@rubytech/create-realagent 1.0.824 → 1.0.826

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rubytech/create-realagent",
-  "version": "1.0.824",
+  "version": "1.0.826",
   "description": "Install Real Agent — Built for agents. By agents.",
   "bin": {
     "create-realagent": "./dist/index.js"

package/payload/platform/lib/task-secrets/dist/index.d.ts

@@ -0,0 +1,40 @@
+export type JsonValue = string | number | boolean | null | JsonValue[] | {
+    [key: string]: JsonValue;
+};
+export interface FormSchema {
+    /**
+     * Field names whose values are secret and must never land on a Task node.
+     * Declared at the form definition (e.g. `cloudflare-setup-form`'s schema in
+     * `cloudflare-setup-types.ts`), not at the writer. Writers pass the form
+     * schema through unmodified — the contract is "secrets are declared once
+     * where the form is defined, redaction is enforced once at write time."
+     */
+    secretFields?: string[];
+}
+export interface RedactResult {
+    /**
+     * Payload with every `secretFields` entry removed. Non-secret keys keep
+     * their values intact (including null, false, 0, empty string). Keys not
+     * mentioned in `secretFields` always pass through — secrets are an
+     * allow-list of names to drop, not the entire universe.
+     */
+    redacted: Record<string, JsonValue>;
+    /** Number of fields that were stripped. Callers log this when > 0. */
+    droppedFields: number;
+    /** Names of fields that were stripped, sorted for stable log lines. */
+    droppedFieldNames: string[];
+}
+/**
+ * Strip every secret-tagged field from `payload` per `schema`. Pure: no IO,
+ * no logging, no thrown errors. Caller is responsible for the
+ * `[task] redacted ...` log line when `droppedFields > 0`.
+ *
+ * Edge-case behaviour:
+ * - `payload` undefined / null → empty result, droppedFields=0.
+ * - `schema` undefined / no `secretFields` → every key passes through.
+ * - A secret field whose key is absent from `payload` → no-op (not counted).
+ * - Non-string values on a secret field → key still dropped, value never
+ *   inspected. Redaction is by KEY, not by value-shape heuristic.
+ */
+export declare function redactSecrets(payload: Record<string, JsonValue> | null | undefined, schema: FormSchema | null | undefined): RedactResult;
+//# sourceMappingURL=index.d.ts.map

package/payload/platform/lib/task-secrets/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAYA,MAAM,MAAM,SAAS,GACjB,MAAM,GACN,MAAM,GACN,OAAO,GACP,IAAI,GACJ,SAAS,EAAE,GACX;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,CAAA;CAAE,CAAC;AAEjC,MAAM,WAAW,UAAU;IACzB;;;;;;OAMG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,YAAY;IAC3B;;;;;OAKG;IACH,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACpC,sEAAsE;IACtE,aAAa,EAAE,MAAM,CAAC;IACtB,uEAAuE;IACvE,iBAAiB,EAAE,MAAM,EAAE,CAAC;CAC7B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,CAAC,GAAG,IAAI,GAAG,SAAS,EACrD,MAAM,EAAE,UAAU,GAAG,IAAI,GAAG,SAAS,GACpC,YAAY,CAgBd"}

package/payload/platform/lib/task-secrets/dist/index.js

@@ -0,0 +1,44 @@
+"use strict";
+// Task 890 — outcome contract for audit Task input persistence.
+//
+// Doctrine: every audit Task records enough operator-meaningful information to
+// explain what happened, AND no audit Task contains secret material. Mechanism
+// is centralised here, not at the per-kind writer: form/action input
+// definitions tag secret fields at the source of truth, and writers strip
+// those fields via `redactSecrets` before persisting `inputs.<field>` props
+// onto the Task node.
+//
+// Single file by design — no per-kind branching, no factory. A future
+// schema shape change extends `FormSchema` here; the contract stays one place.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.redactSecrets = redactSecrets;
+/**
+ * Strip every secret-tagged field from `payload` per `schema`. Pure: no IO,
+ * no logging, no thrown errors. Caller is responsible for the
+ * `[task] redacted ...` log line when `droppedFields > 0`.
+ *
+ * Edge-case behaviour:
+ * - `payload` undefined / null → empty result, droppedFields=0.
+ * - `schema` undefined / no `secretFields` → every key passes through.
+ * - A secret field whose key is absent from `payload` → no-op (not counted).
+ * - Non-string values on a secret field → key still dropped, value never
+ *   inspected. Redaction is by KEY, not by value-shape heuristic.
+ */
+function redactSecrets(payload, schema) {
+    if (!payload) {
+        return { redacted: {}, droppedFields: 0, droppedFieldNames: [] };
+    }
+    const secrets = new Set(schema?.secretFields ?? []);
+    const redacted = {};
+    const dropped = [];
+    for (const [key, value] of Object.entries(payload)) {
+        if (secrets.has(key)) {
+            dropped.push(key);
+            continue;
+        }
+        redacted[key] = value;
+    }
+    dropped.sort();
+    return { redacted, droppedFields: dropped.length, droppedFieldNames: dropped };
+}
+//# sourceMappingURL=index.js.map

package/payload/platform/lib/task-secrets/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA,gEAAgE;AAChE,EAAE;AACF,+EAA+E;AAC/E,+EAA+E;AAC/E,qEAAqE;AACrE,0EAA0E;AAC1E,4EAA4E;AAC5E,sBAAsB;AACtB,EAAE;AACF,sEAAsE;AACtE,+EAA+E;;AA+C/E,sCAmBC;AA/BD;;;;;;;;;;;GAWG;AACH,SAAgB,aAAa,CAC3B,OAAqD,EACrD,MAAqC;IAErC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,aAAa,EAAE,CAAC,EAAE,iBAAiB,EAAE,EAAE,EAAE,CAAC;IACnE,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,YAAY,IAAI,EAAE,CAAC,CAAC;IACpD,MAAM,QAAQ,GAA8B,EAAE,CAAC;IAC/C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAClB,SAAS;QACX,CAAC;QACD,QAAQ,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACxB,CAAC;IACD,OAAO,CAAC,IAAI,EAAE,CAAC;IACf,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,CAAC,MAAM,EAAE,iBAAiB,EAAE,OAAO,EAAE,CAAC;AACjF,CAAC"}

