@rubytech/create-realagent 1.0.869 → 1.0.871

package/payload/platform/plugins/admin/mcp/dist/lib/public-hostname.d.ts

@@ -1,21 +1,15 @@
-export interface ResolverSession {
-    run(cypher: string, params: Record<string, unknown>): Promise<{
-        records: Array<{
-            get: (k: string) => unknown;
-        }>;
-    }>;
-}
+export type HostnameSource = "cloudflared-config.yml" | "alias-domains.json";
 export interface PublicHostnameHit {
     hostname: string;
     isApex: boolean;
-    tunnelId: string;
+    source: HostnameSource;
 }
 export interface PublicHostnameMiss {
     hostname: null;
     isApex: null;
-    tunnelId: null;
-    reason: "no-hostname" | "no-tunnel";
+    source: null;
+    reason: "no-tunnel";
 }
 export type PublicHostnameResult = PublicHostnameHit | PublicHostnameMiss;
-export declare function resolvePublicHostname(session: ResolverSession, accountId: string): Promise<PublicHostnameResult>;
+export declare function resolvePublicHostname(configDir: string): PublicHostnameResult;
 //# sourceMappingURL=public-hostname.d.ts.map

package/payload/platform/plugins/admin/mcp/dist/lib/public-hostname.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"public-hostname.d.ts","sourceRoot":"","sources":["../../src/lib/public-hostname.ts"],"names":[],"mappings":"AAmBA,MAAM,WAAW,eAAe;IAC9B,GAAG,CACD,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,OAAO,CAAC;QAAE,OAAO,EAAE,KAAK,CAAC;YAAE,GAAG,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,OAAO,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC,CAAC;CACjE;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,IAAI,CAAC;IACf,MAAM,EAAE,IAAI,CAAC;IACb,QAAQ,EAAE,IAAI,CAAC;IACf,MAAM,EAAE,aAAa,GAAG,WAAW,CAAC;CACrC;AAED,MAAM,MAAM,oBAAoB,GAAG,iBAAiB,GAAG,kBAAkB,CAAC;AAsB1E,wBAAsB,qBAAqB,CACzC,OAAO,EAAE,eAAe,EACxB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,oBAAoB,CAAC,CAkB/B"}
+{"version":3,"file":"public-hostname.d.ts","sourceRoot":"","sources":["../../src/lib/public-hostname.ts"],"names":[],"mappings":"AAmBA,MAAM,MAAM,cAAc,GAAG,wBAAwB,GAAG,oBAAoB,CAAC;AAE7E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,OAAO,CAAC;IAChB,MAAM,EAAE,cAAc,CAAC;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,IAAI,CAAC;IACf,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;CACrB;AAED,MAAM,MAAM,oBAAoB,GAAG,iBAAiB,GAAG,kBAAkB,CAAC;AA8C1E,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,oBAAoB,CAY7E"}

