npm - @rubytech/create-realagent - Versions diffs - 1.0.818 → 1.0.819 - Mend

@rubytech/create-realagent 1.0.818 → 1.0.819

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/payload/server/server.js CHANGED Viewed

@@ -121,8 +121,225 @@ import {
   writeAdminUserAndPerson
 } from "./chunk-PXQA2MA3.js";
-// ../lib/graph-trash/dist/index.js
+// ../lib/graph-write/dist/audit.js
+var require_audit = __commonJS({
+  "../lib/graph-write/dist/audit.js"(exports) {
+    "use strict";
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.auditCypherWrite = auditCypherWrite;
+    exports.formatAuditLine = formatAuditLine;
+    var EDGE_PATTERN = /\[[^\]]*?:([A-Z_][A-Za-z0-9_]*(?:\|[A-Z_][A-Za-z0-9_]*)*)[^\]]*?\]/g;
+    var CREATE_OR_MERGE_NODE = /\b(?:CREATE|MERGE)\s*\(\s*[A-Za-z_][A-Za-z0-9_]*\s*:\s*[A-Z]/g;
+    var PROVENANCE_TOKEN = /\bcreatedBy(?:Agent|Tool|Session|Source)\b/g;
+    function stripStringLiterals(cypher) {
+      return cypher.replace(/'[^']*'|"[^"]*"/g, '""');
+    }
+    function extractEdgeTypes(cleaned) {
+      const out = /* @__PURE__ */ new Set();
+      for (const m of cleaned.matchAll(EDGE_PATTERN)) {
+        for (const t of m[1].split("|")) {
+          const clean = t.trim();
+          if (clean)
+            out.add(clean);
+        }
+      }
+      return out;
+    }
+    function countCreateOrMergeNodes(cleaned) {
+      const matches = cleaned.match(CREATE_OR_MERGE_NODE);
+      return matches ? matches.length : 0;
+    }
+    function countProvenanceStamps(cleaned) {
+      const matches = cleaned.match(PROVENANCE_TOKEN);
+      return matches ? matches.length : 0;
+    }
+    function auditCypherWrite(input) {
+      const warnings = [];
+      const cleaned = stripStringLiterals(input.cypher);
+      const referencedTypes = extractEdgeTypes(cleaned);
+      for (const t of referencedTypes) {
+        if (!input.schema.relationshipTypes.has(t)) {
+          warnings.push({ kind: "unknown-type-warning", type: t });
+        }
+      }
+      if (input.nodesCreated > 0) {
+        const createOrMergeNodes = countCreateOrMergeNodes(cleaned);
+        if (createOrMergeNodes > 0) {
+          const stamps = countProvenanceStamps(cleaned);
+          if (stamps < createOrMergeNodes) {
+            warnings.push({
+              kind: "missing-provenance-warning",
+              created: createOrMergeNodes,
+              stamped: stamps
+            });
+          }
+        }
+      }
+      if (input.orphanIds.length > 0) {
+        warnings.push({ kind: "orphan-warning", orphanIds: input.orphanIds });
+      }
+      return warnings;
+    }
+    function formatAuditLine(line) {
+      const prefixField = `query="${line.cypherPrefix.replace(/"/g, "'")}"`;
+      switch (line.kind) {
+        case "accepted":
+          return `[graph-cypher-write] accepted ${prefixField} nodesCreated=${line.nodesCreated} relsCreated=${line.relsCreated} agentName=${line.agentName} sessionId=${line.sessionId}`;
+        case "orphan-warning":
+          return `[graph-cypher-write] orphan-warning ${prefixField} orphanIds=${line.orphanIds.join(",")}`;
+        case "unknown-type-warning":
+          return `[graph-cypher-write] unknown-type-warning ${prefixField} type=${line.type}`;
+        case "missing-provenance-warning":
+          return `[graph-cypher-write] missing-provenance-warning ${prefixField} created=${line.created} stamped=${line.stamped}`;
+      }
+    }
+  }
+});
+// ../lib/graph-write/dist/index.js
 var require_dist = __commonJS({
+  "../lib/graph-write/dist/index.js"(exports) {
+    "use strict";
+    var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      var desc = Object.getOwnPropertyDescriptor(m, k);
+      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+        desc = { enumerable: true, get: function() {
+          return m[k];
+        } };
+      }
+      Object.defineProperty(o, k2, desc);
+    }) : (function(o, m, k, k2) {
+      if (k2 === void 0) k2 = k;
+      o[k2] = m[k];
+    }));
+    var __exportStar = exports && exports.__exportStar || function(m, exports2) {
+      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports2, p)) __createBinding(exports2, m, p);
+    };
+    Object.defineProperty(exports, "__esModule", { value: true });
+    exports.ACTION_PROVENANCE_LABELS = void 0;
+    exports.stampCreatedBy = stampCreatedBy;
+    exports.writeNodeWithEdges = writeNodeWithEdges2;
+    __exportStar(require_audit(), exports);
+    exports.ACTION_PROVENANCE_LABELS = /* @__PURE__ */ new Set([
+      "Person",
+      "UserProfile",
+      "AdminUser",
+      "Organization",
+      "LocalBusiness",
+      "CloudflareTunnel",