package/payload/platform/lib/task-secrets/src/__tests__/redact-secrets.test.ts

@@ -0,0 +1,127 @@
+// Task 890 — no-secret-leak contract test.
+//
+// Verifies that `redactSecrets` strips every key declared as a secret in the
+// form schema, and is meaningful (not a no-op) — removing the `secret` tag
+// from a field MUST cause a deliberately-secret value to leak into the result,
+// proving the test would catch a regression.
+
+import { describe, expect, it } from 'vitest';
+import { redactSecrets, type FormSchema } from '../index.js';
+
+const SECRET_VALUE = 'hunter2';
+const SECRET_REGEX = /password|token|api[_-]?key|secret|credential|bearer/i;
+
+describe('redactSecrets', () => {
+  it('drops every key listed in secretFields', () => {
+    const schema: FormSchema = { secretFields: ['password', 'apiKey'] };
+    const payload = {
+      adminLabel: 'maxy-test',
+      adminDomain: 'maxy.bot',
+      password: SECRET_VALUE,
+      apiKey: 'sk-abc',
+    };
+    const { redacted, droppedFields, droppedFieldNames } = redactSecrets(payload, schema);
+
+    expect(redacted).toEqual({ adminLabel: 'maxy-test', adminDomain: 'maxy.bot' });
+    expect(droppedFields).toBe(2);
+    expect(droppedFieldNames).toEqual(['apiKey', 'password']);
+  });
+
+  it('passes every key through when schema has no secretFields', () => {
+    const payload = { mode: 'personal', emailProvided: true };
+    const { redacted, droppedFields } = redactSecrets(payload, {});
+    expect(redacted).toEqual(payload);
+    expect(droppedFields).toBe(0);
+  });
+
+  it('passes every key through when schema is undefined', () => {
+    const payload = { mode: 'personal' };
+    const { redacted, droppedFields } = redactSecrets(payload, undefined);
+    expect(redacted).toEqual(payload);
+    expect(droppedFields).toBe(0);
+  });
+
+  it('returns empty result for null/undefined payload', () => {
+    expect(redactSecrets(null, { secretFields: ['x'] })).toEqual({
+      redacted: {},
+      droppedFields: 0,
+      droppedFieldNames: [],
+    });
+    expect(redactSecrets(undefined, undefined)).toEqual({
+      redacted: {},
+      droppedFields: 0,
+      droppedFieldNames: [],
+    });
+  });
+
+  it('preserves falsy non-secret values (false, 0, empty string, null)', () => {
+    const payload = { a: false, b: 0, c: '', d: null, secret: 's' };
+    const { redacted } = redactSecrets(payload, { secretFields: ['secret'] });
+    expect(redacted).toEqual({ a: false, b: 0, c: '', d: null });
+  });
+
+  it('does not count secret keys absent from payload', () => {
+    const schema: FormSchema = { secretFields: ['password', 'missingField'] };
+    const { droppedFields, droppedFieldNames } = redactSecrets({ password: SECRET_VALUE }, schema);
+    expect(droppedFields).toBe(1);
+    expect(droppedFieldNames).toEqual(['password']);
+  });
+
+  it('drops a secret key regardless of its value shape', () => {
+    const schema: FormSchema = { secretFields: ['password'] };
+    const cases: Array<{ password: unknown }> = [
+      { password: 'string-value' },
+      { password: 42 },
+      { password: null },
+      { password: { nested: 'object' } },
+      { password: ['array', 'of', 'strings'] },
+    ];
+    for (const c of cases) {
+      const { redacted } = redactSecrets(c as Record<string, never>, schema);
+      expect(redacted).not.toHaveProperty('password');
+    }
+  });
+
+  it('CONTRACT: no recorded property value contains a secret regex match (cloudflare-setup-form)', () => {
+    // Synthetic cloudflare submission shape — mirrors CloudflareSetupRequest
+    // including both the operator-supplied secret (password) and the
+    // wire-protocol envelope (session_key, messageId) the schema also drops.
+    const cloudflareSchema: FormSchema = { secretFields: ['password', 'session_key', 'messageId'] };
+    const payload = {
+      adminLabel: 'maxy-test',
+      adminDomain: 'maxy.bot',
+      publicLabel: 'public',
+      publicDomain: 'maxy.bot',
+      apex: 'maxy.bot',
+      password: SECRET_VALUE,
+      tunnelName: 'maxy-test',
+      session_key: 'sk-conversation-correlation-12345678',
+      messageId: '11111111-2222-3333-4444-555555555555',
+    };
+    const { redacted } = redactSecrets(payload, cloudflareSchema);
+
+    // Scan every recorded value for any known-secret regex match.
+    for (const [key, value] of Object.entries(redacted)) {
+      const stringified = JSON.stringify(value);
+      expect(stringified, `field ${key} carried a secret-shaped value`).not.toMatch(SECRET_REGEX);
+      expect(stringified, `field ${key} carried the secret literal`).not.toContain(SECRET_VALUE);
+    }
+    // Wire-envelope fields must also be absent from recorded props.
+    expect(redacted).not.toHaveProperty('session_key');
+    expect(redacted).not.toHaveProperty('messageId');
+  });
+
+  it('CONTRACT (falsifiability): removing the secret tag causes the password to leak — proves the test is meaningful', () => {
+    // This test is the canary that proves the no-secret-leak guarantee comes
+    // from the schema, not from coincidence. With `secretFields` empty (the
+    // schema-author forgot to tag `password`), the value MUST leak into the
+    // recorded payload — otherwise the contract test above would still pass
+    // even with a broken schema, and would catch nothing.
+    const brokenSchema: FormSchema = { secretFields: [] };
+    const payload = { adminLabel: 'maxy-test', password: SECRET_VALUE };
+    const { redacted } = redactSecrets(payload, brokenSchema);
+
+    expect(redacted.password).toBe(SECRET_VALUE);
+    expect(JSON.stringify(redacted)).toContain(SECRET_VALUE);
+  });
+});

package/payload/platform/lib/task-secrets/src/index.ts

@@ -0,0 +1,77 @@
+// Task 890 — outcome contract for audit Task input persistence.
+//
+// Doctrine: every audit Task records enough operator-meaningful information to
+// explain what happened, AND no audit Task contains secret material. Mechanism
+// is centralised here, not at the per-kind writer: form/action input
+// definitions tag secret fields at the source of truth, and writers strip
+// those fields via `redactSecrets` before persisting `inputs.<field>` props
+// onto the Task node.
+//
+// Single file by design — no per-kind branching, no factory. A future
+// schema shape change extends `FormSchema` here; the contract stays one place.
+
+export type JsonValue =
+  | string
+  | number
+  | boolean
+  | null
+  | JsonValue[]
+  | { [key: string]: JsonValue };
+
+export interface FormSchema {
+  /**
+   * Field names whose values are secret and must never land on a Task node.
+   * Declared at the form definition (e.g. `cloudflare-setup-form`'s schema in
+   * `cloudflare-setup-types.ts`), not at the writer. Writers pass the form
+   * schema through unmodified — the contract is "secrets are declared once
+   * where the form is defined, redaction is enforced once at write time."
+   */
+  secretFields?: string[];
+}
+
+export interface RedactResult {
+  /**
+   * Payload with every `secretFields` entry removed. Non-secret keys keep
+   * their values intact (including null, false, 0, empty string). Keys not
+   * mentioned in `secretFields` always pass through — secrets are an
+   * allow-list of names to drop, not the entire universe.
+   */
+  redacted: Record<string, JsonValue>;
+  /** Number of fields that were stripped. Callers log this when > 0. */
+  droppedFields: number;
+  /** Names of fields that were stripped, sorted for stable log lines. */
+  droppedFieldNames: string[];
+}
+
+/**
+ * Strip every secret-tagged field from `payload` per `schema`. Pure: no IO,
+ * no logging, no thrown errors. Caller is responsible for the
+ * `[task] redacted ...` log line when `droppedFields > 0`.
+ *
+ * Edge-case behaviour:
+ * - `payload` undefined / null → empty result, droppedFields=0.
+ * - `schema` undefined / no `secretFields` → every key passes through.
+ * - A secret field whose key is absent from `payload` → no-op (not counted).
+ * - Non-string values on a secret field → key still dropped, value never
+ *   inspected. Redaction is by KEY, not by value-shape heuristic.
+ */
+export function redactSecrets(
+  payload: Record<string, JsonValue> | null | undefined,
+  schema: FormSchema | null | undefined,
+): RedactResult {
+  if (!payload) {
+    return { redacted: {}, droppedFields: 0, droppedFieldNames: [] };
+  }
+  const secrets = new Set(schema?.secretFields ?? []);
+  const redacted: Record<string, JsonValue> = {};
+  const dropped: string[] = [];
+  for (const [key, value] of Object.entries(payload)) {
+    if (secrets.has(key)) {
+      dropped.push(key);
+      continue;
+    }
+    redacted[key] = value;
+  }
+  dropped.sort();
+  return { redacted, droppedFields: dropped.length, droppedFieldNames: dropped };
+}

