@rubytech/create-realagent 1.0.817 → 1.0.819

package/payload/platform/lib/graph-write/src/index.ts

@@ -13,11 +13,26 @@ export * from "./audit.js";
  * maps, and flat props are queryable — `MATCH (n) WHERE n.createdBySession
  * = $id RETURN n` is the forensic entry point).
  *
+ * Process provenance doctrine (Task 885): writes targeting any label in
+ * `ACTION_PROVENANCE_LABELS` (Person, UserProfile, AdminUser, Organization,
+ * LocalBusiness, CloudflareTunnel, CloudflareHostname) must include exactly
+ * one inbound `:PRODUCED` edge whose source is a `:Task` node. This makes
+ * every durable LLM-tool-driven entity creation traversable from the Task
+ * node that produced it, and forward from Task→Conversation via
+ * `:RAISED_DURING`. Bootstrap writes (`createdBy.agent === 'system'`) are
+ * exempt — installer / migration / lazy-create paths run as system writers.
+ *
  * Rejection paths (every one emits a stderr log the admin server pipes to
  * server.log, so orphan pressure is visible per-write not just in the
  * hourly [graph-health] signal):
- *   - zero relationships      → `[graph-write] reject reason=zero-relationships`
- *   - unresolved target id    → `[graph-write] reject reason=unresolved-target`
+ *   - zero relationships          → `[graph-write] reject reason=zero-relationships`
+ *   - unresolved target id        → `[graph-write] reject reason=unresolved-target`
+ *   - missing action provenance   → `[graph-write] reject reason=missing-action-provenance`
+ *   - removed-feature write       → `[graph-write] reject reason=removed-feature`
+ *     (`:ReviewAlert` and `:Event {actionTool:"review-digest-compose"}` are
+ *     deleted features; the gate catches doctrine-compliant writers
+ *     re-introducing them. The vitest tombstone grep is the primary fence
+ *     for raw `session.run("MERGE …")` callers that bypass this primitive.)
  *
  * The `createdBy.agent` field is advisory, not authoritative — it is sourced
  * from the MCP server's AGENT_SLUG env var, which is set by the trusted
@@ -26,6 +41,43 @@ export * from "./audit.js";
  * this field for access control — it is forensic, not a security boundary.
  */
 
+/**
+ * Labels that require an inbound `:PRODUCED` edge from a `:Task` (Task 885).
+ * Bootstrap writes with `createdBy.agent === 'system'` are exempt — that
+ * carve-out covers PIN-setup `writeAdminUserAndPerson`, schema migrations,
+ * and the lazy `loadUserProfile` MERGE path that bypasses this primitive
+ * entirely (raw Cypher in `platform/ui/app/lib/neo4j-store.ts`).
+ *
+ * The set is intentionally not exhaustive — labels added here become a
+ * blocking gate for every LLM-tool write of that label. Add a label only
+ * after every legitimate writer of it can either (a) carry a Task-PRODUCED
+ * edge, or (b) declare itself as `agent: 'system'`.
+ */
+export const ACTION_PROVENANCE_LABELS: ReadonlySet<string> = new Set([
+  "Person",
+  "UserProfile",
+  "AdminUser",
+  "Organization",
+  "LocalBusiness",
+  "CloudflareTunnel",
+  "CloudflareHostname",
+]);
+
+function requiresActionProvenance(labels: readonly string[]): boolean {
+  for (const label of labels) {
+    if (ACTION_PROVENANCE_LABELS.has(label)) return true;
+  }
+  return false;
+}
+
+function findProducedFromTaskCandidates(
+  relationships: readonly GraphRelationship[],
+): GraphRelationship[] {
+  return relationships.filter(
+    (r) => r.type === "PRODUCED" && r.direction === "incoming",
+  );
+}
+
 import type { Session } from "neo4j-driver";
 
 export interface GraphRelationship {
@@ -88,6 +140,26 @@ export async function writeNodeWithEdges(
   const agentLabel = createdBy.agent ?? createdBy.source ?? "unknown";
   const labelCsv = labels.join(",");
 
