@absolutejs/absolute 0.19.0-beta.615 → 0.19.0-beta.616

package/dist/ai/index.js

@@ -187,7 +187,7 @@ var parseAIMessage = (raw) => {
     return null;
   }
 };
-var serializeAIMessage = (msg) => JSON.stringify(msg);
+var serializeAIMessage = (message) => JSON.stringify(message);
 
 // src/ai/rag/grounding.ts
 var getContextString = (value) => typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
@@ -1275,7 +1275,10 @@ var evaluateRAGCollectionCases = async ({
     const expectedIds = normalizeExpectedIds(mode === "chunkId" ? caseInput.expectedChunkIds ?? [] : mode === "source" ? caseInput.expectedSources ?? [] : caseInput.expectedDocumentIds ?? []);
     const topK = typeof caseInput.topK === "number" ? caseInput.topK : typeof input.topK === "number" ? input.topK : defaultTopK;
     const searchInput = {
-      filter: typeof caseInput.filter === "object" ? caseInput.filter : input.filter,
+      filter: caseInput.corpusKey ? {
+        ...(typeof caseInput.filter === "object" ? caseInput.filter : input.filter) ?? {},
+        corpusKey: caseInput.corpusKey
+      } : typeof caseInput.filter === "object" ? caseInput.filter : input.filter,
       model: caseInput.model ?? input.model,
       query,
       rerank,
@@ -1677,6 +1680,7 @@ var buildEvaluationCaseTraceSnapshot = ({
   return {
     candidateTopK: currentTrace?.candidateTopK ?? 0,
     caseId: caseResult.caseId,
+    corpusKey: caseResult.corpusKey,
     inputFilter: filter,
     finalCount: currentTrace?.resultCounts.final ?? 0,
     label: caseResult.label,
@@ -3229,11 +3233,15 @@ var persistRAGRetrievalReleaseLaneEscalationPolicyHistory = async ({
 };
 var buildRAGEvaluationResponse = (cases) => {
   const totalCases = cases.length;
+  const corpusKeys = [
+    ...new Set(cases.flatMap((entry) => entry.corpusKey ?? []))
+  ];
   const passedCases = cases.filter((entry) => entry.status === "pass").length;
   const partialCases = cases.filter((entry) => entry.status === "partial").length;
   const failedCases = cases.filter((entry) => entry.status === "fail").length;
   return {
     cases,
+    ...corpusKeys.length > 0 ? { corpusKeys } : {},
     elapsedMs: cases.reduce((sum, result) => sum + result.elapsedMs, 0),
     ok: true,
     passingRate: totalCases > 0 ? passedCases / totalCases * 100 : 0,
@@ -3459,6 +3467,9 @@ var compareRAGRetrievalStrategies = async ({
     traceSummary: entry.traceSummary
   })));
   return {
+    corpusKeys: [
+      ...new Set(entries.flatMap((entry) => entry.response.corpusKeys ?? []))
+    ],
     entries,
     leaderboard,
     summary: summarizeRAGRetrievalComparison(entries),
@@ -3491,6 +3502,7 @@ var compareRAGRetrievalTraceSummaries = (current, previous) => ({
 });
 var buildSearchTraceResultSnapshots = (results) => results.map((result) => ({
   chunkId: result.chunkId,
+  corpusKey: result.corpusKey ?? (typeof result.metadata?.corpusKey === "string" ? result.metadata.corpusKey : undefined),
   documentId: typeof result.metadata?.documentId === "string" ? result.metadata.documentId : undefined,
   score: result.score,
   source: result.source,
@@ -3690,6 +3702,7 @@ var summarizeRAGEvaluationCase = ({
   const status = expectedCount === 0 ? "partial" : matchedCount === expectedCount ? "pass" : matchedCount > 0 ? "partial" : "fail";
   return {
     caseId: caseInput.id ?? `case-${caseIndex + 1}`,
+    corpusKey: caseInput.corpusKey,
     elapsedMs,
     expectedCount,
     expectedIds,
@@ -4289,10 +4302,14 @@ var buildProvenanceLabel2 = (metadata) => {
   const transcriptSource = getContextString2(metadata.transcriptSource);
   const pdfTextMode = getContextString2(metadata.pdfTextMode);
   const ocrEngine = getContextString2(metadata.ocrEngine);
+  const extractorRegistryMatch = getContextString2(metadata.extractorRegistryMatch);
+  const chunkingProfile = getContextString2(metadata.chunkingProfile);
   const ocrConfidence = getContextNumber2(metadata.ocrRegionConfidence) ?? getContextNumber2(metadata.ocrConfidence);
   const labels = [
     pdfTextMode ? `PDF ${pdfTextMode}` : "",
     ocrEngine ? `OCR ${ocrEngine}` : "",
+    extractorRegistryMatch ? `Extractor ${extractorRegistryMatch}` : "",
+    chunkingProfile ? `Chunking ${chunkingProfile}` : "",
     typeof ocrConfidence === "number" ? `Confidence ${ocrConfidence.toFixed(2)}` : "",
     mediaKind ? `Media ${mediaKind}` : "",
     transcriptSource ? `Transcript ${transcriptSource}` : "",
@@ -6741,12 +6758,12 @@ var checkBackpressure = async (socket) => {
     await delay(BACKPRESSURE_DELAY);
   }
 };
-var sendMessage = async (socket, msg) => {
+var sendMessage = async (socket, message) => {
   if (socket.readyState !== WS_OPEN) {
     return false;
   }
   await checkBackpressure(socket);
-  socket.send(serializeAIMessage(msg));
+  socket.send(serializeAIMessage(message));
   return true;
 };
 var buildToolDefinitions = (tools) => Object.entries(tools).map(([name, def]) => ({
@@ -9689,6 +9706,7 @@ var createEmailExtractor = () => ({
         chunking: input.chunking,
         contentType: attachment.contentType,
         data: attachment.data,
+        extractorRegistry: input.extractorRegistry,
