@rubytech/create-realagent 1.0.854 → 1.0.856

package/payload/platform/plugins/cloudflare/scripts/list-cf-domains.ts

@@ -42,19 +42,29 @@
 //            "selector drift" from "empty account" — both shapes arrive via
 //            stdout).
 
-import { appendFileSync } from "node:fs";
+import { appendFileSync, readFileSync } from "node:fs";
 import { writeFile } from "node:fs/promises";
 import { resolve } from "node:path";
 import { homedir } from "node:os";
 import { fileURLToPath } from "node:url";
 
-// CDP host/port default to the VNC Chromium's localhost bind; env overrides
-// exist solely so the vitest regression under platform/ui/__tests__ can force
-// a deterministic ECONNREFUSED (point at 127.0.0.1:1 — RFC 6335 reserved,
-// guaranteed-refused on every platform) without depending on whether a dev
-// machine happens to have VNC Chromium running on 9222.
-const CDP_HOST = process.env.LIST_CF_DOMAINS_CDP_HOST ?? "127.0.0.1";
-const CDP_PORT = Number(process.env.LIST_CF_DOMAINS_CDP_PORT ?? 9222);
+// CDP endpoint is resolved lazily inside `main()` so importing this module
+// for in-process tests (`scrapeCurrentPage` / `scrapeDomains` under JSDOM)
+// does not require an installed brand on disk.
+//
+// Task 954 source-of-truth contract:
+//   Runtime: brand.json `cdpPort` at `${MAXY_PLATFORM_ROOT}/config/brand.json`
+//     is authoritative. Wrapper exports MAXY_PLATFORM_ROOT and BRAND. Missing
+//     env / file / field → loud-fail with one of three named reasons. The
+//     pre-Task-954 silent CDP-port default made every non-Maxy brand fail
+//     `cdp-unreachable` because the helper hit Maxy's port instead of the
+//     brand's; Task 787 / NEO4J_URI sets the precedent that runtime config
+//     never falls back silently.
+//
+//   Test overrides: when BOTH `LIST_CF_DOMAINS_CDP_HOST` and
+//     `LIST_CF_DOMAINS_CDP_PORT` are set, they win over brand.json. The
+//     existing ECONNREFUSED vitest forces `127.0.0.1:1` (RFC 6335-reserved)
+//     this way without an installed brand. Production never sets these.
 
 // Phase budgets total 30s (enforced by the shell wrapper's `timeout`).
 // Individual steps get sub-budgets so an early stall does not eat the
@@ -72,7 +82,14 @@ type Reason =
   | "not-signed-in"
   | "navigate-failed"
   | "table-wait-timeout"
-  | "runtime-error";
+  | "runtime-error"
+  // Task 954 — config-class failures. The first three short-circuit before
+  // any CDP work begins; the route maps them to `field='config'` so the
+  // form renders a config-card naming the brand + path instead of a Retry
+  // button (retrying re-fires the same wrongly-resolved spawn — Task 787
+  // pattern).
+  | "brand-config-missing"
+  | "cdp-port-unresolved";
 
 // Sticky flag: once a stream-log write fails (EACCES, ENOENT, …), skip
 // subsequent file writes for the rest of this process. Repeated appends to an
@@ -120,11 +137,85 @@ function die(reason: Reason, detail = ""): never {
   process.exit(1);
 }
 
