@rubytech/create-realagent 1.0.819 → 1.0.821

package/payload/server/server.js

@@ -51,7 +51,7 @@ import {
   vncLog,
   waitForExit,
   writeChromiumWrapper
-} from "./chunk-AJLGI7Y3.js";
+} from "./chunk-NUXYHO6N.js";
 import {
   agentLogStream,
   clearSessionHistory,
@@ -79,12 +79,27 @@ import {
   sigtermFlushStreamLogs,
   unregisterSession,
   validateSession
-} from "./chunk-ON3LBL2Y.js";
+} from "./chunk-SALVIGXH.js";
 import {
   ACCOUNTS_DIR,
+  PLATFORM_ROOT,
+  getDefaultAccountId,
+  resolveAccount,
+  resolveAgentConfig,
+  resolveDefaultAgentSlug,
+  resolveUserAccounts,
+  validateAgentSlug
+} from "./chunk-5OG7TUQL.js";
+import {
+  CLOUDFLARE_TASK_DIAGNOSTICS,
+  appendCloudflareSteps,
+  completeCloudflareTask,
+  openCloudflareTask,
+  readTunnelState
+} from "./chunk-CZGOB575.js";
+import {
   GREETING_DIRECTIVE,
   HAIKU_MODEL,
-  PLATFORM_ROOT,
   __commonJS,
   __toESM,
   backfillNullUserIdConversations,
@@ -99,7 +114,6 @@ import {
   findRecentConversation,
   generateSessionLabel,
   getAgentSessionIdForConversation,
-  getDefaultAccountId,
   getGroupParticipants,
   getMessagesSince,
   getRecentMessages,
@@ -110,236 +124,14 @@ import {
   loadOnboardingStep,
   projectAgent,
   renameConversation,
-  resolveAccount,
-  resolveAgentConfig,
-  resolveDefaultAgentSlug,
-  resolveUserAccounts,
   runBootMigrations,
-  validateAgentSlug,
   verifyAndGetConversationUpdatedAt,
   verifyConversationOwnership,
   writeAdminUserAndPerson
-} from "./chunk-PXQA2MA3.js";
-
-// ../lib/graph-write/dist/audit.js
-var require_audit = __commonJS({
-  "../lib/graph-write/dist/audit.js"(exports) {
-    "use strict";
-    Object.defineProperty(exports, "__esModule", { value: true });
-    exports.auditCypherWrite = auditCypherWrite;
-    exports.formatAuditLine = formatAuditLine;
-    var EDGE_PATTERN = /\[[^\]]*?:([A-Z_][A-Za-z0-9_]*(?:\|[A-Z_][A-Za-z0-9_]*)*)[^\]]*?\]/g;
-    var CREATE_OR_MERGE_NODE = /\b(?:CREATE|MERGE)\s*\(\s*[A-Za-z_][A-Za-z0-9_]*\s*:\s*[A-Z]/g;
-    var PROVENANCE_TOKEN = /\bcreatedBy(?:Agent|Tool|Session|Source)\b/g;
-    function stripStringLiterals(cypher) {
-      return cypher.replace(/'[^']*'|"[^"]*"/g, '""');
-    }
-    function extractEdgeTypes(cleaned) {
-      const out = /* @__PURE__ */ new Set();
-      for (const m of cleaned.matchAll(EDGE_PATTERN)) {
-        for (const t of m[1].split("|")) {
-          const clean = t.trim();
-          if (clean)
-            out.add(clean);
-        }
-      }
-      return out;
-    }
-    function countCreateOrMergeNodes(cleaned) {
-      const matches = cleaned.match(CREATE_OR_MERGE_NODE);
-      return matches ? matches.length : 0;
-    }
-    function countProvenanceStamps(cleaned) {
-      const matches = cleaned.match(PROVENANCE_TOKEN);
-      return matches ? matches.length : 0;
-    }
-    function auditCypherWrite(input) {
-      const warnings = [];
-      const cleaned = stripStringLiterals(input.cypher);
-      const referencedTypes = extractEdgeTypes(cleaned);
-      for (const t of referencedTypes) {
-        if (!input.schema.relationshipTypes.has(t)) {
-          warnings.push({ kind: "unknown-type-warning", type: t });
-        }
-      }
-      if (input.nodesCreated > 0) {
-        const createOrMergeNodes = countCreateOrMergeNodes(cleaned);
-        if (createOrMergeNodes > 0) {
-          const stamps = countProvenanceStamps(cleaned);
-          if (stamps < createOrMergeNodes) {
-            warnings.push({
-              kind: "missing-provenance-warning",
-              created: createOrMergeNodes,
-              stamped: stamps
-            });
-          }
-        }
-      }
-      if (input.orphanIds.length > 0) {
-        warnings.push({ kind: "orphan-warning", orphanIds: input.orphanIds });
-      }
-      return warnings;
-    }
-    function formatAuditLine(line) {
-      const prefixField = `query="${line.cypherPrefix.replace(/"/g, "'")}"`;
-      switch (line.kind) {
-        case "accepted":
-          return `[graph-cypher-write] accepted ${prefixField} nodesCreated=${line.nodesCreated} relsCreated=${line.relsCreated} agentName=${line.agentName} sessionId=${line.sessionId}`;
-        case "orphan-warning":
-          return `[graph-cypher-write] orphan-warning ${prefixField} orphanIds=${line.orphanIds.join(",")}`;
-        case "unknown-type-warning":
-          return `[graph-cypher-write] unknown-type-warning ${prefixField} type=${line.type}`;
-        case "missing-provenance-warning":
-          return `[graph-cypher-write] missing-provenance-warning ${prefixField} created=${line.created} stamped=${line.stamped}`;
-      }
-    }
-  }
-});
-
-// ../lib/graph-write/dist/index.js
-var require_dist = __commonJS({
-  "../lib/graph-write/dist/index.js"(exports) {
-    "use strict";
-    var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __exportStar = exports && exports.__exportStar || function(m, exports2) {
-      for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports2, p)) __createBinding(exports2, m, p);
-    };
-    Object.defineProperty(exports, "__esModule", { value: true });
-    exports.ACTION_PROVENANCE_LABELS = void 0;
-    exports.stampCreatedBy = stampCreatedBy;
-    exports.writeNodeWithEdges = writeNodeWithEdges2;
-    __exportStar(require_audit(), exports);
-    exports.ACTION_PROVENANCE_LABELS = /* @__PURE__ */ new Set([
-      "Person",
-      "UserProfile",
-      "AdminUser",
-      "Organization",
-      "LocalBusiness",
-      "CloudflareTunnel",
-      "CloudflareHostname"
-    ]);
-    function requiresActionProvenance(labels) {
-      for (const label of labels) {
-        if (exports.ACTION_PROVENANCE_LABELS.has(label))
-          return true;
-      }
-      return false;
-    }
-    function findProducedFromTaskCandidates(relationships) {
