5 Commits

Author SHA1 Message Date
zhaoyilun
485d5ea766 docs: plan offline b-route reverse work 2026-07-12 01:44:01 +08:00
zhaoyilun
eb399853e6 docs: plan b-route bridge next steps 2026-07-12 01:36:28 +08:00
zhaoyilun
0bb07c7754 docs: clarify rpa fallback priority 2026-07-12 01:29:07 +08:00
zhaoyilun
341f08b7be docs: correct main send status and plan 2026-07-12 01:22:56 +08:00
zhaoyilun
3b01d94088 merge: a-route real chat window 2026-07-12 01:13:24 +08:00
12 changed files with 729 additions and 29 deletions

View File

@@ -1,6 +1,6 @@
# Current Status Card
Date: 2026-07-10
Date: 2026-07-12
Branch: `main`
Loop base: `e993ce1 docs: trim safety constraints from mcp roadmap`
Remote base before local roadmap commits: `b2d839e Merge branch 'codex/n15-report-hardening'`
@@ -11,10 +11,16 @@ Remote base before local roadmap commits: `b2d839e Merge branch 'codex/n15-repor
后续研发主线切换为 MCP 核心通信能力:搜索联系人、搜索群组、收发消息、收发文件。现有 UIA/selector/report 只作为底层辅助和证据,不再作为主线继续扩展。
Route priority is explicit:
1. Primary route: B-route running-client sidecar / in-process connector / existing API that reuses the logged-in `IMPlatformClient.exe` runtime.
2. Secondary route: existing bridge, local service, local data, log, cache, or database source where it can satisfy the MCP contract.
3. Backup route only: A-route/RPA/UIA. Use it to keep the product moving when the B-route is blocked or temporarily untestable, but do not promote it above B-route as the default product architecture.
## Current completed state
- Go MCP foundation exists: `cmd/isphere-mcp`, `internal/mcpserver`, `internal/helperclient`, and `internal/tools` build a stdio MCP server.
- The current MCP surface exposes ten tools: four WinHelper observation tools, four read-oriented business tools, one send-message preview-only tool, and one send-file preview-only tool:
- The current MCP surface exposes ten tools: four WinHelper observation tools, four read-oriented business tools, one send-message tool that is preview by default and can use explicit A-route UIA action config, and one send-file preview-only tool:
- `win_helper_version`
- `win_helper_self_check`
- `win_helper_scan_windows`
@@ -23,15 +29,17 @@ Remote base before local roadmap commits: `b2d839e Merge branch 'codex/n15-repor
- `isphere_search_contacts`
- `isphere_search_groups`
- `isphere_receive_files`
- `isphere_send_message` preview/dry-run only; production is blocked
- `isphere_send_message` preview/dry-run by default; explicit `uia_rpa` config can perform UI write/click, but business delivery remains unverified
- `isphere_send_file` preview/dry-run only; production file upload is blocked
- C# `ISphereWinHelper` exists under `native/ISphereWinHelper` and uses the `isphere.helper.v1` stdin/stdout JSON contract. Helper `0.4.0` adds read-only `probe_send_entrypoints` and `probe_send_uia_controls` for R6a/C31 send connector preflight.
- `scripts/verify-win-helper.ps1` and `scripts/verify-go-mcp.ps1` provide repeatable local checks for the helper, ten-tool MCP surface, default empty-source receive/contact/group/file calls, send-message preview/production-blocked behavior, send-file preview/production-blocked behavior, synthetic configured-file receive/contact/group/file smoke, and synthetic configured-directory receive/contact/group/file smoke.
- C# `ISphereWinHelper` exists under `native/ISphereWinHelper` and uses the `isphere.helper.v1` stdin/stdout JSON contract. Helper `0.5.0` includes read-only `probe_send_entrypoints` / `probe_send_uia_controls` plus `uia_send_message` for configured UI Automation write/click.
- `scripts/verify-win-helper.ps1` and `scripts/verify-go-mcp.ps1` provide repeatable local checks for the helper, ten-tool MCP surface, default empty-source receive/contact/group/file calls, standard send-message preview/production-blocked behavior when A-route env is not configured, send-file preview/production-blocked behavior, synthetic configured-file receive/contact/group/file smoke, and synthetic configured-directory receive/contact/group/file smoke.
- `isphere_receive_messages` now returns the contract-facing `ok`, `conversation`, `messages`, `next_cursor`, and `audit` envelope while retaining legacy parser-native message fields for compatibility.
- `isphere_receive_messages` accepts the read-contract argument set for the current local-readonly path: `conversation_id`, `query`, `since`, `limit`, `include_attachment_metadata`, `source_preference`, `preview`, and empty `cursor`.
- `isphere_search_contacts` and `isphere_search_groups` accept and validate the safe search-contract args for the current local-readonly path and can optionally enrich results from the env-configured C29 `MsgLib.db` display-entity reader; default behavior remains log/JID-backed when MsgLib env vars are absent.
- `isphere_receive_files` list mode accepts and validates the safe file-list contract args for the current local-readonly path while keeping download blocked.
- `isphere_send_message` accepts the R6b/R6e preview/dry-run contract (`target_type`, `target_id`, `content_text`, `content_sha256`, `idempotency_key`, `execution_mode`) and returns planned preview metadata plus redacted audit/idempotency metadata; `execution_mode="production"` returns blocked status with all side-effect flags false.
- A-route fallback can now be explicitly enabled with `ISPHERE_SEND_CONNECTOR_MODE=uia_rpa` and a real/synthetic chat HWND. In that mode the helper can write text to `rtbSendMessage` and click `btnSend`; this is a UI action capability, not proof of business delivery.
- Offline/unlogged real-window work can open the real `frmP2PChat` and confirm UIA root `frmP2PChat`, editor `rtbSendMessage`, button `btnSend`, and receive area `rtbRecvMessage`. The local offline client still reports that messages cannot be sent while offline.
- `native/MsgLibReadSidecar` provides a bounded x86 .NET read-only boundary for `MsgLib.db` schema/display-source checks, bounded contact/group display-entity reads, message-source metadata, and sidecar-level bounded message listing; `internal/msglib` wraps it from Go, C30 wires display metadata as an optional MCP contact/group enrichment source, C39 adds a Go receive-source adapter around `ListMessages`, C40 adds tool-level explicit `msglib_readonly` source selection, and C41 wires it through env configuration without changing the MCP default source.
- N12-pre and N12R documents define safe offline evidence intake and internal-sandbox live UIA capture procedures.
- N13/N14/N15 produced selector catalog/report validation infrastructure, but those are supporting validation assets only.
@@ -41,7 +49,7 @@ Remote base before local roadmap commits: `b2d839e Merge branch 'codex/n15-repor
- The project has not yet implemented production message sending, file download, or production file sending; `isphere_receive_messages`, `isphere_search_contacts`, `isphere_search_groups`, and `isphere_receive_files` list mode have operator-local encrypted log-file/log-directory support but not a production ingestion path.
- The project has not completed production iSphere integration.
- The project has not proven a stable real message source for the full business workflow beyond decrypted PacketReader log evidence and synthetic/redacted tests.
- The project has not implemented real message sending or real file upload. R6b adds preview/dry-run only; it does not prove send invocation, success/ack, or idempotent production behavior.
- The project has not proven business-level message delivery or real file upload. A-route can perform UI write/click when explicitly configured, but local offline clicks do not prove server send, receiver delivery, success/ack, or sent-record evidence.
- N12-pre offline evidence is not N12 pass.
- N13/N14/N15 selector/report work is pre-business evidence, not finished contact/message/file capability.
@@ -59,12 +67,14 @@ N13/N14/N15 are pre-business validation results. They can help identify UI eleme
## Current loop
Current loop: `R14 release-candidate report complete`; next step is evidence-driven production gate review.
Current loop: `A-route real chat window merged to main`; next step is evidence-driven B-route send/file production verification, with A-route/RPA kept as backup readiness.
Active continuous execution plan: `docs/superpowers/plans/2026-07-10-r6f-r14-continuous-execution-plan.md`.
Active continuous execution plan: `docs/superpowers/plans/2026-07-11-a-route-rpa-send.md`.
Previous roadmap file: `docs/superpowers/plans/2026-07-10-core-business-capabilities-roadmap.md`.
Current business status correction: `docs/reports/2026-07-12-main-business-status-correction.md`.
Loop rule:
1. Write or update the plan before coding.
@@ -387,12 +397,23 @@ R14 release-candidate report is complete:
## A-route UIA send branch
A-route UIA send branch is in progress on `codex/a-route-rpa-send`:
A-route UIA send work has been merged into `main`:
- Route positioning: A-route/RPA is a fallback, not the primary product route. B-route sidecar/API connector evidence remains the preferred path for real send/file capability.
- User direction: do not add a product approval gate; implement function first and let the digital employee layer decide when to call it.