package/payload/platform/plugins/admin/mcp/dist/lib/public-hostname.js

@@ -1,54 +1,73 @@
-// Task 970 — public-hostname deterministic resolver.
+// Task 971 — public-hostname resolver reads filesystem (4th recurrence of
+// llm-framing-deterministic).
 //
-// Backs the `mcp__admin__public-hostname` MCP tool. Returns the operator's
-// canonical public hostname in one tool call so the agent following the
-// publish-site skill never has to guess the property name on
-// `:CloudflareHostname` nodes — the failure mode that produced the third
-// `llm-framing-deterministic` recurrence (cf. failure marker
-// `676504f1` at platform/ui/app/lib/claude-agent/spawn-env.ts:334-336).
+// Reads the same two files that already drive routing:
+//   - <configDir>/cloudflared/config.yml — the ingress map cloudflared itself
+//     reads to decide where to route a hostname.
+//   - <configDir>/alias-domains.json     — the alias list platform/ui/server's
+//     isPublicHost() watches via watchFile.
+// hasPublicEndpointConfigured() in admin/mcp/src/index.ts already parses both
+// with the same regex; this resolver is the read-only twin that returns the
+// chosen hostname instead of a boolean.
 //
-// Contract:
-//   - On hit:       { hostname: string, isApex: boolean, tunnelId: string }
-//   - On miss:      { hostname: null, isApex: null, tunnelId: null,
-//                     reason: "no-hostname" | "no-tunnel" }
-//
-// `reason` distinguishes "tunnel is up but no hostname is bound to it yet"
-// (operator must run setup-hostname) from "no tunnel at all" (operator must
-// run setup-tunnel). Both are actionable diagnoses; "no-tunnel" was the
-// underlying state in the recurrence log.
-const HOSTNAME_CYPHER = "MATCH (h:CloudflareHostname {accountId: $accountId}) " +
-    "WHERE NOT h:Trashed " +
-    "RETURN h.hostnameValue AS hostname, h.isApex AS isApex, h.tunnelId AS tunnelId " +
-    "ORDER BY h.isApex DESC, h.updatedAt DESC " +
-    "LIMIT 1";
-const TUNNEL_COUNT_CYPHER = "MATCH (t:CloudflareTunnel {accountId: $accountId}) " +
-    "WHERE NOT t:Trashed " +
-    "RETURN count(t) AS n";
-function toNumber(v) {
-    if (typeof v === "number")
-        return v;
-    if (v && typeof v === "object" && "toNumber" in v && typeof v.toNumber === "function") {
-        return v.toNumber();
+// Graph queries are gone. The previous version (Task 970) returned (none) on
+// any account that bootstrapped its tunnel without writing :CloudflareTunnel
+// nodes — exactly the laptop Real Agent state that produced this recurrence.
+import { existsSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+const INGRESS_RE = /^\s*-\s*hostname:\s*(\S+)/gm;
+function isExcluded(host) {
+    return host === "localhost" || host.endsWith(".local");
+}
+// Apex = single domain (e.g. "realagent.app"), with optional `www.` prefix
+// stripped. Subdomain = anything else ("public.realagent.app").
+function isApex(host) {
+    const stripped = host.startsWith("www.") ? host.slice(4) : host;
+    return stripped.split(".").length === 2;
+}
+function readIngressHostnames(configDir) {
+    const path = join(configDir, "cloudflared", "config.yml");
+    if (!existsSync(path))
+        return [];
+    try {
+        const yaml = readFileSync(path, "utf-8");
+        return [...yaml.matchAll(INGRESS_RE)].map((m) => m[1]).filter((h) => !isExcluded(h));
+    }
+    catch {
+        return [];
     }
-    return Number(v);
 }
-export async function resolvePublicHostname(session, accountId) {
-    const hostnameRes = await session.run(HOSTNAME_CYPHER, { accountId });
-    if (hostnameRes.records.length > 0) {
-        const r = hostnameRes.records[0];
-        return {
-            hostname: r.get("hostname"),
-            isApex: r.get("isApex"),
-            tunnelId: r.get("tunnelId"),
-        };
+function readAliasDomains(configDir) {
+    const path = join(configDir, "alias-domains.json");
+    if (!existsSync(path))
+        return [];
+    try {
+        const parsed = JSON.parse(readFileSync(path, "utf-8"));
+        if (!Array.isArray(parsed))
+            return [];
+        return parsed.filter((h) => typeof h === "string" && h.length > 0 && !isExcluded(h));
+    }
+    catch {
+        return [];
+    }
+}
+// Tiebreak: apex wins over subdomain; otherwise first-in-file.
+function pickHostname(candidates) {
+    if (candidates.length === 0)
+        return null;
+    return candidates.find((h) => isApex(h)) ?? candidates[0];
+}
+export function resolvePublicHostname(configDir) {
+    const ingress = readIngressHostnames(configDir);
+    const chosen = pickHostname(ingress);
+    if (chosen !== null) {
+        return { hostname: chosen, isApex: isApex(chosen), source: "cloudflared-config.yml" };
+    }
+    const alias = readAliasDomains(configDir);
+    const aliasChosen = pickHostname(alias);
+    if (aliasChosen !== null) {
+        return { hostname: aliasChosen, isApex: isApex(aliasChosen), source: "alias-domains.json" };
     }
-    const tunnelRes = await session.run(TUNNEL_COUNT_CYPHER, { accountId });
-    const n = tunnelRes.records.length > 0 ? toNumber(tunnelRes.records[0].get("n")) : 0;
-    return {
-        hostname: null,
-        isApex: null,
-        tunnelId: null,
-        reason: n > 0 ? "no-hostname" : "no-tunnel",
-    };
+    return { hostname: null, isApex: null, source: null, reason: "no-tunnel" };
 }
 //# sourceMappingURL=public-hostname.js.map