-      return relationships.filter((r) => r.type === "PRODUCED" && r.direction === "incoming");
-    }
-    function stampCreatedBy(props, createdBy) {
-      return {
-        ...props,
-        createdByAgent: createdBy.agent ?? "unknown",
-        createdBySession: createdBy.session ?? "unknown",
-        createdByTool: createdBy.tool ?? null,
-        createdBySource: createdBy.source ?? null
-      };
-    }
-    async function writeNodeWithEdges2(params) {
-      const { session, labels, props, relationships, createdBy } = params;
-      const agentLabel = createdBy.agent ?? createdBy.source ?? "unknown";
-      const labelCsv = labels.join(",");
-      const reviewDigestActionTool = typeof props.actionTool === "string" && props.actionTool === "review-digest-compose";
-      if (labels.includes("ReviewAlert") || reviewDigestActionTool) {
-        const actionToolField = reviewDigestActionTool ? "review-digest-compose" : "n/a";
-        process.stderr.write(`[graph-write] reject reason=removed-feature labels=${labelCsv} actionTool=${actionToolField} agent=${agentLabel}
-`);
-        throw new Error("Write doctrine violated: review-detector feature removed (Task 884) \u2014 `:ReviewAlert` and `:Event {actionTool:'review-digest-compose'}` writes are not allowed.");
-      }
-      if (!relationships || relationships.length < 1) {
-        process.stderr.write(`[graph-write] reject reason=zero-relationships labels=${labelCsv} agent=${agentLabel}
-`);
-        throw new Error("Write doctrine violated: a node must be created with at least one relationship. See .docs/neo4j.md (Write doctrine).");
-      }
-      const labelStr = labels.map((l) => `\`${l.replace(/`/g, "")}\``).join(":");
-      const nodeProps = stampCreatedBy(props, createdBy);
-      return await session.executeWrite(async (tx) => {
-        const targetIds = relationships.map((r) => r.targetNodeId);
-        const check = await tx.run(`UNWIND $ids AS id MATCH (t) WHERE elementId(t) = id RETURN elementId(t) AS id, labels(t) AS labels`, { ids: targetIds });
-        const labelsByTarget = /* @__PURE__ */ new Map();
-        for (const rec of check.records) {
-          labelsByTarget.set(rec.get("id"), rec.get("labels"));
-        }
-        const found = labelsByTarget.size;
-        const uniqueRequested = new Set(targetIds).size;
-        if (found !== uniqueRequested) {
-          process.stderr.write(`[graph-write] reject reason=unresolved-target labels=${labelCsv} agent=${agentLabel} requested=${uniqueRequested} found=${found}
-`);
-          throw new Error(`Write doctrine violated: ${uniqueRequested - found} of ${uniqueRequested} relationship target(s) did not resolve (elementId mismatch). No node created.`);
-        }
-        let producedByTaskId = null;
-        if (requiresActionProvenance(labels) && (createdBy.agent ?? "") !== "system") {
-          const candidates = findProducedFromTaskCandidates(relationships);
-          const taskCandidates = candidates.filter((r) => {
-            const lbls = labelsByTarget.get(r.targetNodeId);
-            return Array.isArray(lbls) && lbls.includes("Task");
-          });
-          if (taskCandidates.length === 0) {
-            process.stderr.write(`[graph-write] reject reason=missing-action-provenance labels=${labelCsv} agent=${agentLabel}
-`);
-            throw new Error(`Process provenance doctrine violated: write to ${labelCsv} requires an inbound :PRODUCED edge from a :Task (createdBy.agent='${agentLabel}'). See .docs/neo4j.md (Process provenance doctrine).`);
-          }
-          producedByTaskId = taskCandidates[0].targetNodeId;
-        }
-        let nodeRes;
-        try {
-          nodeRes = await tx.run(`CREATE (n:${labelStr} $props) RETURN elementId(n) AS nodeId, labels(n) AS nodeLabels`, { props: nodeProps });
-        } catch (err) {
-          const code = err?.code ?? "";
-          if (code === "Neo.ClientError.Schema.ConstraintValidationFailed" && labels.includes("UserProfile")) {
-            const accountIdProp = nodeProps.accountId;
-            const userIdProp = nodeProps.userId;
-            const acctSlice = typeof accountIdProp === "string" ? accountIdProp.slice(0, 8) : "unknown";
-            const userSlice = typeof userIdProp === "string" ? userIdProp.slice(0, 8) : "unknown";
-            process.stderr.write(`[graph-write] reject reason=user-profile-uniqueness-violation accountId=${acctSlice} userId=${userSlice} writer=${agentLabel}
-`);
-          }
-          throw err;
-        }
-        const nodeId = nodeRes.records[0].get("nodeId");
-        const nodeLabels = nodeRes.records[0].get("nodeLabels");
-        let edgesCreated = 0;
-        for (const rel of relationships) {
-          const type = rel.type.replace(/`/g, "");
-          const q = rel.direction === "outgoing" ? `MATCH (a), (b) WHERE elementId(a) = $from AND elementId(b) = $to CREATE (a)-[:\`${type}\`]->(b)` : `MATCH (a), (b) WHERE elementId(a) = $from AND elementId(b) = $to CREATE (b)-[:\`${type}\`]->(a)`;
-          const r = await tx.run(q, { from: nodeId, to: rel.targetNodeId });
-          const created = r.summary.counters.updates().relationshipsCreated;
-          if (created === 0) {
-            process.stderr.write(`[graph-write] reject reason=unresolved-target-on-create labels=${labelCsv} agent=${agentLabel} relType=${rel.type} targetId=${rel.targetNodeId}
-`);
-            throw new Error(`Write doctrine violated: relationship CREATE to target ${rel.targetNodeId} produced 0 edges (target likely deleted concurrently after pre-check). Transaction rolled back.`);
-          }
-          edgesCreated += created;
-        }
-        if (edgesCreated !== relationships.length) {
-          process.stderr.write(`[graph-write] reject reason=edge-count-mismatch labels=${labelCsv} agent=${agentLabel} requested=${relationships.length} created=${edgesCreated}