- Added plan `docs\superpowers\plans\2026-07-11-a-route-rpa-send.md`.
- Go connector request now carries raw `ContentText` only to the action connector; response and audit remain redacted.
- Added Go `uia-rpa` send connector adapter and env loader.
- Added C# helper op `uia_send_message` that sets the send editor text and invokes the send button through UI Automation.
- Synthetic local verification in `scripts\verify-win-helper.ps1` proves the helper can write to a WinForms send box and trigger a send button marker.
- Added `scripts\open-offline-real-frmP2PChat.ps1`, which opens a real offline/unlogged `frmP2PChat` and confirms `rtbSendMessage` / `btnSend` selectors.
- Visual real-window demo proved the local UI can accept text and receive a send-button click, but the client remains offline and reports that the message cannot be sent.
- Default MCP smoke still clears A-route env and remains preview/blocked unless explicitly configured.
2026-07-12 business correction:
- `isphere_send_message` now has two different readiness levels:
- preview/dry-run: stable MCP contract, no send.
- A-route UI action: configured UI write/click works against synthetic and real offline windows.
- It does **not** yet have verified online business delivery. Do not describe `clicked_ui=true` or helper `sent_message=true` as “消息已送达”.
- `isphere_send_file` remains preview-only for production file upload. The real offline UIA dump did not expose `btnSendFile` as a stable automation id, so file upload needs a separate toolbar/menu locator node.

View File

@@ -2,7 +2,7 @@
This runbook is for the first Go MCP phase of `isphere-ai-bridge`. It lets an operator build and verify the Windows helper and the Go MCP server without reading the source code.
Current scope: expose four WinHelper observation operations, four business read tools, and two preview-only send tools through Go MCP. Read tools are `isphere_receive_messages`, `isphere_search_contacts`, `isphere_search_groups`, and `isphere_receive_files` list mode plus download preview/blocked status. Send tools are `isphere_send_message` and `isphere_send_file` preview/dry-run only; production send/file upload is blocked. Read tools use an empty default message source unless `ISPHERE_PACKET_LOG_FILE` points to an operator-local encrypted PacketReader log-line file or `ISPHERE_PACKET_LOG_DIR` points to an operator-local directory of encrypted PacketReader `.log`/`.txt` files. Contact/group display names can also be optionally enriched from an operator-local copied `MsgLib.db` through the bounded read-only `MsgLibReadSidecar`; receive messages can use copied DB rows only when the caller explicitly passes `source_preference="msglib_readonly"`.
Current scope: expose four WinHelper observation operations, four business read tools, one message-send tool, and one preview-only file-send tool through Go MCP. Read tools are `isphere_receive_messages`, `isphere_search_contacts`, `isphere_search_groups`, and `isphere_receive_files` list mode plus download preview/blocked status. `isphere_send_message` is preview/dry-run by default; when explicitly configured with `ISPHERE_SEND_CONNECTOR_MODE=uia_rpa` it can perform a UI write/click action against a configured chat HWND, but online business delivery is still unverified. `isphere_send_file` remains preview/dry-run only and production file upload is blocked. Read tools use an empty default message source unless `ISPHERE_PACKET_LOG_FILE` points to an operator-local encrypted PacketReader log-line file or `ISPHERE_PACKET_LOG_DIR` points to an operator-local directory of encrypted PacketReader `.log`/`.txt` files. Contact/group display names can also be optionally enriched from an operator-local copied `MsgLib.db` through the bounded read-only `MsgLibReadSidecar`; receive messages can use copied DB rows only when the caller explicitly passes `source_preference="msglib_readonly"`.
## 1. Prerequisites
@@ -563,7 +563,9 @@ Current short answer:
- 已完成:搜索联系人、搜索群组、收消息基础读取、收文件列表。
- 可预览:发消息 preview、发文件 preview。
- 阻断:生产发消息、真实文件下载、生产发文件
- A-route/RPA 是备选兜底,不是主线;主线仍是 B-route running-client sidecar / in-process connector / existing API
- A-route 已具备 UI 动作能力:显式配置后可以对聊天窗口写入文本并点击发送按钮;本地还可打开真实离线 `frmP2PChat` 验证窗口/输入框/按钮定位。
- 阻断:在线业务送达、真实文件下载、生产发文件。离线点击不等于服务端发送成功。
The two online evidence packages to send to an internal/logged-in operator are:
@@ -576,7 +578,7 @@ They are generated under ignored `runs\` and are not committed.
## 18. A-route UIA send connector
A-route is the UI Automation fallback for text sending when the B-route sidecar cannot be tested. It is function-first: there is no human approval ID gate inside the connector. The digital employee layer is responsible for deciding when to call production mode.
A-route is the UI Automation fallback for text sending when the B-route sidecar cannot be tested. It is function-first, but it is not the primary architecture. Prefer B-route running-client sidecar / in-process connector / existing API evidence whenever that route is available. There is no human approval ID gate inside the connector; the digital employee layer is responsible for deciding when to call production mode.
Local verification uses a synthetic WinForms window:
@@ -590,6 +592,17 @@ Expected output includes helper version `0.5.0` and:
{"synthetic_uia_send_action":"uia_send_message"}
```
The project also has a real offline chat-window opener:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\open-offline-real-frmP2PChat.ps1 -RuntimeMode Deps -ShowWindow -HoldSeconds 1
```
That script opens the real `frmP2PChat` without login and confirms the key UIA
ids `frmP2PChat`, `rtbSendMessage`, `btnSend`, and `rtbRecvMessage`. The window
is still offline and will show the client-side “cannot send while offline”
message.
To enable A-route in a logged-in desktop session, configure the MCP server environment before startup:
```powershell
@@ -603,6 +616,11 @@ $env:ISPHERE_SEND_UIA_HELPER_PATH = "E:\coding\codex\isphere-ai-bridge\runs\win-
Then call `isphere_send_message` with `execution_mode="production"`. The connector will set the send editor text and invoke the send button through UI Automation. Response metadata uses `connector_mode="uia-rpa"`; the audit still stores hashes and metadata, not the raw message body or raw idempotency key.
Important status boundary: helper fields such as `clicked_ui=true` or
`sent_message=true` mean the UI action ran. They do not prove server acceptance,
receiver delivery, or a sent-record match. Online/logged-in evidence is still
required before this can be called business-level send.
Standard `scripts\verify-go-mcp.ps1` clears all A-route env vars so the deterministic smoke remains preview/blocked by default.