package/payload/platform/plugins/admin/mcp/dist/lib/public-hostname.js.map

@@ -1 +1 @@
-{"version":3,"file":"public-hostname.js","sourceRoot":"","sources":["../../src/lib/public-hostname.ts"],"names":[],"mappings":"AAAA,qDAAqD;AACrD,EAAE;AACF,2EAA2E;AAC3E,wEAAwE;AACxE,6DAA6D;AAC7D,yEAAyE;AACzE,6DAA6D;AAC7D,wEAAwE;AACxE,EAAE;AACF,YAAY;AACZ,4EAA4E;AAC5E,oEAAoE;AACpE,4DAA4D;AAC5D,EAAE;AACF,2EAA2E;AAC3E,4EAA4E;AAC5E,wEAAwE;AACxE,0CAA0C;AAwB1C,MAAM,eAAe,GACnB,uDAAuD;IACvD,sBAAsB;IACtB,iFAAiF;IACjF,2CAA2C;IAC3C,SAAS,CAAC;AAEZ,MAAM,mBAAmB,GACvB,qDAAqD;IACrD,sBAAsB;IACtB,sBAAsB,CAAC;AAEzB,SAAS,QAAQ,CAAC,CAAU;IAC1B,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC;IACpC,IAAI,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,UAAU,IAAI,CAAC,IAAI,OAAQ,CAAgC,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;QACtH,OAAQ,CAAgC,CAAC,QAAQ,EAAE,CAAC;IACtD,CAAC;IACD,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;AACnB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,OAAwB,EACxB,SAAiB;IAEjB,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IACtE,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,CAAC,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACjC,OAAO;YACL,QAAQ,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU,CAAW;YACrC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAY;YAClC,QAAQ,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU,CAAW;SACtC,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IACxE,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACrF,OAAO;QACL,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE,IAAI;QACd,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,WAAW;KAC5C,CAAC;AACJ,CAAC"}
+{"version":3,"file":"public-hostname.js","sourceRoot":"","sources":["../../src/lib/public-hostname.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,8BAA8B;AAC9B,EAAE;AACF,uDAAuD;AACvD,8EAA8E;AAC9E,iDAAiD;AACjD,+EAA+E;AAC/E,4CAA4C;AAC5C,8EAA8E;AAC9E,4EAA4E;AAC5E,wCAAwC;AACxC,EAAE;AACF,6EAA6E;AAC7E,6EAA6E;AAC7E,6EAA6E;AAE7E,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAmBjC,MAAM,UAAU,GAAG,6BAA6B,CAAC;AAEjD,SAAS,UAAU,CAAC,IAAY;IAC9B,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACzD,CAAC;AAED,2EAA2E;AAC3E,gEAAgE;AAChE,SAAS,MAAM,CAAC,IAAY;IAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,OAAO,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;AAC1C,CAAC;AAED,SAAS,oBAAoB,CAAC,SAAiB;IAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;IAC1D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IACvF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,SAAiB;IACzC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,EAAE,oBAAoB,CAAC,CAAC;IACnD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;YAAE,OAAO,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC,MAAM,CAClB,CAAC,CAAU,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CACrF,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,+DAA+D;AAC/D,SAAS,YAAY,CAAC,UAAoB;IACxC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,SAAiB;IACrD,MAAM,OAAO,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IACxF,CAAC;IACD,MAAM,KAAK,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;IAC9F,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AAC7E,CAAC"}