-`);
-          throw new Error(`Write doctrine violated: expected ${relationships.length} edges, created ${edgesCreated}. Transaction rolled back.`);
-        }
-        process.stderr.write(`[graph-write] accepted labels=${labelCsv} edges=${edgesCreated} createdByAgent=${createdBy.agent ?? "unknown"} createdByTool=${createdBy.tool ?? createdBy.source ?? "unknown"} producedByTask=${producedByTaskId ?? "none"}
-`);
-        return { nodeId, labels: nodeLabels, edgesCreated };
-      });
-    }
-  }
-});
+} from "./chunk-ZT6LKDTP.js";
 
 // ../lib/graph-trash/dist/index.js
-var require_dist2 = __commonJS({
+var require_dist = __commonJS({
   "../lib/graph-trash/dist/index.js"(exports) {
     "use strict";
     Object.defineProperty(exports, "__esModule", { value: true });
@@ -835,7 +627,7 @@ var serveStatic = (options = { root: "" }) => {
 };
 
 // server/index.ts
-import { readFileSync as readFileSync16, existsSync as existsSync22, watchFile } from "fs";
+import { readFileSync as readFileSync15, existsSync as existsSync21, watchFile } from "fs";
 import { resolve as resolve21, join as join9, basename as basename5 } from "path";
 import { homedir as homedir2 } from "os";
 
@@ -7492,7 +7284,7 @@ var app11 = new Hono();
 app11.post("/cancel", requireAdminSession, async (c) => {
   const session_key = c.var.sessionKey;
   try {
-    const { interruptClient: interruptClient2 } = await import("./client-pool-GBY5I2KQ.js");
+    const { interruptClient: interruptClient2 } = await import("./client-pool-IQU6H43X.js");
     await interruptClient2(session_key);
     return c.json({ ok: true });
   } catch (err) {
@@ -8797,7 +8589,7 @@ var events_default = app20;
 // server/routes/admin/cloudflare.ts
 import { homedir } from "os";
 import { resolve as resolve14 } from "path";
-import { readFileSync as readFileSync14 } from "fs";
+import { readFileSync as readFileSync13 } from "fs";
 
 // app/lib/dns-label.ts
 var VALID_LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
@@ -8835,214 +8627,6 @@ function addAliasDomain(hostname2) {
   writeFileSync6(ALIAS_DOMAINS_PATH, JSON.stringify([...existing], null, 2) + "\n", "utf-8");
 }
 
-// app/lib/cloudflare-task-tracker.ts
-import { readFileSync as readFileSync13, existsSync as existsSync17 } from "fs";
-import { randomUUID as randomUUID7 } from "crypto";
-var import_dist = __toESM(require_dist(), 1);
-var CREATED_BY_AGENT = "cloudflare-setup-endpoint";
-var TASK_KIND = "cloudflare-tunnel-login";
-async function openCloudflareTask(params) {
-  const { accountId, conversationKey, inputsProvided } = params;
-  const taskId = randomUUID7();
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  const session = getSession();
-  try {
-    const conv = await session.run(
-      `MATCH (c:Conversation {sessionKey: $conversationKey, accountId: $accountId}) RETURN elementId(c) AS id LIMIT 1`,
-      { conversationKey, accountId }
-    );
-    if (conv.records.length === 0) {
-      throw new Error(
-        `cloudflare-task-tracker: no Conversation with sessionKey=${conversationKey.slice(-8)} for accountId \u2014 refusing to create an orphan Task`
-      );
-    }
-    const conversationElementId = conv.records[0].get("id");
-    const props = {
-      taskId,
-      accountId,
-      name: "Cloudflare tunnel login + setup",
-      description: `Deterministic cloudflare setup invoked by /api/admin/cloudflare/setup. inputsProvided=[${inputsProvided.join(", ")}]`,
-      status: "running",
-      priority: "normal",
-      kind: TASK_KIND,
-      inputsProvided,
-      startedAt: now,
-      createdAt: now,
-      updatedAt: now
-    };
-    const relationships = [
-      {
-        type: "RAISED_DURING",
-        direction: "outgoing",
-        targetNodeId: conversationElementId
-      }
-    ];
-    const result = await (0, import_dist.writeNodeWithEdges)({
-      session,
-      labels: ["Task"],
-      props,
-      relationships,
-      createdBy: {
-        agent: CREATED_BY_AGENT,
-        session: conversationKey,
-        tool: "cloudflare-setup-endpoint"
-      }
-    });
-    process.stderr.write(
-      `[task] action-start kind=${TASK_KIND} taskId=${taskId} raisedDuring=${conversationKey.slice(-8)}
-`
-    );
-    return { taskId, taskElementId: result.nodeId };
-  } finally {
-    await session.close();
-  }
-}
-async function appendCloudflareSteps(taskId, accountId, streamLogPath) {
-  if (!existsSync17(streamLogPath)) return [];
-  let content;
-  try {
-    content = readFileSync13(streamLogPath, "utf-8");
-  } catch {
-    return [];
-  }
-  const steps = [];
-  for (const line of content.split(/\r?\n/)) {
-    const m = line.match(/\bphase_line\s+setup-tunnel\s+step=(\S+)/);
-    if (m) steps.push(m[1]);
-  }
-  if (steps.length === 0) return [];
-  const session = getSession();
-  try {
-    await session.run(
-      `MATCH (t:Task {taskId: $taskId, accountId: $accountId})
-       SET t.steps = coalesce(t.steps, []) + $steps,
-           t.updatedAt = $updatedAt`,
-      { taskId, accountId, steps, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }
-    );
-    for (const step of steps) {
-      process.stderr.write(
-        `[task] action-step kind=${TASK_KIND} taskId=${taskId} step=${step}
-`
-      );
-    }
-    return steps;
-  } finally {
-    await session.close();
-  }
-}
-async function completeCloudflareTask(params) {
-  const { taskId, taskElementId, accountId, conversationKey, tunnelId, tunnelName, hostnames, status, errorMessage } = params;
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  if (status === "failed" && (!errorMessage || errorMessage.trim().length === 0)) {
-    throw new Error(
-      "cloudflare-task-tracker: errorMessage is required when status='failed' (Task 885 process-provenance contract)."