package/payload/platform/lib/task-secrets/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "rootDir": "src"
+  },
+  "include": ["src"],
+  "exclude": ["src/__tests__"]
+}

package/payload/platform/lib/task-secrets/vitest.config.ts

@@ -0,0 +1,9 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    environment: 'node',
+    globals: false,
+    include: ['src/__tests__/**/*.test.ts'],
+  },
+});

package/payload/platform/neo4j/schema.cypher

@@ -601,6 +601,17 @@ FOR (up:UserProfile) REQUIRE (up.accountId, up.userId) IS UNIQUE;
 //
 // Categories: communication, scheduling, decision, workflow,
 //             content, interaction
+//
+// Recognised optional properties:
+//   notApplicable (boolean) — Task 888. When `true`, the Preference
+//     records that the user explicitly declared the (category, key)
+//     does not apply to them. Counted as covered for the field-level
+//     Coverage signal in `formatProfileSummary`; filtered from the
+//     user-facing body (no value to render). Immutable on the tool
+//     surface (`profile-update` rejects mode merge|contradict). Always
+//     written with confidence: 1.0. No constraint, no index — the
+//     read query in loadUserProfile / profile-read widens the WHERE
+//     to include `OR pref.notApplicable = true`.
 // ----------------------------------------------------------
 
 CREATE CONSTRAINT preference_id_unique IF NOT EXISTS

package/payload/platform/package.json

@@ -6,8 +6,8 @@
     "plugins/*/mcp"
   ],
   "scripts": {
-    "build": "tsc -p lib/models/tsconfig.json && tsc -p lib/anthropic-key/tsconfig.json && tsc -p lib/oauth-llm/tsconfig.json && tsc -p lib/mcp-stderr-tee/tsconfig.json && tsc -p lib/mcp-spawn-tee/tsconfig.json && tsc -p lib/graph-write/tsconfig.json && tsc -p lib/graph-mcp/tsconfig.json && tsc -p lib/graph-trash/tsconfig.json && tsc -p lib/graph-search/tsconfig.json && tsc -p lib/screening-patterns/tsconfig.json && tsc -p lib/device-url/tsconfig.json && tsc -p lib/brand-templating/tsconfig.json && tsc -p lib/entitlement/tsconfig.json && tsc -p plugins/whatsapp-import/lib/tsconfig.json && NODE_OPTIONS='--max-old-space-size=8192' tsc -b plugins/*/mcp/tsconfig.json",
-    "build:lib": "tsc -p lib/models/tsconfig.json && tsc -p lib/anthropic-key/tsconfig.json && tsc -p lib/oauth-llm/tsconfig.json && tsc -p lib/mcp-stderr-tee/tsconfig.json && tsc -p lib/mcp-spawn-tee/tsconfig.json && tsc -p lib/graph-write/tsconfig.json && tsc -p lib/graph-mcp/tsconfig.json && tsc -p lib/graph-trash/tsconfig.json && tsc -p lib/graph-search/tsconfig.json && tsc -p lib/screening-patterns/tsconfig.json && tsc -p lib/device-url/tsconfig.json && tsc -p lib/brand-templating/tsconfig.json && tsc -p lib/entitlement/tsconfig.json && tsc -p plugins/whatsapp-import/lib/tsconfig.json",
+    "build": "tsc -p lib/models/tsconfig.json && tsc -p lib/anthropic-key/tsconfig.json && tsc -p lib/oauth-llm/tsconfig.json && tsc -p lib/mcp-stderr-tee/tsconfig.json && tsc -p lib/mcp-spawn-tee/tsconfig.json && tsc -p lib/graph-write/tsconfig.json && tsc -p lib/graph-mcp/tsconfig.json && tsc -p lib/graph-trash/tsconfig.json && tsc -p lib/graph-search/tsconfig.json && tsc -p lib/screening-patterns/tsconfig.json && tsc -p lib/device-url/tsconfig.json && tsc -p lib/brand-templating/tsconfig.json && tsc -p lib/entitlement/tsconfig.json && tsc -p lib/task-secrets/tsconfig.json && tsc -p plugins/whatsapp-import/lib/tsconfig.json && NODE_OPTIONS='--max-old-space-size=8192' tsc -b plugins/*/mcp/tsconfig.json",
+    "build:lib": "tsc -p lib/models/tsconfig.json && tsc -p lib/anthropic-key/tsconfig.json && tsc -p lib/oauth-llm/tsconfig.json && tsc -p lib/mcp-stderr-tee/tsconfig.json && tsc -p lib/mcp-spawn-tee/tsconfig.json && tsc -p lib/graph-write/tsconfig.json && tsc -p lib/graph-mcp/tsconfig.json && tsc -p lib/graph-trash/tsconfig.json && tsc -p lib/graph-search/tsconfig.json && tsc -p lib/screening-patterns/tsconfig.json && tsc -p lib/device-url/tsconfig.json && tsc -p lib/brand-templating/tsconfig.json && tsc -p lib/entitlement/tsconfig.json && tsc -p lib/task-secrets/tsconfig.json && tsc -p plugins/whatsapp-import/lib/tsconfig.json",
     "build:memory": "tsc -p plugins/memory/mcp/tsconfig.json",
     "build:contacts": "tsc -p plugins/contacts/mcp/tsconfig.json",
     "build:telegram": "tsc -p plugins/telegram/mcp/tsconfig.json",

package/payload/platform/plugins/admin/skills/business-profile/SKILL.md

@@ -10,14 +10,14 @@ Applies when the business owner wants to set up, complete, or update their busin
 ## When to Activate
 