         format: inferFormatFromContentType(attachment.contentType ?? null) ?? inferFormatFromName(attachment.fileName),
         metadata: {
           ...messageMetadata,
@@ -9844,6 +9862,8 @@ ${slide.text}`),
 });
 var createRAGArchiveExpander = (expander) => expander;
 var createRAGFileExtractor = (extractor) => extractor;
+var createRAGFileExtractorRegistry = (registry) => registry;
+var createRAGChunkingRegistry = (registry) => registry;
 var createRAGImageOCRExtractor = (provider) => ({
   name: `absolute_image_ocr:${provider.name}`,
   supports: imageExtractorSupports,
@@ -9934,11 +9954,12 @@ var createTextFileExtractor = () => ({
     title: input.title
   })
 });
-var expandArchiveEntry = async (entry, archiveInput, extractors) => {
+var expandArchiveEntry = async (entry, archiveInput, extractors, registry) => {
   const documents = await extractRAGFileDocuments({
     chunking: archiveInput.chunking,
     contentType: entry.contentType,
     data: entry.data,
+    extractorRegistry: archiveInput.extractorRegistry,
     format: entry.format,
     metadata: {
       ...archiveInput.metadata ?? {},
@@ -9952,7 +9973,7 @@ var expandArchiveEntry = async (entry, archiveInput, extractors) => {
     name: basename(entry.path),
     source: archiveInput.source && !archiveInput.source.startsWith("http") ? `${archiveInput.source}#${entry.path}` : entry.path,
     title: basename(entry.path)
-  }, extractors);
+  }, extractors, registry);
   return documents;
 };
 var createPDFFileExtractor = () => ({
@@ -10053,8 +10074,83 @@ var DEFAULT_FILE_EXTRACTORS = [
   createPDFFileExtractor(),
   createTextFileExtractor()
 ];
-var resolveFileExtractors = (extractors) => extractors && extractors.length > 0 ? [...extractors, ...DEFAULT_FILE_EXTRACTORS] : DEFAULT_FILE_EXTRACTORS;
-var applyExtractorDefaults = (document, input, extractorName) => ({
+var resolveExtractorRegistry = (registry) => {
+  if (!registry) {
+    return {
+      defaultOrder: "registry_first",
+      includeDefaults: true,
+      registrations: []
+    };
+  }
+  if (Array.isArray(registry)) {
+    return {
+      defaultOrder: "registry_first",
+      includeDefaults: true,
+      registrations: registry
+    };
+  }
+  return {
+    defaultOrder: registry.defaultOrder ?? "registry_first",
+    includeDefaults: registry.includeDefaults ?? true,
+    registrations: registry.registrations
+  };
+};
+var createExtractorRegistryInput = (input) => ({
+  ...input,
+  inferredContentType: input.contentType ?? null,
+  inferredExtension: inferExtensionFromInput(input) || null,
+  inferredFormat: input.format ?? inferFormatFromContentType(input.contentType ?? null) ?? inferFormatFromName(input.path ?? input.source ?? input.name ?? input.title)
+});
+var registrationMatches = async (registration, input) => {
+  const normalizedContentType = input.inferredContentType?.toLowerCase();
+  const normalizedExtension = input.inferredExtension?.toLowerCase();
+  const normalizedName = (input.path ?? input.source ?? input.name ?? input.title ?? "").toLowerCase();
+  if (registration.contentTypes?.length && !registration.contentTypes.some((entry) => normalizedContentType === entry.toLowerCase())) {
+    return false;
+  }
+  if (registration.extensions?.length && !registration.extensions.some((entry) => normalizedExtension === entry.toLowerCase())) {
+    return false;
+  }
+  if (registration.formats?.length && (!input.inferredFormat || !registration.formats.includes(input.inferredFormat))) {
+    return false;
+  }
+  if (registration.names?.length && !registration.names.some((entry) => normalizedName.includes(entry.toLowerCase()))) {
+    return false;
+  }
+  if (registration.match) {
+    return registration.match(input);
+  }
+  return true;
+};
+var dedupeResolvedExtractors = (extractors) => {
+  const seen = new Set;
+  const ordered = [];
+  for (const entry of extractors) {
+    if (seen.has(entry.extractor.name)) {
+      continue;
+    }
+    seen.add(entry.extractor.name);
+    ordered.push(entry);
+  }
+  return ordered;
+};
+var resolveFileExtractors = async (input, extractors, registry) => {
+  const explicit = extractors ?? [];
+  const resolvedRegistry = resolveExtractorRegistry(registry);
+  const registryInput = createExtractorRegistryInput(input);
+  const matchedRegistrations = (await Promise.all(resolvedRegistry.registrations.map(async (registration) => ({
+    matches: await registrationMatches(registration, registryInput),
+    priority: registration.priority ?? 0,
+    registration
+  })))).filter((entry) => entry.matches).sort((left, right) => right.priority - left.priority).map((entry) => ({
+    extractor: entry.registration.extractor,
+    registryMatchName: entry.registration.name ?? entry.registration.extractor.name
+  }));
+  const defaults = resolvedRegistry.includeDefaults ? DEFAULT_FILE_EXTRACTORS.map((extractor) => ({ extractor })) : [];
+  const explicitResolved = explicit.map((extractor) => ({ extractor }));
+  return dedupeResolvedExtractors(resolvedRegistry.defaultOrder === "defaults_first" ? [...explicitResolved, ...defaults, ...matchedRegistrations] : [...explicitResolved, ...matchedRegistrations, ...defaults]);
+};