-    );
-  }
-  const session = getSession();
-  try {
-    if (status === "completed" && tunnelId && tunnelName) {
-      const conv = await session.run(
-        `MATCH (c:Conversation {sessionKey: $conversationKey, accountId: $accountId}) RETURN elementId(c) AS id LIMIT 1`,
-        { conversationKey, accountId }
-      );
-      const conversationElementId = conv.records.length > 0 ? conv.records[0].get("id") : null;
-      const tunnelProps = {
-        accountId,
-        tunnelId,
-        tunnelName,
-        createdAt: now,
-        updatedAt: now
-      };
-      const tunnelRels = [
-        { type: "PRODUCED", direction: "incoming", targetNodeId: taskElementId }
-      ];
-      if (conversationElementId) {
-        tunnelRels.push({
-          type: "RAISED_DURING",
-          direction: "outgoing",
-          targetNodeId: conversationElementId
-        });
-      }
-      const tunnelWrite = await (0, import_dist.writeNodeWithEdges)({
-        session,
-        labels: ["CloudflareTunnel"],
-        props: tunnelProps,
-        relationships: tunnelRels,
-        createdBy: {
-          agent: CREATED_BY_AGENT,
-          session: conversationKey,
-          tool: "cloudflare-setup-endpoint"
-        }
-      });
-      for (const h of hostnames ?? []) {
-        const hostRels = [
-          { type: "PRODUCED", direction: "incoming", targetNodeId: taskElementId },
-          {
-            type: "ROUTES_TO",
-            direction: "outgoing",
-            targetNodeId: tunnelWrite.nodeId
-          }
-        ];
-        await (0, import_dist.writeNodeWithEdges)({
-          session,
-          labels: ["CloudflareHostname"],
-          props: {
-            accountId,
-            hostnameValue: h.hostnameValue,
-            tunnelId,
-            isApex: h.isApex,
-            createdAt: now,
-            updatedAt: now
-          },
-          relationships: hostRels,
-          createdBy: {
-            agent: CREATED_BY_AGENT,
-            session: conversationKey,
-            tool: "cloudflare-setup-endpoint"
-          }
-        });
-      }
-    }
-    const setClauses = [
-      "t.status = $status",
-      "t.completedAt = $now",
-      "t.updatedAt = $now"
-    ];
-    const queryParams = { taskId, accountId, status, now };
-    if (status === "failed" && errorMessage) {
-      setClauses.push("t.errorMessage = $errorMessage");
-      queryParams.errorMessage = errorMessage;
-    }
-    const updateRes = await session.run(
-      `MATCH (t:Task {taskId: $taskId, accountId: $accountId})
-       SET ${setClauses.join(", ")}
-       RETURN size(coalesce(t.steps, [])) AS stepsCount`,
-      queryParams
-    );
-    const stepsCount = updateRes.records[0]?.get("stepsCount")?.toNumber?.() ?? 0;
-    process.stderr.write(
-      `[task] action-done kind=${TASK_KIND} taskId=${taskId} status=${status} stepsCount=${stepsCount}
-`
-    );
-  } finally {
-    await session.close();
-  }
-}
-function readTunnelState(brandConfigDir) {
-  const statePath = `${process.env.HOME ?? ""}/${brandConfigDir}/cloudflared/tunnel.state`;
-  if (!existsSync17(statePath)) return null;
-  try {
-    const parsed = JSON.parse(readFileSync13(statePath, "utf-8"));
-    const tunnelId = typeof parsed.tunnelId === "string" ? parsed.tunnelId : null;
-    const tunnelName = typeof parsed.tunnelName === "string" ? parsed.tunnelName : null;
-    const domain = typeof parsed.domain === "string" ? parsed.domain : null;
-    if (!tunnelId || !tunnelName || !domain) return null;
-    return { tunnelId, tunnelName, domain };
-  } catch {
-    return null;
-  }
-}
-
 // server/routes/admin/cloudflare.ts
 var SETUP_TIMEOUT_MS = 10 * 60 * 1e3;
 var DOMAINS_TIMEOUT_MS = 40 * 1e3;
@@ -9050,7 +8634,7 @@ function loadBrandInfo() {
   const platformRoot2 = process.env.MAXY_PLATFORM_ROOT ?? resolve14(process.cwd(), "..");
   const brandPath = resolve14(platformRoot2, "config", "brand.json");
   try {
-    const parsed = JSON.parse(readFileSync14(brandPath, "utf-8"));
+    const parsed = JSON.parse(readFileSync13(brandPath, "utf-8"));
     const hostname2 = typeof parsed.hostname === "string" && parsed.hostname ? parsed.hostname : "maxy";
     const configDir2 = typeof parsed.configDir === "string" && parsed.configDir ? parsed.configDir : ".maxy";
     return { hostname: hostname2, configDir: configDir2 };
@@ -9067,6 +8651,12 @@ function resolvePort() {
   }
   return n;
 }
+function isValidTunnelId(s) {
+  return /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(s);
+}
+function isValidTunnelName(s) {
+  return /^[A-Za-z0-9_.-]{1,64}$/.test(s);
+}
 function validateBody(body) {
   if (!body || typeof body !== "object") return { field: "request", message: "Invalid request body" };
   if (typeof body.adminLabel !== "string" || !isValidLabel(body.adminLabel)) {
@@ -9091,6 +8681,20 @@ function validateBody(body) {
       return { field: "request", message: "Apex must be a valid domain or omitted." };
     }
   }
+  const idSet = typeof body.tunnelId === "string" && body.tunnelId.length > 0;
+  const nameSet = typeof body.tunnelName === "string" && body.tunnelName.length > 0;
+  if (!idSet && !nameSet) {
+    return { field: "tunnel", message: "Pick an existing tunnel from the list, or type a name to create a new one." };
+  }
+  if (idSet && nameSet) {
+    return { field: "tunnel", message: "Pick OR create \u2014 not both. Clear one of the tunnel inputs." };
+  }
+  if (idSet && !isValidTunnelId(body.tunnelId)) {
+    return { field: "tunnel", message: "Selected tunnel UUID is malformed." };
+  }
+  if (nameSet && !isValidTunnelName(body.tunnelName)) {
+    return { field: "tunnel", message: "New-tunnel name must be 1\u201364 characters of letters, digits, dot, dash, underscore." };
+  }
   return null;
 }
 var app21 = new Hono();
@@ -9203,6 +8807,91 @@ ${result.stderr}` : ""}`;
   );
   return c.json(success, 200);
 });
+var TUNNELS_TIMEOUT_MS = 30 * 1e3;
+app21.get("/tunnels", requireAdminSession, async (c) => {
+  const started = Date.now();
+  const sessionKey = c.var.sessionKey;
+  let correlationId;
+  let sessionKeyTail;
+  let streamLogPath;