+  // Task 884: review-detector / review-digest feature is removed entirely.
+  // Reject any re-introduction via the doctrine surface. The actionTool check
+  // is property-keyed (not label-keyed) so a future scheduled-Event writer
+  // re-introducing the daily digest by tool name is caught here even though
+  // `:Event` is otherwise a valid label. Fires before the zero-relationships
+  // check because the dead-feature rejection is structurally more fundamental.
+  const reviewDigestActionTool =
+    typeof props.actionTool === "string" && props.actionTool === "review-digest-compose";
+  if (labels.includes("ReviewAlert") || reviewDigestActionTool) {
+    const actionToolField = reviewDigestActionTool
+      ? "review-digest-compose"
+      : "n/a";
+    process.stderr.write(
+      `[graph-write] reject reason=removed-feature labels=${labelCsv} actionTool=${actionToolField} agent=${agentLabel}\n`
+    );
+    throw new Error(
+      "Write doctrine violated: review-detector feature removed (Task 884) — `:ReviewAlert` and `:Event {actionTool:'review-digest-compose'}` writes are not allowed."
+    );
+  }
+
   if (!relationships || relationships.length < 1) {
     process.stderr.write(
       `[graph-write] reject reason=zero-relationships labels=${labelCsv} agent=${agentLabel}\n`
@@ -103,10 +175,16 @@ export async function writeNodeWithEdges(
   return await session.executeWrite(async (tx) => {
     const targetIds = relationships.map((r) => r.targetNodeId);
     const check = await tx.run(
-      `UNWIND $ids AS id MATCH (t) WHERE elementId(t) = id RETURN count(DISTINCT t) AS found`,
-      { ids: targetIds }
+      `UNWIND $ids AS id MATCH (t) WHERE elementId(t) = id RETURN elementId(t) AS id, labels(t) AS labels`,
+      { ids: targetIds },
     );
-    const found = check.records[0].get("found").toNumber();
+
+    const labelsByTarget = new Map<string, string[]>();
+    for (const rec of check.records) {
+      labelsByTarget.set(rec.get("id") as string, rec.get("labels") as string[]);
+    }
+
+    const found = labelsByTarget.size;
     const uniqueRequested = new Set(targetIds).size;
     if (found !== uniqueRequested) {
       process.stderr.write(
@@ -117,6 +195,34 @@ export async function writeNodeWithEdges(
       );
     }
 
+    // Process provenance gate (Task 885). Labels in
+    // ACTION_PROVENANCE_LABELS require a `:Task` source on at least one
+    // inbound :PRODUCED edge so every durable LLM-tool entity write is
+    // traversable from the Task that produced it. Bootstrap writes
+    // (createdBy.agent === 'system') are exempt — installer + migration
+    // paths predate any Task. The check runs INSIDE the transaction so
+    // the labels-by-target map is consistent with target resolution.
+    let producedByTaskId: string | null = null;
+    if (
+      requiresActionProvenance(labels) &&
+      (createdBy.agent ?? "") !== "system"
+    ) {
+      const candidates = findProducedFromTaskCandidates(relationships);
+      const taskCandidates = candidates.filter((r) => {
+        const lbls = labelsByTarget.get(r.targetNodeId);
+        return Array.isArray(lbls) && lbls.includes("Task");
+      });
+      if (taskCandidates.length === 0) {
+        process.stderr.write(
+          `[graph-write] reject reason=missing-action-provenance labels=${labelCsv} agent=${agentLabel}\n`
+        );
+        throw new Error(
+          `Process provenance doctrine violated: write to ${labelCsv} requires an inbound :PRODUCED edge from a :Task (createdBy.agent='${agentLabel}'). See .docs/neo4j.md (Process provenance doctrine).`
+        );
+      }
+      producedByTaskId = taskCandidates[0].targetNodeId;
+    }
+
     let nodeRes;
     try {
       nodeRes = await tx.run(
@@ -187,7 +293,7 @@ export async function writeNodeWithEdges(
     }
 