package/payload/platform/plugins/admin/skills/publish-site/SKILL.md

@@ -1,6 +1,6 @@
 # Publish Site
 
-Move an already-extracted static-site tree into the per-account static-publish surface (`<accountDir>/sites/<slug>/`) and emit exactly one canonical path slug. Pair the slug with the deterministic public hostname returned by `mcp__admin__public-hostname` (Task 970) to surface the full URL in a single turn.
+Move an already-extracted static-site tree into the per-account static-publish surface (`<accountDir>/sites/<slug>/`) and emit exactly one canonical path slug. Pair the slug with the deterministic public hostname returned by `mcp__admin__public-hostname` to surface the full URL in a single turn.
 
 **Invoked from `specialists:content-producer`** when the brief carries a host-website / publish-site / put-online intent (Task 966). Admin's IDENTITY.md routes those intents to that specialist on turn 1; running this skill inline on the main admin runner exhausts the 10-turn budget on per-turn ToolSearch + plugin-read discovery before publish-site executes.
 
@@ -54,7 +54,7 @@ The operator message for `ambiguous-html` names the candidate files and asks the
 4. **Choose the canonical path.** `index.html` present at top level → path is `/sites/<slug>/`. Otherwise the single top-level HTML file → path is `/sites/<slug>/<file>.html`.
 5. **Emit.** One log line:
    `[publish-site] url emitted=<path-slug> kind=<index|file>`
-6. **Resolve the public hostname and emit the full URL.** Call `mcp__admin__public-hostname` (Task 970 — single deterministic tool, never raw cypher) to fetch this account's hostname. Concatenate `https://<hostname><path-slug>` and surface that one URL to the operator. If the tool returns `reason: no-tunnel` or `reason: no-hostname`, relay the tool's remediation message verbatim — do not improvise the URL. The route at `/sites/*` (see [server/routes/sites.ts](../../../../ui/server/routes/sites.ts)) handles the trailing-slash redirect on the dir form, so the slug is correct as-emitted whether the operator's HTML uses an `index.html` entry-point or a publisher-named landing file.
+6. **Resolve the public hostname and emit the full URL.** Call `mcp__admin__public-hostname` to fetch this account's hostname; the tool reads `cloudflared/config.yml` + `alias-domains.json` — the same files the platform server trusts to route. Concatenate `https://<hostname><path-slug>` and surface that one URL to the operator. If the tool returns `reason: no-tunnel`, relay the tool's remediation message verbatim — do not improvise the URL. The route at `/sites/*` (see [server/routes/sites.ts](../../../../ui/server/routes/sites.ts)) handles the trailing-slash redirect on the dir form, so the slug is correct as-emitted whether the operator's HTML uses an `index.html` entry-point or a publisher-named landing file.
 
 ## Log lines (grep targets)
 

package/payload/platform/plugins/docs/references/internals.md

@@ -328,7 +328,7 @@ Each row in the Conversations modal exposes a `View logs` row-action that opens
 