+      "CloudflareHostname"
+    ]);
+    function requiresActionProvenance(labels) {
+      for (const label of labels) {
+        if (exports.ACTION_PROVENANCE_LABELS.has(label))
+          return true;
+      }
+      return false;
+    }
+    function findProducedFromTaskCandidates(relationships) {
+      return relationships.filter((r) => r.type === "PRODUCED" && r.direction === "incoming");
+    }
+    function stampCreatedBy(props, createdBy) {
+      return {
+        ...props,
+        createdByAgent: createdBy.agent ?? "unknown",
+        createdBySession: createdBy.session ?? "unknown",
+        createdByTool: createdBy.tool ?? null,
+        createdBySource: createdBy.source ?? null
+      };
+    }
+    async function writeNodeWithEdges2(params) {
+      const { session, labels, props, relationships, createdBy } = params;
+      const agentLabel = createdBy.agent ?? createdBy.source ?? "unknown";
+      const labelCsv = labels.join(",");
+      const reviewDigestActionTool = typeof props.actionTool === "string" && props.actionTool === "review-digest-compose";
+      if (labels.includes("ReviewAlert") || reviewDigestActionTool) {
+        const actionToolField = reviewDigestActionTool ? "review-digest-compose" : "n/a";
+        process.stderr.write(`[graph-write] reject reason=removed-feature labels=${labelCsv} actionTool=${actionToolField} agent=${agentLabel}
+`);
+        throw new Error("Write doctrine violated: review-detector feature removed (Task 884) \u2014 `:ReviewAlert` and `:Event {actionTool:'review-digest-compose'}` writes are not allowed.");
+      }
+      if (!relationships || relationships.length < 1) {
+        process.stderr.write(`[graph-write] reject reason=zero-relationships labels=${labelCsv} agent=${agentLabel}
+`);
+        throw new Error("Write doctrine violated: a node must be created with at least one relationship. See .docs/neo4j.md (Write doctrine).");
+      }
+      const labelStr = labels.map((l) => `\`${l.replace(/`/g, "")}\``).join(":");
+      const nodeProps = stampCreatedBy(props, createdBy);
+      return await session.executeWrite(async (tx) => {
+        const targetIds = relationships.map((r) => r.targetNodeId);
+        const check = await tx.run(`UNWIND $ids AS id MATCH (t) WHERE elementId(t) = id RETURN elementId(t) AS id, labels(t) AS labels`, { ids: targetIds });
+        const labelsByTarget = /* @__PURE__ */ new Map();
+        for (const rec of check.records) {
+          labelsByTarget.set(rec.get("id"), rec.get("labels"));
+        }
+        const found = labelsByTarget.size;
+        const uniqueRequested = new Set(targetIds).size;
+        if (found !== uniqueRequested) {
+          process.stderr.write(`[graph-write] reject reason=unresolved-target labels=${labelCsv} agent=${agentLabel} requested=${uniqueRequested} found=${found}
+`);
+          throw new Error(`Write doctrine violated: ${uniqueRequested - found} of ${uniqueRequested} relationship target(s) did not resolve (elementId mismatch). No node created.`);
+        }
+        let producedByTaskId = null;
+        if (requiresActionProvenance(labels) && (createdBy.agent ?? "") !== "system") {
+          const candidates = findProducedFromTaskCandidates(relationships);
+          const taskCandidates = candidates.filter((r) => {
+            const lbls = labelsByTarget.get(r.targetNodeId);
+            return Array.isArray(lbls) && lbls.includes("Task");
+          });
+          if (taskCandidates.length === 0) {
+            process.stderr.write(`[graph-write] reject reason=missing-action-provenance labels=${labelCsv} agent=${agentLabel}
+`);
+            throw new Error(`Process provenance doctrine violated: write to ${labelCsv} requires an inbound :PRODUCED edge from a :Task (createdBy.agent='${agentLabel}'). See .docs/neo4j.md (Process provenance doctrine).`);
+          }
+          producedByTaskId = taskCandidates[0].targetNodeId;
+        }
+        let nodeRes;
+        try {
+          nodeRes = await tx.run(`CREATE (n:${labelStr} $props) RETURN elementId(n) AS nodeId, labels(n) AS nodeLabels`, { props: nodeProps });
+        } catch (err) {
+          const code = err?.code ?? "";
+          if (code === "Neo.ClientError.Schema.ConstraintValidationFailed" && labels.includes("UserProfile")) {
+            const accountIdProp = nodeProps.accountId;
+            const userIdProp = nodeProps.userId;
+            const acctSlice = typeof accountIdProp === "string" ? accountIdProp.slice(0, 8) : "unknown";
+            const userSlice = typeof userIdProp === "string" ? userIdProp.slice(0, 8) : "unknown";