     process.stderr.write(
-      `[graph-write] accepted labels=${labelCsv} edges=${edgesCreated} createdByAgent=${createdBy.agent ?? "unknown"} createdByTool=${createdBy.tool ?? createdBy.source ?? "unknown"}\n`
+      `[graph-write] accepted labels=${labelCsv} edges=${edgesCreated} createdByAgent=${createdBy.agent ?? "unknown"} createdByTool=${createdBy.tool ?? createdBy.source ?? "unknown"} producedByTask=${producedByTaskId ?? "none"}\n`
     );
 
     return { nodeId, labels: nodeLabels, edgesCreated };

package/payload/platform/neo4j/edge-annotations.json

@@ -96,14 +96,6 @@
       "direction": "(Email)-[:RECEIVED_BY]->(Person)",
       "note": "Email recipient."
     },
-    "RAISED_BY": {
-      "direction": "(ReviewAlert)-[:RAISED_BY]->(*)",
-      "note": "Alert provenance."
-    },
-    "AFFECTS": {
-      "direction": "(ReviewAlert)-[:AFFECTS]->(*)",
-      "note": "Alert impact surface."
-    },
     "BLOCKS": {
       "direction": "(Task)-[:BLOCKS]->(Task)",
       "note": "Task dependency."

package/payload/platform/neo4j/migrations/004-prune-alien-accounts.ts

@@ -5,10 +5,9 @@
  * `${DATA_ROOT}/accounts/<uuid>/account.json`. Idempotent — silent when
  * the graph is already clean.
  *
- * Why a backstop, not a writer fix: the leaked nodes were written by the
- * `review-digest-compose` writer, which has since been removed in favour
- * of a coming gbrain rewrite. With no live writer to fix, this is the
- * surface that catches future writer drift before the next gbrain ships.
+ * Why a backstop, not a writer fix: the leaked nodes were written by a
+ * since-removed writer. With no live writer to fix, this is the surface
+ * that catches future writer drift.
  *
  * Hard guard: refuses to run when the on-disk account set is empty
  * (corrupt-install scenario). Refusing to wipe the graph is louder than

