachePath = join9(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
+    if (!existsSync22(cachePath)) return null;
+    return JSON.parse(readFileSync16(cachePath, "utf-8"));
   } catch {
     return null;
   }
 }
 function resolveDefaultSlug() {
   try {
-    const configDir2 = join10(homedir2(), BRAND.configDir);
-    const accountJsonPath = join10(configDir2, "account.json");
-    if (!existsSync24(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync18(accountJsonPath, "utf-8"));
+    const configDir2 = join9(homedir2(), BRAND.configDir);
+    const accountJsonPath = join9(configDir2, "account.json");
+    if (!existsSync22(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync16(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
     return null;
@@ -13808,7 +12714,7 @@ app36.use("/vnc-popout.html", logViewerFetch);
 app36.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
-    html = readFileSync18(resolve25(process.cwd(), "public", "vnc-popout.html"), "utf-8");
+    html = readFileSync16(resolve21(process.cwd(), "public", "vnc-popout.html"), "utf-8");
     const name = escapeHtml(BRAND.productName);
     html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
     html = html.replace("</head>", `  ${brandScript}
@@ -13898,8 +12804,8 @@ try {
 (async () => {
   try {
     let userId = "";
-    if (existsSync24(USERS_FILE)) {
-      const users = JSON.parse(readFileSync18(USERS_FILE, "utf-8").trim() || "[]");
+    if (existsSync22(USERS_FILE)) {
+      const users = JSON.parse(readFileSync16(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
     await backfillNullUserIdConversations(userId);
@@ -13914,15 +12820,8 @@ try {
     console.error(`[migration] runBootMigrations rejected: ${err instanceof Error ? err.message : String(err)}`);
   }
 })();
-(async () => {
-  try {
-    await startReviewDetector();
-  } catch (err) {
-    console.error(`[review] startReviewDetector rejected: ${err instanceof Error ? err.message : String(err)}`);
-  }
-})();
 startGraphHealthTimer();
-var configDirForWhatsApp = basename7(MAXY_DIR) || ".maxy";
+var configDirForWhatsApp = basename5(MAXY_DIR) || ".maxy";
 var bootAccount = resolveAccount();
 var bootAccountConfig = bootAccount?.config;
 var bootPublicAgent = bootAccount ? resolvePublicAgent(bootAccount.accountDir, { accountId: bootAccount.accountId })?.slug ?? null : null;
@@ -13966,7 +12865,7 @@ if (bootAccountConfig?.whatsapp) {
 }
 init({
   configDir: configDirForWhatsApp,
-  platformRoot: resolve25(process.env.MAXY_PLATFORM_ROOT ?? join10(__dirname, "..")),
+  platformRoot: resolve21(process.env.MAXY_PLATFORM_ROOT ?? join9(__dirname, "..")),
   accountConfig: bootAccountConfig,
   onMessage: async (msg) => {
     try {
@@ -14103,11 +13002,6 @@ process.on("SIGTERM", async () => {
   } catch (err) {
     console.error(`[server] shutdown error: ${String(err)}`);
   }
-  try {
-    await shutdownReviewDetector();
-  } catch (err) {
-    console.error(`[server] review detector shutdown error: ${String(err)}`);
-  }
   console.error("[server] graceful shutdown complete \u2014 exiting");
   process.exit(0);
 });