## 19. Troubleshooting

View File

@@ -1,5 +1,9 @@
# Business Goals Smoke - 2026-07-10
> 2026-07-12 校准A-route 已合并到 `main``isphere_send_message`
> 在显式 `uia_rpa` 配置下可以执行 UI 写入/点击;但业务送达仍未验证。
> 当前主状态见 `docs/reports/2026-07-12-main-business-status-correction.md`。
## 业务目标状态
| 目标 | 当前状态 | 说明 |

View File

@@ -1,5 +1,9 @@
# R6f-R14 Release Candidate Status - 2026-07-10
> 2026-07-12 校准:本报告是 A-route 前的 R14 状态。后续 `main`
> 已具备显式配置下的发消息 UI 写入/点击能力,但在线业务送达仍未验证。
> 当前主状态见 `docs/reports/2026-07-12-main-business-status-correction.md`。
本报告是 R6f-R14 连续轮次的业务验收材料。结论先讲清楚:数字员工现在可以用搜索、收消息基础读取、收文件列表,以及发消息/发文件 preview生产发消息、真实下载文件、生产发文件仍然需要在线可登录环境返回证据。
## Business capability status

View File

@@ -0,0 +1,34 @@
# Main Business Status Correction - 2026-07-12
本报告校准 `main` 合并 A-route 后的业务状态避免把“UI 输入/点击”误写成“业务送达”。
## 四个目标当前状态
| 目标 | 当前业务状态 | 已有能力 | 剩余卡点 |
| --- | --- | --- | --- |
| 搜索联系人 | 基础可用 | `isphere_search_contacts` 支持 log-backed 候选和可选 MsgLib enrichment。 | 更丰富字段、成员层级属于后续增强。 |
| 搜索群组 | 基础可用 | `isphere_search_groups` 支持 groupchat/conference 候选、排序、去重和可选 MsgLib enrichment。 | 群成员/管理员层级属于后续增强。 |
| 收发消息 | 收消息基础可用;发消息 UI action ready在线业务送达未验证 | `isphere_receive_messages` 可从 PacketReader/log-backed 或显式 MsgLib readonly 读取;`isphere_send_message` preview 稳定A-route `uia_rpa` 可对真实/合成聊天窗口写入 `rtbSendMessage` 并点击 `btnSend`。 | 需要在线登录环境证明 server ack、接收方送达或 sent-record/content-hash after 证据。 |
| 收发文件 | 收文件 list 可用;发文件 preview 可用;真实下载/真实上传未完成 | `isphere_receive_files` 可列文件元数据并给出 download preview blocked/planned`isphere_send_file` 可做 allowed-dir SHA256/size preview。 | 真实下载需要 cache mapping/copy gate真实发文件需要文件按钮/菜单定位、上传 connector 和在线发送证据。 |
## A-route 合并后的精确定义
- 路线定位B-route/运行客户端 sidecar/API connector 仍是主线A-route/RPA 只是备选兜底,不作为默认产品架构。
- 已实现:打开真实离线 `frmP2PChat`,识别 `rtbSendMessage``btnSend``rtbRecvMessage`
- 已实现:`uia_send_message` 可以写入发送框并触发发送按钮。
- 未证明:在线登录态下消息被服务端接受、对方收到、或本地 sent-record 产生。
- 未实现:真实文件上传。真实离线 UIA dump 没有稳定暴露 `btnSendFile` automation id。
## 后续计划
1. 主线优先:继续验证 B-route running-client sidecar / in-process connector / existing API 的真实发送和文件能力。
2. 备选保持:把真实 `frmP2PChat` HWND 接入 `isphere_send_message``uia_rpa` connector形成可重复 UI action smoke但只作为 B-route 卡住时的兜底。
3. 在线消息验证:在可登录环境采集 before/after sent-record、content hash、ack/成功提示、idempotency 不重复发送证据。
4. 文件发送节点:优先找 B-route 上传/发送 connector如果继续卡住再单独定位真实工具栏/菜单里的文件按钮,做 RPA 上传动作和在线 evidence package。
5. 更新业务 smoke`send_message_ui_action_ready``send_message_business_delivery_ready` 拆成两个字段。
## 对外口径
可以说:数字员工已经具备联系人/群组搜索、收消息基础读取、收文件列表、发消息 preview、发消息 UI 操作能力。
不要说:数字员工已经能稳定在线发送消息或发送文件。当前还缺在线业务证据。

View File

@@ -3,6 +3,10 @@
日期2026-07-11
分支:`codex/a-route-rpa-send`
> 2026-07-12 校准:本文记录的是 synthetic 离线探针阶段和当时的真实窗体构造阻塞。后续已经通过
> `scripts\open-offline-real-frmP2PChat.ps1` 在未登录/离线环境打开真实 `frmP2PChat`。
> 当前以 `docs/source-discovery/2026-07-11-a-route-open-real-chat-window.md` 为准。
## 本轮目标
用户明确当前先不要求真实发送消息,只要求“打开那个会话窗口”,用来验证数字员工是否能:
@@ -86,7 +90,7 @@ frmP2PChat(com.vision.smack.Chat chat, string pluginInfo, string extendTabJson)
- `ConfigSystemManager.config`
- `P2PChat.OtherJid`
仍未成功打开真实窗体。当前阻塞不再是脚本能力,而是构造函数内部把窗体初始化、登录态、连接态、名册状态、消息中心事件、配置状态混在一起。IL 证据显示构造函数中直接访问:
本节以下内容是当时的中间判断。后续 Task 7 已经补齐更多离线依赖并成功打开真实窗体,因此这里不再作为当前阻塞。它仍保留为风险索引:构造函数内部确实把窗体初始化、登录态、连接态、名册状态、消息中心事件、配置状态混在一起。IL 证据显示构造函数中直接访问:
- `IMPPManager.Instance.Connection.add_OnConnectError`
- `IMPPManager.Instance.Connection.add_OnReConnectOk`
@@ -98,7 +102,7 @@ frmP2PChat(com.vision.smack.Chat chat, string pluginInfo, string extendTabJson)
- `IMPPManager.Instance.RosterManager.UpdateStrangerStatus`
- `Config.BaseConfig.VisualPhoneEnable`
这说明真实 `frmP2PChat` 不是独立窗口类;它要求完整登录运行态。没有服务端/登录态时继续硬构造,投入会越来越像“重建一个假客户端运行时”
后续解决方式不是走正常登录链路,而是建立更完整的离线依赖 harness并在构造完成后补齐关键用户/JID/配置缓存。当前结论已变更为:真实 `frmP2PChat` 可以离线打开,但真实发送仍会被客户端离线状态阻断
## 当前业务结论
@@ -111,10 +115,10 @@ frmP2PChat(com.vision.smack.Chat chat, string pluginInfo, string extendTabJson)
- 点击结果可留本地审计 marker。
- 全程不发真实消息、不上传真实文件。
从“真实 iSphere 会话窗口”的目标看,仍需要在线登录环境或继续补完整客户端运行态
从“真实 iSphere 会话窗口”的目标看,后续已完成离线打开真实 `frmP2PChat`。从“真实业务发送”的目标看,仍需要在线登录环境。
## 下一步建议
1. 当前分支先使用 `open-offline-chat-window-probe.ps1` 验证 RPA 识别/定位/点击效果
2. 在线环境拿到真实登录后的 `frmP2PChat` HWND 后,用同一套 WinHelper 选择器直接验证真实窗口
3. 如果必须离线打开真实窗体,再继续走“补完整 IMPPManager/SmarkManager/Config/BaseConfig/MessageCenter 运行态”的破解路线
1. synthetic 探针只作为回归兜底;真实窗口验证优先使用 `open-offline-real-frmP2PChat.ps1`
2. 把真实离线 `frmP2PChat` HWND 接入 `isphere_send_message``uia_rpa` connector做可重复 UI 写入/点击 smoke
3. 在线环境拿到真实登录后的 `frmP2PChat` HWND 后,用同一套 WinHelper 选择器验证业务发送

View File

@@ -155,11 +155,23 @@ powershell -NoProfile -ExecutionPolicy Bypass -File scripts\open-offline-real-fr
- 本轮没有处理真实发送、真实上传、真实登录态。
- `btnSendFile` 在这次真实离线 UIA dump 中没有以 `btnSendFile` automation id 暴露;后续如果 RPA 需要上传文件,需要另开节点定位真实工具栏按钮或菜单路径。
## 2026-07-12 主分支状态校准
该能力已经随 A-route 分支合并到 `main`。业务含义如下:
- 已完成:真实离线 `frmP2PChat` 打开、UIA 识别、发送框定位、发送按钮定位。
- 已演示:在真实离线窗口内写入文本并点击 `btnSend`,可用于验证数字员工的窗口识别、定位和点击链路。
- 未完成:在线登录态下的真实发送、服务端 ack、接收方送达、发送记录匹配。
- 未完成:真实文件上传/发送。当前真实 UIA dump 没有稳定暴露 `btnSendFile`,文件发送要单独做工具栏/菜单定位。
因此,文档里出现的 helper `sent_message=true` 只能解释为“UI 发送动作已触发”,不能解释为“业务消息已送达”。
## 下一轮建议
1. 把 A-route RPA 的窗口定位目标从 synthetic probe 切到真实 `frmP2PChat`
- root `automation_id=frmP2PChat`
- send box `automation_id=rtbSendMessage`
- send button `automation_id=btnSend`
2. 如果弹出“企业信息获取失败”影响自动化,单独加一个非阻塞关闭弹窗步骤
3. 如果后续需要文件按钮,再专门分析真实工具栏图标按钮、菜单项和 `ToolStrip` 命中路径。
2. 把真实窗口 HWND 接入 `isphere_send_message``uia_rpa` connector形成可重复的本地 UI 动作 smoke
3. 在线登录环境中补一次业务发送验证发送前后记录、content hash、ack/发送记录、idempotency 不重复发送。
4. 如果后续需要文件按钮,再专门分析真实工具栏图标按钮、菜单项和 `ToolStrip` 命中路径。

View File

@@ -1,7 +1,7 @@
# A-route UIA Send Implementation Note
Date: 2026-07-11
Branch: `codex/a-route-rpa-send`
Branch: implemented on `codex/a-route-rpa-send`, merged to `main`
## Decision
@@ -25,6 +25,28 @@ $env:ISPHERE_SEND_UIA_BUTTON_AUTOMATION_ID = "btnSend"
Then call `isphere_send_message` with `execution_mode="production"`.
## Status correction after real-window work
`uia_send_message` is a UI action connector. Its helper result fields such as
`typed_text=true`, `clicked_ui=true`, and `sent_message=true` mean the editor was
written and the send button was invoked/clicked. They do not mean the server
accepted the message, the receiver got it, or a sent record was written.
After this note was first written, the project also opened a real offline
`frmP2PChat` window locally and confirmed:
- root: `frmP2PChat`
- editor: `rtbSendMessage`
- send button: `btnSend`
- receive area: `rtbRecvMessage`
The real offline window still shows the client-side offline-send blocker, so it
is useful for UI positioning and click verification, not for business delivery
verification.
## Remaining real-environment work
The local environment still cannot log in to iSphere. The code path is implemented and locally proven against synthetic UIA, but real iSphere success still needs a logged-in window handle and one real run in the online environment.
