@rubytech/create-realagent 1.0.829 → 1.0.831

package/payload/platform/plugins/admin/hooks/__tests__/archive-ingest-surface-gate.test.sh

@@ -1,30 +1,23 @@
 #!/usr/bin/env bash
-# Regression test for archive-ingest-surface-gate.sh (Task 855, trimmed by Task 894).
+# Regression test for archive-ingest-surface-gate.sh (Task 855).
 #
-# Covers (post-Task-894):
-#   1. Edit on /platform/plugins/<x>/lib/* → BLOCKED
-#   2. Edit on benign path → ALLOWED
-#   3. Bash with `npx vitest`/`bun test`/`npm test` → BLOCKED
-#   4. PreToolUse memory-archive-write w/ archiveType=linkedin-connections → ALLOWED
-#   5. Default-allow emits a [archive-ingest-gate] decision=allow log line
-#   6. Parse-error flag lifecycle: PostToolUse on any *-export-parse / *-import-parse
-#      with isError:true sets flag; subsequent PreToolUse blocks; UserPromptSubmit
-#      clears; stale flag (>600s) auto-clears; parse-success leaves flag absent.
-#   7. Bypass attempts: nested file_path in old_string + top-level file_path in
-#      lib/* → BLOCKED.
-#   8. Fail-closed terminal check.
-#
-# Removed by Task 894:
-#   - WhatsApp-specific MCP-tool blocks (the three legacy whatsapp-export tools
-#     no longer exist; chat archives flow through memory-classify mode='chat'
-#     and memory-ingest parentLabel='ConversationArchive' via document-ingest).
-#   - memory-archive-write archiveType='whatsapp-export' block (the enum value
-#     was dropped from memory-archive-write).
-#
-# A generic LinkedIn-shaped fixture stands in for the parse-error lifecycle —
-# the gate's PostToolUse pattern matches `mcp__*__*-export-parse` /
-# `mcp__*__*-import-parse`, so any plausible parser tool name exercises the
-# flag-set / flag-clear path.
+# Covers:
+#   Preserved-from-Task-846:
+#     1. Edit on /platform/plugins/<x>/lib/* → BLOCKED
+#     2. Edit on benign path → ALLOWED
+#     3. Bash with `npx vitest`/`bun test`/`npm test` → BLOCKED
+#     4. PostToolUse on whatsapp-export-parse with isError:true sets flag
+#     5. Subsequent PreToolUse on ANY tool → BLOCKED
+#     6. UserPromptSubmit clears flag → normal allow resumes
+#     7. PostToolUse with isError:false → flag absent
+#     8. Stale flag (>600s) auto-clears
+#   New (Task 855):
+#     A. PreToolUse mcp__memory__whatsapp-export-parse → BLOCKED
+#     B. PreToolUse mcp__memory__whatsapp-export-insight-write → BLOCKED
+#     C. PreToolUse mcp__memory__memory-archive-write w/ archiveType=whatsapp-export → BLOCKED
+#     D. PreToolUse mcp__memory__memory-archive-write w/ archiveType=linkedin-connections → ALLOWED
+#     E. PreToolUse Bash invoking conversation-archive-ingest.sh → ALLOWED
+#     F. Default-allow emits a [archive-ingest-gate] decision=allow log line
 
 set -u
 
@@ -58,20 +51,18 @@ run_case() {
   fi
 }
 
-# Plugin-source-edit block ------------------------------------------------
+# Preserved cases ---------------------------------------------------------
 
-run_case "Edit on platform/plugins/linkedin-import/lib/src/parse.ts → BLOCKED" \
-  '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/Users/x/repo/platform/plugins/linkedin-import/lib/src/parse.ts","old_string":"a","new_string":"b"}}' \
+run_case "Edit on platform/plugins/memory/mcp/src/lib/conversation-normalisers/whatsapp-text.ts → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/Users/x/repo/platform/plugins/memory/mcp/src/lib/conversation-normalisers/whatsapp-text.ts","old_string":"a","new_string":"b"}}' \
   2
 
 run_case "Edit on README.md → ALLOWED" \
   '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/Users/x/repo/README.md","old_string":"a","new_string":"b"}}' \
   0
 
-# Test-runner block (Bash) ------------------------------------------------
-
 run_case "Bash 'npx vitest run' → BLOCKED" \
-  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"npx vitest run x.test.ts"}}' \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"npx vitest run parse-export.test.ts"}}' \
   2
 
 run_case "Bash 'ls -la' → ALLOWED" \
@@ -86,18 +77,45 @@ run_case "Bash 'npm test' → BLOCKED" \
   '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"npm test"}}' \
   2
 