-async function cdpVersion(): Promise<void> {
+interface CdpEndpoint {
+  host: string;
+  port: number;
+  source: "env-override" | "brand.json";
+}
+
+// Task 954 — single source of truth for the CDP endpoint. Called once from
+// `main()` so the JSDOM scrape test (which imports `scrapeCurrentPage`
+// directly without invoking `main`) does not need an installed brand.
+function resolveCdpEndpoint(): CdpEndpoint {
+  const envHost = process.env.LIST_CF_DOMAINS_CDP_HOST;
+  const envPortRaw = process.env.LIST_CF_DOMAINS_CDP_PORT;
+  if (envHost !== undefined && envPortRaw !== undefined) {
+    const envPort = Number(envPortRaw);
+    if (!Number.isInteger(envPort) || envPort <= 0 || envPort > 65535) {
+      die(
+        "cdp-port-unresolved",
+        `LIST_CF_DOMAINS_CDP_PORT="${envPortRaw}" is not a valid integer port`,
+      );
+    }
+    return { host: envHost, port: envPort, source: "env-override" };
+  }
+
+  const brand = process.env.BRAND;
+  if (!brand) {
+    die(
+      "brand-config-missing",
+      "BRAND env var not set by wrapper — refusing to guess brand identity",
+    );
+  }
+  const platformRoot = process.env.MAXY_PLATFORM_ROOT;
+  if (!platformRoot) {
+    die(
+      "brand-config-missing",
+      "MAXY_PLATFORM_ROOT env var not set — wrapper must export it before spawn",
+    );
+  }
+  const brandPath = resolve(platformRoot, "config", "brand.json");
+  let raw: string;
+  try {
+    raw = readFileSync(brandPath, "utf-8");
+  } catch (err) {
+    // Distinct emission (not via `die`) so the path is named on the same line
+    // — config-card rendering on the route side keys off it.
+    logPhase(
+      `phase=error reason=brand-config-missing path=${brandPath} detail="${(err instanceof Error ? err.message : String(err)).replace(/"/g, "'").slice(0, 200)}"`,
+    );
+    process.exit(1);
+  }
+  let parsed: Record<string, unknown>;
+  try {
+    parsed = JSON.parse(raw) as Record<string, unknown>;
+  } catch (err) {
+    logPhase(
+      `phase=error reason=brand-config-missing path=${brandPath} detail="parse failed: ${(err instanceof Error ? err.message : String(err)).replace(/"/g, "'").slice(0, 160)}"`,
+    );
+    process.exit(1);
+  }
+  const cdpPort = parsed.cdpPort;
+  if (typeof cdpPort !== "number" || !Number.isInteger(cdpPort) || cdpPort <= 0 || cdpPort > 65535) {
+    // Names the keys actually present so a schema-drift incident surfaces
+    // immediately ("oh, brand.json renamed `cdpPort` to `cdp_port` in r123").
+    const keys = Object.keys(parsed).join(",");
+    logPhase(
+      `phase=error reason=cdp-port-unresolved brand=${brand} json_keys=${keys}`,
+    );
+    process.exit(1);
+  }
+  // Host stays 127.0.0.1 on the runtime path — vnc.sh binds Chromium's CDP
+  // server to localhost only, by construction. brand.json carries the port,
+  // not the host, because the host has never varied across brands.
+  return { host: "127.0.0.1", port: cdpPort, source: "brand.json" };
+}
+
+async function cdpVersion(host: string, port: number): Promise<void> {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), CONNECT_TIMEOUT_MS);
   try {
-    const res = await fetch(`http://${CDP_HOST}:${CDP_PORT}/json/version`, { signal: controller.signal });
+    const res = await fetch(`http://${host}:${port}/json/version`, { signal: controller.signal });
     if (!res.ok) die("cdp-unreachable", `HTTP ${res.status}`);
   } catch (err) {
     die("cdp-unreachable", err instanceof Error ? err.message : String(err));
@@ -138,12 +229,12 @@ interface CdpTarget {
   webSocketDebuggerUrl: string;
 }
 
-async function createTarget(): Promise<CdpTarget> {
+async function createTarget(host: string, port: number): Promise<CdpTarget> {
   // `PUT /json/new?<url>` returns JSON describing the target. The URL goes
   // as a query-string argument (not a ?url= key), matching Chromium's CDP
   // server. about:blank avoids a wasted navigation — the real navigate
   // happens over WS after we attach.
-  const endpoint = `http://${CDP_HOST}:${CDP_PORT}/json/new?about:blank`;
+  const endpoint = `http://${host}:${port}/json/new?about:blank`;
   let res: Response;
   try {
     res = await fetch(endpoint, { method: "PUT", signal: AbortSignal.timeout(CONNECT_TIMEOUT_MS) });
@@ -158,9 +249,9 @@ async function createTarget(): Promise<CdpTarget> {
   return target as CdpTarget;
 }
 
-async function closeTarget(id: string): Promise<void> {
+async function closeTarget(host: string, port: number, id: string): Promise<void> {
   try {
-    await fetch(`http://${CDP_HOST}:${CDP_PORT}/json/close/${id}`, {
+    await fetch(`http://${host}:${port}/json/close/${id}`, {
       signal: AbortSignal.timeout(CONNECT_TIMEOUT_MS),
     });
   } catch {
@@ -602,19 +693,20 @@ async function waitForDocumentReady(cdp: CdpClient): Promise<void> {
 }
 
 async function main(): Promise<void> {
-  logPhase(`phase=script-start cdp=${CDP_HOST}:${CDP_PORT}`);
+  const endpoint = resolveCdpEndpoint();
+  logPhase(`phase=script-start cdp=${endpoint.host}:${endpoint.port} source=${endpoint.source}`);
 
-  await cdpVersion();
+  await cdpVersion(endpoint.host, endpoint.port);
   logPhase(`phase=cdp-connect result=ok`);
 
-  const target = await createTarget();
+  const target = await createTarget(endpoint.host, endpoint.port);
   logPhase(`phase=target-created targetId=${target.id.slice(0, 8)}…`);
 
   let cdp: CdpClient;
   try {
     cdp = await CdpClient.connect(target.webSocketDebuggerUrl);
   } catch (err) {
-    await closeTarget(target.id);
+    await closeTarget(endpoint.host, endpoint.port, target.id);
     die("ws-connect-failed", err instanceof Error ? err.message : String(err));
   }
 