The local environment still cannot log in to iSphere. The code path is
implemented and locally proven against synthetic UIA plus the real offline chat
window, but real iSphere success still needs a logged-in window handle and one
online run with success/ack or sent-record evidence.

View File

@@ -1,6 +1,6 @@
# Capability Source Matrix
Date: 2026-07-10
Date: 2026-07-12
Stage: Core business capability roadmap
Evidence index: `docs/source-discovery/2026-07-09-n12-pre-zyl-index.md`
Schema notes: `docs/source-discovery/2026-07-09-n12-pre-zyl-schema-notes.md`
@@ -14,6 +14,9 @@ File download mapping v2: `docs/source-discovery/2026-07-10-file-download-mappin
Send-file sandbox gate: `docs/source-discovery/2026-07-10-send-file-sandbox-gate.md`
Business goals smoke: `docs/reports/2026-07-10-business-goals-smoke.md`
R14 release candidate: `docs/reports/2026-07-10-r6f-r14-release-candidate.md`
Main status correction: `docs/reports/2026-07-12-main-business-status-correction.md`
A-route UIA send: `docs/source-discovery/2026-07-11-a-route-uia-send.md`
A-route real offline chat window: `docs/source-discovery/2026-07-11-a-route-open-real-chat-window.md`
## Source priority
@@ -24,6 +27,8 @@ R14 release candidate: `docs/reports/2026-07-10-r6f-r14-release-candidate.md`
5. Network/protocol source.
6. Mock source for tests only.
Route rule: UIA helper / A-route / RPA is a backup route only. It can preserve delivery momentum while B-route is blocked or untestable, but B-route sidecar/API evidence remains the preferred path for production send and file capability.
## Matrix
| MCP tool | Primary source | Fallback source | Evidence file | Decision status | Next implementation slice |
@@ -32,8 +37,8 @@ R14 release candidate: `docs/reports/2026-07-10-r6f-r14-release-candidate.md`
| `isphere_search_contacts` | bare sender/receiver JIDs extracted from normalized log-backed messages loaded from configured PacketReader file or directory source | validated copied `MsgLib.db` tables: `TD_Roster`, `TD_CustomEffigy`, `tblRecent`, `tblChatLevel`, `tblPersonMsg`; decrypted roster/contact stanzas from `Smark.SendReceive`; UIA helper source if display names are still missing | `docs/source-discovery/2026-07-10-msglib-readonly-schema-extraction.md`; `internal/isphere/contacts_test.go`; `internal/tools/isphere_contacts_test.go` | C34 documents optional MsgLib contact display enrichment; R2 adds deterministic exact-match-first ranking, case-insensitive de-duplication across log/MsgLib candidates, and preserves `source`/`raw_ref` | core contact search complete; optional richer fields later |
| `isphere_search_groups` | decrypted `PacketReader.ProcessPacket` `type="groupchat"` stanzas and conference/MUC JIDs loaded from configured PacketReader file or directory source | validated copied `MsgLib.db` tables: `tblMsgGroupPersonMsg`, `TD_WorkGroupAuth`, `tblRecent`; UIA helper source if group display names are still missing | `docs/source-discovery/2026-07-10-msglib-readonly-schema-extraction.md`; `internal/isphere/groups_test.go`; `internal/tools/isphere_groups_test.go`; C9 ignored-log scan: PacketReader 86 groupchat/86 conference hits; Smark 24 groupchat/658 conference/631 muc hits | C34 documents optional MsgLib group display enrichment; R2 adds deterministic exact-match-first ranking, case-insensitive de-duplication across log/MsgLib candidates, and preserves `source`/`raw_ref` | core group search complete; optional member/owner hierarchy later |
| `isphere_receive_files` | decrypted `PacketReader.ProcessPacket` file-transfer message stanzas via `internal/isphere.ListFilesFromMessages` and `isphere_receive_files` list mode; configured PacketReader file or directory source; `zyl\importal\<hash>` cache entries remain unlinked | MsgLib `TD_ReceiveFileRecord` safe metadata through explicit copied-DB path; decrypted `Smark.SendReceive` and `SaveToDB` traces for file-reference reconciliation; future UIA/client connector for download | `docs/source-discovery/2026-07-09-n12-pre-zyl-schema-notes.md#c12-file-transfer-evidence-precheck`; `docs/source-discovery/2026-07-10-file-download-mapping-precheck.md`; `docs/source-discovery/2026-07-10-file-cache-mapping-diagnostic.md`; `docs/source-discovery/2026-07-10-file-download-mapping-v2.md`; `docs/reports/2026-07-10-business-goals-smoke.md` | C22 verifies safe file-list contract args; R10 proves resolver scoring with fixture accepted matches; R11 adds structured download preview with `blocked`/`planned` status and side-effect flags false; R13/R14 confirms list is ready but real download is still blocked. | blocked for real download pending accepted real cache mapping and copy gate; list mode is complete |
| `isphere_send_message` | B-route selected: running-client sidecar / in-process connector, preferring `AppContextManager.SendTxtMessageByJid(...)` or `MessageScheduling.SendChatMessage(...)` over the unimplemented `SendP2PMessage(...)` interface path; current MCP tool exposes preview/dry-run only | A-route fallback: constrained UI/RPA wrapper only if B cannot pass runtime probe, entrypoint availability, dynamic observation, and idempotent dry-run gates; network/protocol replay remains deferred | `docs/source-discovery/2026-07-10-send-message-source-precheck.md`; `docs/source-discovery/2026-07-10-send-message-connector-selection.md`; `docs/source-discovery/2026-07-10-send-sidecar-b-first-plan.md`; `docs/source-discovery/2026-07-10-returned-live-probe-analysis.md`; `docs/source-discovery/2026-07-10-send-connector-preflight.md`; `docs/source-discovery/2026-07-10-send-sandbox-gate.md`; `docs/source-discovery/2026-07-10-returned-send-sandbox-analysis.md`; `docs/source-discovery/2026-07-10-returned-send-sandbox-analysis-v2.md`; `docs/source-discovery/2026-07-10-returned-send-sent-record-diagnostic.md`; `internal/tools/isphere_send_message_test.go`; `cmd/isphere-capability-smoke/main.go`; `docs/reports/2026-07-10-business-goals-smoke.md` | R6f-R6l define connector contract, audit/idempotency replay, production gate, B-route shell, strict-v2 package, and explicit production closure. R10a validates two returned sent-record packages as manual-only evidence: `operator_observed_success=true`, but `exact_content_seen_after=false`, `content_sha256_seen_after=false`, `after_offline_blocked=true`, and `production_send_unlock_recommended=false`. Preview is complete; production remains blocked. | blocked until strict machine sent-record/content-hash after evidence passes and a connector is configured |
| `isphere_send_file` | B-route selected after send-message probe: managed offline-file path through `OffLineFileSend.sendFile()`, `IMPP.Service*.dll` `IFileTransfer.FileUpload(...)`, and `Chat.sendFileMessage(...)`; current MCP tool exposes preview/dry-run only | A-route fallback: constrained UI/RPA upload/send-file flow; native `TcpFileTransfer.dll` is a later candidate only after managed path is rejected | `docs/source-discovery/2026-07-10-send-message-source-precheck.md`; `docs/source-discovery/2026-07-10-send-message-connector-selection.md`; `docs/source-discovery/2026-07-10-send-sidecar-b-first-plan.md`; `docs/source-discovery/2026-07-10-returned-live-probe-analysis.md`; `docs/source-discovery/2026-07-10-send-connector-preflight.md`; `docs/source-discovery/2026-07-10-send-file-sandbox-gate.md`; `internal/tools/isphere_files_test.go`; `docs/reports/2026-07-10-business-goals-smoke.md` | R7 registers send-file preview as the tenth MCP tool; R8 adds audit/idempotency duplicate/conflict hardening without raw file paths/content; R9 builds and verifies the online send-file evidence package; R13/R14 confirms preview is ready and production upload remains blocked. | blocked until returned file-send package proves upload/sent evidence and an upload connector is gated |