+            process.stderr.write(`[graph-write] reject reason=user-profile-uniqueness-violation accountId=${acctSlice} userId=${userSlice} writer=${agentLabel}
+`);
+          }
+          throw err;
+        }
+        const nodeId = nodeRes.records[0].get("nodeId");
+        const nodeLabels = nodeRes.records[0].get("nodeLabels");
+        let edgesCreated = 0;
+        for (const rel of relationships) {
+          const type = rel.type.replace(/`/g, "");
+          const q = rel.direction === "outgoing" ? `MATCH (a), (b) WHERE elementId(a) = $from AND elementId(b) = $to CREATE (a)-[:\`${type}\`]->(b)` : `MATCH (a), (b) WHERE elementId(a) = $from AND elementId(b) = $to CREATE (b)-[:\`${type}\`]->(a)`;
+          const r = await tx.run(q, { from: nodeId, to: rel.targetNodeId });
+          const created = r.summary.counters.updates().relationshipsCreated;
+          if (created === 0) {
+            process.stderr.write(`[graph-write] reject reason=unresolved-target-on-create labels=${labelCsv} agent=${agentLabel} relType=${rel.type} targetId=${rel.targetNodeId}
+`);
+            throw new Error(`Write doctrine violated: relationship CREATE to target ${rel.targetNodeId} produced 0 edges (target likely deleted concurrently after pre-check). Transaction rolled back.`);
+          }
+          edgesCreated += created;
+        }
+        if (edgesCreated !== relationships.length) {
+          process.stderr.write(`[graph-write] reject reason=edge-count-mismatch labels=${labelCsv} agent=${agentLabel} requested=${relationships.length} created=${edgesCreated}
+`);
+          throw new Error(`Write doctrine violated: expected ${relationships.length} edges, created ${edgesCreated}. Transaction rolled back.`);
+        }
+        process.stderr.write(`[graph-write] accepted labels=${labelCsv} edges=${edgesCreated} createdByAgent=${createdBy.agent ?? "unknown"} createdByTool=${createdBy.tool ?? createdBy.source ?? "unknown"} producedByTask=${producedByTaskId ?? "none"}
+`);
+        return { nodeId, labels: nodeLabels, edgesCreated };
+      });
+    }
+  }
+});
+// ../lib/graph-trash/dist/index.js
+var require_dist2 = __commonJS({
   "../lib/graph-trash/dist/index.js"(exports) {
     "use strict";
     Object.defineProperty(exports, "__esModule", { value: true });
@@ -618,7 +835,7 @@ var serveStatic = (options = { root: "" }) => {
 };
 // server/index.ts
-import { readFileSync as readFileSync15, existsSync as existsSync21, watchFile } from "fs";
+import { readFileSync as readFileSync16, existsSync as existsSync22, watchFile } from "fs";
 import { resolve as resolve21, join as join9, basename as basename5 } from "path";
 import { homedir as homedir2 } from "os";
@@ -8580,7 +8797,7 @@ var events_default = app20;
 // server/routes/admin/cloudflare.ts
 import { homedir } from "os";
 import { resolve as resolve14 } from "path";
-import { readFileSync as readFileSync13 } from "fs";
+import { readFileSync as readFileSync14 } from "fs";
 // app/lib/dns-label.ts
 var VALID_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
@@ -8618,6 +8835,214 @@ function addAliasDomain(hostname2) {
   writeFileSync6(ALIAS_DOMAINS_PATH, JSON.stringify([...existing], null, 2) + "\n", "utf-8");
 }
+// app/lib/cloudflare-task-tracker.ts
+import { readFileSync as readFileSync13, existsSync as existsSync17 } from "fs";
+import { randomUUID as randomUUID7 } from "crypto";
+var import_dist = __toESM(require_dist(), 1);
+var CREATED_BY_AGENT = "cloudflare-setup-endpoint";
+var TASK_KIND = "cloudflare-tunnel-login";
+async function openCloudflareTask(params) {
+  const { accountId, conversationKey, inputsProvided } = params;
+  const taskId = randomUUID7();
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const session = getSession();
+  try {
+    const conv = await session.run(
+      `MATCH (c:Conversation {sessionKey: $conversationKey, accountId: $accountId}) RETURN elementId(c) AS id LIMIT 1`,
+      { conversationKey, accountId }
+    );
+    if (conv.records.length === 0) {
+      throw new Error(
+        `cloudflare-task-tracker: no Conversation with sessionKey=${conversationKey.slice(-8)} for accountId \u2014 refusing to create an orphan Task`
+      );
+    }
+    const conversationElementId = conv.records[0].get("id");
+    const props = {
+      taskId,
+      accountId,
+      name: "Cloudflare tunnel login + setup",
+      description: `Deterministic cloudflare setup invoked by /api/admin/cloudflare/setup. inputsProvided=[${inputsProvided.join(", ")}]`,
+      status: "running",
+      priority: "normal",
+      kind: TASK_KIND,
+      inputsProvided,
+      startedAt: now,
+      createdAt: now,
+      updatedAt: now
+    };