 - Admin asks to set up, edit, or complete their business profile
-- Onboarding step 9 delegates here on first run **only when the operator picked `business-owner` mode** (Task 704). Personal mode bootstraps a `Person` with `role: "admin-personal"` directly inside step 9 and does NOT invoke this skill.
+- Onboarding step 9 delegates here on first run **only when the operator picked `business-owner` mode**. Personal mode bootstraps a `Person` with `role: "admin-personal"` directly inside step 9 and does NOT invoke this skill.
 - Session-start graph check shows a `LocalBusiness` node with missing data (no hours, no services, empty description)
 - The graph-write gate rejects a `memory-write` or `memory-update` with `no-admin-user` or `no-local-business` — the error message directs the agent here. (For personal-mode accounts, the gate is satisfied by the personal-profile `Person` node, so this rejection should not fire — if it does, the personal-profile node is missing or its `role` is wrong.)
 - Admin asks questions like "update my address", "add our opening hours", "change the phone number"
 
 ## First-run path (no LocalBusiness yet)
 
-The `AdminUser` and the operator's personal-profile `Person` were written deterministically at PIN setup time (Task 830 — `writeAdminUserAndPerson`), so this skill no longer creates the AdminUser. When onboarding step 9 invokes this skill in `business-owner` mode, or when the graph-write gate reports `no-local-business`, create the LocalBusiness:
+The `AdminUser` and the operator's personal-profile `Person` are written deterministically at PIN setup time, so this skill no longer creates the AdminUser. When onboarding step 9 invokes this skill in `business-owner` mode, or when the graph-write gate reports `no-local-business`, create the LocalBusiness:
 
 1. **LocalBusiness.** Ask the user for the business name first — this is the only mandatory property. Call `memory-write` with `labels: ["LocalBusiness"]`, minimal `properties: { name }`, `scope: "shared"`, `relationships: [{ type: "OWNS", direction: "incoming", targetNodeId: "<AdminUser-elementId>" }]`. The `LocalBusiness` label is on the exempt set, so the gate passes for this write. Find the AdminUser elementId via `memory-search` for the operator's name; the AdminUser already exists from PIN setup.
 2. **Capture the remaining domains** (address, hours, services, FAQs, brand assets) via `memory-update` on the `LocalBusiness` node and `memory-write` for related nodes (`OpeningHoursSpecification`, `Service`, `FAQPage`, `ImageObject`). With LocalBusiness present, the gate passes for all subsequent writes.

package/payload/platform/plugins/admin/skills/onboarding/SKILL.md

@@ -203,19 +203,20 @@ Pin the operator's persona and bootstrap the graph nodes that satisfy the graph-
 
 **Call `onboarding-step9-mode` with the chosen mode before any graph write or skill invocation.** The tool emits the diagnostic log line and returns the deterministic next-action prose.
 
-**Open the action record with `task-create` (Task 885 process-provenance doctrine).** Before any graph write or skill invocation, call:
+**Open the action record with `task-create` (process-provenance + audit input contract).** Before any graph write or skill invocation, call `task-create` with:
 
-```
-task-create
-  name: "Establish operator owner — onboarding step 9"
-  description: "<one-line summary of the chosen mode and what entities will be produced>"
-  status: "running"
-  kind: "onboarding-establish-owner"
-  inputsProvided: ["mode"]
-```
+- `name`: "Establish operator owner — onboarding step 9"
+- `description`: a one-line summary describing the chosen mode and what entities will be produced
+- `status`: `"running"`
+- `kind`: `"onboarding-establish-owner"`
+- `inputsProvided`: the keys you actually pass on `inputs` (e.g. `["mode"]`); records the call shape
+- `inputs`: the form payload — at minimum `{ mode: "personal" | "business-owner" }`. Add other operator-supplied non-secret fields you want the audit panel to render (e.g. when the user later provides email/phone in step 9 personal mode, you can append a follow-up `task-update` rather than reopening the Task)
+- `inputSchema`: `{ secretFields: [] }` — the step-9 mode select carries no secrets; declare the empty list explicitly so the contract is visible at the call site
 
 The returned `taskId` is the action-provenance handle for this step — every subsequent `memory-write` for an action-provenance-gated label (`Person`, `UserProfile`, `AdminUser`, `Organization`, `LocalBusiness`) MUST pass it as `producedByTaskId` so the inbound `:PRODUCED` edge from the Task is composed into the write. The Task is auto-linked to the current `AdminConversation` via `RAISED_DURING` (this is what makes `MATCH (c:AdminConversation)<-[:RAISED_DURING]-(t:Task)-[:PRODUCED]->(entity)` traversable from the conversation that initiated onboarding).
 
+The `inputs` you pass land on the Task as `inputs.<field>` props after `redactSecrets` strips any secret-tagged keys. The contract is enforced centrally — never re-classify what is or isn't a secret at the call site; declare the form's secret fields once in `inputSchema.secretFields`.
+
 Then branch on the mode.
 
 ### `business-owner`
@@ -235,4 +236,6 @@ Personal mode does not register a `LocalBusiness`. The `AdminUser` and personal-
 
 After step 9 completes in personal mode, tell the user that {{productName}} is configured for personal use — their employer (if any) is not registered here. If they later become the operator for a business of their own, they can ask {{productName}} to set up a business profile, which invokes the `business-profile` skill directly.
 
+**Post-onboarding work-preference elicitation (Task 888) — no step-9 change.** After step 9 completes, the per-turn `## About the Owner` block surfaces the field-level Coverage signal as the canonical post-onboarding elicitation source: `### Coverage / Missing: communication.preferredChannel, scheduling.workdayStartTime, …`. Onboarding deliberately does NOT pre-elicit these in a questionnaire — the agent drips them organically, one per turn, via the IDENTITY.md § Conversational Memory contract. Step 9's role is to bootstrap identity + persona; work-preferences are accumulated through normal conversation thereafter, with `notApplicable: true` covering the "doesn't apply to me" case (declined fields stop re-prompting).
+
 If the user declines to bootstrap during step 9 in any mode, leave step 9 incomplete AND call `task-update(taskId, status:"failed", errorMessage:"<one-line reason>")` so the action record reflects the abandonment instead of dangling in `running` forever. The next session will resume here with a fresh `task-create` (the prior failed Task stays in the graph as the audit record). Any attempt to write user-domain data will surface `Write blocked (no-admin-user)` or `Write blocked (no-local-business)` via the gate, pulling the agent back into this step.

package/payload/platform/plugins/admin/skills/plugin-management/SKILL.md

@@ -22,7 +22,7 @@ Built-in plugins under `$PLATFORM_ROOT/plugins/`:
 
 - Enable: call `plugin-toggle-enabled` with `pluginName` and `action: "enable"`. Activates the plugin's behaviour embed and MCP server from the next session. Plugins with scheduled behaviour (declared via `lifecycle` in PLUGIN.md frontmatter) are activated automatically by the platform heartbeat within one minute — no separate setup command needed.
 - Disable: call `plugin-toggle-enabled` with `pluginName` and `action: "disable"`. Deactivates from the next session. Any scheduled Events owned by the plugin (`sourcePlugin` field) are cancelled automatically by the platform heartbeat.
-- The tool refuses core plugins (admin, memory, docs, cloudflare, anthropic) and refuses plugins not installed under `$PLATFORM_ROOT/plugins/`. Direct `Edit` of `account.json` is denied by the pre-tool-use hook (Task 831) — `plugin-toggle-enabled` is the only legitimate path.
+- The tool refuses core plugins (admin, memory, docs, cloudflare, anthropic) and refuses plugins not installed under `$PLATFORM_ROOT/plugins/`. Direct `Edit` of `account.json` is denied by the pre-tool-use hook — `plugin-toggle-enabled` is the only legitimate path.
 
