@rubytech/create-realagent 1.0.865 → 1.0.867

package/payload/server/server.js

@@ -1,9 +1,19 @@
 import {
+  ACCOUNTS_DIR,
   ATTACHMENTS_ROOT,
+  CDP_PORT,
+  COMMERCIAL_MODE,
   Hono,
+  LOG_DIR,
+  MAXY_DIR,
   MAX_FILES_PER_MESSAGE,
   MAX_FILE_SIZE_BYTES,
+  PLATFORM_ROOT,
   SUPPORTED_MIME_TYPES,
+  TELEGRAM_ADMIN_WEBHOOK_SECRET_FILE,
+  TELEGRAM_WEBHOOK_SECRET_FILE,
+  USERS_FILE,
+  WEBSOCKIFY_PORT,
   assertSupportedMime,
   autoDeliverPremiumPlugins,
   browserViewerLog,
@@ -25,6 +35,8 @@ import {
   ensureLogDir,
   ensureVnc,
   findMissingPlugins,
+  getDefaultAccountId,
+  hasStubAccountDir,
   hashPassword,
   httpLog,
   invokeAgent,
@@ -37,13 +49,19 @@ import {
   load,
   logPath,
   pickComponentBytes,
+  preflushSliceOf,
   recordFailedAttempt,
   render,
   renderLoginPage,
   requireAdminSession,
+  resolveAccount,
+  resolveAgentConfig,
   resolveBrowserTransport,
   resolveClientIp,
+  resolveConversationLogPaths,
+  resolveDefaultAgentSlug,
   resolveEntitlement,
+  resolveUserAccounts,
   safeJson,
   sanitizeClientCorrId,
   serve,
@@ -56,6 +74,7 @@ import {
   streamLogPathFor,
   stripAttachmentMetaSuffix,
   tryCookieBridgeForConversation,
+  validateAgentSlug,
   validateFilePathInAccount,
   validateKey,
   validatePasswordStrength,
@@ -64,25 +83,14 @@ import {
   vncLog,
   waitForExit,
   writeChromiumWrapper
-} from "./chunk-2Q2S52GB.js";
+} from "./chunk-DHSBEMWW.js";
 import {
-  ACCOUNTS_DIR,
-  CDP_PORT,
-  COMMERCIAL_MODE,
-  LOG_DIR,
-  MAXY_DIR,
-  PLATFORM_ROOT,
-  TELEGRAM_ADMIN_WEBHOOK_SECRET_FILE,
-  TELEGRAM_WEBHOOK_SECRET_FILE,
-  USERS_FILE,
-  WEBSOCKIFY_PORT,
   agentLogStream,
   clearSessionHistory,
   completeGrantSetup,
   getAccountIdForSession,
   getAgentNameForSession,
   getConversationIdForSession,
-  getDefaultAccountId,
   getGrantForSession,
   getGroupSlugForSession,
   getRoleForSession,
@@ -90,26 +98,19 @@ import {
   getUserIdForSession,
   getUserNameForSession,
   getVisitorIdForSession,
-  hasStubAccountDir,
   interruptClient,
   listAdminSessionsInProgress,
   preConversationLogStream,
-  preflushStreamLogKey,
   registerGrantSession,
   registerResumedSession,
   registerSession,
-  resolveAccount,
-  resolveAgentConfig,
-  resolveDefaultAgentSlug,
-  resolveUserAccounts,
   setAgentSessionId,
   setConversationIdForSession,
   setGroupContextForSession,
   sigtermFlushStreamLogs,
   unregisterSession,
-  validateAgentSlug,
   validateSession
-} from "./chunk-22LK7D5R.js";
+} from "./chunk-TOLLHW7W.js";
 import {
   CLOUDFLARE_TASK_DIAGNOSTICS,
   appendCloudflareSteps,
@@ -117,13 +118,14 @@ import {
   openCloudflareTask,
   readTunnelState,
   resolveUnitGoneVerdict
-} from "./chunk-BY4LZDL4.js";
+} from "./chunk-UXLZ5Z3Y.js";
 import {
   GREETING_DIRECTIVE,
   HAIKU_MODEL,
   backfillNullUserIdConversations,
   bindVisitorToGroup,
   checkGroupMembership,
+  createNewAdminConversation,
   deleteAgentProjection,
   deleteConversation,
   embed,
@@ -148,7 +150,7 @@ import {
   verifyAndGetConversationUpdatedAt,
   verifyConversationOwnership,
   writeAdminUserAndPerson
-} from "./chunk-7ADUQXTU.js";
+} from "./chunk-FHNFKJZN.js";
 import {
   __commonJS,
   __toESM
@@ -651,8 +653,8 @@ var serveStatic = (options = { root: "" }) => {
 };
 
 // server/index.ts
-import { readFileSync as readFileSync18, existsSync as existsSync24, watchFile } from "fs";
-import { resolve as resolve21, join as join12, basename as basename4 } from "path";
+import { readFileSync as readFileSync18, existsSync as existsSync23, watchFile } from "fs";
+import { resolve as resolve21, join as join11, basename as basename4 } from "path";
 import { homedir as homedir3 } from "os";
 
 // app/lib/agent-slug-pattern.ts
@@ -7147,6 +7149,7 @@ var session_default2 = app10;
 // server/routes/admin/chat.ts
 import { resolve as resolve8 } from "path";
 import { appendFileSync as appendFileSync3 } from "fs";
+import { randomUUID as randomUUID6 } from "crypto";
 