| `isphere_send_message` | B-route selected: running-client sidecar / in-process connector, preferring `AppContextManager.SendTxtMessageByJid(...)` or `MessageScheduling.SendChatMessage(...)` over the unimplemented `SendP2PMessage(...)` interface path; default MCP tool still exposes preview/dry-run unless an explicit connector mode is configured | A-route fallback is now implemented for UI action: `ISPHERE_SEND_CONNECTOR_MODE=uia_rpa` calls WinHelper `uia_send_message` against a configured HWND, writes `rtbSendMessage`, and clicks `btnSend`; this stays backup-only and network/protocol replay remains deferred | `docs/source-discovery/2026-07-10-send-message-source-precheck.md`; `docs/source-discovery/2026-07-10-send-message-connector-selection.md`; `docs/source-discovery/2026-07-10-send-sidecar-b-first-plan.md`; `docs/source-discovery/2026-07-10-returned-live-probe-analysis.md`; `docs/source-discovery/2026-07-10-send-connector-preflight.md`; `docs/source-discovery/2026-07-10-send-sandbox-gate.md`; `docs/source-discovery/2026-07-10-returned-send-sandbox-analysis.md`; `docs/source-discovery/2026-07-10-returned-send-sandbox-analysis-v2.md`; `docs/source-discovery/2026-07-10-returned-send-sent-record-diagnostic.md`; `docs/source-discovery/2026-07-11-a-route-uia-send.md`; `docs/source-discovery/2026-07-11-a-route-open-real-chat-window.md`; `internal/tools/isphere_send_message_test.go`; `cmd/isphere-capability-smoke/main.go`; `docs/reports/2026-07-10-business-goals-smoke.md` | R6f-R6l define connector contract, audit/idempotency replay, production gate, B-route shell, strict-v2 package, and explicit production closure. R10a validates two returned sent-record packages as manual-only evidence. A-route adds local UI action readiness: synthetic window proof plus real offline `frmP2PChat` open/write/click target proof. Business delivery is still not verified because local runtime is offline and no success/ack or sent-record hash evidence has passed. | B-route evidence remains next priority; A-route UI action is backup-ready only; business send remains blocked until online sent-record/content-hash/ack evidence passes |
| `isphere_send_file` | B-route selected after send-message probe: managed offline-file path through `OffLineFileSend.sendFile()`, `IMPP.Service*.dll` `IFileTransfer.FileUpload(...)`, and `Chat.sendFileMessage(...)`; current MCP tool exposes preview/dry-run only | A-route file fallback is not implemented yet; real offline UIA dump did not expose stable `btnSendFile`, so the next fallback slice is toolbar/menu locator discovery; native `TcpFileTransfer.dll` is a later candidate only after managed path is rejected | `docs/source-discovery/2026-07-10-send-message-source-precheck.md`; `docs/source-discovery/2026-07-10-send-message-connector-selection.md`; `docs/source-discovery/2026-07-10-send-sidecar-b-first-plan.md`; `docs/source-discovery/2026-07-10-returned-live-probe-analysis.md`; `docs/source-discovery/2026-07-10-send-connector-preflight.md`; `docs/source-discovery/2026-07-10-send-file-sandbox-gate.md`; `docs/source-discovery/2026-07-11-a-route-open-real-chat-window.md`; `internal/tools/isphere_files_test.go`; `docs/reports/2026-07-10-business-goals-smoke.md` | R7 registers send-file preview as the tenth MCP tool; R8 adds audit/idempotency duplicate/conflict hardening without raw file paths/content; R9 builds and verifies the online send-file evidence package; R13/R14 confirms preview is ready and production upload remains blocked. A-route real-window work confirms file-button automation still needs a separate locator node. | blocked until file toolbar/menu locator is found and returned file-send package proves upload/sent evidence |
## Stage C entry rule
@@ -50,4 +55,4 @@ Start Stage C with a narrow log-backed `isphere_receive_messages` source abstrac
## Deferred source work
`MsgLib.db` has a validated copied read-only open path through the bundled 32-bit `System.Data.SQLite.dll` and password `123`. C27 adds `MsgLibReadSidecar` as the bounded x86 .NET reader boundary, C28 adds the Go `internal/msglib` process client, C29 adds bounded `display_entities` extraction, C30 wires it as optional contact/group MCP enrichment, C31 proves real copied-DB MCP enrichment with sanitized output, C32 reuses it for receive-message display fields, C33 proves that receive display path through a real copied-DB MCP smoke without printing entity values, C34 documents the operator setup/verification path, C35 maps MsgLib message tables to receive-message contract fields without reading row values, C36 adds metadata-only `message_sources` readiness, C37 defines the bounded DB-backed receive-source design, C38 implements sidecar/Go-wrapper `list_messages` with sanitized verification, C39 adds a Go adapter from MsgLib list results to the receive-message domain model, C40 adds explicit tool-level `msglib_readonly` source selection, C41 wires env-configured explicit MsgLib receive with optional sanitized smoke, R1 documents source reconciliation keys, and R2 hardens contact/group search ranking and de-duplication. R6j/R6k confirm the send-message strict-v2 production gate is still not passed; R10a confirms the returned sent-record packages are manual-only evidence and do not unlock production send; R10/R11 define file-download resolver/preview behavior while keeping real copy blocked; R12 adds receive-source reconciliation without changing default routing; R13/R14 publish business-goals smoke and the release-candidate status. The active continuous execution plan `docs/superpowers/plans/2026-07-10-r6f-r14-continuous-execution-plan.md` is complete through R14; next work is evidence-driven, not local login-dependent.
`MsgLib.db` has a validated copied read-only open path through the bundled 32-bit `System.Data.SQLite.dll` and password `123`. C27 adds `MsgLibReadSidecar` as the bounded x86 .NET reader boundary, C28 adds the Go `internal/msglib` process client, C29 adds bounded `display_entities` extraction, C30 wires it as optional contact/group MCP enrichment, C31 proves real copied-DB MCP enrichment with sanitized output, C32 reuses it for receive-message display fields, C33 proves that receive display path through a real copied-DB MCP smoke without printing entity values, C34 documents the operator setup/verification path, C35 maps MsgLib message tables to receive-message contract fields without reading row values, C36 adds metadata-only `message_sources` readiness, C37 defines the bounded DB-backed receive-source design, C38 implements sidecar/Go-wrapper `list_messages` with sanitized verification, C39 adds a Go adapter from MsgLib list results to the receive-message domain model, C40 adds explicit tool-level `msglib_readonly` source selection, C41 wires env-configured explicit MsgLib receive with optional sanitized smoke, R1 documents source reconciliation keys, and R2 hardens contact/group search ranking and de-duplication. R6j/R6k confirm the send-message strict-v2 production gate is still not passed; R10a confirms the returned sent-record packages are manual-only evidence and do not unlock production send; R10/R11 define file-download resolver/preview behavior while keeping real copy blocked; R12 adds receive-source reconciliation without changing default routing; R13/R14 publish business-goals smoke and the release-candidate status. A-route now proves UI write/click readiness against synthetic and real offline chat windows, but not online delivery. The active follow-up plan is `docs/superpowers/plans/2026-07-11-a-route-rpa-send.md`; next work is evidence-driven send/file verification, not local login-dependent.

View File

@@ -2,7 +2,7 @@
> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
**Goal:**`codex/a-route-rpa-send` 分支实现 A 方案:通过受控 UI Automation 路线让 `isphere_send_message` 能配置为真实 UI 写入并点击发送。
**Goal:**`codex/a-route-rpa-send` 分支实现 A 方案,并在合并到 `main` 后继续校准计划:通过受控 UI Automation 路线让 `isphere_send_message` 能配置为真实 UI 写入并点击发送;同时明确这只证明 UI 动作,不等于业务送达,而且 A-route/RPA 是备选兜底,不是主线
**Architecture:** Go MCP 继续保留稳定 `isphere_send_message` 接口、hash、idempotency、audit。新增 A-route connector 调用 C# `ISphereWinHelper` 的 UIA action opC# helper 根据窗口句柄、发送框 AutomationId、发送按钮 AutomationId 写入文本并点击。B-route sidecar 仍是主路线,但当前不可测时先实现 A-route 功能兜底。
@@ -11,12 +11,14 @@
## Global Constraints
- Repository root: `E:\coding\codex\isphere-ai-bridge`.
- Active branch: `codex/a-route-rpa-send`.
- Original implementation branch: `codex/a-route-rpa-send`; merged branch for follow-up documentation and plan correction: `main`.
- Do not use `rg`; use `git ls-files`, `ag`, `grep -R`, or PowerShell commands.
- Local machine cannot log in; use synthetic WinForms/UIA verification for local tests.
- User explicitly removed human approval as a product gate for A-route; do not add approval IDs or approval queues in this plan.
- Keep audit redaction: do not store raw message body or raw idempotency key in committed docs/audit tests.
- Real UI action requires explicit env configuration; default MCP behavior remains preview/blocked.
- Route priority must stay B-route first: running-client sidecar / in-process connector / existing API is the primary product route; A-route/RPA only keeps a fallback path alive while B-route is blocked or untestable.
- Helper fields `clicked_ui=true` and `sent_message=true` mean the helper wrote the editor and invoked/clicked the send button. They must not be interpreted as server acceptance, receiver delivery, or sent-record proof.
---
@@ -112,4 +114,43 @@ adds a no-network WinForms probe using the real selector names
- [x] Verify UIA classification finds send editor, send button, and file button.
- [x] Verify `-ProbeClick` writes text and clicks `btnSend`.
- [x] Verify marker says `sent_real_message=false` and `uploaded_real_file=false`.