 ## Premium Plugins
 
@@ -38,11 +38,11 @@ When the user asks about a specific premium plugin (e.g., "tell me about the tea
 
 ### Recording a purchase
 
-`purchasedPlugins` is an entitlement-bearing field (Task 831): the effective list derives from the Rubytech-signed entitlement payload, not from raw `account.json`. The pre-tool-use hook denies any agent write to `account.json`. Direct purchase recording is therefore unavailable to the agent.
+`purchasedPlugins` is an entitlement-bearing field: the effective list derives from the Rubytech-signed entitlement payload, not from raw `account.json`. The pre-tool-use hook denies any agent write to `account.json`. Direct purchase recording is therefore unavailable to the agent.
 
-- **Production path:** Task 832 — Rubytech-side issuance endpoint signs an updated entitlement payload after a Stripe purchase event and delivers it to `~/<configDir>/entitlement.json`. The verifier picks up the new payload at the next session start.
+- **Production path:** the Rubytech-side issuance endpoint signs an updated entitlement payload after a Stripe purchase event and delivers it to `~/<configDir>/entitlement.json`. The verifier picks up the new payload at the next session start.
 - **Pre-launch / dev path:** the founder runs `node platform/scripts/generate-entitlement-fixture.mjs sign --account-id <id> --email <e> --tier <t> --plugins a,b,c --out ~/<configDir>/entitlement.json` to produce a signed test payload. The agent does not invoke this script.
-- **Personal-mode installs (`brand.json.commercialMode: false`, the default today):** purchasedPlugins is read from raw `account.json` via implicit-trust mode. Pre-launch the agent has no way to add purchases without operator intervention; this is intentional during the gap before Task 832 ships.
+- **Personal-mode installs (`brand.json.commercialMode: false`, the default today):** purchasedPlugins is read from raw `account.json` via implicit-trust mode. Pre-launch the agent has no way to add purchases without operator intervention; this is intentional during the gap before signed-issuance ships.
 
 If the user asks the agent to record a purchase, explain that their purchase is processed by Rubytech billing and the entitlement payload arrives on their device automatically — no agent action is required.
 

package/payload/platform/plugins/admin/skills/public-agent-manager/SKILL.md

@@ -195,7 +195,7 @@ After creation, no template metadata persists in the agent's files. The resultin
 9. **KNOWLEDGE.md generation** — populate from the now-tagged set plus keyword matches using the `update-knowledge` skill workflow
 10. Write `config.json` with selected model, plugins, status "active", `liveMemory`, and `knowledgeKeywords`. This is the last gated write — placed after IDENTITY.md, SOUL.md, and KNOWLEDGE.md to prevent cascade failure if one gate stalls.
 11. Check context budget — auto-summarise if over threshold
-12. **Project the agent into the graph** — delegate to the `database-operator` specialist with the instruction: "Project public agent `{slug}` into the graph by POSTing to `/api/admin/agents/{slug}/project` (Task 837 surface)." The route reads the on-disk files and idempotently MERGEs the `:Agent` node, the four owned `:KnowledgeDocument` projections (IDENTITY/SOUL/KNOWLEDGE/KNOWLEDGE-SUMMARY when present, namespaced `attachmentId="agent:<slug>:<role>"`), the `HAS_*` edges, and the `USES_KNOWLEDGE` edges to every operator-tagged doc. Loud-fail: if the route returns non-2xx, surface the error to the user verbatim — the agent's files exist on disk but its graph projection is incomplete, which means the operator's /graph view will not show this agent. Re-running the projection is safe; it is the same idempotent MERGE.
+12. **Project the agent into the graph** — delegate to the `database-operator` specialist with the instruction: "Project public agent `{slug}` into the graph by POSTing to `/api/admin/agents/{slug}/project`." The route reads the on-disk files and idempotently MERGEs the `:Agent` node, the four owned `:KnowledgeDocument` projections (IDENTITY/SOUL/KNOWLEDGE/KNOWLEDGE-SUMMARY when present, namespaced `attachmentId="agent:<slug>:<role>"`), the `HAS_*` edges, and the `USES_KNOWLEDGE` edges to every operator-tagged doc. Loud-fail: if the route returns non-2xx, surface the error to the user verbatim — the agent's files exist on disk but its graph projection is incomplete, which means the operator's /graph view will not show this agent. Re-running the projection is safe; it is the same idempotent MERGE.
 13. Confirm creation: "Agent created. Visitors can reach it at `/{slug}`"
 
 ### List
@@ -245,7 +245,7 @@ Deletion removes the entire agent directory (`agents/{slug}/`) — not individua
 - If no other agents remain (or the user declines to set a new default), clear the `defaultAgent` field by calling `account-update` with `field: "defaultAgent"`, `value: ""`. Tell the user that visitors to the root URL will see a "no agents" message until a new agent is created.
 
 **Cleanup sequence:**
-- Issue `DELETE /api/admin/agents/{slug}` — the route runs `deleteAgentProjection` (Task 837) FIRST to remove the `:Agent` node and its four owned `:KnowledgeDocument` projections, then `rmSync` the directory. Loud-fail: if graph cleanup throws, files are preserved and a 500 is returned with the error text. Re-issuing the DELETE is safe (idempotent on both layers). Operator-tagged docs survive the projection delete — only the `USES_KNOWLEDGE` edges from this Agent are removed.
+- Issue `DELETE /api/admin/agents/{slug}` — the route removes the `:Agent` node and its four owned `:KnowledgeDocument` projections FIRST, then deletes the directory. Loud-fail: if graph cleanup throws, files are preserved and a 500 is returned with the error text. Re-issuing the DELETE is safe (idempotent on both layers). Operator-tagged docs survive the projection delete — only the `USES_KNOWLEDGE` edges from this Agent are removed.
 - Verify the directory no longer exists
 - Report what was removed (list the files that were in the directory)
 

package/payload/platform/plugins/admin/skills/stream-log-review/SKILL.md

@@ -10,7 +10,7 @@ description: >
 
 # Stream Log Review
 
-Analyse Claude agent stream logs — the `claude-agent-stream-{conversationId}.log` files generated by the platform (Task 532). Each file is scoped to exactly one conversation; a resumed conversation accumulates in one file across multiple process lifetimes, delimited by `[spawn]` / `[process-exit]`. Pre-conversation events (CDP auth-poll, module-init warnings) live in `preconversation-claude-agent-stream-{YYYY-MM-DD}.log` — a separate file per UTC day, read only when investigating boot-time failures.
+Analyse Claude agent stream logs — the `claude-agent-stream-{conversationId}.log` files generated by the platform. Each file is scoped to exactly one conversation; a resumed conversation accumulates in one file across multiple process lifetimes, delimited by `[spawn]` / `[process-exit]`. Pre-conversation events (CDP auth-poll, module-init warnings) live in `preconversation-claude-agent-stream-{YYYY-MM-DD}.log` — a separate file per UTC day, read only when investigating boot-time failures.
 