 // app/lib/script-stream-tailer.ts
 import * as childProcess from "child_process";
@@ -7436,7 +7439,7 @@ var app11 = new Hono();
 app11.post("/cancel", requireAdminSession, async (c) => {
   const session_key = c.var.sessionKey;
   try {
-    const { interruptClient: interruptClient2 } = await import("./client-pool-3BCJTPPA.js");
+    const { interruptClient: interruptClient2 } = await import("./client-pool-2IUOSYDF.js");
     await interruptClient2(session_key);
     return c.json({ ok: true });
   } catch (err) {
@@ -7593,17 +7596,29 @@ app11.post("/", requireAdminSession, async (c) => {
   if (!isSystemMessage) {
     gatewayResult = await processInbound(message, "web-admin");
   }
-  const encoder = new TextEncoder();
-  const sseConvId = getConversationIdForSession(session_key);
-  const sseLogStream = sseConvId ? agentLogStream("sse-events", account.accountDir, sseConvId) : preConversationLogStream("sse-events", account.accountDir);
-  const sk = sseConvId?.slice(0, 8) ?? session_key.slice(0, 8);
-  function resolveTeeStreamLogPath() {
-    const liveConvId = getConversationIdForSession(session_key);
-    const key = liveConvId ?? preflushStreamLogKey(session_key);
-    return resolve8(account.accountDir, "logs", `claude-agent-stream-${key}.log`);
+  let conversationId = getConversationIdForSession(session_key);
+  if (!conversationId) {
+    const userId = getUserIdForSession(session_key);
+    const userName = getUserNameForSession(session_key);
+    const accountId = getAccountIdForSession(session_key);
+    if (!userId || !accountId) {
+      return chatReject(401, "Invalid or expired admin session", session_key);
+    }
+    const minted = randomUUID6();
+    const created = await createNewAdminConversation(userId, accountId, session_key, userName, minted);
+    if (!created) {
+      return chatReject(500, "Failed to create conversation", session_key);
+    }
+    conversationId = created;
+    setConversationIdForSession(session_key, conversationId);
+    console.log(`[chat-route] new conversation conversationId=${conversationId} sessionKey=${session_key.slice(0, 12)}\u2026`);
   }
+  const encoder = new TextEncoder();
+  const sseLogStream = agentLogStream("sse-events", account.accountDir, conversationId);
+  const sk = conversationId.slice(0, 8);
+  const teeStreamLogPath = resolve8(account.accountDir, "logs", `claude-agent-stream-${conversationId}.log`);
   try {
-    appendFileSync3(resolveTeeStreamLogPath(), `[${(/* @__PURE__ */ new Date()).toISOString()}] [chat-route-version=task606-tee-path-resolve] sessionKey=${session_key.slice(0, 12)}\u2026
+    appendFileSync3(teeStreamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [chat-route-version=task965-mint-at-entry] sessionKey=${session_key.slice(0, 12)}\u2026 conversationId=${conversationId}
 `);
   } catch {
   }
@@ -7612,7 +7627,7 @@ app11.post("/", requireAdminSession, async (c) => {
     incoming.on("close", () => {
       const tsClose = (/* @__PURE__ */ new Date()).toISOString();
       try {
-        appendFileSync3(resolveTeeStreamLogPath(), `[${tsClose}] [incoming-close] sessionKey=${session_key.slice(0, 12)}\u2026 complete=${incoming.complete}
+        appendFileSync3(teeStreamLogPath, `[${tsClose}] [incoming-close] sessionKey=${session_key.slice(0, 12)}\u2026 complete=${incoming.complete}
 `);
       } catch {
       }
@@ -7620,7 +7635,7 @@ app11.post("/", requireAdminSession, async (c) => {
         console.error(`[${tsClose}] [incoming-close] DISCONNECT sessionKey=${session_key.slice(0, 12)}\u2026`);
         interruptClient(session_key).catch((err) => {
           try {
-            appendFileSync3(resolveTeeStreamLogPath(), `[${(/* @__PURE__ */ new Date()).toISOString()}] [incoming-close] interrupt-failed: ${err instanceof Error ? err.message : String(err)}
+            appendFileSync3(teeStreamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [incoming-close] interrupt-failed: ${err instanceof Error ? err.message : String(err)}
 `);
           } catch {
           }
@@ -7629,7 +7644,7 @@ app11.post("/", requireAdminSession, async (c) => {
     });
   } else {
     try {
-      appendFileSync3(resolveTeeStreamLogPath(), `[${(/* @__PURE__ */ new Date()).toISOString()}] [incoming-close] UNAVAILABLE \u2014 c.env.incoming is not an EventEmitter
+      appendFileSync3(teeStreamLogPath, `[${(/* @__PURE__ */ new Date()).toISOString()}] [incoming-close] UNAVAILABLE \u2014 c.env.incoming is not an EventEmitter
 `);
     } catch {
     }
@@ -7641,7 +7656,7 @@ app11.post("/", requireAdminSession, async (c) => {
       } catch {
       }
       try {
-        appendFileSync3(resolveTeeStreamLogPath(), line);
+        appendFileSync3(teeStreamLogPath, line);
       } catch {
       }
       return true;
@@ -7681,13 +7696,12 @@ app11.post("/", requireAdminSession, async (c) => {
     },
     async start(controller) {
       let controllerOpen = true;
-      const sseEntry = { controller, conversationId: sseConvId ?? null, sessionKey: session_key };
+      const sseEntry = { controller, conversationId, sessionKey: session_key };
       try {
         const reqSignal = c.req.raw?.signal;
         if (reqSignal) {
           reqSignal.addEventListener("abort", () => {
-            const abortLogKey = sseConvId ?? preflushStreamLogKey(session_key);
-            const abortStreamLog = agentLogStream("claude-agent-stream", account.accountDir, abortLogKey);
+            const abortStreamLog = agentLogStream("claude-agent-stream", account.accountDir, conversationId);
             const ts = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
             sseLog.write(`[${ts}] [${sk}] admin: ABORT [operator-cancel] interrupting pool client
 `);
@@ -7701,28 +7715,25 @@ app11.post("/", requireAdminSession, async (c) => {
       }
       try {
         registerAdminSSE(sseEntry);
-        if (sseConvId) {
-          const streamLogPath = resolve8(account.accountDir, "logs", `claude-agent-stream-${sseConvId}.log`);
-          tailer = startScriptStreamTailer({
-            path: streamLogPath,
-            onEvent: (event) => {
-              if (!controllerOpen) return;
-              const ts = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
-              sseLog.write(`[${ts}] [${sk}] admin: ${JSON.stringify(event)}
+        tailer = startScriptStreamTailer({
+          path: teeStreamLogPath,
+          onEvent: (event) => {
+            if (!controllerOpen) return;
+            const ts = (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
+            sseLog.write(`[${ts}] [${sk}] admin: ${JSON.stringify(event)}
 `);
-              try {
-                controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}
+            try {
+              controller.enqueue(encoder.encode(`data: ${JSON.stringify(event)}
 