package/payload/platform/neo4j/migrations/005-removed-review-feature.ts

@@ -0,0 +1,102 @@
+/**
+ * Migration 005 — Remove review-detector / review-digest feature artefacts (Task 884).
+ *
+ * The review-detector subsystem was wired into boot, MERGEd a daily `:Event`
+ * with `actionTool="review-digest-compose"` on every start, and aggregated
+ * `:ReviewAlert` nodes via rule matches. The feature is deleted entirely;
+ * this migration is the boot-sweep that removes the residue from existing
+ * installs. Idempotent — once the graph is clean, both queries DETACH DELETE
+ * zero rows and the log line records `events=0 alerts=0`.
+ *
+ * Filesystem artefacts (`review.log`, `review-rules.json`, `review-state.json`,
+ * `review-pending-alerts.jsonl`) are also removed best-effort — ENOENT is the
+ * idempotent no-op; any other errno is logged and ignored so a sticky permission
+ * problem does not block boot.
+ *
+ * Same structural-type pattern as 004-prune-alien-accounts.ts: the runner sits
+ * outside `platform/ui/` so depending on the workspace dedupe state the
+ * `neo4j-driver` import resolves to a different node_modules copy, and TS
+ * treats two same-shape types from different paths as nominally distinct.
+ */
+
+import { resolve } from "node:path";
+import { unlinkSync } from "node:fs";
+import { homedir } from "node:os";
+import { basename, dirname } from "node:path";
+
+type Neo4jDriverLike = {
+  session(): {
+    run(
+      cypher: string,
+      params?: Record<string, unknown>,
+    ): Promise<{ records: Array<{ get(key: string): unknown }> }>;
+    close(): Promise<void>;
+  };
+};
+
+export async function removeReviewFeature(
+  driver: Neo4jDriverLike,
+  platformRoot: string,
+): Promise<void> {
+  const session = driver.session();
+  let eventsDeleted = 0;
+  let alertsDeleted = 0;
+
+  try {
+    const eventResult = await session.run(
+      `MATCH (e:Event)
+       WHERE e.actionTool = "review-digest-compose"
+          OR e.eventId STARTS WITH "review-digest-"
+       DETACH DELETE e
+       RETURN count(e) AS deleted`,
+    );
+    eventsDeleted = toNumber(eventResult.records[0]?.get("deleted"));
+
+    const alertResult = await session.run(
+      `MATCH (a:ReviewAlert)
+       DETACH DELETE a
+       RETURN count(a) AS deleted`,
+    );
+    alertsDeleted = toNumber(alertResult.records[0]?.get("deleted"));
+  } finally {
+    await session.close();
+  }
+
+  // Best-effort filesystem cleanup. The configDir convention is
+  // `~/.<installDirName>` where installDir = dirname(platformRoot)
+  // (e.g. `~/maxy/platform` → `~/.maxy`).
+  const installDirName = basename(dirname(platformRoot));
+  const configDir = resolve(homedir(), `.${installDirName}`);
+  const artefacts = [
+    resolve(configDir, "logs", "review.log"),
+    resolve(configDir, "review-rules.json"),
+    resolve(configDir, "review-state.json"),
+    resolve(configDir, "review-pending-alerts.jsonl"),
+  ];
+  for (const path of artefacts) {
+    try {
+      unlinkSync(path);
+    } catch (err) {
+      const code = (err as NodeJS.ErrnoException).code;
+      if (code === "ENOENT") continue;
+      console.error(
+        `[migration] removed-review-feature unlink-skip path=${path} reason=${code ?? "unknown"}`,
+      );
+    }
+  }
+
+  console.error(
+    `[migration] removed-review-feature events=${eventsDeleted} alerts=${alertsDeleted}`,
+  );
+}
+
+function toNumber(v: unknown): number {
+  if (typeof v === "number") return v;
+  if (
+    v &&
+    typeof (v as { toNumber?: () => number }).toNumber === "function"
+  ) {
+    return (v as { toNumber: () => number }).toNumber();
+  }
+  return 0;
+}

package/payload/platform/neo4j/schema.cypher

@@ -284,7 +284,6 @@ OPTIONS {
 //   - Workflows: Workflow, WorkflowStep, WorkflowRun, StepResult
 //   - Onboarding: OnboardingState
 //   - Email: Email, EmailAccount
-//   - Review signals: ReviewAlert
 //   - CV/career sublabels: Position, Credential
 //   - Public agents: Agent (Task 837 — projection of file-based public agents)
 //
@@ -314,7 +313,7 @@ FOR (n:LocalBusiness|Service|PriceSpecification|OpeningHoursSpecification|Organi
     |Conversation|AdminConversation|PublicConversation|Message|UserMessage|AssistantMessage|ToolCall
     |Task|Project|Event
     |Workflow|WorkflowStep|WorkflowRun|StepResult
-    |OnboardingState|Email|EmailAccount|ReviewAlert
+    |OnboardingState|Email|EmailAccount
     |Position|Credential|Agent)
 ON EACH [n.name, n.firstName, n.lastName, n.givenName, n.familyName,
          n.title, n.currentTitle, n.summary, n.body, n.content, n.text, n.description, n.headline, n.abstract,
@@ -832,26 +831,6 @@ FOR (au:AdminUser) REQUIRE au.userId IS UNIQUE;
 CREATE INDEX graph_preference_account_user IF NOT EXISTS
 FOR (p:GraphPreference) ON (p.accountId, p.userId);
 