 **Directory canonicalisation.** A request whose disk target is a directory is `301`'d to the trailing-slash form (query string preserved) before any body is served — RFC 3986 §5.3 base resolution requires the trailing slash so relative refs in the served HTML resolve under the directory, not its parent. After the redirect the route serves `<dir>/index.html` if it exists on disk; otherwise `404`. There is **no** implicit-`index.html` invention for missing paths — the publisher owns canonical URLs. A brochure shipped without `index.html` is reached at `/sites/<slug>/<file>.html`, and the admin skill `publish-site` is the sanctioned surface that moves the extracted tree under `<accountDir>/sites/<slug>/` and emits the canonical path slug. Operator-side: drop a brochure at `<accountDir>/sites/properties/<id>/brochure/output/` and it serves at `<public-host>/sites/properties/<id>/brochure/output/brochure.html` (or `<public-host>/sites/properties/<id>/brochure/output/` if that directory contains an `index.html`). See `.docs/web-chat.md` `/sites/*` route entry for the wire contract and `[sites]` log lines (`serve|redirect-trailing-slash|not-found|path-traversal-rejected|symlink-escape-rejected|no-account`).
 
-**Deterministic public-hostname surface.** The `<public-host>` half of the URL the operator pastes is resolved by the `mcp__admin__public-hostname` MCP tool — single call against `:CloudflareHostname.hostnameValue` returning `{hostname, isApex, tunnelId}` on hit or `{hostname:null, reason:"no-tunnel"\|"no-hostname"}` on miss. `publish-site` step 6 calls it after the move and emits the full URL (`https://<hostname><path-slug>`) in the same turn. Agents must never write raw cypher to discover the hostname; the property name (`hostnameValue`, not `hostname`) was the canonical recurrence-class failure mode. The graph-mcp shim additionally runs a sequential envelope-warning probe on every read response — when Neo4j emits `gql_status` codes matching `^0[12]N5\d$` (e.g. `01N52` "property does not exist"), the shim stitches them into a prefix content block on the response so property-name misses surface to the agent inline instead of returning silent `[]`. Probe failure is best-effort: the upstream response forwards unchanged with `[mcp:graph] probe-error`.
+**Deterministic public-hostname surface.** The `<public-host>` half of the URL the operator pastes is resolved by the `mcp__admin__public-hostname` MCP tool. It reads `<configDir>/cloudflared/config.yml` (ingress list) then falls back to `<configDir>/alias-domains.json` — the same two files `cloudflared` and `platform/ui/server/index.ts`'s `isPublicHost()` already trust to route. Returns `{hostname, isApex, source}` on hit (`source` is `"cloudflared-config.yml"` or `"alias-domains.json"`), or `{hostname:null, source:null, reason:"no-tunnel"}` on miss. Tiebreak: apex wins over subdomain (single-label, or `www.<apex>` stripped). `publish-site` step 6 calls it after the move and emits the full URL (`https://<hostname><path-slug>`) in the same turn. Graph queries are no longer involved — any earlier graph-backed resolver returned `(none)` on accounts bootstrapped without `cloudflare-task-tracker.ts` writes (laptop Real Agent, manual `cloudflared` setup), the `llm-framing-deterministic` recurrence class. The graph-mcp shim additionally runs a sequential envelope-warning probe on every read response — when Neo4j emits `gql_status` codes matching `^0[12]N5\d$` (e.g. `01N52` "property does not exist"), the shim stitches them into a prefix content block on the response so property-name misses surface to the agent inline instead of returning silent `[]`. Probe failure is best-effort: the upstream response forwards unchanged with `[mcp:graph] probe-error`.
 