+var applyExtractorDefaults = (document, input, extractorName, registryMatchName) => ({
   chunking: document.chunking ?? input.chunking,
   format: document.format ?? input.format ?? inferFormatFromContentType(document.contentType ?? input.contentType ?? null) ?? inferFormatFromName(document.source ?? input.source ?? input.path ?? input.name),
   id: document.id,
@@ -10062,20 +10158,22 @@ var applyExtractorDefaults = (document, input, extractorName) => ({
     ...input.metadata ?? {},
     ...document.metadata ?? {},
     contentType: document.contentType ?? input.contentType,
-    extractor: document.extractor ?? extractorName
+    extractor: document.extractor ?? extractorName,
+    ...registryMatchName ? { extractorRegistryMatch: registryMatchName } : {}
   },
   source: document.source ?? input.source ?? input.path ?? input.name,
   text: document.text,
   title: document.title ?? input.title
 });
-var extractRAGFileDocuments = async (input, extractors) => {
-  for (const extractor of resolveFileExtractors(extractors)) {
+var extractRAGFileDocuments = async (input, extractors, registry) => {
+  for (const resolvedExtractor of await resolveFileExtractors(input, extractors, registry)) {
+    const { extractor, registryMatchName } = resolvedExtractor;
     if (!await extractor.supports(input)) {
       continue;
     }
     const extracted = await extractor.extract(input);
     const documents = Array.isArray(extracted) ? extracted : [extracted];
-    return documents.map((document) => applyExtractorDefaults(document, input, extractor.name));
+    return documents.map((document) => applyExtractorDefaults(document, input, extractor.name, registryMatchName));
   }
   throw new Error(`No RAG file extractor matched ${inferNameFromInput(input)}. Register a custom extractor for this file type.`);
 };
@@ -10086,7 +10184,7 @@ var getFirstExtractedDocument = (documents, label) => {
   }
   return document;
 };
-var loadExtractedDocuments = async (input, extractors) => extractRAGFileDocuments(input, extractors);
+var loadExtractedDocuments = async (input, extractors, registry) => extractRAGFileDocuments(input, extractors, registry);
 var sentenceUnits = (text) => {
   const matches = text.match(/[^.!?\n]+(?:[.!?]+|$)/g);
   if (!matches) {
@@ -10283,11 +10381,92 @@ var resolveChunkingUnits = (text, options) => {
   }
   return paragraphUnits(text);
 };
-var resolveChunkingOptions = (document, defaults) => {
-  const maxChunkLength = document.chunking?.maxChunkLength ?? defaults?.maxChunkLength ?? DEFAULT_MAX_CHUNK_LENGTH;
-  const chunkOverlap = document.chunking?.chunkOverlap ?? defaults?.chunkOverlap ?? DEFAULT_CHUNK_OVERLAP;
-  const minChunkLength = document.chunking?.minChunkLength ?? defaults?.minChunkLength ?? DEFAULT_MIN_CHUNK_LENGTH;
-  const strategy = document.chunking?.strategy ?? defaults?.strategy ?? DEFAULT_STRATEGY;
+var resolveChunkingProfiles = (registry) => {
+  if (!registry) {
+    return [];
+  }
+  const profiles = Array.isArray(registry) ? registry : registry.profiles;
+  return profiles.map((profile, index) => normalizeChunkingProfile(profile, index)).sort((left, right) => right.priority - left.priority).map(({ profile }) => profile);
+};
+var normalizeChunkingProfile = (profile, index) => {
+  if ("resolve" in profile) {
+    return {
+      priority: 0,
+      profile
+    };
+  }
+  const options = normalizeChunkingProfileOptions(profile.profile);
+  const sourceSet = profile.sources?.filter((value) => typeof value === "string") ?? [];
+  const documentIdSet = profile.documentIds?.filter((value) => typeof value === "string") ?? [];
+  const formatSet = profile.formats?.filter((value) => typeof value === "string") ?? [];
+  const sourceNativeKindSet = profile.sourceNativeKinds?.filter((value) => typeof value === "string") ?? [];
+  return {
+    priority: profile.priority ?? 0,
+    profile: {
+      name: profile.name ?? `chunking_profile_${String(index + 1).padStart(2, "0")}`,
+      resolve: (input) => {
+        const documentId = input.document.id?.trim() || (typeof input.metadata.documentId === "string" ? input.metadata.documentId : undefined);
+        const source = input.document.source?.trim();
+        if (formatSet.length > 0 && !formatSet.includes(input.format)) {
+          return;
+        }
+        if (sourceNativeKindSet.length > 0 && (!input.sourceNativeKind || !sourceNativeKindSet.includes(input.sourceNativeKind))) {
+          return;
+        }
+        if (sourceSet.length > 0 && (!source || !sourceSet.includes(source))) {
+          return;
+        }
+        if (documentIdSet.length > 0 && (!documentId || !documentIdSet.includes(documentId))) {
+          return;
+        }
+        return options;
+      }
+    }
+  };
+};
+var normalizeChunkingProfileOptions = (profile) => isChunkingProfileOptionsWrapper(profile) ? profile.options ?? {} : profile;
+var isChunkingProfileOptionsWrapper = (profile) => Object.prototype.hasOwnProperty.call(profile, "options");
+var resolveChunkingProfileOverrides = ({
+  defaults,
+  document,
+  format,
+  normalizedText,
+  registry
+}) => {
+  const metadata = document.metadata ?? {};