-// ----------------------------------------------------------
-// ReviewAlert — review-detector rule-match aggregation
-//
-// One alert per (accountId, ruleId); subsequent rule matches bump
-// lastMatchAt and cumulativeMatchCount via ON MATCH. Written by
-// platform/ui/app/lib/review-detector/writer.ts, read by the admin
-// chat's alert-surfacing tools. Listed in FILTER_EXCLUDED_LABELS
-// (graph-labels.ts, Task 626) so it never surfaces as a /graph filter
-// row, but registered in GRAPH_LABEL_COLOURS so neighbourhood-mode
-// drilldown / search hits can still render it.
-//
-// Composite MERGE key (accountId, ruleId) — no UNIQUE constraint for
-// the same reason as GraphPreference: the composite MERGE is
-// idempotent and a composite constraint would add schema surface
-// for no behavioural gain.
-// ----------------------------------------------------------
-
-CREATE INDEX review_alert_account_rule IF NOT EXISTS
-FOR (a:ReviewAlert) ON (a.accountId, a.ruleId);
-
 // ----------------------------------------------------------
 // ToolCall — durable audit trail for agent tool invocations
 //
@@ -1039,3 +1018,27 @@ FOR (n:Section) ON (n.createdBySession);
 
 CREATE INDEX task_created_by_session IF NOT EXISTS
 FOR (n:Task) ON (n.createdBySession);
+
+// ----------------------------------------------------------
+// CloudflareTunnel / CloudflareHostname (Task 885) — graph audit of
+// the tunnel-login deterministic flow. Written by the
+// /api/admin/cloudflare/setup endpoint after setup-tunnel.sh exits 0,
+// linked via (Task {kind:'cloudflare-tunnel-login'})-[:PRODUCED]->.
+// CloudflareHostname carries the routed FQDN; CloudflareTunnel
+// carries the connector identity. Source of truth remains the on-disk
+// cert.pem + tunnel.state + config.yml — these nodes are the graph
+// projection so operators can MATCH from a Conversation to "which
+// cloudflare resources did this onboarding produce?"
+// ----------------------------------------------------------
+
+CREATE CONSTRAINT cloudflare_tunnel_id_unique IF NOT EXISTS
+FOR (t:CloudflareTunnel) REQUIRE t.tunnelId IS UNIQUE;
+
+CREATE INDEX cloudflare_tunnel_account IF NOT EXISTS
+FOR (t:CloudflareTunnel) ON (t.accountId);
+
+CREATE CONSTRAINT cloudflare_hostname_unique IF NOT EXISTS
+FOR (h:CloudflareHostname) REQUIRE (h.accountId, h.hostnameValue) IS UNIQUE;
+
+CREATE INDEX cloudflare_hostname_account IF NOT EXISTS
+FOR (h:CloudflareHostname) ON (h.accountId);

package/payload/platform/plugins/admin/PLUGIN.md

@@ -1,6 +1,6 @@
 ---
 name: admin
-description: "Platform administration plugin. Provides system-status, brand-settings, account-manage, account-update, admin-add, admin-remove, admin-list, admin-update-pin, agent-list, agent-config-read, logs-read, plugin-read, render-component, session-reset, session-resume, file-attach, wifi, review-cadence tools (review-rules-list, review-rules-suppress, review-rules-unsuppress, review-rules-add, review-rules-remove, review-alerts-recent), adherence-read (attention-weighted adherence ledger), and action-approval tools (action-pending, action-approve, action-reject, action-edit) for managing the Maxy platform."
+description: "Platform administration plugin. Provides system-status, brand-settings, account-manage, account-update, admin-add, admin-remove, admin-list, admin-update-pin, agent-list, agent-config-read, logs-read, plugin-read, render-component, session-reset, session-resume, file-attach, wifi, adherence-read (attention-weighted adherence ledger), and action-approval tools (action-pending, action-approve, action-reject, action-edit) for managing the Maxy platform."
 tools:
   - system-status
   - brand-settings
@@ -18,12 +18,6 @@ tools:
   - session-reset
   - session-resume
   - file-attach
-  - review-rules-list
-  - review-rules-suppress
-  - review-rules-unsuppress
-  - review-rules-add
-  - review-rules-remove
-  - review-alerts-recent
   - adherence-read
   - action-pending
   - action-approve
@@ -40,7 +34,6 @@ hidden:
   - onboarding-step9-mode
   - qr-generate
   - wifi
-  - review-digest-compose
 always: true
 embed: false
 ---