+  function tag() {
+    if (!correlationId) return "";
+    return ` conversationId=${correlationId} session_key=${sessionKeyTail ?? "unknown"}`;
+  }
+  function log(line) {
+    console.log(`[cloudflare-tunnels] ${line}${tag()}`);
+  }
+  function logErr(line) {
+    console.error(`[cloudflare-tunnels] ${line}${tag()}`);
+  }
+  function err(field, message, output) {
+    logErr(`phase=error field=${field} reason="${message.slice(0, 160).replace(/"/g, "'")}"`);
+    if (streamLogPath) {
+      writeRouteMilestone(
+        streamLogPath,
+        "cloudflare-tunnels",
+        `phase=error field=${field} reason="${message.slice(0, 160).replace(/"/g, "'")}"`
+      );
+    }
+    const body = { ok: false, field, message, output, correlationId, streamLogPath };
+    return c.json(body, 200);
+  }
+  const accountId = getAccountIdForSession(sessionKey);
+  correlationId = getConversationIdForSession(sessionKey);
+  sessionKeyTail = sessionKey.slice(-8);
+  if (!accountId) return err("session", "No account bound to session \u2014 refresh chat.");
+  if (!correlationId) return err("session", "No active conversation for session \u2014 refresh chat.");
+  streamLogPath = streamLogPathFor(accountId, correlationId).streamLogPath;
+  const brand = loadBrandInfo();
+  const certPath = resolve14(homedir(), brand.configDir, "cloudflared", "cert.pem");
+  const { existsSync: existsSync22 } = await import("fs");
+  if (!existsSync22(certPath)) {
+    return err("cert", `Cloudflare origin certificate is not on disk yet (${certPath}). Complete the Cloudflare login first by submitting the form once \u2014 the OAuth flow writes cert.pem.`);
+  }
+  const result = await runFormSpawn({
+    scriptPath: "cloudflared",
+    args: ["--origincert", certPath, "tunnel", "list", "--output", "json"],
+    streamLogPath,
+    correlationId,
+    timeoutMs: TUNNELS_TIMEOUT_MS,
+    log,
+    logErr,
+    broadcast: broadcastToConversation
+  });
+  const combined = `${result.stdout}${result.stderr ? `
+---
+${result.stderr}` : ""}`;
+  if (result.code !== 0) {
+    const message = result.timedOut ? `cloudflared tunnel list timed out after ${TUNNELS_TIMEOUT_MS / 1e3}s` : `cloudflared tunnel list exited with code ${result.code ?? "null"}${result.signal ? ` (signal ${result.signal})` : ""}`;
+    return err("script", message, combined);
+  }
+  let tunnels;
+  try {
+    const parsed = JSON.parse(result.stdout.trim());
+    if (!Array.isArray(parsed)) throw new Error("cloudflared response is not an array");
+    tunnels = parsed.filter((t) => t.deleted_at == null).map((t) => {
+      if (typeof t.id !== "string" || typeof t.name !== "string") {
+        throw new Error("tunnel entry missing id or name");
+      }
+      return { id: t.id, name: t.name };
+    });
+  } catch (e) {
+    return err(
+      "script",
+      `cloudflared returned malformed JSON: ${e instanceof Error ? e.message : String(e)}`,
+      combined
+    );
+  }
+  const total = Date.now() - started;
+  log(`phase=response-sent total_ms=${total} count=${tunnels.length}`);
+  writeRouteMilestone(
+    streamLogPath,
+    "cloudflare-tunnels",
+    `phase=response-sent total_ms=${total} count=${tunnels.length} source=cloudflared`
+  );
+  const success = { ok: true, tunnels, correlationId, streamLogPath };
+  return c.json(success, 200);
+});
 app21.post("/setup", requireAdminSession, async (c) => {
   const started = Date.now();
   const sessionKey = c.var.sessionKey;
@@ -9297,7 +8986,15 @@ app21.post("/setup", requireAdminSession, async (c) => {
     cloudflareTask = await openCloudflareTask({
       accountId,
       conversationKey: sessionKey,
-      inputsProvided: ["adminLabel", "adminDomain", publicFqdn ? "publicLabel" : null, apex ? "apex" : null, "password"].filter((s) => typeof s === "string")
+      inputsProvided: ["adminLabel", "adminDomain", publicFqdn ? "publicLabel" : null, apex ? "apex" : null, "password"].filter((s) => typeof s === "string"),
+      inputs: {
+        adminLabel: body.adminLabel,
+        adminDomain: body.adminDomain,
+        publicLabel: body.publicLabel,
+        publicDomain: body.publicDomain,
+        apex: body.apex
+      },
+      messageId: typeof body.messageId === "string" && body.messageId.length > 0 ? body.messageId : void 0
     });
     log(`phase=task-opened taskId=${cloudflareTask.taskId}`);
   } catch (e) {
@@ -9306,7 +9003,13 @@ app21.post("/setup", requireAdminSession, async (c) => {
   let actionId;
   let unit;
   try {
-    const launched = await launchAction("cloudflare-setup", { positional: args, streamLogPath, accountDir });
+    const launched = await launchAction("cloudflare-setup", {
+      positional: args,
+      streamLogPath,
+      accountDir,
+      tunnelId: typeof body.tunnelId === "string" && body.tunnelId.length > 0 ? body.tunnelId : void 0,
+      tunnelName: typeof body.tunnelName === "string" && body.tunnelName.length > 0 ? body.tunnelName : void 0
+    });
     actionId = launched.actionId;
     unit = launched.unit;
   } catch (e) {
@@ -9324,14 +9027,14 @@ app21.post("/setup", requireAdminSession, async (c) => {
     if (!status || status.execMainStatus !== 0) {
       logErr(`phase=post-exit-skipped reason=${status ? `exit=${status.execMainStatus}` : "unit-gone"} id=${actionId}`);
       try {
-        const exitReason = status ? `script exited with status ${status.execMainStatus}` : "systemd unit vanished before exit recorded";
+        const diagnostic = status ? `${CLOUDFLARE_TASK_DIAGNOSTICS.scriptExitedNonzero} exit=${status.execMainStatus}` : CLOUDFLARE_TASK_DIAGNOSTICS.endpointDiedPreReconcile;
         await completeCloudflareTask({
           taskId: cloudflareTask.taskId,
           taskElementId: cloudflareTask.taskElementId,
           accountId,
           conversationKey: sessionKey,
           status: "failed",
-          errorMessage: exitReason
+          errorMessage: diagnostic
         });
       } catch (e) {
         logErr(`phase=task-close-failed status=failed reason="${e instanceof Error ? e.message : String(e)}"`);
@@ -10071,7 +9774,7 @@ app22.delete("/", requireAdminSession, async (c) => {