+  const sourceNativeKind = typeof metadata.sourceNativeKind === "string" ? metadata.sourceNativeKind : undefined;
+  for (const profile of resolveChunkingProfiles(registry)) {
+    const options = profile.resolve({
+      defaults,
+      document,
+      format,
+      metadata,
+      normalizedText,
+      sourceNativeKind
+    });
+    if (options) {
+      return {
+        name: profile.name,
+        options
+      };
+    }
+  }
+  return;
+};
+var resolveChunkingOptions = (document, defaults, registry, format, normalizedText) => {
+  const resolvedFormat = format ?? inferFormat(document);
+  const resolvedNormalizedText = normalizedText ?? normalizeDocumentText(document.text, resolvedFormat);
+  const profileOverrides = resolveChunkingProfileOverrides({
+    defaults,
+    document,
+    format: resolvedFormat,
+    normalizedText: resolvedNormalizedText,
+    registry
+  });
+  const maxChunkLength = document.chunking?.maxChunkLength ?? profileOverrides?.options.maxChunkLength ?? defaults?.maxChunkLength ?? DEFAULT_MAX_CHUNK_LENGTH;
+  const chunkOverlap = document.chunking?.chunkOverlap ?? profileOverrides?.options.chunkOverlap ?? defaults?.chunkOverlap ?? DEFAULT_CHUNK_OVERLAP;
+  const minChunkLength = document.chunking?.minChunkLength ?? profileOverrides?.options.minChunkLength ?? defaults?.minChunkLength ?? DEFAULT_MIN_CHUNK_LENGTH;
+  const strategy = document.chunking?.strategy ?? profileOverrides?.options.strategy ?? defaults?.strategy ?? DEFAULT_STRATEGY;
   return {
     chunkOverlap: Math.max(0, Math.min(chunkOverlap, maxChunkLength - 1)),
     maxChunkLength: Math.max(RAG_MIN_CHUNK_LENGTH_FLOOR, maxChunkLength),
@@ -10305,10 +10484,17 @@ var createChunkEntries = (document, format, text, options) => {
   const units = resolveChunkingUnits(text, options);
   return chunkFromUnits(units, options.maxChunkLength, options.chunkOverlap, options.minChunkLength).map((entry) => ({ text: entry }));
 };
-var prepareRAGDocument = (document, defaultChunking) => {
+var prepareRAGDocument = (document, defaultChunking, chunkingRegistry) => {
   const format = inferFormat(document);
   const normalizedText = normalizeDocumentText(document.text, format);
-  const chunking = resolveChunkingOptions(document, defaultChunking);
+  const chunkingProfileOverrides = resolveChunkingProfileOverrides({
+    defaults: defaultChunking,
+    document,
+    format,
+    normalizedText,
+    registry: chunkingRegistry
+  });
+  const chunking = resolveChunkingOptions(document, defaultChunking, chunkingRegistry, format, normalizedText);
   const documentId = document.id?.trim() || slugify(document.source || document.title || normalizedText.slice(0, RAG_DOCUMENT_ID_PREVIEW_LENGTH));
   const title = document.title?.trim() || documentId;
   let sourceExtension = "txt";
@@ -10318,9 +10504,12 @@ var prepareRAGDocument = (document, defaultChunking) => {
     sourceExtension = "html";
   }
   const source = document.source?.trim() || `${documentId}.${sourceExtension}`;
+  const corpusKey = document.corpusKey?.trim() || (typeof document.metadata?.corpusKey === "string" ? document.metadata.corpusKey.trim() : undefined) || undefined;
   const metadata = {
     ...document.metadata ?? {},
+    ...corpusKey ? { corpusKey } : {},
     documentId,
+    ...chunkingProfileOverrides?.name ? { chunkingProfile: chunkingProfileOverrides.name } : {},
     format,
     source,
     title
@@ -10344,6 +10533,7 @@ var prepareRAGDocument = (document, defaultChunking) => {
     const nextChunkId = index + 1 < chunkEntries.length ? `${documentId}:${String(index + 2).padStart(RAG_CHUNK_ID_PAD_LENGTH, "0")}` : undefined;
     return {
       chunkId: `${documentId}:${String(index + 1).padStart(RAG_CHUNK_ID_PAD_LENGTH, "0")}`,
+      ...corpusKey ? { corpusKey } : {},
       metadata: {
         ...metadata,
         chunkCount: chunkEntries.length,
@@ -10366,6 +10556,7 @@ var prepareRAGDocument = (document, defaultChunking) => {
     };
   });
   return {
+    ...corpusKey ? { corpusKey } : {},
     chunks,
     documentId,
     format,
@@ -10375,7 +10566,7 @@ var prepareRAGDocument = (document, defaultChunking) => {
     title
   };
 };
-var prepareRAGDocuments = (input) => input.documents.map((document) => prepareRAGDocument(document, input.defaultChunking));
+var prepareRAGDocuments = (input) => input.documents.map((document) => prepareRAGDocument(document, input.defaultChunking, input.chunkingRegistry));
 var mergeMetadata = (inputMetadata, extraMetadata, baseMetadata) => ({
   ...baseMetadata ?? {},
   ...inputMetadata ?? {},
@@ -10390,12 +10581,13 @@ var loadRAGDocumentFile = async (input) => {
     chunking: input.chunking,
     contentType: input.contentType,
     data,
+    extractorRegistry: input.extractorRegistry,
     format: input.format,
     metadata: input.metadata,
     path: input.path,
     source: input.source,
     title: input.title
-  }, input.extractors);
+  }, input.extractors, input.extractorRegistry);
   return getFirstExtractedDocument(documents, "for file input");
 };
 var loadRAGDocumentFromURL = async (input) => {
@@ -10412,12 +10604,13 @@ var loadRAGDocumentFromURL = async (input) => {
     chunking: input.chunking,