package/payload/platform/plugins/admin/mcp/dist/index.js

@@ -17,7 +17,6 @@ import { homedir, hostname as osHostname } from "node:os";
 import QRCode from "qrcode";
 import { getSession, closeDriver } from "./lib/neo4j.js";
 import { getOnboardingState, completeOnboardingStep } from "./lib/onboarding.js";
-import { registerReviewTools } from "./lib/review-tools.js";
 const server = new McpServer({
     name: "admin",
     version: "0.1.0",
@@ -1179,8 +1178,8 @@ server.tool("agent-list", "List all public (non-admin) agents with their full co
         };
     }
 });
-server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=agent-stream/error/session/public) are now per-conversation — pass `conversationId` to retrieve a single conversation's log from first [spawn] to final [process-exit]. type=agent-stream: per-conversation tool-use/tool-result archive (every `[tool-use]` and `[tool-result]` pair with full input + output JSON, plus raw Claude stream-json, agent events, and MCP server stderr via tee). USE THIS when investigating what an agent ACTUALLY did with its tools — server.log only carries `[persist] tool-call persisted` markers, not bodies. (`type=system` is a backwards-compatible alias for the same archive.) type=session: SSE events sent to client. type=error: Claude subprocess stderr (raw — NODE_DEBUG HTTP/NET/UNDICI traces land in agent-stream via the stream tee, not here). type=heartbeat: platform event dispatcher (check-due-events cron). type=public: public agent diagnostic log. type=server: platform server log. type=mcp: MCP server stderr (per-plugin raw). type=vnc: VNC browser viewer lifecycle. type=review: log-review detector decisions. sessionKey: grep legacy sessionKey-tagged lines across all logs (useful for pre-Task-532 artefacts). When conversationId is provided, reads the single per-conversation file for the requested type (or dumps all type files for that conversationId if type is omitted).", {
-    type: z.enum(["agent-stream", "system", "session", "error", "heartbeat", "public", "server", "mcp", "vnc", "review"]).optional(),
+server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=agent-stream/error/session/public) are now per-conversation — pass `conversationId` to retrieve a single conversation's log from first [spawn] to final [process-exit]. type=agent-stream: per-conversation tool-use/tool-result archive (every `[tool-use]` and `[tool-result]` pair with full input + output JSON, plus raw Claude stream-json, agent events, and MCP server stderr via tee). USE THIS when investigating what an agent ACTUALLY did with its tools — server.log only carries `[persist] tool-call persisted` markers, not bodies. (`type=system` is a backwards-compatible alias for the same archive.) type=session: SSE events sent to client. type=error: Claude subprocess stderr (raw — NODE_DEBUG HTTP/NET/UNDICI traces land in agent-stream via the stream tee, not here). type=heartbeat: platform event dispatcher (check-due-events cron). type=public: public agent diagnostic log. type=server: platform server log. type=mcp: MCP server stderr (per-plugin raw). type=vnc: VNC browser viewer lifecycle. sessionKey: grep legacy sessionKey-tagged lines across all logs (useful for pre-Task-532 artefacts). When conversationId is provided, reads the single per-conversation file for the requested type (or dumps all type files for that conversationId if type is omitted).", {
+    type: z.enum(["agent-stream", "system", "session", "error", "heartbeat", "public", "server", "mcp", "vnc"]).optional(),
     lines: z.number().optional(),
     sessionKey: z.string().optional(),
     conversationId: z.string().optional(),
@@ -1223,7 +1222,7 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=agen
             const prefix = prefixMap[resolvedType];
             if (!prefix) {
                 return {
-                    content: [{ type: "text", text: `type=${resolvedType} is not per-conversation. Valid per-conversation types: agent-stream, error, session, public. For platform-scoped types (server, vnc, review, heartbeat, mcp) omit conversationId.` }],
+                    content: [{ type: "text", text: `type=${resolvedType} is not per-conversation. Valid per-conversation types: agent-stream, error, session, public. For platform-scoped types (server, vnc, heartbeat, mcp) omit conversationId.` }],
                     isError: true,