+    const relationships = [
+      {
+        type: "RAISED_DURING",
+        direction: "outgoing",
+        targetNodeId: conversationElementId
+      }
+    ];
+    const result = await (0, import_dist.writeNodeWithEdges)({
+      session,
+      labels: ["Task"],
+      props,
+      relationships,
+      createdBy: {
+        agent: CREATED_BY_AGENT,
+        session: conversationKey,
+        tool: "cloudflare-setup-endpoint"
+      }
+    });
+    process.stderr.write(
+      `[task] action-start kind=${TASK_KIND} taskId=${taskId} raisedDuring=${conversationKey.slice(-8)}
+`
+    );
+    return { taskId, taskElementId: result.nodeId };
+  } finally {
+    await session.close();
+  }
+}
+async function appendCloudflareSteps(taskId, accountId, streamLogPath) {
+  if (!existsSync17(streamLogPath)) return [];
+  let content;
+  try {
+    content = readFileSync13(streamLogPath, "utf-8");
+  } catch {
+    return [];
+  }
+  const steps = [];
+  for (const line of content.split(/\r?\n/)) {
+    const m = line.match(/\bphase_line\s+setup-tunnel\s+step=(\S+)/);
+    if (m) steps.push(m[1]);
+  }
+  if (steps.length === 0) return [];
+  const session = getSession();
+  try {
+    await session.run(
+      `MATCH (t:Task {taskId: $taskId, accountId: $accountId})
+       SET t.steps = coalesce(t.steps, []) + $steps,
+           t.updatedAt = $updatedAt`,
+      { taskId, accountId, steps, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }
+    );
+    for (const step of steps) {
+      process.stderr.write(
+        `[task] action-step kind=${TASK_KIND} taskId=${taskId} step=${step}
+`
+      );
+    }
+    return steps;
+  } finally {
+    await session.close();
+  }
+}
+async function completeCloudflareTask(params) {
+  const { taskId, taskElementId, accountId, conversationKey, tunnelId, tunnelName, hostnames, status, errorMessage } = params;
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  if (status === "failed" && (!errorMessage || errorMessage.trim().length === 0)) {
+    throw new Error(
+      "cloudflare-task-tracker: errorMessage is required when status='failed' (Task 885 process-provenance contract)."
+    );
+  }
+  const session = getSession();
+  try {
+    if (status === "completed" && tunnelId && tunnelName) {
+      const conv = await session.run(
+        `MATCH (c:Conversation {sessionKey: $conversationKey, accountId: $accountId}) RETURN elementId(c) AS id LIMIT 1`,
+        { conversationKey, accountId }
+      );
+      const conversationElementId = conv.records.length > 0 ? conv.records[0].get("id") : null;
+      const tunnelProps = {
+        accountId,
+        tunnelId,
+        tunnelName,
+        createdAt: now,
+        updatedAt: now
+      };
+      const tunnelRels = [
+        { type: "PRODUCED", direction: "incoming", targetNodeId: taskElementId }
+      ];
+      if (conversationElementId) {
+        tunnelRels.push({
+          type: "RAISED_DURING",
+          direction: "outgoing",
+          targetNodeId: conversationElementId
+        });
+      }
+      const tunnelWrite = await (0, import_dist.writeNodeWithEdges)({
+        session,
+        labels: ["CloudflareTunnel"],
+        props: tunnelProps,
+        relationships: tunnelRels,
+        createdBy: {
+          agent: CREATED_BY_AGENT,
+          session: conversationKey,
+          tool: "cloudflare-setup-endpoint"
+        }
+      });
+      for (const h of hostnames ?? []) {
+        const hostRels = [
+          { type: "PRODUCED", direction: "incoming", targetNodeId: taskElementId },
+          {
+            type: "ROUTES_TO",
+            direction: "outgoing",
+            targetNodeId: tunnelWrite.nodeId
+          }
+        ];
+        await (0, import_dist.writeNodeWithEdges)({
+          session,
+          labels: ["CloudflareHostname"],
+          props: {
+            accountId,
+            hostnameValue: h.hostnameValue,
+            tunnelId,
+            isApex: h.isApex,
+            createdAt: now,
+            updatedAt: now
+          },
+          relationships: hostRels,
+          createdBy: {
+            agent: CREATED_BY_AGENT,
+            session: conversationKey,
+            tool: "cloudflare-setup-endpoint"
+          }
+        });
+      }
+    }
+    const setClauses = [
+      "t.status = $status",
+      "t.completedAt = $now",
+      "t.updatedAt = $now"
+    ];
+    const queryParams = { taskId, accountId, status, now };
+    if (status === "failed" && errorMessage) {
+      setClauses.push("t.errorMessage = $errorMessage");
+      queryParams.errorMessage = errorMessage;
+    }
+    const updateRes = await session.run(