     contentType: input.contentType ?? response.headers.get("content-type") ?? undefined,
     data,
+    extractorRegistry: input.extractorRegistry,
     format: input.format ?? inferFormatFromUrl(url),
     metadata: input.metadata,
     name: basename(new URL(url).pathname),
     source: input.source ?? url,
     title: input.title
-  }, input.extractors);
+  }, input.extractors, input.extractorRegistry);
   return getFirstExtractedDocument(documents, "for URL input");
 };
 var loadRAGDocumentsFromUploads = async (input) => {
@@ -10426,12 +10619,13 @@ var loadRAGDocumentsFromUploads = async (input) => {
       chunking: upload.chunking,
       contentType: upload.contentType,
       data: decodeUploadContent(upload),
+      extractorRegistry: input.extractorRegistry,
       format: upload.format,
       metadata: upload.metadata,
       name: upload.name,
       source: upload.source ?? upload.name,
       title: upload.title
-    }, input.extractors);
+    }, input.extractors, input.extractorRegistry);
     return loaded.map((document) => ({
       ...document,
       metadata: mergeMetadata(document.metadata, { uploadFile: upload.name }, input.baseMetadata)
@@ -10439,6 +10633,7 @@ var loadRAGDocumentsFromUploads = async (input) => {
   }));
   return {
     defaultChunking: input.defaultChunking,
+    chunkingRegistry: input.chunkingRegistry,
     documents: documents.flat()
   };
 };
@@ -10457,12 +10652,13 @@ var loadRAGDocumentsFromURLs = async (input) => {
       chunking: urlInput.chunking,
       contentType: urlInput.contentType ?? response.headers.get("content-type") ?? undefined,
       data,
+      extractorRegistry: urlInput.extractorRegistry ?? input.extractorRegistry,
       format: urlInput.format ?? inferFormatFromUrl(url),
       metadata: urlInput.metadata,
       name: basename(new URL(url).pathname),
       source: urlInput.source ?? url,
       title: urlInput.title
-    }, urlInput.extractors ?? input.extractors);
+    }, urlInput.extractors ?? input.extractors, urlInput.extractorRegistry ?? input.extractorRegistry);
     return loaded.map((document) => ({
       ...document,
       metadata: mergeMetadata(document.metadata, { sourceUrl: urlInput.url }, input.baseMetadata)
@@ -10470,6 +10666,7 @@ var loadRAGDocumentsFromURLs = async (input) => {
   }));
   return {
     defaultChunking: input.defaultChunking,
+    chunkingRegistry: input.chunkingRegistry,
     documents: documents.flat()
   };
 };
@@ -10478,15 +10675,16 @@ var loadRAGDocumentUpload = async (input) => {
     chunking: input.chunking,
     contentType: input.contentType,
     data: decodeUploadContent(input),
+    extractorRegistry: input.extractorRegistry,
     format: input.format,
     metadata: input.metadata,
     name: input.name,
     source: input.source ?? input.name,
     title: input.title
-  }, input.extractors);
+  }, input.extractors, input.extractorRegistry);
   return getFirstExtractedDocument(documents, "for upload input");
 };
-var prepareRAGDocumentFile = async (input, defaultChunking) => prepareRAGDocument(await loadRAGDocumentFile(input), defaultChunking);
+var prepareRAGDocumentFile = async (input, defaultChunking, chunkingRegistry) => prepareRAGDocument(await loadRAGDocumentFile(input), defaultChunking, chunkingRegistry);
 var DEFAULT_DIRECTORY_EXTENSIONS = [
   ".txt",
   ".md",
@@ -10546,7 +10744,7 @@ var buildRAGUpsertInputFromUploads = async (input) => ({
 });
 var loadRAGDocumentsFromDirectory = async (input) => {
   const root = resolve(input.directory);
-  const includeExtensions = input.includeExtensions === undefined && input.extractors?.length ? null : new Set((input.includeExtensions ?? DEFAULT_DIRECTORY_EXTENSIONS).map((entry) => entry.startsWith(".") ? entry.toLowerCase() : `.${entry.toLowerCase()}`));
+  const includeExtensions = input.includeExtensions === undefined && (input.extractors?.length || input.extractorRegistry) ? null : new Set((input.includeExtensions ?? DEFAULT_DIRECTORY_EXTENSIONS).map((entry) => entry.startsWith(".") ? entry.toLowerCase() : `.${entry.toLowerCase()}`));
   const files = await collectDirectoryFiles(root, input.recursive !== false, includeExtensions);
   const documents = await Promise.all(files.map(async (path) => {
     const source = relative(root, path).replace(/\\/g, "/");
@@ -10554,13 +10752,14 @@ var loadRAGDocumentsFromDirectory = async (input) => {
     const loaded = await loadExtractedDocuments({
       chunking: input.defaultChunking,
       data,
+      extractorRegistry: input.extractorRegistry,
       metadata: {
         fileName: basename(path),
         relativePath: source
       },
       path,
       source
-    }, input.extractors);
+    }, input.extractors, input.extractorRegistry);
     return loaded.map((document) => ({
       ...document,
       metadata: mergeMetadata(document.metadata, undefined, input.baseMetadata)
@@ -10568,6 +10767,7 @@ var loadRAGDocumentsFromDirectory = async (input) => {
   }));
   return {
     defaultChunking: input.defaultChunking,
+    chunkingRegistry: input.chunkingRegistry,
     documents: documents.flat()
   };
 };