 ### Cross-tab session rotation
 

package/payload/platform/scripts/__tests__/admin-persist-audit.test.ts

@@ -0,0 +1,182 @@
+/**
+ * Task 943 — admin-persist-audit.
+ *
+ * Pins Task 940 success criterion #7: the audit harness counts JSONL
+ * assistant turns + render-component blocks against Neo4j `:Message` +
+ * `:Component` rows for a `conversationId`, prints one
+ *
+ *   [admin-persist-audit] convId=<conv> sdkTurnUuid=<uuid> expected=<message|component> missing reason=neo4j-row-absent
+ *
+ * line per divergence, and exits non-zero on mismatch.
+ *
+ * The test mocks the Neo4j surface (`getRecentMessages`, `getSession`) so
+ * `runAudit` is a pure function of (JSONL fixture, Neo4j seed). The
+ * harness reads the fixture with the real `replayJsonl`, so the matching
+ * key (role + content) is verified end-to-end without a graph connection.
+ */
+import { resolve } from "node:path";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+const FIXTURE_PATH = resolve(__dirname, "../../ui/app/lib/__tests__/fixtures/task-940-session.jsonl");
+
+// Mock the Neo4j surface. The audit harness imports `getRecentMessages`
+// and `getSession` from `platform/ui/app/lib/neo4j-store`. We replace
+// both with vi-managed fakes; each test reseeds them as needed.
+const getRecentMessagesMock = vi.fn<[string, number?], Promise<Array<{
+  role: "user" | "assistant";
+  content: string;
+  messageId: string;
+  components?: Array<{ componentId: string; submitted: boolean }>;
+}>>>();
+
+const sessionRunMock = vi.fn<[string, Record<string, unknown>], Promise<{
+  records: Array<{ get(key: string): unknown }>;
+}>>();
+const sessionCloseMock = vi.fn<[], Promise<void>>();
+
+vi.mock("../../ui/app/lib/neo4j-store", () => ({
+  getRecentMessages: (...args: Parameters<typeof getRecentMessagesMock>) => getRecentMessagesMock(...args),
+  getSession: () => ({
+    run: (cypher: string, params: Record<string, unknown>) => sessionRunMock(cypher, params),
+    close: () => sessionCloseMock(),
+  }),
+}));
+
+vi.mock("../../ui/app/lib/claude-agent/account", () => ({
+  ACCOUNTS_DIR: "/tmp/maxy-accounts-fixture",
+}));
+
+// PERSISTENT_COMPONENTS is also imported by the audit harness for the
+// :KnowledgeDocument projection check. We mock the set so the test does
+// not depend on the runtime persistent-component list — the fixture
+// components (`document-editor`, `quick-chart`) are both included.
+vi.mock("../../lib/persistent-components/src/index", () => ({
+  PERSISTENT_COMPONENTS: new Set<string>(["document-editor", "quick-chart"]),
+  isPersistentComponent: (name: string) => name === "document-editor" || name === "quick-chart",
+}));
+
+import { runAudit, type AuditArgs } from "../admin-persist-audit";
+
+const CONV_ID = "11111111-aaaa-bbbb-cccc-dddddddddddd";
+const ACCOUNT_ID = "b3b638d9-9999-8888-7777-666666666666";
+
+const buildArgs = (): AuditArgs => ({
+  conversationId: CONV_ID,
+  accountId: ACCOUNT_ID,
+  jsonlPath: FIXTURE_PATH,
+});
+
+const captureConsole = () => {
+  const out: string[] = [];
+  const err: string[] = [];
+  const logSpy = vi.spyOn(console, "log").mockImplementation((...a) => { out.push(a.join(" ")); });
+  const errSpy = vi.spyOn(console, "error").mockImplementation((...a) => { err.push(a.join(" ")); });
+  return { out, err, restore: () => { logSpy.mockRestore(); errSpy.mockRestore(); } };
+};
+
+describe("Task 940 SC7 — admin-persist-audit divergence reporting", () => {
+  beforeEach(() => {
+    getRecentMessagesMock.mockReset();
+    sessionRunMock.mockReset();
+    sessionCloseMock.mockReset();
+    sessionCloseMock.mockResolvedValue(undefined);
+  });
+
+  it("Neo4j seed missing the assistant turn (and its components) → exit=1, one missing-message line + one missing-component line per component", async () => {
+    // Fixture has 1 user + 1 assistant (with 2 components). Seed Neo4j
+    // with the user only — the assistant turn is the silent persist
+    // failure the audit must surface.