+      `MATCH (t:Task {taskId: $taskId, accountId: $accountId})
+       SET ${setClauses.join(", ")}
+       RETURN size(coalesce(t.steps, [])) AS stepsCount`,
+      queryParams
+    );
+    const stepsCount = updateRes.records[0]?.get("stepsCount")?.toNumber?.() ?? 0;
+    process.stderr.write(
+      `[task] action-done kind=${TASK_KIND} taskId=${taskId} status=${status} stepsCount=${stepsCount}
+`
+    );
+  } finally {
+    await session.close();
+  }
+}
+function readTunnelState(brandConfigDir) {
+  const statePath = `${process.env.HOME ?? ""}/${brandConfigDir}/cloudflared/tunnel.state`;
+  if (!existsSync17(statePath)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync13(statePath, "utf-8"));
+    const tunnelId = typeof parsed.tunnelId === "string" ? parsed.tunnelId : null;
+    const tunnelName = typeof parsed.tunnelName === "string" ? parsed.tunnelName : null;
+    const domain = typeof parsed.domain === "string" ? parsed.domain : null;
+    if (!tunnelId || !tunnelName || !domain) return null;
+    return { tunnelId, tunnelName, domain };
+  } catch {
+    return null;
+  }
+}
 // server/routes/admin/cloudflare.ts
 var SETUP_TIMEOUT_MS = 10 * 60 * 1e3;
 var DOMAINS_TIMEOUT_MS = 40 * 1e3;
@@ -8625,7 +9050,7 @@ function loadBrandInfo() {
   const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve14(process.cwd(), "..");
   const brandPath = resolve14(platformRoot2, "config", "brand.json");
   try {
-    const parsed = JSON.parse(readFileSync13(brandPath, "utf-8"));
+    const parsed = JSON.parse(readFileSync14(brandPath, "utf-8"));
     const hostname2 = typeof parsed.hostname === "string" && parsed.hostname ? parsed.hostname : "maxy";
     const configDir2 = typeof parsed.configDir === "string" && parsed.configDir ? parsed.configDir : ".maxy";
     return { hostname: hostname2, configDir: configDir2 };
@@ -8867,6 +9292,17 @@ app21.post("/setup", requireAdminSession, async (c) => {
   if (await isActionActive("cloudflare-setup")) {
     return err("request", "Another Cloudflare setup is already running. Wait for it to finish before starting a new one.");
   }
+  let cloudflareTask;
+  try {
+    cloudflareTask = await openCloudflareTask({
+      accountId,
+      conversationKey: sessionKey,
+      inputsProvided: ["adminLabel", "adminDomain", publicFqdn ? "publicLabel" : null, apex ? "apex" : null, "password"].filter((s) => typeof s === "string")
+    });
+    log(`phase=task-opened taskId=${cloudflareTask.taskId}`);
+  } catch (e) {
+    return err("script", `Failed to open process-provenance Task record: ${e instanceof Error ? e.message : String(e)}`);
+  }
   let actionId;
   let unit;
   try {
@@ -8879,8 +9315,27 @@ app21.post("/setup", requireAdminSession, async (c) => {
   log(`phase=action-launched id=${actionId} unit=${unit}`);
   void (async () => {
     const status = await waitForExit(unit, SETUP_TIMEOUT_MS);
+    try {
+      const appendedSteps = await appendCloudflareSteps(cloudflareTask.taskId, accountId, streamLogPath);
+      log(`phase=task-steps-appended count=${appendedSteps.length}`);
+    } catch (e) {
+      logErr(`phase=task-steps-append-failed reason="${e instanceof Error ? e.message : String(e)}"`);
+    }
     if (!status || status.execMainStatus !== 0) {
       logErr(`phase=post-exit-skipped reason=${status ? `exit=${status.execMainStatus}` : "unit-gone"} id=${actionId}`);
+      try {
+        const exitReason = status ? `script exited with status ${status.execMainStatus}` : "systemd unit vanished before exit recorded";
+        await completeCloudflareTask({
+          taskId: cloudflareTask.taskId,
+          taskElementId: cloudflareTask.taskElementId,
+          accountId,
+          conversationKey: sessionKey,
+          status: "failed",
+          errorMessage: exitReason
+        });
+      } catch (e) {
+        logErr(`phase=task-close-failed status=failed reason="${e instanceof Error ? e.message : String(e)}"`);
+      }
       return;
     }
     const candidates = [publicFqdn, apex].filter((h) => typeof h === "string" && h.length > 0);
@@ -8900,6 +9355,30 @@ app21.post("/setup", requireAdminSession, async (c) => {
         logErr(`phase=alias-domain-write host=${host} result=error reason="${e instanceof Error ? e.message : String(e)}"`);
       }
     }
+    try {
+      const tunnelState = readTunnelState(brand.configDir);
+      const allHostnames = [adminFqdn, publicFqdn, apex].filter(
+        (h) => typeof h === "string" && h.length > 0
+      );
+      const hostnameRecords = allHostnames.map((value) => ({
+        hostnameValue: value,
+        // Apex heuristic: exactly one dot in the FQDN. Mirrors setup-tunnel.sh:332.