 `));
-              } catch {
-                controllerOpen = false;
-              }
-            },
-            onError: (err) => {
-              console.error(`[script-stream-tailer] ${streamLogPath}: ${err.message}`);
+            } catch {
+              controllerOpen = false;
             }
-          });
-        }
+          },
+          onError: (err) => {
+            console.error(`[script-stream-tailer] ${teeStreamLogPath}: ${err.message}`);
+          }
+        });
         for await (const event of invokeAgent(
           { type: "admin", skipTopicCheck },
           message,
@@ -7831,42 +7842,8 @@ app12.post("/", requireAdminSession, async (c) => {
 var compact_default = app12;
 
 // server/routes/admin/logs.ts
-import { existsSync as existsSync13, readdirSync as readdirSync5, readFileSync as readFileSync11, statSync as statSync6 } from "fs";
+import { existsSync as existsSync12, readdirSync as readdirSync5, readFileSync as readFileSync11, statSync as statSync6 } from "fs";
 import { resolve as resolve9, basename as basename2 } from "path";
-
-// app/lib/logs-read-resolve.ts
-import { existsSync as existsSync12 } from "fs";
-import { join as join9 } from "path";
-function resolveConversationLogPaths(fullFilename, preflushFilename, logDirs) {
-  const tried = [fullFilename, preflushFilename];
-  const hits = [];
-  const stalePreflushPaths = [];
-  for (const dir of logDirs) {
-    const fullPath = join9(dir, fullFilename);
-    if (existsSync12(fullPath)) {
-      hits.push({ path: fullPath, shape: "full", dir });
-      const preflushSibling = join9(dir, preflushFilename);
-      if (existsSync12(preflushSibling)) {
-        stalePreflushPaths.push(preflushSibling);
-      }
-    }
-  }
-  if (hits.length > 0) {
-    return { hits, stalePreflushPaths, tried };
-  }
-  for (const dir of logDirs) {
-    const preflushPath = join9(dir, preflushFilename);
-    if (existsSync12(preflushPath)) {
-      hits.push({ path: preflushPath, shape: "preflush", dir });
-    }
-  }
-  return { hits, stalePreflushPaths, tried };
-}
-function preflushSliceOf(id) {
-  return `preflush-${id.slice(0, 12)}`;
-}
-
-// server/routes/admin/logs.ts
 var TAIL_BYTES = 8192;
 var app13 = new Hono();
 app13.get("/", async (c) => {
@@ -7958,7 +7935,7 @@ app13.get("/", async (c) => {
     }
     const MISSING_SENTINEL = ".task702-identifier-not-supplied.log";
     const fullFilename = conversationId ? `${prefix}-${conversationId}.log` : MISSING_SENTINEL;
-    const preflushFilename = sessionKey ? `${prefix}-${preflushSliceOf(sessionKey)}.log` : MISSING_SENTINEL;
+    const preflushFilename = sessionKey && typeParam === "public" ? `${prefix}-${preflushSliceOf(sessionKey)}.log` : MISSING_SENTINEL;
     const { hits, stalePreflushPaths, tried } = resolveConversationLogPaths(
       fullFilename,
       preflushFilename,
@@ -8015,7 +7992,7 @@ app13.get("/", async (c) => {
   const seen = /* @__PURE__ */ new Set();
   const logs = {};
   for (const dir of logDirs) {
-    if (!existsSync13(dir)) continue;
+    if (!existsSync12(dir)) continue;
     let files;
     try {
       files = readdirSync5(dir).filter((f) => f.endsWith(".log"));
@@ -8066,7 +8043,7 @@ var claude_info_default = app14;
 
 // server/routes/admin/attachment.ts
 import { readFile as readFile2, readdir } from "fs/promises";
-import { existsSync as existsSync14 } from "fs";
+import { existsSync as existsSync13 } from "fs";
 import { resolve as resolve10 } from "path";
 var app15 = new Hono();
 app15.get("/:attachmentId", requireAdminSession, async (c) => {
@@ -8080,11 +8057,11 @@ app15.get("/:attachmentId", requireAdminSession, async (c) => {
     return new Response("Not found", { status: 404 });
   }
   const dir = resolve10(ATTACHMENTS_ROOT, accountId, attachmentId);
-  if (!existsSync14(dir)) {
+  if (!existsSync13(dir)) {
     return new Response("Not found", { status: 404 });
   }
   const metaPath = resolve10(dir, `${attachmentId}.meta.json`);
-  if (!existsSync14(metaPath)) {
+  if (!existsSync13(metaPath)) {
     return new Response("Not found", { status: 404 });
   }
   let meta;
@@ -8112,13 +8089,13 @@ var attachment_default = app15;
 