- [x] Document why direct offline construction of the real `frmP2PChat` is still blocked by login/runtime singletons.
- [x] Document the then-current direct-construction blocker; Task 7 supersedes this by opening the real `frmP2PChat` with a fuller offline dependency harness.
## Task 7: Replace synthetic-only proof with real offline `frmP2PChat`
**Files:**
- Create: `scripts/open-offline-real-frmP2PChat.ps1`
- Create: `scripts/extract-frmP2PChat-il-risk.ps1`
- Create: `scripts/test-extract-frmP2PChat-il-risk.ps1`
- Create: `scripts/test-open-offline-real-frmP2PChat-contract.ps1`
- Create: `docs/source-discovery/2026-07-11-a-route-open-real-chat-window.md`
**Purpose:** local machine still cannot log in, but RPA validation should run
against a real client chat form instead of only a synthetic WinForms probe.
- [x] Extract constructor/load IL risks for `frmP2PChat`.
- [x] Build an offline dependency harness that can construct and show the real `frmP2PChat`.
- [x] Confirm UIA root `automation_id=frmP2PChat`.
- [x] Confirm send editor `automation_id=rtbSendMessage`.
- [x] Confirm send button `automation_id=btnSend`.
- [x] Confirm receive area `automation_id=rtbRecvMessage`.
- [x] Record that the real offline window shows the expected offline-send blocker.
- [x] Merge and push the real-window branch to `main`.
## Task 8: Corrected next loop after main merge
**Business status after Task 7:**
- Message send: UI write/click path exists; online delivery is not verified.
- File send: preview-only; no real upload path is implemented.
- Receive/search: unchanged from R14; basic digital-employee read/search remains usable through local-readonly evidence paths.
**Next implementation slices:**
- [ ] Re-check B-route sidecar / in-process connector / existing API feasibility before promoting any RPA path.
- [ ] Add a real-window A-route smoke that opens `frmP2PChat`, passes its HWND into the MCP `uia_rpa` connector, writes a unique text, clicks `btnSend`, and records sanitized UI evidence; treat this as backup readiness only.
- [ ] Add an online/logged-in verification package for message send: first target B-route evidence; include A-route evidence only as a fallback comparison path.
- [ ] Keep default `verify-go-mcp.ps1` preview/blocked unless explicit A-route env is set, so CI does not depend on a desktop login.
- [ ] Start a separate file-send RPA locator node: identify the real toolbar/menu path for file attach because `btnSendFile` was not exposed in the real offline UIA dump.
- [ ] Only after file locator proof, add file upload action and online file-send evidence package.
- [x] Create `docs/reports/2026-07-12-main-business-status-correction.md` separating “UI action ready” from “business delivery ready”.

View File

@@ -0,0 +1,323 @@
# B-Route Bridge Next Implementation Plan
> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
**Goal:** Push the primary B-route from a dry-run shell toward a verifiable sidecar/API bridge without enabling real send yet.
**Architecture:** Keep the Go MCP tool contracts stable. B-route remains the primary product route: reuse the logged-in `IMPlatformClient.exe` runtime through a narrow sidecar/API bridge if a safe bridge transport exists. A-route/RPA remains backup-only and should be used only for UI action smoke or when B-route is proven blocked.
**Tech Stack:** Go 1.23.4, github.com/modelcontextprotocol/go-sdk, Windows PowerShell, .NET Framework C# helper/sidecar, stdin/stdout JSON protocols, Windows UI Automation only as fallback.
## Global Constraints
- Repository root: `E:\coding\codex\isphere-ai-bridge`.
- Active branch for execution should be a new `codex/` branch, not `main` directly.
- Do not use `rg`; use `git ls-files`, `ag`, `grep -R`, or PowerShell commands.
- Local machine cannot log in to iSphere; local work must use static analysis, fake sidecar processes, synthetic fixtures, or offline real-window UI only.
- B-route is primary: running-client sidecar / in-process connector / existing API comes before A-route/RPA.
- A-route/RPA is backup-only: keep it runnable, but do not make it the default product architecture.
- No real send/file upload in this plan. Stop at bridge feasibility, self_check, runtime probe, and dry-run preview.
- Keep audit redaction: do not store raw message body, raw idempotency key, raw file contents, or raw local file paths in committed outputs.
---
## Offline reverse amendment
Because the next working day has no logged-in iSphere environment, execute `docs/superpowers/plans/2026-07-12-offline-broute-reverse-plan.md` before the online evidence/package tasks. This keeps B-route primary while using offline static reverse evidence to decide IPC/plugin/in-process/preview-only feasibility. A-route/RPA remains backup-only.
## Current evidence summary
The current `main` state already has:
- `isphere_send_message` MCP contract, preview/dry-run metadata, audit, idempotency, and connector abstraction.
- `internal/tools/send_message_broute_adapter.go` with B-route `disabled` and `dry_run_contract` modes only.
- `internal/tools/send_message_uia_adapter.go` wired from env only for `ISPHERE_SEND_CONNECTOR_MODE=uia_rpa`.
- C# WinHelper `probe_client_runtime`, `probe_send_entrypoints`, `probe_send_uia_controls`, and `uia_send_message`.
- Offline real `frmP2PChat` opener for RPA backup validation.
- No B-route env wiring, no process-backed B-route sidecar client, no in-process bridge transport decision, and no real send/file-upload connector.
Important technical conclusion: an external C# process cannot automatically reuse the logged-in static runtime of `IMPlatformClient.exe`. Before building send invocation, the next B-route node must decide the bridge transport: existing API/IPC, plugin/extension loading, in-process adapter, or fallback.
---
## Task 1: B-route bridge transport feasibility report
**Files:**
- Create: `docs/source-discovery/2026-07-12-b-route-bridge-feasibility.md`
- Modify: `docs/source-discovery/capability-source-matrix.md`
**Interfaces:**
- Consumes: existing docs `docs/source-discovery/2026-07-10-send-sidecar-b-first-plan.md`, `docs/source-discovery/2026-07-10-send-connector-preflight.md`, and current Go/C# connector files.
- Produces: a route decision table with exact choices: `existing_ipc`, `plugin_extension`, `in_process_adapter`, `external_dry_run_only`, or `fallback_rpa`.
- [ ] Re-read current B-route evidence.
Run:
```powershell
Get-Content -LiteralPath docs\source-discovery\2026-07-10-send-sidecar-b-first-plan.md
Get-Content -LiteralPath docs\source-discovery\2026-07-10-send-connector-preflight.md
Get-Content -LiteralPath internal\tools\send_message_broute_adapter.go
Get-Content -LiteralPath internal\tools\send_message_uia_adapter.go
```
Expected: confirm B-route entrypoint names exist, but no bridge transport is implemented.
- [ ] Write the feasibility report with this required conclusion block:
```markdown
## Decision
B-route remains primary. The immediate next implementation is not production send; it is bridge transport selection plus dry-run sidecar plumbing.
| Candidate | Can reuse logged-in runtime? | Local feasibility | Next action |
| --- | --- | --- | --- |
| existing_ipc/local_service | unknown | inspect live probe named pipes/services/network metadata | continue if concrete API appears |
| plugin_extension | unknown | inspect install/plugin loader evidence | continue if client loads local plugin DLL/exe |
| in_process_adapter | possible but highest risk | requires explicit bridge mechanism | defer until IPC/plugin ruled out |
| external_dry_run_only | cannot reuse logged-in static runtime | useful for protocol/client tests only | implement as non-mutating sidecar boundary |
| fallback_rpa | can drive UI only | already backup-ready | keep as backup, not primary |
```
- [ ] Update `capability-source-matrix.md` so the next slice says: “B-route bridge transport feasibility and dry-run sidecar boundary”, not “RPA send”.
- [ ] Verify docs.
Run:
```powershell
git diff --check
```
Expected: exit 0.
## Task 2: Add B-route connector env selection without starting real send
**Files:**
- Modify: `internal/tools/send_message_uia_adapter.go` or split env loading into `internal/tools/send_message_connector_env.go`
- Modify: `internal/tools/send_message_uia_adapter_test.go` or create `internal/tools/send_message_connector_env_test.go`
- Modify: `docs/go-mcp-runbook.md`
**Interfaces:**
- Consumes: `NewBRouteSendMessageConnector(BRouteSendAdapterConfig)`.
- Produces: `NewSendMessageConnectorFromEnv()` supports:
- `ISPHERE_SEND_CONNECTOR_MODE=broute_dry_run`
- `ISPHERE_SEND_CONNECTOR_MODE=broute_sidecar`
- `ISPHERE_SEND_BROUTE_MODE=disabled|dry_run_contract|sidecar_preview`
- `ISPHERE_SEND_BROUTE_SIDECAR_EXE=<path>`
- `ISPHERE_SEND_BROUTE_TIMEOUT_SECONDS=<positive int>`
- [ ] Write failing env-loader tests.