+        isApex: (value.match(/\./g)?.length ?? 0) === 1
+      }));
+      await completeCloudflareTask({
+        taskId: cloudflareTask.taskId,
+        taskElementId: cloudflareTask.taskElementId,
+        accountId,
+        conversationKey: sessionKey,
+        tunnelId: tunnelState?.tunnelId,
+        tunnelName: tunnelState?.tunnelName,
+        hostnames: tunnelState ? hostnameRecords : void 0,
+        status: "completed"
+      });
+      log(`phase=task-closed status=completed tunnelId=${tunnelState?.tunnelId ?? "absent"} hostnames=${allHostnames.length}`);
+    } catch (e) {
+      logErr(`phase=task-close-failed status=completed reason="${e instanceof Error ? e.message : String(e)}"`);
+    }
     log(`phase=done action=${actionId}`);
   })().catch((e) => logErr(`post-exit handler threw: ${e}`));
   const total = Date.now() - started;
@@ -9592,7 +10071,7 @@ app22.delete("/", requireAdminSession, async (c) => {
 var files_default = app22;
 // ../lib/graph-search/src/index.ts
-var import_dist = __toESM(require_dist());
+var import_dist2 = __toESM(require_dist2());
 import { int } from "neo4j-driver";
 var VECTOR_WEIGHT = 0.7;
 var BM25_WEIGHT = 0.3;
@@ -9647,7 +10126,7 @@ async function bm25Only(session, params) {
        ${scopeClause}
        ${agentClause}
        ${labelClause}
-       AND ${(0, import_dist.notTrashed)("node")}
+       AND ${(0, import_dist2.notTrashed)("node")}
        ${kwClause}
        RETURN node, score, labels(node) AS nodeLabels, elementId(node) AS nodeId
        ORDER BY score DESC
@@ -9737,7 +10216,7 @@ async function hybrid(session, embed2, params) {
        WHERE node.accountId = $accountId
        ${scopeClause}
        ${agentClause}
-       AND ${(0, import_dist.notTrashed)("node")}
+       AND ${(0, import_dist2.notTrashed)("node")}
        ${keywordClause}
        RETURN node, score, labels(node) AS nodeLabels, elementId(node) AS nodeId
        ORDER BY score DESC
@@ -9798,7 +10277,7 @@ async function hybrid(session, embed2, params) {
     const propResult = await session.run(
       `MATCH (node)
        WHERE node.accountId = $accountId
-       AND ${(0, import_dist.notTrashed)("node")}
+       AND ${(0, import_dist2.notTrashed)("node")}
        AND node.keywords IS NOT NULL
        AND ANY(kw IN $kwSubs WHERE ANY(nk IN node.keywords WHERE toLower(nk) = kw))
        ${propScopeClause}
@@ -9855,7 +10334,7 @@ async function hybrid(session, embed2, params) {
       `UNWIND $nodeIds AS nid
        MATCH (n)-[r]-(related)
        WHERE elementId(n) = nid
-       AND ${(0, import_dist.notTrashed)("related")}
+       AND ${(0, import_dist2.notTrashed)("related")}
        ${expandScopeClause}
        ${expandAgentClause}
        WITH nid, n, r, related
@@ -11031,7 +11510,7 @@ var adherence_default = app30;
 import neo4j3 from "neo4j-driver";
 import { readFile as readFile5, readdir as readdir3, stat as stat5 } from "fs/promises";
 import { resolve as resolve17, relative as relative2, isAbsolute } from "path";
-import { existsSync as existsSync17 } from "fs";
+import { existsSync as existsSync18 } from "fs";
 var LIMIT = 50;
 var TEXT_MIME_PREFIXES = ["text/", "application/json", "application/markdown"];
 var ADMIN_AGENT_FILES = ["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"];
@@ -11179,7 +11658,7 @@ async function fetchAgentTemplateRows(accountDir) {
 async function unionSpecialistFilenames(overrideDir, bundledDir) {
   const names = /* @__PURE__ */ new Set();
   for (const dir of [overrideDir, bundledDir]) {
-    if (!existsSync17(dir)) continue;
+    if (!existsSync18(dir)) continue;
     try {
       const entries = await readdir3(dir);
       for (const entry of entries) {
@@ -11194,7 +11673,7 @@ async function unionSpecialistFilenames(overrideDir, bundledDir) {
 }
 async function readAgentTemplateRow(inp) {
   let chosenPath = null;
-  if (existsSync17(inp.overridePath)) {
+  if (existsSync18(inp.overridePath)) {
     try {
       validateFilePathInAccount(inp.overridePath, inp.overrideRoot);
       chosenPath = inp.overridePath;
@@ -11205,7 +11684,7 @@ async function readAgentTemplateRow(inp) {
       );
       return null;
     }
-  } else if (existsSync17(inp.bundledPath)) {
+  } else if (existsSync18(inp.bundledPath)) {
     if (!isWithin(inp.bundledPath, inp.bundledRoot)) {
       console.error(
         `[admin/sidebar-artefacts] agent-template-read-failed agent=${inp.displayName} kind=${inp.logName} error="bundled path outside PLATFORM_ROOT"`