                 };
             }
@@ -1276,11 +1275,11 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=agen
             };
             // When a type is explicitly provided, search only that type's files.
             // When type is omitted, search all prefix-based log types (excludes heartbeat — no session context).
-            // server, vnc, and review are single-file (configDir-scoped), so they have no prefix search;
+            // server and vnc are single-file (configDir-scoped), so they have no prefix search;
             // their matches are produced by dedicated blocks below.
-            const searchPrefixes = type && type !== "heartbeat" && type !== "server" && type !== "vnc" && type !== "review" && prefixes[type]
+            const searchPrefixes = type && type !== "heartbeat" && type !== "server" && type !== "vnc" && prefixes[type]
                 ? { [type]: prefixes[type] }
-                : (type === "server" || type === "vnc" || type === "review") ? {} : prefixes;
+                : (type === "server" || type === "vnc") ? {} : prefixes;
             const allFiles = readdirSync(LOG_DIR).filter(f => f.endsWith(".log"));
             const sections = [];
             // Search account-scoped prefix-based log files
@@ -1341,25 +1340,6 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=agen
                     }
                 }
             }
-            // Search review.log (platform-scoped, in configDir) — the
-            // proactive log-review detector's self-log (Task 385).
-            const includeReview = !type || type === "review";
-            if (includeReview) {
-                const reviewLog = resolve(CONFIG_DIR, "logs", "review.log");
-                if (existsSync(reviewLog)) {
-                    try {
-                        const result = execFileSync("grep", ["-F", sessionKey, reviewLog], { timeout: 5000 }).toString().trim();
-                        if (result) {
-                            sections.push(`## review.log (review)\n${result}`);
-                        }
-                    }
-                    catch (grepErr) {
-                        const exitCode = grepErr.status;
-                        if (exitCode !== 1)
-                            throw grepErr;
-                    }
-                }
-            }
             if (sections.length === 0) {
                 return { content: [{ type: "text", text: `No log lines found for session key "${sessionKey}".` }] };
             }
@@ -1401,20 +1381,6 @@ server.tool("logs-read", "Read recent logs. Task 532: the stream logs (type=agen
             }).toString();
             return { content: [{ type: "text", text: `# vnc-boot.log\n\n${result}` }] };
         }
-        // Review log is a single platform-scoped file written by the in-process
-        // review detector (Task 385). Every scan cycle, rule match, suppression,
-        // rate-limit decision, admin-tool rule mutation, and watchdog event is
-        // here. Use this to answer "did the detector see X?" questions.
-        if (resolvedType === "review") {
-            const reviewLogFile = resolve(CONFIG_DIR, "logs", "review.log");
-            if (!existsSync(reviewLogFile)) {
-                return { content: [{ type: "text", text: `No review log found at ${reviewLogFile} (detector may not have started yet)` }] };
-            }
-            const result = execFileSync("tail", ["-n", String(lines), reviewLogFile], {
-                timeout: 5000,
-            }).toString();
-            return { content: [{ type: "text", text: `# review.log\n\n${result}` }] };
-        }
         // Task 850 — agent-stream and the legacy system alias both map to
         // claude-agent-stream-. The fall-through default also covers them.
         const prefix = resolvedType === "error" ? "claude-agent-stderr-"
@@ -3229,10 +3195,6 @@ server.tool("adherence-read", "Read the attention-weighted adherence ledger for
         };
     }
 });
-// Review cadence tools (Task 385) — list, suppress, add, remove, etc.
-// Registered as the final tool bundle because they depend on CONFIG_DIR
-// and ACCOUNT_ID being resolved above.
-registerReviewTools(server, { configDir: CONFIG_DIR, accountId: ACCOUNT_ID });
 // Cleanup on exit (SIGTERM for systemd service stops on Pi)
 const cleanup = async () => {
     await closeDriver();