 var files_default = app22;
 
 // ../lib/graph-search/src/index.ts
-var import_dist2 = __toESM(require_dist2());
+var import_dist = __toESM(require_dist());
 import { int } from "neo4j-driver";
 var VECTOR_WEIGHT = 0.7;
 var BM25_WEIGHT = 0.3;
@@ -10126,7 +9829,7 @@ async function bm25Only(session, params) {
        ${scopeClause}
        ${agentClause}
        ${labelClause}
-       AND ${(0, import_dist2.notTrashed)("node")}
+       AND ${(0, import_dist.notTrashed)("node")}
        ${kwClause}
        RETURN node, score, labels(node) AS nodeLabels, elementId(node) AS nodeId
        ORDER BY score DESC
@@ -10216,7 +9919,7 @@ async function hybrid(session, embed2, params) {
        WHERE node.accountId = $accountId
        ${scopeClause}
        ${agentClause}
-       AND ${(0, import_dist2.notTrashed)("node")}
+       AND ${(0, import_dist.notTrashed)("node")}
        ${keywordClause}
        RETURN node, score, labels(node) AS nodeLabels, elementId(node) AS nodeId
        ORDER BY score DESC
@@ -10277,7 +9980,7 @@ async function hybrid(session, embed2, params) {
     const propResult = await session.run(
       `MATCH (node)
        WHERE node.accountId = $accountId
-       AND ${(0, import_dist2.notTrashed)("node")}
+       AND ${(0, import_dist.notTrashed)("node")}
        AND node.keywords IS NOT NULL
        AND ANY(kw IN $kwSubs WHERE ANY(nk IN node.keywords WHERE toLower(nk) = kw))
        ${propScopeClause}
@@ -10334,7 +10037,7 @@ async function hybrid(session, embed2, params) {
       `UNWIND $nodeIds AS nid
        MATCH (n)-[r]-(related)
        WHERE elementId(n) = nid
-       AND ${(0, import_dist2.notTrashed)("related")}
+       AND ${(0, import_dist.notTrashed)("related")}
        ${expandScopeClause}
        ${expandAgentClause}
        WITH nid, n, r, related
@@ -10779,6 +10482,12 @@ async function handleDefault(c, accountId) {
 var NEIGHBOURHOOD_SEARCH_DEFAULT_LIMIT = 100;
 var NEIGHBOURHOOD_SEARCH_MAX_LIMIT = 2e3;
 var NEIGHBOURHOOD_LIMIT = 2e3;
+var CLUSTER_CONVERSATION_LABELS = /* @__PURE__ */ new Set([
+  "Conversation",
+  "AdminConversation",
+  "PublicConversation"
+]);
+var MAX_CLUSTER_MESSAGES = 200;
 async function handleNeighbourhood(c, accountId) {
   const elementId = c.req.query("elementId");
   if (!elementId) {
@@ -10816,7 +10525,12 @@ async function handleNeighbourhood(c, accountId) {
       // `neo4j.int` keeps the LIMIT value as a 64-bit Integer on the wire —
       // bare JS `number` works on Pi 4 today but errors on driver versions
       // that strictly type-check LIMIT clauses against Long.
-      neighbourhoodLimit: neo4j2.int(NEIGHBOURHOOD_LIMIT)
+      neighbourhoodLimit: neo4j2.int(NEIGHBOURHOOD_LIMIT),
+      // Task 886 §C — same Long-int discipline for the cluster-expand cap.
+      // Used by NEIGHBOURHOOD_CYPHER's `siblingMessages[0..$clusterMessagesCap]`
+      // slice. The search-intersect variant ignores it (cluster-expand
+      // does not apply when search is narrowing the canvas).
+      clusterMessagesCap: neo4j2.int(MAX_CLUSTER_MESSAGES)
     };
     if (allowedIds !== null) cypherParams.allowedIds = allowedIds;
     const result = await session.executeRead(async (tx) => {
@@ -10839,6 +10553,15 @@ async function handleNeighbourhood(c, accountId) {
     console.error(
       `[graph-page] load mode=neighbourhood account=${accountId} agentActions=${includeAgentActions} elementId=${elementId} nodes=${nodes.length} edges=${edges.length} ms=${elapsed}`
     );
+    if (allowedIds === null) {
+      const conversationNode = nodes.find((n) => n.labels.some((lbl) => CLUSTER_CONVERSATION_LABELS.has(lbl)));
+      const messageCount = nodes.filter((n) => n.labels.includes("Message")).length;
+      if (conversationNode && messageCount >= 2) {
+        console.error(
+          `[graph] cluster-expand kind=conversation conversationId=${conversationNode.id} messageCount=${messageCount} reason=click-target-is-${nodes[0]?.labels.includes("Message") ? "message" : "conversation"}`
+        );
+      }
+    }
     if (allowedIds !== null) {
       console.error(
         `[graph-page] neighbourhood-search-intersect q="${q}" allowed=${allowedIds.length} root=${elementId} rendered=${nodes.length}`
@@ -10939,15 +10662,50 @@ var NEIGHBOURHOOD_CYPHER = `
     AND n.accountId = $accountId
     AND NOT n:Trashed
     AND n.deletedAt IS NULL
+
+  // Resolve the owning Conversation: either n itself if it carries a
+  // Conversation sublabel, or the Conversation reached by one PART_OF
+  // hop (Messages \u2192 Conversation). For non-cluster roots both branches
+  // null out and \`conv\` stays null.
+  OPTIONAL MATCH (n)-[:PART_OF]->(convFromMsg:Conversation)
+    WHERE convFromMsg.accountId = $accountId
+      AND NOT convFromMsg:Trashed
+      AND convFromMsg.deletedAt IS NULL
+  WITH n, CASE
+    WHEN any(lbl IN labels(n) WHERE lbl IN ['Conversation','AdminConversation','PublicConversation']) THEN n
+    ELSE convFromMsg
+  END AS conv
+
+  // Pull all sibling messages of that conversation (or all messages of
+  // n itself when n is a Conversation). EXCLUDE n from the collection
+  // so the later \`[n] + \u2026\` doesn't double-count.
+  OPTIONAL MATCH (conv)<-[:PART_OF]-(siblingMsg:Message)
+    WHERE siblingMsg.accountId = $accountId
+      AND NOT siblingMsg:Trashed
+      AND siblingMsg.deletedAt IS NULL
+      AND elementId(siblingMsg) <> elementId(n)
+  WITH n, conv, collect(DISTINCT siblingMsg) AS siblingMessages
+  WITH n, conv, siblingMessages[0..$clusterMessagesCap] AS clusterMessages
+
   OPTIONAL MATCH (n)-[]-(m)
     WHERE m.accountId = $accountId
       AND NOT m:Trashed
       AND m.deletedAt IS NULL
       AND NOT any(lbl IN labels(m) WHERE lbl IN $agentActionLabels)
-  WITH n, m
+  WITH n, conv, clusterMessages, m
   LIMIT $neighbourhoodLimit
-  WITH n, collect(DISTINCT m) AS neighbours
-  WITH [n] + [x IN neighbours WHERE x IS NOT NULL] AS windowNodes
+  WITH n, conv, clusterMessages, collect(DISTINCT m) AS neighbours
+
+  // Compose the window: root + (conv if non-null and not already n) +
+  // cluster messages + 1-hop neighbours not already in the cluster.