 // server/routes/admin/agents.ts
 import { resolve as resolve11 } from "path";
-import { readdirSync as readdirSync6, readFileSync as readFileSync12, existsSync as existsSync15, rmSync } from "fs";
+import { readdirSync as readdirSync6, readFileSync as readFileSync12, existsSync as existsSync14, rmSync } from "fs";
 var app16 = new Hono();
 app16.get("/", (c) => {
   const account = resolveAccount();
   if (!account) return c.json({ agents: [] });
   const agentsDir = resolve11(account.accountDir, "agents");
-  if (!existsSync15(agentsDir)) return c.json({ agents: [] });
+  if (!existsSync14(agentsDir)) return c.json({ agents: [] });
   const agents = [];
   try {
     const entries = readdirSync6(agentsDir, { withFileTypes: true });
@@ -8126,7 +8103,7 @@ app16.get("/", (c) => {
       if (!entry.isDirectory()) continue;
       if (entry.name === "admin") continue;
       const configPath2 = resolve11(agentsDir, entry.name, "config.json");
-      if (!existsSync15(configPath2)) continue;
+      if (!existsSync14(configPath2)) continue;
       try {
         const config = JSON.parse(readFileSync12(configPath2, "utf-8"));
         agents.push({
@@ -8155,7 +8132,7 @@ app16.delete("/:slug", async (c) => {
     return c.json({ error: "Invalid agent slug" }, 400);
   }
   const agentDir = resolve11(account.accountDir, "agents", slug);
-  if (!existsSync15(agentDir)) {
+  if (!existsSync14(agentDir)) {
     return c.json({ error: "Agent not found" }, 404);
   }
   try {
@@ -8185,7 +8162,7 @@ app16.post("/:slug/project", async (c) => {
     return c.json({ error: "Invalid agent slug" }, 400);
   }
   const agentDir = resolve11(account.accountDir, "agents", slug);
-  if (!existsSync15(agentDir)) {
+  if (!existsSync14(agentDir)) {
     return c.json({ error: "Agent not found on disk" }, 404);
   }
   try {
@@ -8201,7 +8178,7 @@ var agents_default = app16;
 // server/routes/admin/sessions.ts
 import crypto2 from "crypto";
 import { resolve as resolvePath } from "path";
-import { appendFileSync as appendFileSync4, existsSync as existsSync17 } from "fs";
+import { appendFileSync as appendFileSync4, existsSync as existsSync16 } from "fs";
 
 // app/lib/synthetic-marker.ts
 var CLOUDFLARE_MARKER_PREFIX = "Cloudflare setup completed (actionId: ";
@@ -8213,9 +8190,9 @@ function isSyntheticUserMarker(content) {
 }
 
 // app/lib/claude-agent/jsonl-replay.ts
-import { existsSync as existsSync16, readFileSync as readFileSync13 } from "fs";
+import { existsSync as existsSync15, readFileSync as readFileSync13 } from "fs";
 function replayJsonl(jsonlPath) {
-  if (!existsSync16(jsonlPath)) {
+  if (!existsSync15(jsonlPath)) {
     return { messages: [], jsonlMissing: true, malformedLines: 0 };
   }
   let raw;
@@ -8349,7 +8326,7 @@ function validateAndShapeAttachments(raws, conversationAccountId, conversationId
     let reason = null;
     if (!a.attachmentId || !a.filename || !a.mimeType || !a.storagePath) reason = "schema-fail";
     else if (a.accountId !== conversationAccountId) reason = "account-mismatch";
-    else if (!existsSync17(a.storagePath)) reason = "missing-file";
+    else if (!existsSync16(a.storagePath)) reason = "missing-file";
     if (reason) {
       invalid++;
       try {
@@ -9125,12 +9102,12 @@ function isValidDomain(value) {
 }
 
 // app/lib/alias-domains.ts
-import { existsSync as existsSync18, mkdirSync as mkdirSync6, readFileSync as readFileSync14, writeFileSync as writeFileSync7 } from "fs";
+import { existsSync as existsSync17, mkdirSync as mkdirSync6, readFileSync as readFileSync14, writeFileSync as writeFileSync7 } from "fs";
 import { dirname as dirname5 } from "path";
 import { resolve as resolve12 } from "path";
 var ALIAS_DOMAINS_PATH = resolve12(MAXY_DIR, "alias-domains.json");
 function readExisting() {
-  if (!existsSync18(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
+  if (!existsSync17(ALIAS_DOMAINS_PATH)) return /* @__PURE__ */ new Set();
   try {
     const parsed = JSON.parse(readFileSync14(ALIAS_DOMAINS_PATH, "utf-8"));
     if (!Array.isArray(parsed)) return /* @__PURE__ */ new Set();
@@ -9378,8 +9355,8 @@ app22.get("/tunnels", requireAdminSession, async (c) => {
   if (!correlationId) return err("session", "No active conversation for session \u2014 refresh chat.");
   streamLogPath = streamLogPathFor(accountId, correlationId).streamLogPath;
   const certPath = resolve13(homedir2(), brand.configDir, "cloudflared", "cert.pem");
-  const { existsSync: existsSync25 } = await import("fs");
-  if (!existsSync25(certPath)) {
+  const { existsSync: existsSync24 } = await import("fs");
+  if (!existsSync24(certPath)) {
     return err("cert", `Cloudflare origin certificate is not on disk yet (${certPath}). Complete the Cloudflare login first by submitting the form once \u2014 the OAuth flow writes cert.pem.`);
   }
   const result = await runFormSpawn({
@@ -9677,7 +9654,7 @@ var cloudflare_default = app22;
 import { createReadStream as createReadStream3 } from "fs";
 import { readdir as readdir2, readFile as readFile3, stat as stat3, mkdir as mkdir2, writeFile as writeFile3, unlink as unlink2 } from "fs/promises";
 import { realpathSync as realpathSync3 } from "fs";
-import { basename as basename3, dirname as dirname6, join as join10, resolve as resolve15, sep as sep2 } from "path";
+import { basename as basename3, dirname as dirname6, join as join9, resolve as resolve15, sep as sep2 } from "path";
 import { Readable as Readable2 } from "stream";
 