@@ -643,7 +735,7 @@ async function main(): Promise<void> {
     die("runtime-error", err instanceof Error ? err.message : String(err));
   } finally {
     cdp.close();
-    await closeTarget(target.id);
+    await closeTarget(endpoint.host, endpoint.port, target.id);
   }
 }
 

package/payload/platform/plugins/docs/references/cloudflare.md

@@ -9,6 +9,7 @@ Each installation has its own Cloudflare account. Sign-in is OAuth in the device
 | **Product identity** (Maxy vs Real Agent) | `brand.json` (`productName`, `configDir`) — known at install. |
 | **Cloudflare account identity** | `cert.pem` from OAuth. One account per brand per device. |
 | **Domain scope** (which zones the operator can route) | Live Cloudflare dashboard at form-render time via `list-cf-domains.sh`, not `brand.json`. Brand identity has no authority over which domains the operator's CF account holds. When the scrape returns an unexpected count (e.g. 1 on a two-zone account), the stream log's per-poll `phase=dom-scrape-poll n=<k> count=<n> domains=[…]` trajectory + the on-disk HTML dump at `~/{configDir}/logs/list-cf-domains-<ts>-count<n>-<mode>-pid<pid>.html` (earlier platform fixes — written on every scrape outcome, not just empty ones) give the operator everything they need to triage the cause without re-running. |
+| **CDP port the scrape attaches to** | `brand.json` (`cdpPort`, stamped at install time) — the same brand-scoped port `vnc.sh` binds Chromium to. `list-cf-domains.sh <brand>` requires the brand arg; the helper reads `${MAXY_PLATFORM_ROOT}/config/brand.json` (no silent default). Missing brand arg, missing brand.json, or missing `cdpPort` field each exit 1 with one of three named reasons (`brand-arg-missing`, `brand-config-missing`, `cdp-port-unresolved`); the route maps all three to `field=config` so the form renders a config card naming the brand instead of a Retry button — retrying would re-fire the same wrongly-resolved spawn. |
 | **Local tunnel state** | `~/{configDir}/cloudflared/` — `cert.pem`, `<UUID>.json`, `config.yml`, `tunnel.state`, `alias-domains.json`. |
 
 There is no token-based auth for the operator-owned path (Mode A). To switch Cloudflare accounts, run `reset-tunnel.sh` (which deletes the cert and every tunnel on the current account), then run `setup-tunnel.sh` again — `cloudflared tunnel login` inside the setup script will pick a fresh account when you sign in.

package/payload/platform/plugins/docs/references/internals.md

@@ -142,6 +142,8 @@ Multi-tenancy boundary. Every query is scoped to the requesting account. The `AC
 
 The read filter alone is not sufficient — it correctly *hides* alien-account nodes from every UI but does not prevent them existing. A writer that misresolves `accountId` (literal, undefined, or inferred-from-the-wrong-context) leaks nodes into the graph with no downstream symptom; the read filter then keeps them invisible indefinitely. The write-side doctrine is documented in `.docs/neo4j.md` "Account isolation invariant" — every writer that stamps `n.accountId` must verify the value against `${DATA_ROOT}/accounts/<id>/account.json` before write. The live floor is `writeNodeWithEdges` — every doctrine-primitive write is gated by an `accountId == process.env.ACCOUNT_ID` check (the spawning process validates `ACCOUNT_ID` at boot against the on-disk account set via the `account-enumeration` lib), with `[graph-write] reject reason=invalid-account-id …` as the rejection signal.
 
+**Two boot-time surfaces stamp + validate the env** (added 2026-05-07). The brand systemd unit emits `Environment=ACCOUNT_ID=<uuid>` (resolved by the installer from `INSTALL_DIR/data/accounts/<uuid>/account.json`); the Hono boot path then calls `validateAccountIdEnv` against the on-disk set and emits `[graph-health] account-id-env present=true id=<8> matches-on-disk=true` on success or `[graph-health] account-id-env FATAL reason=<missing|no-on-disk-account|mismatch>` + `process.exit(1)` on failure. No fallback — a misconfigured Pi cannot silently boot.
+
 ---
 
 ## Query Classification

package/payload/platform/plugins/whatsapp/PLUGIN.md

@@ -53,7 +53,7 @@ When per-group activation is `mention`, the agent fires only if the inbound mess
 
 Every `messages.upsert` event (both `notify` and `append`, both `fromMe` directions) writes a `:Message:WhatsAppMessage` row to Neo4j attached to the sessionKey-keyed `:Conversation`. A single capture site at `platform/ui/app/lib/whatsapp/manager.ts` covers inbound, outbound (Baileys echoes agent-sent messages back through `messages.upsert` with `fromMe=true`), and owner-mirror — without touching `outbound/send.ts`. `messageId` namespace is `whatsapp-live:<waName>:<remoteJid>:<msg.key.id>` where `<waName>` is the Baileys credential dirname (e.g. `default`); distinct from the `:Section:Conversation` chunks written by the source-agnostic `conversation-archive` skill — live and archive live in disjoint label spaces. Persist failures are loud (`[whatsapp-persist] FAIL …`) and never block dispatch — silent loss is the worse failure mode.
 