+  WITH [n]
+       + (CASE WHEN conv IS NOT NULL AND elementId(conv) <> elementId(n) THEN [conv] ELSE [] END)
+       + clusterMessages
+       + [x IN neighbours WHERE x IS NOT NULL
+            AND elementId(x) <> elementId(n)
+            AND (conv IS NULL OR elementId(x) <> elementId(conv))
+            AND none(c IN clusterMessages WHERE elementId(c) = elementId(x))]
+       AS windowNodes
   WITH windowNodes, [x IN windowNodes | elementId(x)] AS windowIds
   UNWIND windowNodes AS w
   OPTIONAL MATCH (w)-[r]-(o)
@@ -11510,7 +11268,7 @@ var adherence_default = app30;
 import neo4j3 from "neo4j-driver";
 import { readFile as readFile5, readdir as readdir3, stat as stat5 } from "fs/promises";
 import { resolve as resolve17, relative as relative2, isAbsolute } from "path";
-import { existsSync as existsSync18 } from "fs";
+import { existsSync as existsSync17 } from "fs";
 var LIMIT = 50;
 var TEXT_MIME_PREFIXES = ["text/", "application/json", "application/markdown"];
 var ADMIN_AGENT_FILES = ["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"];
@@ -11658,7 +11416,7 @@ async function fetchAgentTemplateRows(accountDir) {
 async function unionSpecialistFilenames(overrideDir, bundledDir) {
   const names = /* @__PURE__ */ new Set();
   for (const dir of [overrideDir, bundledDir]) {
-    if (!existsSync18(dir)) continue;
+    if (!existsSync17(dir)) continue;
     try {
       const entries = await readdir3(dir);
       for (const entry of entries) {
@@ -11673,7 +11431,7 @@ async function unionSpecialistFilenames(overrideDir, bundledDir) {
 }
 async function readAgentTemplateRow(inp) {
   let chosenPath = null;
-  if (existsSync18(inp.overridePath)) {
+  if (existsSync17(inp.overridePath)) {
     try {
       validateFilePathInAccount(inp.overridePath, inp.overrideRoot);
       chosenPath = inp.overridePath;
@@ -11684,7 +11442,7 @@ async function readAgentTemplateRow(inp) {
       );
       return null;
     }
-  } else if (existsSync18(inp.bundledPath)) {
+  } else if (existsSync17(inp.bundledPath)) {
     if (!isWithin(inp.bundledPath, inp.bundledRoot)) {
       console.error(
         `[admin/sidebar-artefacts] agent-template-read-failed agent=${inp.displayName} kind=${inp.logName} error="bundled path outside PLATFORM_ROOT"`
@@ -11726,7 +11484,7 @@ var sidebar_artefacts_default = app31;
 // server/routes/admin/sidebar-artefact-save.ts
 import { mkdir as mkdir4, readdir as readdir4, stat as stat6, writeFile as writeFile5 } from "fs/promises";
 import { resolve as resolve18 } from "path";
-import { existsSync as existsSync19 } from "fs";
+import { existsSync as existsSync18 } from "fs";
 var ADMIN_AGENT_FILES2 = /* @__PURE__ */ new Set(["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"]);
 var UUID_RE5 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app32 = new Hono();
@@ -11790,7 +11548,7 @@ async function resolveSavePath(id, accountId, accountDir) {
   }
   if (UUID_RE5.test(id)) {
     const dir = resolve18(ATTACHMENTS_ROOT, accountId, id);
-    if (!existsSync19(dir)) {
+    if (!existsSync18(dir)) {
       return { kind: "reject", status: 400, reason: "not-found" };
     }
     try {
@@ -11814,7 +11572,7 @@ var sidebar_artefact_save_default = app32;
 
 // server/routes/admin/sidebar-artefact-content.ts
 import { readFile as readFile6, readdir as readdir5 } from "fs/promises";
-import { existsSync as existsSync20 } from "fs";
+import { existsSync as existsSync19 } from "fs";
 import { resolve as resolve19 } from "path";
 var UUID_RE6 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app33 = new Hono();
@@ -11828,7 +11586,7 @@ app33.get("/", requireAdminSession, async (c) => {
     return new Response("Not found", { status: 404 });
   }
   const dir = resolve19(ATTACHMENTS_ROOT, accountId, id);
-  if (!existsSync20(dir)) {
+  if (!existsSync19(dir)) {
     console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
     return new Response("Not found", { status: 404 });
   }
@@ -11890,7 +11648,7 @@ app34.route("/sidebar-artefact-content", sidebar_artefact_content_default);
 var admin_default = app34;
 
 // server/routes/sites.ts
-import { existsSync as existsSync21, readFileSync as readFileSync15, realpathSync as realpathSync5, statSync as statSync5 } from "fs";
+import { existsSync as existsSync20, readFileSync as readFileSync14, realpathSync as realpathSync5, statSync as statSync5 } from "fs";
 import { resolve as resolve20 } from "path";
 var SAFE_SEG_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
 var MIME = {
@@ -11957,7 +11715,7 @@ app35.get("/:rel{.*}", (c) => {
   }
   let stat7;
   try {
-    stat7 = existsSync21(filePath) ? statSync5(filePath) : null;
+    stat7 = existsSync20(filePath) ? statSync5(filePath) : null;
   } catch {
     stat7 = null;
   }
@@ -11970,7 +11728,7 @@ app35.get("/:rel{.*}", (c) => {
     console.error(`[sites] path-traversal-rejected path=${reqPath} reason=escape status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync21(filePath)) {
+  if (!existsSync20(filePath)) {
     console.error(`[sites] not-found path=${reqPath} status=404`);
     return c.text("Not found", 404);
   }
@@ -11989,7 +11747,7 @@ app35.get("/:rel{.*}", (c) => {
   }
   let body;
   try {
-    body = readFileSync15(realPath);
+    body = readFileSync14(realPath);
   } catch (err) {
     const code = err?.code;
     if (code === "EISDIR") {
@@ -12123,12 +11881,12 @@ function clientFrom(c) {
 var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
 var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join9(PLATFORM_ROOT7, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
-if (BRAND_JSON_PATH && !existsSync22(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && !existsSync21(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
 }
-if (BRAND_JSON_PATH && existsSync22(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync21(BRAND_JSON_PATH)) {
   try {
-    const parsed = JSON.parse(readFileSync16(BRAND_JSON_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync15(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
   } catch (err) {
     console.error(`[brand] Failed to parse brand.json: ${err.message}`);
@@ -12150,8 +11908,8 @@ var brandLoginOpts = {
 var ALIAS_DOMAINS_PATH2 = join9(homedir2(), BRAND.configDir, "alias-domains.json");
 function loadAliasDomains() {
   try {
-    if (!existsSync22(ALIAS_DOMAINS_PATH2)) return null;