+    getRecentMessagesMock.mockResolvedValue([
+      { role: "user", content: "Please render the doc and a chart.", messageId: "neo4j-user", components: [] },
+    ]);
+    // No persistent-component rows in Neo4j (since the assistant turn
+    // never persisted). The :KnowledgeDocument check finds nothing → no
+    // additional kd-absent divergences.
+    sessionRunMock.mockResolvedValue({ records: [] });
+
+    const cap = captureConsole();
+    try {
+      const code = await runAudit(buildArgs());
+      expect(code).toBe(1);
+
+      // One divergence line for the assistant message itself…
+      const messageMisses = cap.out.filter((l) => /expected=message missing reason=neo4j-row-absent/.test(l));
+      expect(messageMisses).toHaveLength(1);
+      expect(messageMisses[0]).toMatch(/sdkTurnUuid=22222222/); // matches fixture uuid prefix
+
+      // …plus one divergence line per component sibling that was queued
+      // by the assistant turn's render-component blocks.
+      const componentMisses = cap.out.filter((l) => /expected=component .* missing reason=neo4j-row-absent/.test(l));
+      expect(componentMisses).toHaveLength(2);
+      expect(componentMisses[0]).toMatch(/component_name=document-editor ordinal=0/);
+      expect(componentMisses[1]).toMatch(/component_name=quick-chart ordinal=1/);
+
+      // Status summary line ends with status=mismatch.
+      expect(cap.out.some((l) => /status=mismatch/.test(l))).toBe(true);
+    } finally {
+      cap.restore();
+    }
+  });
+
+  it("Neo4j seed in lockstep with JSONL → exit=0, status=ok, zero divergence lines", async () => {
+    getRecentMessagesMock.mockResolvedValue([
+      { role: "user", content: "Please render the doc and a chart.", messageId: "neo4j-user", components: [] },
+      {
+        role: "assistant",
+        content: "Here is the doc.\n\nAnd a chart follows.",
+        messageId: "neo4j-asst",
+        components: [
+          { componentId: "comp-doc", submitted: false },
+          { componentId: "comp-chart", submitted: false },
+        ],
+      },
+    ]);
+    // Persistent-component KD projection: both rows have a sibling
+    // :KnowledgeDocument row → no kd-absent divergences.
+    sessionRunMock.mockResolvedValue({
+      records: [
+        { get: (k: string) => ({ componentId: "comp-doc", componentName: "document-editor", accountId: ACCOUNT_ID, attachmentId: "att-doc", hasProjection: true })[k] },
+        { get: (k: string) => ({ componentId: "comp-chart", componentName: "quick-chart", accountId: ACCOUNT_ID, attachmentId: "att-chart", hasProjection: true })[k] },
+      ],
+    });
+
+    const cap = captureConsole();
+    try {
+      const code = await runAudit(buildArgs());
+      expect(code).toBe(0);
+      expect(cap.out.some((l) => /divergences=0 status=ok/.test(l))).toBe(true);
+      expect(cap.out.some((l) => /missing reason=neo4j-row-absent/.test(l))).toBe(false);
+    } finally {
+      cap.restore();
+    }
+  });
+
+  it("Neo4j throw on getRecentMessages → exit=2 (invocation error), no divergence lines", async () => {
+    getRecentMessagesMock.mockRejectedValue(new Error("bolt://neo4j unreachable"));
+    sessionRunMock.mockResolvedValue({ records: [] });
+
+    const cap = captureConsole();
+    try {
+      const code = await runAudit(buildArgs());
+      expect(code).toBe(2);
+      expect(cap.err.some((l) => /neo4j-read-failed/.test(l) && /bolt:\/\/neo4j unreachable/.test(l))).toBe(true);
+    } finally {
+      cap.restore();
+    }
+  });
+
+  it("JSONL absent → exit=2 (invocation error)", async () => {
+    const cap = captureConsole();
+    try {
+      const code = await runAudit({
+        conversationId: CONV_ID,
+        accountId: ACCOUNT_ID,
+        jsonlPath: resolve(__dirname, "fixtures/does-not-exist.jsonl"),
+      });
+      expect(code).toBe(2);
+      expect(cap.err.some((l) => /jsonl absent path=/.test(l))).toBe(true);
+    } finally {
+      cap.restore();
+    }
+  });
+});