 // app/lib/data-path.ts
@@ -10035,7 +10012,7 @@ async function cascadeDeleteDocument(params) {
 var UUID_RE4 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 async function readMeta(absDir, baseName) {
   try {
-    const raw = await readFile3(join10(absDir, `${baseName}.meta.json`), "utf8");
+    const raw = await readFile3(join9(absDir, `${baseName}.meta.json`), "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed?.filename === "string") {
       return { filename: parsed.filename, mimeType: typeof parsed.mimeType === "string" ? parsed.mimeType : void 0 };
@@ -10073,7 +10050,7 @@ async function readAccountNames() {
 }
 async function enrich(absolute, entry, accountNames) {
   if (entry.kind === "directory" && UUID_RE4.test(entry.name)) {
-    const meta = await readMeta(join10(absolute, entry.name), entry.name);
+    const meta = await readMeta(join9(absolute, entry.name), entry.name);
     if (meta?.filename) {
       entry.displayName = meta.filename;
       entry.mimeType = meta.mimeType;
@@ -10132,7 +10109,7 @@ app23.get("/", requireAdminSession, async (c) => {
         continue;
       }
       try {
-        const entryPath = join10(absolute, name);
+        const entryPath = join9(absolute, name);
         const s = await stat3(entryPath);
         entries.push({
           name,
@@ -10305,7 +10282,7 @@ app23.delete("/", requireAdminSession, async (c) => {
     }
     const dot = base.lastIndexOf(".");
     const stem = dot === -1 ? base : base.slice(0, dot);
-    const sidecarPath = UUID_RE4.test(stem) && base !== `${stem}.meta.json` ? join10(dirname6(absolute), `${stem}.meta.json`) : null;
+    const sidecarPath = UUID_RE4.test(stem) && base !== `${stem}.meta.json` ? join9(dirname6(absolute), `${stem}.meta.json`) : null;
     await unlink2(absolute);
     if (sidecarPath) {
       try {
@@ -10460,7 +10437,16 @@ async function hybrid(session, embed2, params) {
       bm25Score: normalised[i] ?? 0,
       related: []
     }));
-    return { mode: "bm25", results: results2, embedError: msg, expandMs: 0 };
+    return {
+      mode: "bm25",
+      results: results2,
+      embedError: msg,
+      expandMs: 0,
+      rawMerged: results2.length,
+      suppressed: 0,
+      bm25Bypass: 0,
+      threshold: null
+    };
   }
   const labelToIndex = await discoverIndexes(session);
   const keywordFilter = buildKeywordFilter(keywords, keywordMatch);
@@ -10471,7 +10457,15 @@ async function hybrid(session, embed2, params) {
   if (labels && labels.length > 0) {
     indexesToQuery = labels.map((l) => labelToIndex.get(l)).filter((idx) => idx !== void 0);
     if (indexesToQuery.length === 0) {
-      return { mode: "hybrid", results: [], expandMs: 0 };
+      return {
+        mode: "hybrid",
+        results: [],
+        expandMs: 0,
+        rawMerged: 0,
+        suppressed: 0,
+        bm25Bypass: 0,
+        threshold: params.vectorThreshold ?? null
+      };
     }
   } else {
     indexesToQuery = [...new Set(labelToIndex.values())];
@@ -10516,7 +10510,8 @@ async function hybrid(session, embed2, params) {
           labels: record.get("nodeLabels"),
           properties: plainProperties(node.properties),
           vectorScore: score,
-          bm25Score: 0
+          bm25Score: 0,
+          bm25Hit: false
         });
       }
     }
@@ -10566,6 +10561,7 @@ async function hybrid(session, embed2, params) {
       const existing = scoreMap.get(nodeId);
       if (existing) {
         existing.bm25Score = Math.max(existing.bm25Score, 1);
+        existing.bm25Hit = true;
       } else {
         const node = record.get("node");
         scoreMap.set(nodeId, {
@@ -10573,15 +10569,33 @@ async function hybrid(session, embed2, params) {
           labels: record.get("nodeLabels"),
           properties: plainProperties(node.properties),
           vectorScore: 0,
-          bm25Score: 1
+          bm25Score: 1,
+          bm25Hit: true
         });
       }
     }
   }
-  const merged = [...scoreMap.values()].map((node) => ({
+  const allMerged = [...scoreMap.values()].map((node) => ({
     ...node,
     combinedScore: VECTOR_WEIGHT * node.vectorScore + BM25_WEIGHT * node.bm25Score
-  })).sort((a, b) => b.combinedScore - a.combinedScore).slice(0, limit);
+  }));
+  const rawMerged = allMerged.length;
+  const threshold = params.vectorThreshold;
+  let kept = allMerged;
+  let bm25Bypass = 0;
+  if (threshold !== void 0) {
+    kept = [];
+    for (const node of allMerged) {
+      if (node.vectorScore >= threshold) {
+        kept.push(node);
+      } else if (node.bm25Hit) {
+        kept.push(node);
+        bm25Bypass++;
+      }
+    }
+  }
+  const suppressed = rawMerged - kept.length;
+  const merged = kept.sort((a, b) => b.combinedScore - a.combinedScore).slice(0, limit);
   const results = merged.map((node) => ({
     nodeId: node.nodeId,
     labels: node.labels,
@@ -10637,19 +10651,29 @@ async function hybrid(session, embed2, params) {
       }
     }
   }
-  return { mode: "hybrid", results, expandMs };
+  return {
+    mode: "hybrid",
+    results,
+    expandMs,
+    rawMerged,
+    suppressed,
+    bm25Bypass,
+    threshold: threshold ?? null
+  };
 }
 function mergeBm25Hit(map, hit, normalisedScore) {
   const existing = map.get(hit.nodeId);
   if (existing) {
     existing.bm25Score = Math.max(existing.bm25Score, normalisedScore);
+    existing.bm25Hit = true;
   } else {
     map.set(hit.nodeId, {
       nodeId: hit.nodeId,
       labels: hit.labels,
       properties: hit.properties,
       vectorScore: 0,
-      bm25Score: normalisedScore
+      bm25Score: normalisedScore,
+      bm25Hit: true
     });
   }
 }
@@ -10669,6 +10693,7 @@ function plainProperties(properties) {
 // server/routes/admin/graph-search.ts
 var DEFAULT_LIMIT = 20;
 var MAX_LIMIT = 2e3;