@@ -11782,6 +11982,7 @@ var isRAGDocumentUrlArray = (value) => Array.isArray(value) && value.every((entr
 var isRAGDocumentChunkArray = (value) => Array.isArray(value) && value.every((entry) => isRAGDocumentChunk(entry));
 var buildSources2 = (results) => results.map((result) => ({
   chunkId: result.chunkId,
+  corpusKey: result.corpusKey ?? (typeof result.metadata?.corpusKey === "string" ? result.metadata.corpusKey : undefined),
   labels: buildRAGSourceLabels({
     metadata: result.metadata,
     source: result.source,
@@ -11932,6 +12133,8 @@ var buildRAGContextFromQuery = async (config, topK, scoreThreshold, queryText, r
 };
 var ragChat = (config) => {
   const path = config.path ?? DEFAULT_PATH2;
+  const authorizeRAGAction = config.authorizeRAGAction;
+  const resolveRAGAccessScope = config.resolveRAGAccessScope;
   const topK = config.topK ?? DEFAULT_TOP_K3;
   const { scoreThreshold } = config;
   const { extractors } = config;
@@ -11946,6 +12149,13 @@ var ragChat = (config) => {
   const adminActions = [];
   const adminJobs = [];
   const syncJobs = [];
+  const { jobStateStore } = config;
+  const jobHistoryRetention = {
+    maxAdminActions: config.jobHistoryRetention?.maxAdminActions ?? MAX_ADMIN_ACTIONS,
+    maxAdminJobs: config.jobHistoryRetention?.maxAdminJobs ?? MAX_ADMIN_JOBS,
+    maxIngestJobs: config.jobHistoryRetention?.maxIngestJobs ?? MAX_INGEST_JOBS,
+    maxSyncJobs: config.jobHistoryRetention?.maxSyncJobs ?? MAX_ADMIN_JOBS
+  };
   const { searchTraceStore } = config;
   const { searchTraceRetention } = config;
   const { searchTraceRetentionSchedule } = config;
@@ -11964,6 +12174,134 @@ var ragChat = (config) => {
     retention: searchTraceRetention,
     schedule: searchTraceRetentionSchedule
   };
+  let jobStateLoaded = false;
+  let jobStateLoadPromise;
+  const normalizeAuthorizationDecision = (decision) => typeof decision === "boolean" ? { allowed: decision } : decision ?? { allowed: true };
+  const checkAuthorization = async (request, action, resource) => {
+    if (!authorizeRAGAction) {
+      return { allowed: true };
+    }
+    return normalizeAuthorizationDecision(await authorizeRAGAction({
+      action,
+      request,
+      resource
+    }));
+  };
+  const isAuthorized = async (request, action, resource) => (await checkAuthorization(request, action, resource)).allowed;
+  const buildAuthorizationFailure = (decision, fallback = "Forbidden") => ({
+    error: decision.reason ?? fallback,
+    ok: false
+  });
+  const isAccessScopeError = (error) => typeof error === "string" && (error.includes("allowed RAG access scope") || error.includes("Scoped sync-all is not allowed"));
+  const authorizeMutationRoute = async (request, action, input) => {
+    const decision = await checkAuthorization(request, action, input.resource);
+    return decision.allowed ? null : buildAuthorizationFailure(decision, input.fallback);
+  };
+  const normalizeAccessScope = (scope) => {
+    if (!scope) {
+      return;
+    }
+    const normalizeStringArray3 = (values) => {
+      const next = (values ?? []).map((value) => value.trim()).filter((value) => value.length > 0);
+      return next.length > 0 ? [...new Set(next)] : undefined;
+    };
+    const requiredMetadata = scope.requiredMetadata && Object.keys(scope.requiredMetadata).length > 0 ? scope.requiredMetadata : undefined;
+    return {
+      allowedComparisonGroupKeys: normalizeStringArray3(scope.allowedComparisonGroupKeys),
+      allowedCorpusKeys: normalizeStringArray3(scope.allowedCorpusKeys),
+      allowedDocumentIds: normalizeStringArray3(scope.allowedDocumentIds),
+      allowedSourcePrefixes: normalizeStringArray3(scope.allowedSourcePrefixes),
+      allowedSources: normalizeStringArray3(scope.allowedSources),
+      allowedSyncSourceIds: normalizeStringArray3(scope.allowedSyncSourceIds),
+      requiredMetadata
+    };
+  };
+  const loadAccessScope = async (request) => request && resolveRAGAccessScope ? normalizeAccessScope(await resolveRAGAccessScope(request)) : undefined;
+  const matchesRequiredMetadata = (requiredMetadata, metadata) => {
+    if (!requiredMetadata) {
+      return true;
+    }
+    return Object.entries(requiredMetadata).every(([key, value]) => metadata?.[key] === value);
+  };
+  const matchesAccessScope = (scope, input) => {
+    if (!scope) {
+      return true;
+    }
+    const corpusKey = input.corpusKey ?? (typeof input.metadata?.corpusKey === "string" ? input.metadata.corpusKey : undefined);
+    if (scope.allowedCorpusKeys?.length && (!corpusKey || !scope.allowedCorpusKeys.includes(corpusKey))) {
+      return false;
+    }
+    if (scope.allowedDocumentIds?.length && (!input.documentId || !scope.allowedDocumentIds.includes(input.documentId))) {
+      return false;
+    }
+    if (scope.allowedSources?.length && (!input.source || !scope.allowedSources.includes(input.source))) {
+      return false;
+    }
+    if (scope.allowedSourcePrefixes?.length && (!input.source || !scope.allowedSourcePrefixes.some((prefix) => (input.source ?? "").startsWith(prefix)))) {
+      return false;
+    }
+    return matchesRequiredMetadata(scope.requiredMetadata, input.metadata);
+  };