@@ -11247,7 +11726,7 @@ var sidebar_artefacts_default = app31;
 // server/routes/admin/sidebar-artefact-save.ts
 import { mkdir as mkdir4, readdir as readdir4, stat as stat6, writeFile as writeFile5 } from "fs/promises";
 import { resolve as resolve18 } from "path";
-import { existsSync as existsSync18 } from "fs";
+import { existsSync as existsSync19 } from "fs";
 var ADMIN_AGENT_FILES2 = /* @__PURE__ */ new Set(["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"]);
 var UUID_RE5 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app32 = new Hono();
@@ -11311,7 +11790,7 @@ async function resolveSavePath(id, accountId, accountDir) {
   }
   if (UUID_RE5.test(id)) {
     const dir = resolve18(ATTACHMENTS_ROOT, accountId, id);
-    if (!existsSync18(dir)) {
+    if (!existsSync19(dir)) {
       return { kind: "reject", status: 400, reason: "not-found" };
     }
     try {
@@ -11335,7 +11814,7 @@ var sidebar_artefact_save_default = app32;
 // server/routes/admin/sidebar-artefact-content.ts
 import { readFile as readFile6, readdir as readdir5 } from "fs/promises";
-import { existsSync as existsSync19 } from "fs";
+import { existsSync as existsSync20 } from "fs";
 import { resolve as resolve19 } from "path";
 var UUID_RE6 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app33 = new Hono();
@@ -11349,7 +11828,7 @@ app33.get("/", requireAdminSession, async (c) => {
     return new Response("Not found", { status: 404 });
   }
   const dir = resolve19(ATTACHMENTS_ROOT, accountId, id);
-  if (!existsSync19(dir)) {
+  if (!existsSync20(dir)) {
     console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
     return new Response("Not found", { status: 404 });
   }
@@ -11411,7 +11890,7 @@ app34.route("/sidebar-artefact-content", sidebar_artefact_content_default);
 var admin_default = app34;
 // server/routes/sites.ts
-import { existsSync as existsSync20, readFileSync as readFileSync14, realpathSync as realpathSync5, statSync as statSync5 } from "fs";
+import { existsSync as existsSync21, readFileSync as readFileSync15, realpathSync as realpathSync5, statSync as statSync5 } from "fs";
 import { resolve as resolve20 } from "path";
 var SAFE_SEG_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
 var MIME = {
@@ -11478,7 +11957,7 @@ app35.get("/:rel{.*}", (c) => {
   }
   let stat7;
   try {
-    stat7 = existsSync20(filePath) ? statSync5(filePath) : null;
+    stat7 = existsSync21(filePath) ? statSync5(filePath) : null;
   } catch {
     stat7 = null;
   }
@@ -11491,7 +11970,7 @@ app35.get("/:rel{.*}", (c) => {
     console.error(`[sites] path-traversal-rejected path=${reqPath} reason=escape status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync20(filePath)) {
+  if (!existsSync21(filePath)) {
     console.error(`[sites] not-found path=${reqPath} status=404`);
     return c.text("Not found", 404);
   }
@@ -11510,7 +11989,7 @@ app35.get("/:rel{.*}", (c) => {
   }
   let body;
   try {
-    body = readFileSync14(realPath);
+    body = readFileSync15(realPath);
   } catch (err) {
     const code = err?.code;
     if (code === "EISDIR") {
@@ -11644,12 +12123,12 @@ function clientFrom(c) {
 var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
 var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join9(PLATFORM_ROOT7, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
-if (BRAND_JSON_PATH && !existsSync21(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && !existsSync22(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
 }
-if (BRAND_JSON_PATH && existsSync21(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync22(BRAND_JSON_PATH)) {
   try {
-    const parsed = JSON.parse(readFileSync15(BRAND_JSON_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync16(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
   } catch (err) {
     console.error(`[brand] Failed to parse brand.json: ${err.message}`);
@@ -11671,8 +12150,8 @@ var brandLoginOpts = {
 var ALIAS_DOMAINS_PATH2 = join9(homedir2(), BRAND.configDir, "alias-domains.json");
 function loadAliasDomains() {
   try {
-    if (!existsSync21(ALIAS_DOMAINS_PATH2)) return null;
-    const parsed = JSON.parse(readFileSync15(ALIAS_DOMAINS_PATH2, "utf-8"));
+    if (!existsSync22(ALIAS_DOMAINS_PATH2)) return null;
+    const parsed = JSON.parse(readFileSync16(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
       return null;
@@ -12018,14 +12497,14 @@ app36.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync21(filePath)) {