+var DEFAULT_VECTOR_THRESHOLD = 0.72;
 var MESSAGE_FAMILY_LABELS = ["Message", "UserMessage", "AssistantMessage", "WhatsAppMessage"];
 var CONVERSATION_PARENT_LABELS = /* @__PURE__ */ new Set(["AdminConversation", "PublicConversation"]);
 var app24 = new Hono();
@@ -10677,6 +10702,7 @@ app24.get("/", requireAdminSession, async (c) => {
   const q = (c.req.query("q") ?? "").trim();
   const rawLimit = c.req.query("limit");
   const rawLabels = c.req.query("labels");
+  const rawThreshold = c.req.query("threshold");
   const accountId = getAccountIdForSession(sessionKey);
   if (!accountId) {
     console.error(`[graph-search] auth-rejected endpoint="/api/admin/graph-search" reason="no account for session"`);
@@ -10690,6 +10716,13 @@ app24.get("/", requireAdminSession, async (c) => {
   }
   const parsedLimit = rawLimit ? parseInt(rawLimit, 10) : DEFAULT_LIMIT;
   const limit = Number.isFinite(parsedLimit) && parsedLimit > 0 ? Math.min(parsedLimit, MAX_LIMIT) : DEFAULT_LIMIT;
+  let vectorThreshold = DEFAULT_VECTOR_THRESHOLD;
+  if (rawThreshold !== void 0) {
+    const parsed = Number(rawThreshold);
+    if (Number.isFinite(parsed) && parsed >= 0 && parsed <= 1) {
+      vectorThreshold = parsed;
+    }
+  }
   const wantsBodyFulltext = !wildcard && labels.some((l) => CONVERSATION_PARENT_LABELS.has(l));
   const forwardedLabels = wildcard ? void 0 : wantsBodyFulltext ? Array.from(/* @__PURE__ */ new Set([...labels, ...MESSAGE_FAMILY_LABELS])) : labels;
   const started = Date.now();
@@ -10700,7 +10733,8 @@ app24.get("/", requireAdminSession, async (c) => {
       accountId,
       labels: forwardedLabels,
       limit,
-      degradeOnEmbedFailure: true
+      degradeOnEmbedFailure: true,
+      vectorThreshold
     });
     const total = Date.now() - started;
     if (res.embedError) {
@@ -10767,11 +10801,23 @@ app24.get("/", requireAdminSession, async (c) => {
     console.error(
       `[graph-search] query="${q}" labels=${labelsToken} expanded=${expandedFlag} limit=${limit} mode=${res.mode} raw-results=${res.results.length} resolved-results=${resolvedResults.length} expand-ms=${res.expandMs} total-ms=${total}`
     );
+    console.error(
+      `[graph-search] threshold=${res.threshold ?? "off"} raw-merged=${res.rawMerged} suppressed=${res.suppressed} rendered=${res.results.length} bm25-bypass=${res.bm25Bypass}`
+    );
     return c.json({
       results: resolvedResults,
       mode: res.mode,
       embedError: res.embedError,
-      elapsedMs: total
+      elapsedMs: total,
+      // Task 967 — UI surfaces ("N suppressed — show all" affordance on
+      // /graph and /data). `suppressed` is the count of rows the lib
+      // dropped via the vector-cosine floor; `threshold` echoes the value
+      // applied (null when no filter ran). `bm25Bypass` is operator-only
+      // diagnostic — kept on the wire so the /data score panel can flag
+      // "kept by literal-match carve-out" rows in a future iteration.
+      suppressed: res.suppressed,
+      bm25Bypass: res.bm25Bypass,
+      threshold: res.threshold
     });
   } catch (err) {
     const elapsed = Date.now() - started;
@@ -11927,7 +11973,7 @@ var adherence_default = app31;
 import neo4j3 from "neo4j-driver";
 import { readFile as readFile4, readdir as readdir3, stat as stat4 } from "fs/promises";
 import { resolve as resolve16, relative as relative2, isAbsolute } from "path";
-import { existsSync as existsSync19 } from "fs";
+import { existsSync as existsSync18 } from "fs";
 var LIMIT = 50;
 var TEXT_MIME_PREFIXES = ["text/", "application/json", "application/markdown"];
 var ADMIN_AGENT_FILES = ["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"];
@@ -12075,7 +12121,7 @@ async function fetchAgentTemplateRows(accountDir) {
 async function unionSpecialistFilenames(overrideDir, bundledDir) {
   const names = /* @__PURE__ */ new Set();
   for (const dir of [overrideDir, bundledDir]) {
-    if (!existsSync19(dir)) continue;
+    if (!existsSync18(dir)) continue;
     try {
       const entries = await readdir3(dir);
       for (const entry of entries) {
@@ -12090,7 +12136,7 @@ async function unionSpecialistFilenames(overrideDir, bundledDir) {
 }
 async function readAgentTemplateRow(inp) {
   let chosenPath = null;
-  if (existsSync19(inp.overridePath)) {
+  if (existsSync18(inp.overridePath)) {
     try {
       validateFilePathInAccount(inp.overridePath, inp.overrideRoot);
       chosenPath = inp.overridePath;
@@ -12101,7 +12147,7 @@ async function readAgentTemplateRow(inp) {
       );
       return null;
     }
-  } else if (existsSync19(inp.bundledPath)) {
+  } else if (existsSync18(inp.bundledPath)) {
     if (!isWithin(inp.bundledPath, inp.bundledRoot)) {
       console.error(
         `[admin/sidebar-artefacts] agent-template-read-failed agent=${inp.displayName} kind=${inp.logName} error="bundled path outside PLATFORM_ROOT"`
@@ -12143,7 +12189,7 @@ var sidebar_artefacts_default = app32;
 // server/routes/admin/sidebar-artefact-save.ts
 import { mkdir as mkdir3, readdir as readdir4, stat as stat5, writeFile as writeFile4 } from "fs/promises";
 import { resolve as resolve17 } from "path";
-import { existsSync as existsSync20 } from "fs";
+import { existsSync as existsSync19 } from "fs";
 var ADMIN_AGENT_FILES2 = /* @__PURE__ */ new Set(["IDENTITY.md", "SOUL.md", "KNOWLEDGE.md"]);
 var UUID_RE5 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app33 = new Hono();
@@ -12207,7 +12253,7 @@ async function resolveSavePath(id, accountId, accountDir) {
   }
   if (UUID_RE5.test(id)) {
     const dir = resolve17(ATTACHMENTS_ROOT, accountId, id);
-    if (!existsSync20(dir)) {
+    if (!existsSync19(dir)) {
       return { kind: "reject", status: 400, reason: "not-found" };
     }
     try {
@@ -12231,7 +12277,7 @@ var sidebar_artefact_save_default = app33;
 