-    const parsed = JSON.parse(readFileSync16(ALIAS_DOMAINS_PATH2, "utf-8"));
+    if (!existsSync21(ALIAS_DOMAINS_PATH2)) return null;
+    const parsed = JSON.parse(readFileSync15(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
       return null;
@@ -12497,14 +12255,14 @@ app36.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync22(filePath)) {
+  if (!existsSync21(filePath)) {
     console.error(`[agent-assets] serve slug=${slug} file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[agent-assets] serve slug=${slug} file=${filename} status=200`);
-  const body = readFileSync16(filePath);
+  const body = readFileSync15(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=3600"
@@ -12527,14 +12285,14 @@ app36.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync22(filePath)) {
+  if (!existsSync21(filePath)) {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
   const ext = "." + filename.split(".").pop()?.toLowerCase();
   const contentType = IMAGE_MIME[ext] || "application/octet-stream";
   console.log(`[generated] serve file=${filename} status=200`);
-  const body = readFileSync16(filePath);
+  const body = readFileSync15(filePath);
   return c.body(body, 200, {
     "Content-Type": contentType,
     "Cache-Control": "public, max-age=86400"
@@ -12544,9 +12302,9 @@ app36.route("/sites", sites_default);
 var htmlCache = /* @__PURE__ */ new Map();
 var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
-if (BRAND_JSON_PATH && existsSync22(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync21(BRAND_JSON_PATH)) {
   try {
-    const fullBrand = JSON.parse(readFileSync16(BRAND_JSON_PATH, "utf-8"));
+    const fullBrand = JSON.parse(readFileSync15(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
     brandIconPath = fullBrand.assets?.icon ? `/brand/${fullBrand.assets.icon}` : brandLogoPath;
   } catch {
@@ -12564,8 +12322,8 @@ function readInstalledVersion() {
   try {
     if (!PLATFORM_ROOT7) return "unknown";
     const versionFile = join9(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
-    if (!existsSync22(versionFile)) return "unknown";
-    const content = readFileSync16(versionFile, "utf-8").trim();
+    if (!existsSync21(versionFile)) return "unknown";
+    const content = readFileSync15(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
     return "unknown";
@@ -12606,7 +12364,7 @@ var clientErrorReporterScript = `<script>
 function cachedHtml(file) {
   let html = htmlCache.get(file);
   if (!html) {
-    html = readFileSync16(resolve21(process.cwd(), "public", file), "utf-8");
+    html = readFileSync15(resolve21(process.cwd(), "public", file), "utf-8");
     const productNameEsc = escapeHtml(BRAND.productName);
     html = html.replace(/<title>([^<]*)<\/title>/, (_match, inner) => `<title>${escapeHtml(inner).replace(/Maxy/g, productNameEsc)}</title>`);
     html = html.replace('href="/favicon.ico"', `href="${escapeHtml(brandFaviconPath)}"`);
@@ -12625,13 +12383,13 @@ function loadBrandingCache(agentSlug) {
   const configDir2 = join9(homedir2(), BRAND.configDir);
   try {
     const accountJsonPath = join9(configDir2, "account.json");
-    if (!existsSync22(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync16(accountJsonPath, "utf-8"));
+    if (!existsSync21(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync15(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
     const cachePath = join9(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
-    if (!existsSync22(cachePath)) return null;
-    return JSON.parse(readFileSync16(cachePath, "utf-8"));
+    if (!existsSync21(cachePath)) return null;
+    return JSON.parse(readFileSync15(cachePath, "utf-8"));
   } catch {
     return null;
   }
@@ -12640,8 +12398,8 @@ function resolveDefaultSlug() {
   try {
     const configDir2 = join9(homedir2(), BRAND.configDir);
     const accountJsonPath = join9(configDir2, "account.json");
-    if (!existsSync22(accountJsonPath)) return null;
-    const account = JSON.parse(readFileSync16(accountJsonPath, "utf-8"));
+    if (!existsSync21(accountJsonPath)) return null;
+    const account = JSON.parse(readFileSync15(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
     return null;
@@ -12714,7 +12472,7 @@ app36.use("/vnc-popout.html", logViewerFetch);
 app36.get("/vnc-popout.html", (c) => {
   let html = htmlCache.get("vnc-popout.html");
   if (!html) {
-    html = readFileSync16(resolve21(process.cwd(), "public", "vnc-popout.html"), "utf-8");
+    html = readFileSync15(resolve21(process.cwd(), "public", "vnc-popout.html"), "utf-8");
     const name = escapeHtml(BRAND.productName);
     html = html.replace("<title>Browser \u2014 Maxy</title>", `<title>${name}</title>`);
     html = html.replace("</head>", `  ${brandScript}
@@ -12804,8 +12562,8 @@ try {
 (async () => {
   try {
     let userId = "";
-    if (existsSync22(USERS_FILE)) {
-      const users = JSON.parse(readFileSync16(USERS_FILE, "utf-8").trim() || "[]");
+    if (existsSync21(USERS_FILE)) {
+      const users = JSON.parse(readFileSync15(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
     await backfillNullUserIdConversations(userId);
@@ -12835,6 +12593,29 @@ var bootEntitlement = bootAccountConfig ? resolveEntitlement(
   }
 ) : null;
 autoDeliverPremiumPlugins(bootEntitlement?.purchasedPlugins ?? void 0);
+(async () => {
+  if (!bootAccount) return;
+  try {
+    const { recoverRunningCloudflareTasks } = await import("./cloudflare-task-tracker-Q4X5BYR7.js");
+    const result = await recoverRunningCloudflareTasks(
+      bootAccount.accountId,
+      configDirForWhatsApp,
+      // No conversationKey at boot — the tracker's writeNodeWithEdges path
+      // requires it for the Conversation join, but the recovery path is
+      // operating on Tasks whose Conversation is already linked. Pass null
+      // and let the tracker pick up the linked Conversation via the Task's
+      // existing edge.
+      null
+    );
+    if (result.scanned > 0) {
+      console.error(
+        `[task] reconciler-startup kind=cloudflare-tunnel-login scanned=${result.scanned} resolved=${result.resolved.length}`
+      );
+    }
+  } catch (err) {
+    console.error(`[task] reconciler-startup failed: ${err instanceof Error ? err.message : String(err)}`);
+  }
+})();
 var bootEnabled = Array.isArray(bootAccountConfig?.enabledPlugins) ? bootAccountConfig.enabledPlugins : [];
 var bootDelivered = [];
 var bootDistMissing = [];