+  if (!existsSync22(filePath)) {
     console.error(`[agent-assets] serve slug=${slug} file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[agent-assets] serve slug=${slug} file=${filename} status=200`);
-  const body = readFileSync15(filePath);
+  const body = readFileSync16(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=3600"
@@ -12048,14 +12527,14 @@ app36.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync21(filePath)) {
+  if (!existsSync22(filePath)) {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[generated] serve file=${filename} status=200`);
-  const body = readFileSync15(filePath);
+  const body = readFileSync16(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=86400"
@@ -12065,9 +12544,9 @@ app36.route("/sites", sites_default);
 var htmlCache = /* @__PURE__ */ new Map();
 var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
-if (BRAND_JSON_PATH && existsSync21(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync22(BRAND_JSON_PATH)) {
   try {
-    const fullBrand = JSON.parse(readFileSync15(BRAND_JSON_PATH, "utf-8"));
+    const fullBrand = JSON.parse(readFileSync16(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
     brandIconPath = fullBrand.assets?.icon ? `/brand/${fullBrand.assets.icon}` : brandLogoPath;
   } catch {
@@ -12085,8 +12564,8 @@ function readInstalledVersion() {
   try {
     if (!PLATFORM_ROOT7) return "unknown";
     const versionFile = join9(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
-    if (!existsSync21(versionFile)) return "unknown";
-    const content = readFileSync15(versionFile, "utf-8").trim();
+    if (!existsSync22(versionFile)) return "unknown";
+    const content = readFileSync16(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
     return "unknown";
@@ -12127,7 +12606,7 @@ var clientErrorReporterScript = `<script>
 function cachedHtml(file) {
   let html = htmlCache.get(file);
   if (!html) {
-    html = readFileSync15(resolve21(process.cwd(), "public", file), "utf-8");
+    html = readFileSync16(resolve21(process.cwd(), "public", file), "utf-8");
     const productNameEsc = escapeHtml(BRAND.productName);
     html = html.replace(/<title>([^<]*)<\/title>/, (_match, inner) => `<title>${escapeHtml(inner).replace(/Maxy/g, productNameEsc)}</title>`);
     html = html.replace('href="/favicon.ico"', `href="${escapeHtml(brandFaviconPath)}"`);
@@ -12146,13 +12625,13 @@ function loadBrandingCache(agentSlug) {
   const configDir2 = join9(homedir2(), BRAND.configDir);
   try {
     const accountJsonPath = join9(configDir2, "account.json");
-    if (!existsSync21(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync15(accountJsonPath, "utf-8"));
+    if (!existsSync22(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync16(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
     const cachePath = join9(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
-    if (!existsSync21(cachePath)) return null;
-    return JSON.parse(readFileSync15(cachePath, "utf-8"));
+    if (!existsSync22(cachePath)) return null;
+    return JSON.parse(readFileSync16(cachePath, "utf-8"));
   } catch {
     return null;
   }
@@ -12161,8 +12640,8 @@ function resolveDefaultSlug() {
   try {
     const configDir2 = join9(homedir2(), BRAND.configDir);
     const accountJsonPath = join9(configDir2, "account.json");
-    if (!existsSync21(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync15(accountJsonPath, "utf-8"));
+    if (!existsSync22(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync16(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
     return null;
@@ -12235,7 +12714,7 @@ app36.use("/vnc-popout.html", logViewerFetch);
 app36.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
-    html = readFileSync15(resolve21(process.cwd(), "public", "vnc-popout.html"), "utf-8");
+    html = readFileSync16(resolve21(process.cwd(), "public", "vnc-popout.html"), "utf-8");
     const name = escapeHtml(BRAND.productName);
     html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
     html = html.replace("</head>", `  ${brandScript}
@@ -12325,8 +12804,8 @@ try {
 (async () => {
   try {
     let userId = "";
-    if (existsSync21(USERS_FILE)) {
-      const users = JSON.parse(readFileSync15(USERS_FILE, "utf-8").trim() || "[]");
+    if (existsSync22(USERS_FILE)) {
+      const users = JSON.parse(readFileSync16(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
     await backfillNullUserIdConversations(userId);