+  const matchesSyncSourceScope = (scope, source) => !scope?.allowedSyncSourceIds?.length || scope.allowedSyncSourceIds.includes(source.id);
+  const isAllowedComparisonGroupKey = (scope, groupKey) => !scope?.allowedComparisonGroupKeys?.length || typeof groupKey === "string" && scope.allowedComparisonGroupKeys.includes(groupKey);
+  const filterByComparisonGroupKey = (scope, records) => scope?.allowedComparisonGroupKeys?.length ? records.filter((record) => isAllowedComparisonGroupKey(scope, record.groupKey)) : records;
+  const persistJobStateIfConfigured = async () => {
+    if (!jobStateStore) {
+      return;
+    }
+    await jobStateStore.save({
+      adminActions: adminActions.slice(0, Math.max(0, jobHistoryRetention.maxAdminActions)),
+      adminJobs: adminJobs.slice(0, Math.max(0, jobHistoryRetention.maxAdminJobs)),
+      ingestJobs: ingestJobs.slice(0, Math.max(0, jobHistoryRetention.maxIngestJobs)),
+      syncJobs: syncJobs.slice(0, Math.max(0, jobHistoryRetention.maxSyncJobs))
+    });
+  };
+  const recoverIngestJob = (job, recoveredAt) => job.status === "running" ? {
+    ...job,
+    elapsedMs: Math.max(0, recoveredAt - job.startedAt),
+    error: job.error ?? "Interrupted before completion during recovery",
+    finishedAt: recoveredAt,
+    status: "failed"
+  } : job;
+  const recoverAdminJob = (job, recoveredAt) => job.status === "running" ? {
+    ...job,
+    elapsedMs: Math.max(0, recoveredAt - job.startedAt),
+    error: job.error ?? "Interrupted before completion during recovery",
+    finishedAt: recoveredAt,
+    status: "failed"
+  } : job;
+  const ensureJobStateLoaded = async () => {
+    if (jobStateLoaded) {
+      return;
+    }
+    if (jobStateLoadPromise) {
+      await jobStateLoadPromise;
+      return;
+    }
+    jobStateLoadPromise = (async () => {
+      if (!jobStateStore) {
+        jobStateLoaded = true;
+        return;
+      }
+      const loaded = await jobStateStore.load();
+      const recoveredAt = Date.now();
+      const nextIngestJobs = (loaded?.ingestJobs ?? []).map((job) => recoverIngestJob(job, recoveredAt)).slice(0, Math.max(0, jobHistoryRetention.maxIngestJobs));
+      const nextAdminActions = (loaded?.adminActions ?? []).slice(0, Math.max(0, jobHistoryRetention.maxAdminActions));
+      const nextAdminJobs = (loaded?.adminJobs ?? []).map((job) => recoverAdminJob(job, recoveredAt)).slice(0, Math.max(0, jobHistoryRetention.maxAdminJobs));
+      const nextSyncJobs = (loaded?.syncJobs ?? []).map((job) => recoverAdminJob(job, recoveredAt)).slice(0, Math.max(0, jobHistoryRetention.maxSyncJobs));
+      adminActions.splice(0, adminActions.length, ...nextAdminActions);
+      ingestJobs.splice(0, ingestJobs.length, ...nextIngestJobs);
+      adminJobs.splice(0, adminJobs.length, ...nextAdminJobs);
+      syncJobs.splice(0, syncJobs.length, ...nextSyncJobs);
+      jobStateLoaded = true;
+      await persistJobStateIfConfigured();
+    })();
+    try {
+      await jobStateLoadPromise;
+    } finally {
+      jobStateLoadPromise = undefined;
+    }
+  };
   const createIngestJob = (inputKind, requestedCount) => {
     const job = {
       id: generateId(),
@@ -11973,9 +12311,10 @@ var ragChat = (config) => {
       status: "running"
     };
     ingestJobs.unshift(job);
-    if (ingestJobs.length > MAX_INGEST_JOBS) {
-      ingestJobs.length = MAX_INGEST_JOBS;
+    if (ingestJobs.length > jobHistoryRetention.maxIngestJobs) {
+      ingestJobs.length = jobHistoryRetention.maxIngestJobs;
     }
+    persistJobStateIfConfigured();
     return job;
   };
   const completeIngestJob = (job, input) => {
@@ -11986,6 +12325,7 @@ var ragChat = (config) => {
     job.chunkCount = input.chunkCount;
     job.documentCount = input.documentCount;
     job.extractorNames = input.extractorNames;
+    persistJobStateIfConfigured();
   };
   const failIngestJob = (job, error, extractorNames) => {
     const finishedAt = Date.now();
@@ -11994,6 +12334,7 @@ var ragChat = (config) => {
     job.elapsedMs = finishedAt - job.startedAt;
     job.error = error;
     job.extractorNames = extractorNames;
+    persistJobStateIfConfigured();
   };
   const createAdminAction = (action, documentId, target) => {
     const record = {
@@ -12005,9 +12346,10 @@ var ragChat = (config) => {
       target
     };
     adminActions.unshift(record);
-    if (adminActions.length > MAX_ADMIN_ACTIONS) {
-      adminActions.length = MAX_ADMIN_ACTIONS;
+    if (adminActions.length > jobHistoryRetention.maxAdminActions) {
+      adminActions.length = jobHistoryRetention.maxAdminActions;
     }
+    persistJobStateIfConfigured();
     return record;
   };
   const createAdminJob = (action, target, bucket = adminJobs) => {
@@ -12019,9 +12361,11 @@ var ragChat = (config) => {
       target
     };
     bucket.unshift(job);
-    if (bucket.length > MAX_ADMIN_JOBS) {
-      bucket.length = MAX_ADMIN_JOBS;
+    const maxJobs = bucket === syncJobs ? jobHistoryRetention.maxSyncJobs : jobHistoryRetention.maxAdminJobs;
+    if (bucket.length > maxJobs) {
+      bucket.length = maxJobs;
     }
+    persistJobStateIfConfigured();
     return job;
   };
   const completeAdminAction = (record) => {