 // server/routes/admin/sidebar-artefact-content.ts
 import { readFile as readFile5, readdir as readdir5 } from "fs/promises";
-import { existsSync as existsSync21 } from "fs";
+import { existsSync as existsSync20 } from "fs";
 import { resolve as resolve18 } from "path";
 var UUID_RE6 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 var app34 = new Hono();
@@ -12245,7 +12291,7 @@ app34.get("/", requireAdminSession, async (c) => {
     return new Response("Not found", { status: 404 });
   }
   const dir = resolve18(ATTACHMENTS_ROOT, accountId, id);
-  if (!existsSync21(dir)) {
+  if (!existsSync20(dir)) {
     console.error(`[admin/sidebar-artefact-content] not-found id=${id.slice(0, 8)}`);
     return new Response("Not found", { status: 404 });
   }
@@ -12279,12 +12325,12 @@ app34.get("/", requireAdminSession, async (c) => {
 var sidebar_artefact_content_default = app34;
 
 // server/routes/admin/health.ts
-import { existsSync as existsSync22, readFileSync as readFileSync16 } from "fs";
-import { resolve as resolve19, join as join11 } from "path";
+import { existsSync as existsSync21, readFileSync as readFileSync16 } from "fs";
+import { resolve as resolve19, join as join10 } from "path";
 var PLATFORM_ROOT6 = process.env.MAXY_PLATFORM_ROOT ?? resolve19(process.cwd(), "..");
 var brandHostname = "maxy";
-var brandJsonPath = join11(PLATFORM_ROOT6, "config", "brand.json");
-if (existsSync22(brandJsonPath)) {
+var brandJsonPath = join10(PLATFORM_ROOT6, "config", "brand.json");
+if (existsSync21(brandJsonPath)) {
   try {
     const brand = JSON.parse(readFileSync16(brandJsonPath, "utf-8"));
     if (brand.hostname) brandHostname = brand.hostname;
@@ -12295,7 +12341,7 @@ var VERSION_FILE = resolve19(PLATFORM_ROOT6, `config/.${brandHostname}-version`)
 var PROCESS_STARTED_AT = (/* @__PURE__ */ new Date()).toISOString();
 var PROBE_TIMEOUT_MS = 1e3;
 function readVersion() {
-  if (!existsSync22(VERSION_FILE)) return "unknown";
+  if (!existsSync21(VERSION_FILE)) return "unknown";
   return readFileSync16(VERSION_FILE, "utf-8").trim() || "unknown";
 }
 async function probeConversationDb() {
@@ -12377,7 +12423,7 @@ app36.route("/health-brand", health_default2);
 var admin_default = app36;
 