Test cases:
```text
mode empty -> nil connector
mode uia_rpa -> existing UIA connector
mode broute_dry_run -> B-route connector mode dry_run_contract
mode broute_sidecar without sidecar exe -> connector returns blocked sidecar config error, not panic
```
Run:
```powershell
go test ./internal/tools -run "TestNewSendMessageConnectorFromEnv" -count=1
```
Expected before implementation: fail for B-route modes.
- [ ] Implement env parsing with no real send.
Required behavior:
```text
broute_dry_run -> NewBRouteSendMessageConnector(BRouteSendAdapterConfig{Mode:"dry_run_contract"})
broute_sidecar -> NewBRouteSendMessageConnector(BRouteSendAdapterConfig{Mode:"sidecar_preview", SidecarPath: env path, TimeoutSeconds: parsed timeout})
```
- [ ] Run focused tests.
```powershell
go test ./internal/tools -run "TestNewSendMessageConnectorFromEnv|TestBRoute" -count=1
```
Expected: pass.
## Task 3: Process-backed B-route sidecar client boundary
**Files:**
- Create: `internal/broute/send_sidecar_client.go`
- Create: `internal/broute/send_sidecar_client_test.go`
- Modify: `internal/tools/send_message_broute_adapter.go`
- Modify: `internal/tools/send_message_broute_adapter_test.go`
**Interfaces:**
- Produces protocol: `isphere.broute.send.v1`.
- Produces sidecar ops:
- `self_check`
- `probe_runtime`
- `preview_send_message`
- No op named `send_message` in this task.
- [ ] Write fake-process tests for `internal/broute`.
The fake sidecar must accept stdin JSON and return:
```json
{"protocol":"isphere.broute.send.v1","request_id":"...","op":"preview_send_message","ok":true,"data":{"connector_mode":"broute-sidecar-preview","would_send":false,"entrypoint":"AppContextManager.SendTxtMessageByJid","target_ref":"direct:demo","content_sha256":"..."}}
```
- [ ] Implement the client with timeout, stderr capture, protocol/op/request_id validation, and structured sidecar errors.
Use `internal/msglib/sidecar_client.go` as the pattern, but keep the package separate as `internal/broute`.
- [ ] Update `send_message_broute_adapter.go` so `Mode="sidecar_preview"` calls `preview_send_message` and returns:
```text
Accepted=false
Status=blocked
ErrorCode=broute_sidecar_preview_only
ConnectorMode=broute-sidecar-preview
ProductionEnabled=false
SideEffects all false
```
- [ ] Verify no accidental production send path exists.
Run:
```powershell
go test ./internal/broute ./internal/tools -run "BRoute|Sidecar" -count=1
```
Expected: pass; no test should require iSphere login.
## Task 4: Native B-route sidecar skeleton, preview-only
**Files:**
- Create: `native/ISphereSendSidecar/Program.cs`
- Create: `native/ISphereSendSidecar/SidecarProtocol.cs`
- Create: `scripts/build-send-sidecar.ps1`
- Create: `scripts/verify-send-sidecar.ps1`
- Create: `docs/broute-send-sidecar-contract.md`
**Interfaces:**
- Native executable accepts stdin JSON and writes stdout JSON.
- Protocol: `isphere.broute.send.v1`.
- Ops implemented:
- `self_check`
- `probe_runtime`
- `preview_send_message`
- Explicitly not implemented:
- `send_message`
- `send_file`
- `upload_file`
- hooks/injection/network replay.
- [ ] Implement `self_check` returning sidecar name, version, process bitness, and `mutates_client=false`.
- [ ] Implement `probe_runtime` by reusing safe process/module discovery logic from WinHelper where possible.
- [ ] Implement `preview_send_message` as contract validation only; it must echo hashes/target refs and `would_send=false`.
- [ ] Build and verify.
Run:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\build-send-sidecar.ps1
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\verify-send-sidecar.ps1
go test ./...
```
Expected: all pass; sidecar verification prints only booleans/counts and no message body.
## Task 5: Online B-route evidence package v3
**Files:**
- Create: `scripts/package-broute-bridge-probe.ps1`
- Create: `scripts/verify-broute-bridge-probe-package.ps1`
- Create: `scripts/validate-returned-broute-bridge-probe.ps1`
- Create: `docs/source-discovery/2026-07-12-broute-bridge-probe-package.md`
**Interfaces:**
- Package includes:
- live probe recorder;
- send sidecar preview executable;
- `RUN-BROUTE-BRIDGE-PROBE.bat`;
- `BROUTE-BRIDGE-INPUTS.template.json`;
- return zip helper.
- [ ] Package only non-mutating probes.
- [ ] Require operator to be logged in before running.
- [ ] Validate returned package for:
- running client present;
- module availability;
- sidecar self_check passed;
- sidecar preview returned `would_send=false`;
- no real send attempted.
Run:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\package-broute-bridge-probe.ps1
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\verify-broute-bridge-probe-package.ps1
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\validate-returned-broute-bridge-probe.ps1 -UseFixture
```
Expected: package builds and fixture validation passes.
## Task 6: Business smoke split for send readiness
**Files:**
- Modify: `scripts/verify-business-goals-smoke.ps1`
- Modify: `docs/reports/2026-07-12-main-business-status-correction.md`
- Create or modify: `docs/reports/2026-07-12-broute-next-smoke.md`
**Interfaces:**
- Produces separate booleans:
- `send_message_preview_ready`
- `send_message_broute_bridge_preview_ready`
- `send_message_ui_action_ready`
- `send_message_business_delivery_ready`
- `send_file_preview_ready`
- `send_file_business_delivery_ready`
- [ ] Update smoke script to avoid one ambiguous `send_message_production_ready` field.
- [ ] Ensure current expected state is:
```json
{
"send_message_preview_ready": true,
"send_message_broute_bridge_preview_ready": true,
"send_message_ui_action_ready": true,
"send_message_business_delivery_ready": false,
"send_file_preview_ready": true,
"send_file_business_delivery_ready": false
}
```
- [ ] Verify.
Run:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\verify-business-goals-smoke.ps1
git diff --check
go test ./...
```
Expected: pass.
---
## Stop conditions
Stop and ask the business owner if any of these occur:
1. B-route bridge transport requires invasive in-process loading and no plugin/IPC path exists.
2. Online probe shows the logged-in client does not expose the expected modules/entrypoints.
3. B-route preview cannot distinguish direct contact vs group target.
4. Any step would perform real send/upload before explicit online evidence gates are ready.
5. A-route becomes the only viable path; this requires an explicit business decision because RPA is backup-only.
## Recommended next action
Start with Task 1 and Task 2 only. That creates a clear B-route bridge feasibility decision and lets the MCP server select a B-route dry-run connector from env without touching real send.

View File

@@ -0,0 +1,212 @@
# Offline B-Route Reverse Implementation Plan
> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
**Goal:** Use offline reverse engineering to advance the primary B-route when no logged-in iSphere environment is available.
**Architecture:** Treat the available iSphere/IMPlatformClient binaries as read-only samples. Recover the send-message, send-file, plugin/IPC, and bridge-transport evidence needed to decide whether B-route can be implemented without relying on RPA. Keep A-route/RPA as backup-only and do not execute real send or upload in this plan.
**Tech Stack:** Windows PowerShell, .NET Framework IL tools, existing extracted IL files, Go 1.23.4 for repeatable analyzers, Markdown evidence reports.
## Global Constraints
- Repository root: `E:\coding\codex\isphere-ai-bridge`.
- Active branch for execution should be a new `codex/` branch, not `main` directly.
- Do not use `rg`; use `git ls-files`, `ag`, `grep -R`, or PowerShell commands.
- Tomorrow has no logged-in iSphere environment; do not wait for online evidence.
- Preserve original binaries read-only. Any extraction output must go under ignored `runs/` or committed sanitized docs/scripts only.
- B-route remains primary. A-route/RPA remains backup-only.
- No real message send, no file upload, no network replay, no process injection, and no client mutation in this plan.
- Outputs must separate verified facts from reverse-engineering hypotheses.