 Parse the log, identify problems, attempt diagnosis, and produce a structured report.
 
@@ -35,7 +35,7 @@ Parse the log, identify problems, attempt diagnosis, and produce a structured re
 On the Pi, use the `logs-read` MCP tool with `conversationId` to retrieve a single conversation's log. From the dev machine (SSH), use the shell counterpart:
 
 ```bash
-# Read a single conversation's stream log (primary mode — Task 532)
+# Read a single conversation's stream log (primary mode)
 sshpass -p 'password' ssh admin@<hostname>.local "~/<installDir>/platform/scripts/logs-read.sh <conversationId> system"
 
 # Tail the most-recently-active stream log (any conversation)
@@ -53,11 +53,11 @@ The `conversationId` is visible in the admin UI and appears on every `[spawn]` /
 - `[tool-wait-diag]` at 15 / 30 / 45 / 60 s — confirms DNS/TCP/HTTP health across a stall window (not just at the timeout moment).
 - `[tool-wait-proc]` at 30 s — subprocess open FDs, sockets by TCP state, RSS.
 - `[subproc-stderr]` — line from the main Claude Code subprocess's stderr. Today the CLI is a bundled Bun binary that ignores Node's `NODE_DEBUG`, so this channel is normally silent — see `[subproc-debug-unavailable]` below. MCP server stderr lines arrive separately as `[mcp:<server>]`.
-- `[subproc-stderr-tee-attached]` / `[subproc-stderr-tee-detached]` (Task 535) — lifecycle of the main-subprocess stderr tee. `bytes=0 lines=0` on detach means the tee worked but the subprocess emitted nothing. Absence of both markers next to a `[spawn]` means the tee infrastructure is broken — escalate.
-- `[subproc-debug-unavailable]` (Task 535) — one line per spawn, `reason=bundled-bun-binary-ignores-node-debug`. This is the documented reason `[subproc-stderr]` lines are normally absent for the main subprocess. Treat its absence as a regression, not its presence as a problem.
-- `[tool-failure-diag]` — one-shot probe on the failure path (Task 530); complements the mid-flight `[tool-wait-diag]` with end-of-wait network state.
+- `[subproc-stderr-tee-attached]` / `[subproc-stderr-tee-detached]` — lifecycle of the main-subprocess stderr tee. `bytes=0 lines=0` on detach means the tee worked but the subprocess emitted nothing. Absence of both markers next to a `[spawn]` means the tee infrastructure is broken — escalate.
+- `[subproc-debug-unavailable]` — one line per spawn, `reason=bundled-bun-binary-ignores-node-debug`. This is the documented reason `[subproc-stderr]` lines are normally absent for the main subprocess. Treat its absence as a regression, not its presence as a problem.
+- `[tool-failure-diag]` — one-shot probe on the failure path; complements the mid-flight `[tool-wait-diag]` with end-of-wait network state.
 - `[mcp-tee-attach]` / `[mcp-tee-skip]` / `[mcp:<server>]` — MCP server stderr routed into the stream log; a missing attach marker explains missing server diagnostics.
-- `[tool-result] error=true output="WEBFETCH_CANNOT_READ_JS_SPA: …"` — a WebFetch dispatch was short-circuited by the SPA preflight hook (Task 536). The URL is a JS-SPA shell that WebFetch cannot extract content from. The agent should have responded to the user naming the failure and asking for a paste or screenshot; if instead an `[agent-dispatch]` (Playwright, research-assistant) follows immediately, the loud-failure guidance in IDENTITY.md did not land. The hook's per-invocation decision trail lives in `{accountDir}/logs/webfetch-preflight.log` (one `[webfetch-preflight] verdict=…` line per probe).
+- `[tool-result] error=true output="WEBFETCH_CANNOT_READ_JS_SPA: …"` — a WebFetch dispatch was short-circuited by the SPA preflight hook. The URL is a JS-SPA shell that WebFetch cannot extract content from. The agent should have responded to the user naming the failure and asking for a paste or screenshot; if instead an `[agent-dispatch]` (Playwright, research-assistant) follows immediately, the loud-failure guidance in IDENTITY.md did not land. The hook's per-invocation decision trail lives in `{accountDir}/logs/webfetch-preflight.log` (one `[webfetch-preflight] verdict=…` line per probe).
 
 ## Boundaries
 

package/payload/platform/plugins/admin/skills/unzip-attachment/references/safety.md

@@ -78,4 +78,4 @@ All of these are from `unzip` (InfoZIP) + `coreutils` — installed on every Pi
 
 ## Why this is a skill, not a tool
 
-Doctrine (Task 664 precedent): the admin agent has `Bash`; the security-critical code path is a sequence of shell commands whose determinism is enforced by the shell primitives themselves, not by LLM reasoning. Wrapping this in an MCP tool would add a translation layer without adding enforcement — and per [feedback_deterministic_means_remove_llm.md](../../../../../.claude/projects/-Users-neo-getmaxy/memory/feedback_deterministic_means_remove_llm.md), a tool wrapper is still LLM-mediated at the decision boundary. The shell script is the deterministic primitive; the skill tells the agent which primitive to invoke, in which order, against which argument.
+Doctrine: the admin agent has `Bash`; the security-critical code path is a sequence of shell commands whose determinism is enforced by the shell primitives themselves, not by LLM reasoning. Wrapping this in an MCP tool would add a translation layer without adding enforcement — a tool wrapper is still LLM-mediated at the decision boundary. The shell script is the deterministic primitive; the skill tells the agent which primitive to invoke, in which order, against which argument.

package/payload/platform/plugins/cloudflare/references/manual-setup.md

@@ -217,7 +217,7 @@ cloudflared --origincert "${CFG_DIR}/cert.pem" tunnel route dns --overwrite-dns
 2. Overwritten: `Added CNAME <hostname> which will route to this tunnel` (same shape as new; `--overwrite-dns` makes overwrite transparent)
 3. Idempotent no-op: `<timestamp> INF <hostname> is already configured to route to your tunnel tunnelID=<UUID>`
 
-Shape 3 is what a second clean run of setup-tunnel.sh against an already-configured hostname emits. Historically the shell script's stdout parser rejected this shape and exited 1 on the idempotent case (session `25674fe3`, Task 559 fix); the script now relies on cloudflared's exit code exclusively.
+Shape 3 is what a second clean run of setup-tunnel.sh against an already-configured hostname emits. Historically the shell script's stdout parser rejected this shape and exited 1 on the idempotent case; the script now relies on cloudflared's exit code exclusively.
 
 **If it fails with `zone not found`:** the hostname's parent domain isn't on this brand's Cloudflare account. Either add it in the dashboard (Websites → Add a site) and re-run, or sign into the account that already owns the domain.
 
@@ -325,14 +325,14 @@ You do **not** run `cloudflared` manually. The brand's existing user-space syste
 systemctl --user restart "${BRAND}.service"
 ```
 