-# memory-archive-write — LinkedIn passes through unchanged ----------------
+# New (Task 855) cases ----------------------------------------------------
+
+run_case "PreToolUse mcp__memory__whatsapp-export-parse → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"mcp__memory__whatsapp-export-parse","tool_input":{"filePath":"/tmp/_chat.txt","accountId":"acct1","timezone":"Europe/London"}}' \
+  2
+
+run_case "PreToolUse mcp__memory__whatsapp-export-insight-write → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"mcp__memory__whatsapp-export-insight-write","tool_input":{"kind":"MENTIONS","name":"Joel"}}' \
+  2
+
+run_case "PreToolUse memory-archive-write w/ archiveType=whatsapp-export → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"mcp__memory__memory-archive-write","tool_input":{"archiveType":"whatsapp-export","ownerNodeId":"x","accountId":"a","rows":[]}}' \
+  2
 
 run_case "PreToolUse memory-archive-write w/ archiveType=linkedin-connections → ALLOWED" \
   '{"hook_event_name":"PreToolUse","tool_name":"mcp__memory__memory-archive-write","tool_input":{"archiveType":"linkedin-connections","ownerNodeId":"x","accountId":"a","rows":[]}}' \
   0
 
+# Bypass attempts (Task 855 code-review C1): nested archiveType in rows[0]
+# or conversation must NOT defeat the block. The gate must read the
+# top-level tool_input.archiveType, not the first textual occurrence.
+run_case "BYPASS: nested rows[0].archiveType=linkedin + top-level archiveType=whatsapp-export → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"mcp__memory__memory-archive-write","tool_input":{"rows":[{"archiveType":"linkedin-connections"}],"archiveType":"whatsapp-export","ownerNodeId":"x","accountId":"a"}}' \
+  2
+
+run_case "BYPASS: conversation.archiveType=linkedin + top-level archiveType=whatsapp-export → BLOCKED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"mcp__memory__memory-archive-write","tool_input":{"conversation":{"archiveType":"linkedin-connections","conversationId":"x"},"archiveType":"whatsapp-export","ownerNodeId":"x","accountId":"a","rows":[]}}' \
+  2
+
 # Plugin-source-edit path block must read tool_input.file_path top-level,
 # not a nested file_path in old_string/new_string.
 run_case "BYPASS: nested file_path in old_string + top-level file_path in lib/* → BLOCKED" \
-  '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/repo/platform/plugins/linkedin-import/lib/src/parse.ts","old_string":"file_path:/safe/path","new_string":"x"}}' \
+  '{"hook_event_name":"PreToolUse","tool_name":"Edit","tool_input":{"file_path":"/repo/platform/plugins/memory/mcp/src/lib/conversation-normalisers/whatsapp-text.ts","old_string":"file_path:/safe/path","new_string":"x"}}' \
   2
 
+run_case "PreToolUse Bash invoking conversation-archive-ingest.sh → ALLOWED" \
+  '{"hook_event_name":"PreToolUse","tool_name":"Bash","tool_input":{"command":"bash platform/plugins/memory/bin/conversation-archive-ingest.sh /tmp/chat.zip --source whatsapp --owner-element-id 4:abc:1 --participant-person-ids 4:abc:2 --scope admin"}}' \
+  0
+
 # Default-allow log-line check
 LOG=$(printf '%s' '{"hook_event_name":"PreToolUse","tool_name":"Read","tool_input":{"file_path":"/tmp/foo"}}' | bash "$HOOK" 2>&1 1>/dev/null)
 if printf '%s' "$LOG" | grep -q '\[archive-ingest-gate\] decision=allow tool=Read reason=default'; then
@@ -118,13 +136,10 @@ else
   FAIL=$((FAIL + 1))
 fi
 