-**`accountId` contract.** `n.accountId` on every `:Conversation`, `:Person`, and `:Message:WhatsAppMessage` row stamped by this plugin is the **platform-side UUID** resolved by [`resolvePlatformAccountId()`](../../ui/app/lib/whatsapp/platform-account-id.ts) from `data/accounts/<uuid>/account.json` — NOT the Baileys credential dirname (which is only used as the `messageId`/`sessionKey` namespace token). The boot-time line `[whatsapp-persist] resolved-account-id waname=<dir> uuid=<uuid>` records the resolution. Doctrine: see `.docs/neo4j.md` "Account isolation invariant" — every writer that stamps `n.accountId` must verify the value against `${DATA_ROOT}/accounts/<id>/account.json` before write. The helper loud-throws on zero or multi accounts (Phase 0 single-account invariant), aborting the WhatsApp connection start before any write can occur. The same boot-validated identity (`process.env.ACCOUNT_ID`) backs the central live floor at [`writeNodeWithEdges`](../../lib/graph-write/src/index.ts) — any write whose `accountId` differs from the spawning process's `ACCOUNT_ID` is rejected by the gate; the WhatsApp helper is the writer-side discipline, the gate is the universal floor.
+**`accountId` contract.** `n.accountId` on every `:Conversation`, `:Person`, and `:Message:WhatsAppMessage` row stamped by this plugin is the **platform-side UUID** resolved by [`resolvePlatformAccountId()`](../../ui/app/lib/whatsapp/platform-account-id.ts) from `data/accounts/<uuid>/account.json` — NOT the Baileys credential dirname (which is only used as the `messageId`/`sessionKey` namespace token). The boot-time line `[whatsapp-persist] resolved-account-id waname=<dir> uuid=<uuid>` records the resolution. Doctrine: see `.docs/neo4j.md` "Account isolation invariant" — every writer that stamps `n.accountId` must verify the value against `${DATA_ROOT}/accounts/<id>/account.json` before write. The helper loud-throws on zero or multi accounts (Phase 0 single-account invariant), aborting the WhatsApp connection start before any write can occur. The same boot-validated identity (`process.env.ACCOUNT_ID`) backs the central live floor at [`writeNodeWithEdges`](../../lib/graph-write/src/index.ts) — any write whose `accountId` differs from the spawning process's `ACCOUNT_ID` is rejected by the gate; the WhatsApp helper is the writer-side discipline, the gate is the universal floor. The env itself is stamped onto the brand systemd unit by `buildMaxyUnitFile` and re-validated at every Hono boot (`[graph-health] account-id-env present=true matches-on-disk=true`) — see `.docs/neo4j.md` "Two boot-time surfaces" (added 2026-05-07).
 
 ## Skills
 

package/payload/server/public/assets/{Checkbox-U-H3_oQu.js → Checkbox-BySsatDO.js}

@@ -1 +1 @@
-import{t as e}from"./jsx-runtime-BjkIZEse.js";var t=e();function n({checked:e,onChange:n,label:r,disabled:i}){return(0,t.jsxs)(`label`,{className:`maxy-checkbox${i?` maxy-checkbox--disabled`:``}`,children:[(0,t.jsx)(`input`,{type:`checkbox`,checked:e,onChange:e=>n(e.target.checked),disabled:i}),(0,t.jsx)(`span`,{className:`maxy-checkbox__box`,children:`✱`}),r&&(0,t.jsx)(`span`,{className:`maxy-checkbox__label`,children:r})]})}export{n as t};
+import{t as e}from"./jsx-runtime-DnY0498s.js";var t=e();function n({checked:e,onChange:n,label:r,disabled:i}){return(0,t.jsxs)(`label`,{className:`maxy-checkbox${i?` maxy-checkbox--disabled`:``}`,children:[(0,t.jsx)(`input`,{type:`checkbox`,checked:e,onChange:e=>n(e.target.checked),disabled:i}),(0,t.jsx)(`span`,{className:`maxy-checkbox__box`,children:`✱`}),r&&(0,t.jsx)(`span`,{className:`maxy-checkbox__label`,children:r})]})}export{n as t};