-**Why the script dispatches the restart via `systemd-run` instead of a direct `systemctl restart` (Task 558):** when the admin agent invokes `setup-tunnel.sh` via the Bash tool, the script runs *inside* `${BRAND}.service`'s cgroup. A direct `systemctl --user restart ${BRAND}.service` from that cgroup tells systemd to SIGTERM the entire cgroup — the node server, the claude subprocess, the Bash child, and the script itself all die simultaneously. cgroup membership is inherited: `setsid`, `nohup`, `disown`, and `&` all stay in the caller's cgroup, and `systemd-run --scope` runs in the caller's scope. Only `systemd-run --user --unit=<name> --on-active=<N>s` creates a genuinely new transient unit with its own cgroup. The script uses that primitive to arm the restart a few seconds after its own exit:
+**Why the script dispatches the restart via `systemd-run` instead of a direct `systemctl restart`:** when the admin agent invokes `setup-tunnel.sh` via the Bash tool, the script runs *inside* `${BRAND}.service`'s cgroup. A direct `systemctl --user restart ${BRAND}.service` from that cgroup tells systemd to SIGTERM the entire cgroup — the node server, the claude subprocess, the Bash child, and the script itself all die simultaneously. cgroup membership is inherited: `setsid`, `nohup`, `disown`, and `&` all stay in the caller's cgroup, and `systemd-run --scope` runs in the caller's scope. Only `systemd-run --user --unit=<name> --on-active=<N>s` creates a genuinely new transient unit with its own cgroup. The script uses that primitive to arm the restart a few seconds after its own exit:
 
 ```
 systemd-run --user --unit=maxy-tunnel-restart-<nonce>.service --on-active=3s --collect \
   /bin/systemctl --user restart "${BRAND}.service"
 ```
 
-The script then emits `[script:setup-tunnel] step=service-restart-dispatched` and `step=service-restart-armed exit=0` in the per-conversation stream log so operators see exactly when the restart was scheduled, exits 0, and the transient timer fires from outside the service's cgroup — semantically identical to this manual runbook's `systemctl --user restart`. (The `script:` prefix is Task 605's chat-surface namespace — see `_stream-log.sh` header.)
+The script then emits `[script:setup-tunnel] step=service-restart-dispatched` and `step=service-restart-armed exit=0` in the per-conversation stream log so operators see exactly when the restart was scheduled, exits 0, and the transient timer fires from outside the service's cgroup — semantically identical to this manual runbook's `systemctl --user restart`. (The `script:` prefix is the chat-surface namespace — see `_stream-log.sh` header.)
 
 When walking through manually you do **not** need `systemd-run` — your SSH shell already lives in a separate user-scope cgroup (`user@<uid>.service`), so the direct `systemctl restart` does not kill the caller. The script's extra indirection only matters when the caller *is* the service being restarted.
 

package/payload/platform/plugins/cloudflare/skills/setup-tunnel/SKILL.md

@@ -20,9 +20,9 @@ Any Cloudflare action outside these four surfaces is a discipline violation —
 
 ## 1. Autonomous path — `setup-tunnel.sh`
 
-Use this when the operator wants Cloudflare set up (or re-set up) end-to-end on the device. The script handles OAuth login, tunnel creation, DNS routing for each subdomain, config.yml + tunnel.state, and dispatches the `${BRAND}.service` restart to a transient `systemd-run` unit (Task 558) — all in one invocation. The restart fires a few seconds after the script exits so the script does not kill its own cgroup when invoked via the Bash tool; the chat UI receives a `server_shutdown` SSE frame and reconnects automatically. Post-restart hostname verification is out of scope for the script (connector is not up when the script exits) — verify via the next admin turn or manually with `curl -I https://<hostname>`. Apex hostnames cannot be routed by the CLI; when one is passed, the script prints an `ACTION REQUIRED` block naming the exact dashboard record to edit.
+Use this when the operator wants Cloudflare set up (or re-set up) end-to-end on the device. The script handles OAuth login, tunnel creation, DNS routing for each subdomain, config.yml + tunnel.state, and dispatches the `${BRAND}.service` restart to a transient `systemd-run` unit — all in one invocation. The restart fires a few seconds after the script exits so the script does not kill its own cgroup when invoked via the Bash tool; the chat UI receives a `server_shutdown` SSE frame and reconnects automatically. Post-restart hostname verification is out of scope for the script (connector is not up when the script exits) — verify via the next admin turn or manually with `curl -I https://<hostname>`. Apex hostnames cannot be routed by the CLI; when one is passed, the script prints an `ACTION REQUIRED` block naming the exact dashboard record to edit.
 
-Step 1's OAuth flow is a state machine over two observable variables: the brand-scoped cert path (`${CFG_DIR}/cert.pem`) and the OAuth-default cert path (`~/.cloudflared/cert.pem`). When the brand-scoped cert is missing but the default-path cert is present from any prior partial run, the wrapper promotes it (`mv`) and emits `step=oauth-login result=ok reason=cert-promoted-from-default-path` without re-spawning cloudflared. When both are missing, the wrapper spawns `cloudflared tunnel login`, extracts the argotunnel URL from its stdout, and the instant the URL surfaces, mechanically opens it on the Pi's VNC chromium (`DISPLAY=${DISPLAY:-:99} /usr/bin/chromium <url> &`) — emitting `step=browser-spawn result=ok` and `step=browser-drive mode=operator-click`. The operator clicks the zone row + Authorize on the VNC; cloudflared's callback writes `~/.cloudflared/cert.pem`; the wrapper's cert-poll (180 s budget) picks it up and `mv`s it to the brand-scoped path. There is no CDP auto-click, no DOM matcher, no consent-page driver — the wrapper's job is to faithfully relay `cloudflared tunnel login`, never to layer automation on top (Task 858, doctrine `feedback_wrappers_faithfully_relay_third_party_cli`).
+Step 1's OAuth flow is a state machine over two observable variables: the brand-scoped cert path (`${CFG_DIR}/cert.pem`) and the OAuth-default cert path (`~/.cloudflared/cert.pem`). When the brand-scoped cert is missing but the default-path cert is present from any prior partial run, the wrapper promotes it (`mv`) and emits `step=oauth-login result=ok reason=cert-promoted-from-default-path` without re-spawning cloudflared. When both are missing, the wrapper spawns `cloudflared tunnel login`, extracts the argotunnel URL from its stdout, and the instant the URL surfaces, mechanically opens it on the Pi's VNC chromium (`DISPLAY=${DISPLAY:-:99} /usr/bin/chromium <url> &`) — emitting `step=browser-spawn result=ok` and `step=browser-drive mode=operator-click`. The operator clicks the zone row + Authorize on the VNC; cloudflared's callback writes `~/.cloudflared/cert.pem`; the wrapper's cert-poll (180 s budget) picks it up and `mv`s it to the brand-scoped path. There is no CDP auto-click, no DOM matcher, no consent-page driver — the wrapper's job is to faithfully relay `cloudflared tunnel login`, never to layer automation on top.
 