-# Parse-error flag lifecycle (preserved). The gate's PostToolUse pattern is
-# `mcp__*__*-export-parse` / `mcp__*__*-import-parse` — exercise via the
-# linkedin-import-parse name (synthetic — the linkedin importer currently
-# uses memory-archive-write, but the gate matches by tool name shape).
+# Parse-error flag lifecycle (preserved)
 rm -f "$FLAG_FILE"
 run_case "PostToolUse parse-error sets flag (exit 0)" \
-  '{"hook_event_name":"PostToolUse","tool_name":"mcp__memory__linkedin-import-parse","tool_input":{"filePath":"connections.csv"},"tool_response":{"isError":true,"content":[{"type":"text","text":"parse-error file=connections.csv line=1 reason=missing-header"}]}}' \
+  '{"hook_event_name":"PostToolUse","tool_name":"mcp__memory__whatsapp-export-parse","tool_input":{"filePath":"_chat.txt"},"tool_response":{"isError":true,"content":[{"type":"text","text":"parse-error file=_chat.txt line=1 reason=not-a-_chat.txt"}]}}' \
   0
 [[ -f "$FLAG_FILE" ]] && { echo "PASS: parse-error flag created"; PASS=$((PASS+1)); } \
                       || { echo "FAIL: parse-error flag NOT created" >&2; FAIL=$((FAIL+1)); }
@@ -153,7 +168,7 @@ run_case "Stale flag auto-clears, PreToolUse Read → ALLOWED" \
 # PostToolUse parse-success leaves flag absent
 rm -f "$FLAG_FILE"
 run_case "PostToolUse parse-success (isError:false) does NOT set flag" \
-  '{"hook_event_name":"PostToolUse","tool_name":"mcp__memory__linkedin-import-parse","tool_input":{"filePath":"connections.csv"},"tool_response":{"isError":false,"content":[{"type":"text","text":"{\"parsedLines\":[]}"}]}}' \
+  '{"hook_event_name":"PostToolUse","tool_name":"mcp__memory__whatsapp-export-parse","tool_input":{"filePath":"_chat.txt"},"tool_response":{"isError":false,"content":[{"type":"text","text":"{\"parsedLines\":[]}"}]}}' \
   0
 [[ ! -f "$FLAG_FILE" ]] && { echo "PASS: parse-success leaves flag absent"; PASS=$((PASS+1)); } \
                         || { echo "FAIL: parse-success incorrectly created flag" >&2; FAIL=$((FAIL+1)); }

package/payload/platform/plugins/admin/hooks/archive-ingest-surface-gate.sh

@@ -1,24 +1,28 @@
 #!/usr/bin/env bash
-# Archive-ingest surface gate (Task 855, updated by Task 891, trimmed by Task 894).
+# Archive-ingest surface gate (Task 855, updated by Task 891).
 #
-# Three enforcements, one script — phase decided by `hook_event_name` on stdin.
-# Task 855 narrowed the database-operator subagent's effective surface during
-# archive ingestion. Task 894 retired the WhatsApp `_chat.txt` deterministic
-# parser and its three legacy MCP tools entirely — chat archives now flow
-# through the unified `document-ingest` pipeline (`memory-classify` mode='chat'
-# + `memory-ingest` parentLabel='ConversationArchive'). The WhatsApp-specific
-# block lists were removed because the tools they referenced no longer exist
-# and the `archiveType=whatsapp-export` enum value was dropped from
-# `memory-archive-write`. The remaining blocks still cover LinkedIn and any
-# future flat-dataset archive types that ship per-source parsers.
+# Five enforcements, one script — phase decided by `hook_event_name` on stdin.
+# Task 855 narrows the database-operator subagent's effective surface during
+# WhatsApp archive ingestion to exactly one Bash entry
+# (`memory/bin/conversation-archive-ingest.sh`) plus read-only neighbours, by
+# blocking the legacy MCP deviation tools mechanically. Task 891 retired the
+# `whatsapp-export-insight-pass` tool entirely (Phase 2 enrichment moved to a
+# separate follow-up task that will operate on :Section:Conversation chunks);
+# the tool name is added to the BLOCK list so any agent that still references
+# it from a stale skill or runbook gets a loud denial instead of MCP-not-found.
 #
-# 1. Parse-error gate: PostToolUse on any `mcp__*__*-export-parse` /
-#    `mcp__*__*-import-parse` tool whose `tool_response.isError == true`
-#    writes a flag file. Subsequent PreToolUse on ANY tool blocks until
-#    UserPromptSubmit clears the flag. A 600s TTL is the cross-session safety
-#    net. Preserved from Task 846 because LinkedIn and future per-source archive
-#    parsers still use the legacy MCP path until they migrate to their own
-#    deterministic Bash entries.
+# 1. PreToolUse on the four legacy WhatsApp MCP tools — BLOCK unconditionally.
+#    The single deterministic Bash entry is the only supported path for
+#    `archiveType=whatsapp-export`. Tool source for #1-#3 remains until cleanup;
+#    `whatsapp-export-insight-pass` source was deleted by Task 891 and the
+#    block here catches stale references.
+#       mcp__memory__whatsapp-export-parse
+#       mcp__memory__whatsapp-export-insight-write
+#       mcp__memory__whatsapp-export-insight-pass     (Task 891 — deleted, retired)
+#       mcp__memory__memory-archive-write             (only when `archiveType` is
+#                                                      `whatsapp-export`; LinkedIn
+#                                                      and other archiveTypes pass
+#                                                      through unchanged.)
 #
 # 2. PreToolUse Edit/Write/NotebookEdit: deny writes under
 #    `*platform/plugins/*/lib/*` (parser/CSV-shape source for any *-import or
@@ -28,10 +32,18 @@
 # 3. PreToolUse Bash: deny commands invoking JavaScript test runners
 #    (vitest|bun test|npm test|npx jest|node .*vitest). Preserved from Task 846.
 #
-# 4. Logging: every PreToolUse decision emits one line in the format
+# 4. Parse-error gate: PostToolUse on any `mcp__*__*-export-parse` /
+#    `mcp__*__*-import-parse` tool whose `tool_response.isError == true`
+#    writes a flag file. Subsequent PreToolUse on ANY tool blocks until
+#    UserPromptSubmit clears the flag. A 600s TTL is the cross-session safety
+#    net. Preserved from Task 846 because LinkedIn and future per-source archive
+#    parsers still use the legacy MCP path until they migrate to their own
+#    deterministic Bash entries.
+#
+# 5. Logging: every PreToolUse decision emits one line in the format
 #       [archive-ingest-gate] decision=<allow|block> tool=<name> reason=<r> ...
 #    so the operator can grep the full decision trail for one ingest from
-#    server.log.
+#    server.log alongside the [whatsapp-ingest] script lines.
 #
 # Exit codes follow Claude Code hook protocol: 0 = allow, 2 = block (stderr
 # message shown to the agent). Fail-closed on terminal stdin to match
@@ -128,12 +140,25 @@ if [ -f "$FLAG_FILE" ]; then
   fi
 fi
 