---
## Available offline samples
Use these local samples first:
| Sample | Purpose | SHA256 |
| --- | --- | --- |
| `runs/offline-real-client-window/full/zyl/Impp/IMPlatformClient.exe` | main managed client; text send, chat window, plugin/IPC candidates | `E2966E58360DAEEBF178410A961E2DC52748C63E9CCBD94BD6EC8434A1A09CB7` |
| `runs/offline-real-client-window/full/zyl/Impp/IMPP.Service.dll` | file upload service candidates | `F859DE2F34E024B5F372D95F22CBF8A018C780F24203E7A76D392E52BD90CADD` |
| `runs/offline-real-client-window/full/zyl/Impp/IMPP.Interface.dll` | service/interface contract candidates | `DD093CF61FAE85C2D2581F289B01AA477546712E098FEF81272FDD989E50D12D` |
| `runs/offline-real-client-window/full/zyl/Impp/IMPP.Model.dll` | model/parameter types | `7CBABDD23A7234D15E294C549EEEC78EFBAD6E957CD45A6E8A85309349A624A5` |
| `runs/offline-real-client-window/full/zyl/Impp/IMPP.UI.dll` | UI/plugin helpers and possible send controls | `4C61212519C01D1B731ED4F20DF3411C491616F4ADA98A4529722A6AA3689E6D` |
| `runs/offline-real-client-window/full/zyl/Impp/IMPP.Common.dll` | shared utility and message types | `02A47C99C27C9BFE2BADC438389300C92220B07609BD87C48B4B5E1B4EE6AEB4` |
| `runs/offline-real-client-window/full/zyl/Impp/IMPP.Helper.dll` | helper abstractions | `30932D082B6678699C832C63F923E01EAD84674FAEDB613D631E034E03742FB9` |
| `runs/offline-real-client-window/full/zyl/Impp/smack.dll` | XMPP chat/send layer | `BAD0BB0591765DB153B17CECC1112B0BBDBF3B1D3370DDF973F91974E92CEC66` |
| `runs/offline-real-client-window/full/zyl/Impp/TcpFileTransfer.dll` | native/transfer candidate | `6C4874B46D1E7DC04C9B6784180603452400B881E04509D464A0D58814EFEDA7` |
| `runs/offline-real-client-window/full/zyl/Impp/HttpServerLib.dll` | local API/IPC candidate | `FFDB633216AE332B8EDFFC83E2AE546B7A80144C659FF4053FDFE4FE382A8D12` |
| `runs/offline-real-client-window/full/zyl/Impp/INetwork.dll` | network abstraction candidate | `E40BE4EE2439E4280461F4D2BADB318A5F4572428F069AB6D17B4C4F0E8CFAC9` |
| `runs/offline-real-client-window/full/zyl/Impp/IOClientNetwork.dll` | network implementation candidate | `64CA231A614771325741A5F098E52EBF20F7190E339B64962DE2EDEDCFFFF904` |
Existing IL evidence to reuse:
- `runs/offline-evidence-intake/zyl-qqfile-20260709/metadata/c28-il/IMPlatformClient.exe.il`
- `runs/offline-chat-window/frmP2PChat-ctor.il.txt`
- `runs/offline-chat-window/frmP2PChat-ctor-null-risk.md`
---
## Task 1: Offline reverse case index
**Files:**
- Create: `docs/source-discovery/2026-07-12-offline-broute-reverse-index.md`
- Create: `scripts/build-offline-broute-reverse-index.ps1`
**Interfaces:**
- Produces: a sanitized Markdown/JSON index of sample paths, SHA256, size, timestamp, and role.
- Consumes: the sample paths listed above.
- [ ] Write `scripts/build-offline-broute-reverse-index.ps1` to hash the sample list and emit `runs/offline-broute-reverse/index.json` plus `docs/source-discovery/2026-07-12-offline-broute-reverse-index.md`.
The script must not copy or modify binaries. It should only read metadata and hashes.
- [ ] Run:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\build-offline-broute-reverse-index.ps1
```
Expected: JSON and Markdown index generated; no binary copied.
## Task 2: Text-send static call graph
**Files:**
- Create: `scripts/extract-broute-text-send-map.ps1`
- Create: `docs/source-discovery/2026-07-12-broute-text-send-static-map.md`
**Interfaces:**
- Consumes: `IMPlatformClient.exe.il`, `smack.dll`, and related managed assemblies.
- Produces: function map for:
- `AppContextManager.SendTxtMessageByJid`
- `MessageScheduling.SendChatMessage`
- `Chat.SendMessage`
- `XMPPConnection.send`
- `MessageCenter` send-related callbacks
- [ ] Extract method headers, signatures, call sites, and surrounding IL windows.
- [ ] Mark each function as one of: `confirmed_signature`, `confirmed_callsite`, `string_only`, or `not_found`.
- [ ] Write the report with a conclusion section:
```markdown
## Decision
B-route text send remains plausible only if a bridge can enter the logged-in runtime or an existing IPC/API exposes the same call. Offline IL confirms call shape, but not runtime invocability.
```
- [ ] Verify:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\extract-broute-text-send-map.ps1
git diff --check
```
Expected: exit 0 and report contains all target function names.
## Task 3: File-send/static upload call graph
**Files:**
- Create: `scripts/extract-broute-file-send-map.ps1`
- Create: `docs/source-discovery/2026-07-12-broute-file-send-static-map.md`
**Interfaces:**
- Consumes: `IMPlatformClient.exe`, `IMPP.Service.dll`, `IMPP.Interface.dll`, `IMPP.Model.dll`, `TcpFileTransfer.dll`.
- Produces: function/type map for:
- `IMPP.Client.OffLineFileSend.sendFile`
- `IMPP.Client.OffLineFileSend.trans_UploadCompleted`
- `IMPP.Service.BLL.FileTransfer.FileUpload`
- `IMPP.Service.BLL.FileTransfer.AsynFileUpload`
- `FileUploadPara`
- chat/file message send method names such as `sendFileMessage`
- [ ] Extract signatures and parameter types.
- [ ] Identify whether file send is direct upload first or chat-message first.
- [ ] Identify what local file path, server file id, file hash, and target JID values are required.
- [ ] Verify:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\extract-broute-file-send-map.ps1
git diff --check
```
Expected: report separates upload step from chat message step.
## Task 4: Bridge/IPC/plugin reverse map
**Files:**
- Create: `scripts/extract-broute-bridge-map.ps1`
- Create: `docs/source-discovery/2026-07-12-broute-bridge-static-map.md`
**Interfaces:**
- Consumes: `IMPlatformClient.exe`, `HttpServerLib.dll`, `IMPlatformClient.Web.exe`, `INetwork.dll`, `IOClientNetwork.dll`, config files, and existing live-probe `services_registry_shortcuts.json` / `network_inventory.json`.
- Produces: static evidence table for:
- localhost HTTP server routes or ports;
- named pipe strings;
- plugin loader classes or directories;
- command-line switches;
- COM/service candidates;
- update/patch extension points.
- [ ] Search strings and IL for `HttpListener`, `TcpListener`, `NamedPipe`, `Pipe`, `Plugin`, `LoadFrom`, `Assembly.Load`, `localhost`, `127.0.0.1`, `http://`, `net.pipe`, `Register`, `Route`, and `Command`.
- [ ] Report exact methods/classes where bridge candidates appear.
- [ ] Classify each candidate:
- `usable_without_login`
- `requires_logged_in_process`
- `static_only_unknown`
- `not_a_bridge`
- [ ] Verify:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\extract-broute-bridge-map.ps1
git diff --check
```
Expected: report gives a yes/no recommendation for whether B-route should pursue IPC/plugin before in-process adapter.
## Task 5: Offline bridge decision update
**Files:**
- Modify: `docs/superpowers/plans/2026-07-12-b-route-bridge-next-plan.md`
- Modify: `docs/source-discovery/capability-source-matrix.md`
- Create: `docs/source-discovery/2026-07-12-offline-broute-reverse-decision.md`
**Interfaces:**
- Consumes: reports from Tasks 1-4.
- Produces: next implementation decision:
- `existing_ipc_first`
- `plugin_extension_first`
- `in_process_adapter_research`
- `external_sidecar_preview_only`
- `fallback_rpa_only`
- [ ] Write decision using only offline evidence.
- [ ] If no bridge is found, state clearly that external sidecar can only do preview/probe unless an in-process bridge is added.
- [ ] Keep RPA marked backup-only.
## Task 6: Optional offline prototype only after decision
**Files:**
- To be added only after Task 5 decision.
**Rules:**
- If decision is `existing_ipc_first`, prototype a non-mutating client call to the local API only.
- If decision is `plugin_extension_first`, prototype plugin discovery only, not send.
- If decision is `in_process_adapter_research`, create a new explicit plan before coding.
- If decision is `external_sidecar_preview_only`, continue with the already planned preview-only B-route sidecar boundary.
- If decision is `fallback_rpa_only`, ask the user before promoting RPA beyond backup.
---
## Stop conditions
Stop and report if:
1. Static evidence shows all B-route send functions require live-only objects with no reachable bridge.
2. Bridge/plugin evidence implies invasive in-process loading and no safer IPC/API path exists.
3. File send requires server-issued upload tokens that cannot be derived offline.
4. Any next step would send a real message, upload a real file, mutate the client, attach a hook, or replay network traffic.
## Recommended immediate execution
Run Task 1 through Task 4 while offline. Do not wait for tomorrow's login evidence. After those reports exist, decide whether B-route can continue through IPC/plugin/static sidecar preview or whether RPA remains the only near-term operational path.