 ### How inputs reach the script
 
@@ -52,7 +52,7 @@ The agent does not invoke the script directly during onboarding — the endpoint
 
 The endpoint returns `{ ok: false, field: "script", message, output }` and the form surfaces the error inline. Relay the output to the user, name the exit code, and cite `references/reset-guide.md` for the next action. Offer to re-render the form after any manual steps the script's error output named. Do not attempt a second invocation outside the form, a Playwright-driven dashboard inspection, or an alternative `cloudflared` command sequence. The discipline rule below applies.
 
-When the failure reason is `timeout-waiting-cert` (Task 858 — operator did not click Authorize within the 180 s budget), the form surfaces the timeout and the operator can re-submit. The page is still on the Pi VNC; the operator can click Authorize there and the next form submit will complete via the cert-promotion pre-flight (the cert lands in `~/.cloudflared/cert.pem` after consent, and the wrapper's `mv` runs on the next invocation). Do not suggest `~/reset-tunnel.sh` — the cert path is intact and a fresh attempt is the only remediation needed.
+When the failure reason is `timeout-waiting-cert` (operator did not click Authorize within the 180 s budget), the form surfaces the timeout and the operator can re-submit. The page is still on the Pi VNC; the operator can click Authorize there and the next form submit will complete via the cert-promotion pre-flight (the cert lands in `~/.cloudflared/cert.pem` after consent, and the wrapper's `mv` runs on the next invocation). Do not suggest `~/reset-tunnel.sh` — the cert path is intact and a fresh attempt is the only remediation needed.
 
 ---
 
@@ -90,7 +90,7 @@ Example:
 
 Use this when the operator needs to do something only the Cloudflare dashboard can do: sign in, switch accounts, add a site, edit an apex CNAME, verify zone nameservers, delete a tunnel after stopping its replicas. The guide has one numbered click-path per operation. Quote the relevant click-path verbatim — the operator follows it in the browser. The agent does not drive dashboard mutations via Playwright or Chrome DevTools.
 
-The single exception is `list-cf-domains.sh` (Task 589), which reads the domains attached to the logged-in account to populate the `cloudflare-setup-form` dropdowns. That script is deterministic (bash + raw CDP, no LLM in the decision path), invoked only by the `/api/admin/cloudflare/domains` route, and produces only a JSON `string[]` on stdout; no dashboard state is changed. Any dashboard scrape that is not this exact script is forbidden — the agent does not extend this carve-out to new scripts it writes, hypothesises, or finds. Adding a new sanctioned scrape surface requires a code change reviewed as a doctrine change, not an inline agent decision.
+The single exception is `list-cf-domains.sh`, which reads the domains attached to the logged-in account to populate the `cloudflare-setup-form` dropdowns. That script is deterministic (bash + raw CDP, no LLM in the decision path), invoked only by the `/api/admin/cloudflare/domains` route, and produces only a JSON `string[]` on stdout; no dashboard state is changed. Any dashboard scrape that is not this exact script is forbidden — the agent does not extend this carve-out to new scripts it writes, hypothesises, or finds. Adding a new sanctioned scrape surface requires a code change reviewed as a doctrine change, not an inline agent decision.
 
 ---
 

package/payload/platform/plugins/docs/references/cloudflare.md

@@ -30,7 +30,7 @@ When you submit, the `/api/admin/cloudflare/setup` endpoint runs — in strict o
 - `cloudflared tunnel route dns` for each subdomain hostname. Apex hostnames cannot be routed this way — the script prints an **ACTION REQUIRED** block naming the exact dashboard record to add or edit. Stream log emits `step=route-dns hostname=… tunnel_id=…` before the call and `step=route-dns hostname=… result=ok|apex-skip|error` after; on error the bounded cloudflared stderr (≤400 chars) rides in the same phase line. **The script does not parse cloudflared's stdout** — exit code is the sole decision signal, so all three legitimate cloudflared output shapes (new record, overwrite, idempotent "already configured") are treated as success.
 - `config.yml` and `tunnel.state` written under `${CFG_DIR}`.
 - **Step-7 onboarding completion persisted** — the script writes `${ACCOUNT_DIR}/onboarding/step7-complete` (a JSON marker with the completion timestamp and tunnel ID) before arming the restart. Stream log: `step=onboarding-persist result=ok|error reason=<r>`. The marker is consumed by the next admin session's first state read and advances `OnboardingState.currentStep` to 7. Without this, the service restart below would SIGTERM the admin agent before it could persist step-7 completion, and the next session would re-ask the Cloudflare question you just finished. Both invocation surfaces (the form-driven action and the agent-via-Bash path) declare `ACCOUNT_DIR` explicitly because `systemd-run --user` does not inherit parent env — when ACCOUNT_DIR isn't reaching the script you'll see `result=skipped reason=no-account-dir` in the stream log instead of `result=ok`.
-- **Post-restart resume contract** — when the form's ActionLogPanel reports `code=0`, the form dispatches the `admin-chat:post-restart-resume` window CustomEvent with `{actionId, message}`. The chat hook ([useAdminChat.ts](../../../../platform/ui/app/useAdminChat.ts)) waits for the brand-service down-then-up cycle on `/api/health`, calls `POST /api/admin/sessions/<cid>/resume?session_key=<sk>` (cookie-bridge-rehydrates the wiped sessionStore via the surviving `__remote_session` cookie and binds the conversation), then sends the captured "Cloudflare setup completed (actionId: <id>)." marker as a normal hidden chat POST that re-invokes the agent. No relay queue, no boot-drain, no banner, no rebind endpoint. Diagnostic: `grep '\[admin-resume\] reason=post-restart' ~/{configDir}/logs/server.log` (expect one line per restart cycle), `grep '\[client-event\] kind=post-restart-resume' ~/{configDir}/logs/server.log` for the operator-visible client trace. See `.docs/web-chat.md` "Post-restart resume contract" for the full client/server contract.
+- **Post-restart resume contract** — when the script exits cleanly, the form fires a client-side resume event. The chat hook ([useAdminChat.ts](../../../../platform/ui/app/useAdminChat.ts)) waits for the brand-service to come back via `/api/health` (down-then-up), re-binds the conversation to the new server process, and sends the "Cloudflare setup completed" marker as a normal hidden chat POST that re-invokes the agent in a fresh session. No relay queue, no boot-drain, no banner. Diagnostic: `grep '\[admin-resume\] reason=post-restart' ~/{configDir}/logs/server.log` (expect one line per restart cycle), `grep '\[client-event\] kind=post-restart-resume' ~/{configDir}/logs/server.log` for the operator-visible client trace. See `.docs/web-chat.md` "Post-restart resume contract" for the full client/server contract.
 - `systemctl --user restart ${BRAND}.service` — restarts the platform service so the new tunnel spawns via the service's `ExecStartPre=resume-tunnel.sh`.
 - Post-restart verification — `ps -ef | grep '[c]loudflared'` confirms the connector is alive, then `curl -I https://<hostname>` against each subdomain (up to 60 s per host) confirms a non-530 response.