+# --- Block 2: legacy WhatsApp MCP tools — defensive denial ----------------
+# These tool sources were deleted by Task 894; the block stays as a stale-
+# reference catch (skill markdown checked into older installs may still name
+# them). The harness will return tool-not-found anyway, but a named block
+# message guides the operator to the new entry.
+case "$TOOL_NAME" in
+  mcp__memory__whatsapp-export-parse|mcp__memory__whatsapp-export-insight-write|mcp__memory__whatsapp-export-insight-pass|mcp__memory__whatsapp-export-preview)
+    emit_decision "block" "denied-mcp-legacy" \
+      "Blocked: ${TOOL_NAME} is a retired path. Task 894 generalised conversation-archive ingest — invoke 'bash platform/plugins/memory/bin/conversation-archive-ingest.sh <archive> --source whatsapp --owner-element-id <id> --participant-person-ids <csv> --scope <admin|public>' once. Normalise, sessionize, classify (mode=chat), and memory-ingest (parentLabel=ConversationArchive, source=<enum>) all run in-process."
+    ;;
+esac
+
 # Helper: extract a top-level field from `tool_input` via python3 — never via
 # grep+sed against the raw JSON, which would pick the first textual occurrence
-# including nested-object matches (`rows[0].archiveType`, etc.) and let a
-# malicious payload bypass the block. python3 is the project standard for
-# JSON-aware hook parsing (mirrors lane-gate.sh:31-46). On parse failure
-# return empty string — downstream block conditions skip cleanly.
+# including nested-object matches (`rows[0].archiveType`,
+# `conversation.archiveType`, etc.) and let a malicious payload bypass the
+# block. python3 is the project standard for JSON-aware hook parsing
+# (mirrors lane-gate.sh:31-46). On parse failure return empty string —
+# downstream block conditions skip cleanly.
 extract_tool_input_field() {
   local field="$1"
   printf '%s' "$INPUT" | python3 -c "
@@ -146,7 +171,20 @@ except Exception:
 " 2>/dev/null || echo ""
 }
 