 // server/routes/sites.ts
-import { existsSync as existsSync23, readFileSync as readFileSync17, realpathSync as realpathSync4, statSync as statSync7 } from "fs";
+import { existsSync as existsSync22, readFileSync as readFileSync17, realpathSync as realpathSync4, statSync as statSync7 } from "fs";
 import { resolve as resolve20 } from "path";
 var SAFE_SEG_RE = /^[a-z0-9_][a-z0-9_.-]{0,99}$/i;
 var MIME = {
@@ -12443,7 +12489,7 @@ app37.get("/:rel{.*}", (c) => {
   }
   let stat6;
   try {
-    stat6 = existsSync23(filePath) ? statSync7(filePath) : null;
+    stat6 = existsSync22(filePath) ? statSync7(filePath) : null;
   } catch {
     stat6 = null;
   }
@@ -12462,7 +12508,7 @@ app37.get("/:rel{.*}", (c) => {
     console.error(`[sites] path-traversal-rejected path=${reqPath} reason=escape status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync23(filePath)) {
+  if (!existsSync22(filePath)) {
     console.error(`[sites] not-found path=${reqPath} status=404`);
     return c.text("Not found", 404);
   }
@@ -12613,12 +12659,12 @@ function clientFrom(c) {
   );
 }
 var PLATFORM_ROOT7 = process.env.MAXY_PLATFORM_ROOT || "";
-var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join12(PLATFORM_ROOT7, "config", "brand.json") : "";
+var BRAND_JSON_PATH = PLATFORM_ROOT7 ? join11(PLATFORM_ROOT7, "config", "brand.json") : "";
 var BRAND = { productName: "Maxy", hostname: "maxy", configDir: ".maxy", domain: "getmaxy.com" };
-if (BRAND_JSON_PATH && !existsSync24(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && !existsSync23(BRAND_JSON_PATH)) {
   console.error(`[brand] WARNING: brand.json not found at ${BRAND_JSON_PATH} \u2014 using Maxy defaults`);
 }
-if (BRAND_JSON_PATH && existsSync24(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
   try {
     const parsed = JSON.parse(readFileSync18(BRAND_JSON_PATH, "utf-8"));
     BRAND = { ...BRAND, ...parsed };
@@ -12639,10 +12685,10 @@ var brandLoginOpts = {
   bodyFont: BRAND.defaultFonts?.body,
   logoContainsName: !!BRAND.logoContainsName
 };
-var ALIAS_DOMAINS_PATH2 = join12(homedir3(), BRAND.configDir, "alias-domains.json");
+var ALIAS_DOMAINS_PATH2 = join11(homedir3(), BRAND.configDir, "alias-domains.json");
 function loadAliasDomains() {
   try {
-    if (!existsSync24(ALIAS_DOMAINS_PATH2)) return null;
+    if (!existsSync23(ALIAS_DOMAINS_PATH2)) return null;
     const parsed = JSON.parse(readFileSync18(ALIAS_DOMAINS_PATH2, "utf-8"));
     if (!Array.isArray(parsed)) {
       console.error("[alias-domains] malformed alias-domains.json \u2014 expected array");
@@ -13015,7 +13061,7 @@ app38.get("/agent-assets/:slug/:filename", (c) => {
     console.error(`[agent-assets] path-traversal-rejected slug=${slug} file=${filename}`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync24(filePath)) {
+  if (!existsSync23(filePath)) {
     console.error(`[agent-assets] serve slug=${slug} file=${filename} status=404`);
     return c.text("Not found", 404);
   }
@@ -13045,7 +13091,7 @@ app38.get("/generated/:filename", (c) => {
     console.error(`[generated] serve file=${filename} status=403`);
     return c.text("Forbidden", 403);
   }
-  if (!existsSync24(filePath)) {
+  if (!existsSync23(filePath)) {
     console.error(`[generated] serve file=${filename} status=404`);
     return c.text("Not found", 404);
   }
@@ -13062,7 +13108,7 @@ app38.route("/sites", sites_default);
 var htmlCache = /* @__PURE__ */ new Map();
 var brandLogoPath = "/brand/maxy-monochrome.png";
 var brandIconPath = "/brand/maxy-monochrome.png";
-if (BRAND_JSON_PATH && existsSync24(BRAND_JSON_PATH)) {
+if (BRAND_JSON_PATH && existsSync23(BRAND_JSON_PATH)) {
   try {
     const fullBrand = JSON.parse(readFileSync18(BRAND_JSON_PATH, "utf-8"));
     if (fullBrand.assets?.logo) brandLogoPath = `/brand/${fullBrand.assets.logo}`;
@@ -13081,8 +13127,8 @@ var brandScript = `<script>window.__BRAND__=${JSON.stringify({
 function readInstalledVersion() {
   try {
     if (!PLATFORM_ROOT7) return "unknown";
-    const versionFile = join12(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
-    if (!existsSync24(versionFile)) return "unknown";
+    const versionFile = join11(PLATFORM_ROOT7, "config", `.${BRAND.hostname}-version`);
+    if (!existsSync23(versionFile)) return "unknown";
     const content = readFileSync18(versionFile, "utf-8").trim();
     return content || "unknown";
   } catch {
@@ -13140,15 +13186,15 @@ ${clientErrorReporterScript}
 }
 var brandedHtmlCache = /* @__PURE__ */ new Map();
 function loadBrandingCache(agentSlug) {
-  const configDir2 = join12(homedir3(), BRAND.configDir);
+  const configDir2 = join11(homedir3(), BRAND.configDir);
   try {
-    const accountJsonPath = join12(configDir2, "account.json");
-    if (!existsSync24(accountJsonPath)) return null;
+    const accountJsonPath = join11(configDir2, "account.json");
+    if (!existsSync23(accountJsonPath)) return null;
     const account = JSON.parse(readFileSync18(accountJsonPath, "utf-8"));
     const accountId = account.accountId;
     if (!accountId) return null;
-    const cachePath = join12(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
-    if (!existsSync24(cachePath)) return null;
+    const cachePath = join11(configDir2, "branding-cache", accountId, `${agentSlug}.json`);
+    if (!existsSync23(cachePath)) return null;
     return JSON.parse(readFileSync18(cachePath, "utf-8"));
   } catch {
     return null;
@@ -13156,9 +13202,9 @@ function loadBrandingCache(agentSlug) {
 }
 function resolveDefaultSlug() {
   try {
-    const configDir2 = join12(homedir3(), BRAND.configDir);
-    const accountJsonPath = join12(configDir2, "account.json");
-    if (!existsSync24(accountJsonPath)) return null;
+    const configDir2 = join11(homedir3(), BRAND.configDir);
+    const accountJsonPath = join11(configDir2, "account.json");
+    if (!existsSync23(accountJsonPath)) return null;
     const account = JSON.parse(readFileSync18(accountJsonPath, "utf-8"));
     return account.defaultAgent || null;
   } catch {
@@ -13338,7 +13384,7 @@ try {
 (async () => {
   try {
     let userId = "";
-    if (existsSync24(USERS_FILE)) {
+    if (existsSync23(USERS_FILE)) {
       const users = JSON.parse(readFileSync18(USERS_FILE, "utf-8").trim() || "[]");
       userId = users[0]?.userId ?? "";
     }
@@ -13349,7 +13395,7 @@ try {
 })();
 (async () => {
   try {
-    if (!existsSync24(USERS_FILE)) return;
+    if (!existsSync23(USERS_FILE)) return;
     const usersRaw = readFileSync18(USERS_FILE, "utf-8").trim();
     if (!usersRaw) return;
     const users = JSON.parse(usersRaw);
@@ -13401,7 +13447,7 @@ autoDeliverPremiumPlugins(bootEntitlement?.purchasedPlugins ?? void 0);
 (async () => {
   if (!bootAccount) return;
   try {
-    const { recoverRunningCloudflareTasks } = await import("./cloudflare-task-tracker-OOQCL5ZB.js");
+    const { recoverRunningCloudflareTasks } = await import("./cloudflare-task-tracker-OCFIVXEJ.js");
     const result = await recoverRunningCloudflareTasks(
       bootAccount.accountId,
       configDirForWhatsApp,
@@ -13451,7 +13497,7 @@ if (bootAccountConfig?.whatsapp) {
 }
 init({
   configDir: configDirForWhatsApp,
-  platformRoot: resolve21(process.env.MAXY_PLATFORM_ROOT ?? join12(__dirname, "..")),
+  platformRoot: resolve21(process.env.MAXY_PLATFORM_ROOT ?? join11(__dirname, "..")),
   accountConfig: bootAccountConfig,
   onMessage: async (msg) => {
     try {