package/payload/platform/scripts/admin-persist-audit.ts

@@ -37,14 +37,19 @@ import { ACCOUNTS_DIR } from "../ui/app/lib/claude-agent/account";
 import { getRecentMessages, getSession } from "../ui/app/lib/neo4j-store";
 import { PERSISTENT_COMPONENTS } from "../lib/persistent-components/src/index";
 
-interface Args {
+// Task 943 — `AuditArgs` and `runAudit` are exported so the test
+// (`platform/scripts/__tests__/admin-persist-audit.test.ts`) can mock the
+// Neo4j surface and drive the audit with synthetic JSONL + Neo4j seeds,
+// verifying the divergence-line shape and non-zero exit code without
+// re-executing the live session or requiring a real graph connection.
+export interface AuditArgs {
   conversationId: string;
   accountId: string;
   jsonlPath: string;
 }
 
-function parseArgs(argv: string[]): Args | { error: string } {
-  const out: Partial<Args> = {};
+function parseArgs(argv: string[]): AuditArgs | { error: string } {
+  const out: Partial<AuditArgs> = {};
   let sessionId: string | undefined;
   let jsonlOverride: string | undefined;
   for (const a of argv) {
@@ -66,16 +71,11 @@ function parseArgs(argv: string[]): Args | { error: string } {
   } else {
     return { error: "either --jsonl or --session-id required" };
   }
-  return out as Args;
+  return out as AuditArgs;
 }
 
-async function main(): Promise<number> {
-  const parsed = parseArgs(process.argv.slice(2));
-  if ("error" in parsed) {
-    console.error(`[admin-persist-audit] usage error: ${parsed.error}`);
-    return 2;
-  }
-  const { conversationId, jsonlPath } = parsed;
+export async function runAudit(args: AuditArgs): Promise<number> {
+  const { conversationId, jsonlPath } = args;
 
   if (!existsSync(jsonlPath)) {
     console.error(`[admin-persist-audit] jsonl absent path=${jsonlPath} convId=${conversationId.slice(0, 8)}`);
@@ -183,9 +183,35 @@ async function main(): Promise<number> {
   return 1;
 }
 
-main()
-  .then((code) => process.exit(code))
-  .catch((err) => {
-    console.error(`[admin-persist-audit] crashed: ${err instanceof Error ? err.stack : String(err)}`);
-    process.exit(2);
-  });
+async function main(): Promise<number> {
+  const parsed = parseArgs(process.argv.slice(2));
+  if ("error" in parsed) {
+    console.error(`[admin-persist-audit] usage error: ${parsed.error}`);
+    return 2;
+  }
+  return runAudit(parsed);
+}
+
+// Task 943 — only invoke main() when this script is executed directly.
+// Importing the module (e.g. from `admin-persist-audit.test.ts`) reads
+// `runAudit` and `AuditArgs` without firing the top-level argv parser or
+// process.exit, which would otherwise kill the vitest worker before any
+// assertion ran. `import.meta.url` resolves to the script path under tsx;
+// the suffix check matches both the .ts source and any compiled .js output.
+const invokedDirectly = (() => {
+  try {
+    const entry = process.argv[1];
+    return typeof entry === "string" && import.meta.url.endsWith(entry.replace(/\\/g, "/").split("/").pop() ?? "");
+  } catch {
+    return false;
+  }
+})();
+
+if (invokedDirectly) {
+  main()
+    .then((code) => process.exit(code))
+    .catch((err) => {
+      console.error(`[admin-persist-audit] crashed: ${err instanceof Error ? err.stack : String(err)}`);
+      process.exit(2);
+    });
+}