-# --- Block 2: plugin-source path block (Edit/Write/NotebookEdit) -----------
+# --- Block 3: memory-archive-write conditional on conversation-shaped types
+# LinkedIn-connections and future flat-dataset archiveTypes flow unchanged.
+# `whatsapp-export` was the only conversation-shaped archiveType; Task 894
+# deleted that handler entirely, so the type itself is now invalid input —
+# the block stays defensive against operator-edited skills that still name it.
+if [ "$TOOL_NAME" = "mcp__memory__memory-archive-write" ]; then
+  ARCHIVE_TYPE=$(extract_tool_input_field archiveType)
+  if [ "$ARCHIVE_TYPE" = "whatsapp-export" ]; then
+    emit_decision "block" "denied-mcp-legacy archiveType=whatsapp-export" \
+      "Blocked: memory-archive-write with archiveType='whatsapp-export' is a retired path. Task 894 routes conversation transcripts through 'bash platform/plugins/memory/bin/conversation-archive-ingest.sh <archive> --source whatsapp --owner-element-id <id> --participant-person-ids <csv> --scope <admin|public>'. Flat-dataset archiveTypes (linkedin-connections, …) flow through memory-archive-write unchanged."
+  fi
+fi
+
+# --- Block 4: plugin-source path block (Edit/Write/NotebookEdit) -----------
 case "$TOOL_NAME" in
   Edit|Write|NotebookEdit)
     FILE_PATH=$(extract_tool_input_field file_path)
@@ -159,7 +197,7 @@ case "$TOOL_NAME" in
     ;;
 esac
 
-# --- Block 3: shell test-runner block (Bash) -------------------------------
+# --- Block 5: shell test-runner block (Bash) -------------------------------
 COMMAND=""
 if [ "$TOOL_NAME" = "Bash" ]; then
   COMMAND=$(extract_tool_input_field command)

package/payload/platform/plugins/admin/mcp/dist/index.js

@@ -737,9 +737,19 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
             const firstSpace = trimmedName.search(/\s/);
             const givenName = firstSpace === -1 ? trimmedName : trimmedName.slice(0, firstSpace).trim();
             const familyName = firstSpace === -1 ? null : (trimmedName.slice(firstSpace + 1).trim() || null);
+            // Task 897: stamp `accountId` on every AdminUser at MERGE time, both
+            // ON CREATE and ON MATCH (the latter via COALESCE so a pre-existing
+            // value isn't overwritten if it differs — which would itself be a
+            // graph-invariant violation worth surfacing). Pre-897 the missing
+            // accountId fingerprint produced :AdminUser nodes that migration 004
+            // pruned silently, costing the admin pin during onboarding.
             const result = await session.run(`MERGE (au:AdminUser {userId: $userId})
-           ON CREATE SET au.name = $name, au.createdAt = $createdAt
-           ON MATCH SET au.name = $name, au.updatedAt = $createdAt
+           ON CREATE SET au.accountId = $accountId,
+                         au.name = $name,
+                         au.createdAt = $createdAt
+           ON MATCH SET au.accountId = COALESCE(au.accountId, $accountId),
+                        au.name = $name,
+                        au.updatedAt = $createdAt
            WITH au
            MATCH (b:LocalBusiness {accountId: $accountId})
            MERGE (au)-[r:ADMIN_OF]->(b)
@@ -772,11 +782,23 @@ server.tool("admin-add", "Add a new admin user to this account. Creates a device
             if (result.records.length > 0) {
                 personReused = result.records[0].get("reused");
             }
+            // Task 897 — post-write assertion mirroring Task 785 in neo4j-store.ts.
+            // MATCH back the AdminUser we just wrote and verify every required
+            // field landed. Loud-fail the tool call if accountId or name is null
+            // so a Cypher regression that drops the field is grep-detectable.
+            const verify = await session.run(`MATCH (au:AdminUser {userId: $userId})
+           RETURN coalesce(au.accountId, '') AS accountId,
+                  coalesce(au.name, '')      AS name`, { userId });
+            const verifiedAccountId = verify.records[0]?.get("accountId") || "";
+            const verifiedName = verify.records[0]?.get("name") || "";
+            if (!verifiedAccountId || !verifiedName) {
+                throw new Error(`post-write assertion failed: AdminUser userId=${userIdShort} accountId=${verifiedAccountId || "(null)"} name=${verifiedName || "(null)"} — required fields missing after MERGE`);
+            }
         }
         finally {
             await session.close();
         }
-        console.error(`[admin-auth-store] action=add userId=${userIdShort} result=ok store=neo4j personReused=${personReused}`);
+        console.error(`[admin] admin-add success userId=${userIdShort} accountId=${ACCOUNT_ID} name=${name.trim()} required-fields=ok personReused=${personReused}`);
     }
     catch (err) {
         const errMsg = err instanceof Error ? err.message : String(err);