@@ -12029,6 +12373,7 @@ var ragChat = (config) => {
     record.status = "completed";
     record.finishedAt = finishedAt;
     record.elapsedMs = finishedAt - record.startedAt;
+    persistJobStateIfConfigured();
   };
   const failAdminAction = (record, error) => {
     const finishedAt = Date.now();
@@ -12036,12 +12381,14 @@ var ragChat = (config) => {
     record.finishedAt = finishedAt;
     record.elapsedMs = finishedAt - record.startedAt;
     record.error = error;
+    persistJobStateIfConfigured();
   };
   const completeAdminJob = (job) => {
     const finishedAt = Date.now();
     job.status = "completed";
     job.finishedAt = finishedAt;
     job.elapsedMs = finishedAt - job.startedAt;
+    persistJobStateIfConfigured();
   };
   const failAdminJob = (job, error) => {
     const finishedAt = Date.now();
@@ -12049,8 +12396,10 @@ var ragChat = (config) => {
     job.finishedAt = finishedAt;
     job.elapsedMs = finishedAt - job.startedAt;
     job.error = error;
+    persistJobStateIfConfigured();
   };
   const runSearchTracePrune = async (input, trigger = "manual") => {
+    await ensureJobStateLoaded();
     if (!searchTraceStore) {
       throw new Error("RAG search trace store is not configured");
     }
@@ -12138,11 +12487,12 @@ var ragChat = (config) => {
       throw error;
     }
   };
-  const buildSyncSources = async () => {
+  const buildSyncSources = async (scope) => {
     if (!indexManager?.listSyncSources) {
       return [];
     }
-    return await indexManager.listSyncSources();
+    const sources = await indexManager.listSyncSources();
+    return sources.filter((source) => matchesSyncSourceScope(scope, source));
   };
   const toHTMXResponse = (html, status, extraHeaders) => new Response(html, {
     headers: {
@@ -12306,6 +12656,7 @@ var ragChat = (config) => {
         return null;
       }
       return {
+        corpusKey: getStringProperty(candidate, "corpusKey") ?? undefined,
         filter: caseFilter,
         id: getStringProperty(candidate, "id") ?? `case-${caseIndex + 1}`,
         retrieval: parsedCaseRetrieval === undefined || parsedCaseRetrieval === null ? undefined : parsedCaseRetrieval,
@@ -12343,7 +12694,7 @@ var ragChat = (config) => {
       scoreThreshold: typeof getNumberProperty(body, "scoreThreshold") === "number" ? getNumberProperty(body, "scoreThreshold") : undefined
     };
   };
-  const handleEvaluate = async (body) => {
+  const handleEvaluate = async (body, request) => {
     const input = toRAGEvaluationInput(body);
     if (!input) {
       return {
@@ -12351,6 +12702,17 @@ var ragChat = (config) => {
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    for (const evaluationCase of input.cases) {
+      if (evaluationCase.corpusKey && !matchesAccessScope(accessScope, {
+        corpusKey: evaluationCase.corpusKey
+      }) || (evaluationCase.expectedDocumentIds ?? []).some((documentId) => !matchesAccessScope(accessScope, { documentId })) || (evaluationCase.expectedSources ?? []).some((source) => !matchesAccessScope(accessScope, { source }))) {
+        return {
+          error: "Evaluation case is outside the allowed RAG access scope",
+          ok: false
+        };
+      }
+    }
     const collection = resolveCollection();
     if (!collection) {
       return {
@@ -12853,7 +13215,7 @@ var ragChat = (config) => {
     });
     return incidents.find((entry) => entry.id === incidentId);
   };
-  const handleEvaluateRetrievals = async (body) => {
+  const handleEvaluateRetrievals = async (body, request) => {
     const input = toRAGRetrievalComparisonRequest(body);
     if (!input) {
       return {
@@ -12861,6 +13223,23 @@ var ragChat = (config) => {
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    if (!isAllowedComparisonGroupKey(accessScope, input.groupKey)) {
+      return {
+        error: "Retrieval comparison group is outside the allowed RAG access scope",
+        ok: false
+      };
+    }
+    for (const evaluationCase of input.cases) {
+      if (evaluationCase.corpusKey && !matchesAccessScope(accessScope, {
+        corpusKey: evaluationCase.corpusKey
+      }) || (evaluationCase.expectedDocumentIds ?? []).some((documentId) => !matchesAccessScope(accessScope, { documentId })) || (evaluationCase.expectedSources ?? []).some((source) => !matchesAccessScope(accessScope, { source }))) {
+        return {
+          error: "Retrieval comparison case is outside the allowed RAG access scope",
+          ok: false
+        };
+      }
+    }
     const collection = resolveCollection();
     if (!collection) {
       return {
@@ -12907,6 +13286,7 @@ var ragChat = (config) => {
       await persistRAGRetrievalComparisonRun({
         run: {
           comparison,
+          corpusKeys: comparison.corpusKeys,
           decisionSummary,
           elapsedMs: finishedAt - startedAt,
           finishedAt,
@@ -12930,15 +13310,23 @@ var ragChat = (config) => {
       ok: true
     };
   };
-  const handleRetrievalComparisonHistory = async (queryInput) => {
+  const handleRetrievalComparisonHistory = async (queryInput, request) => {
     if (!retrievalComparisonHistoryStore) {
       return {
         error: "RAG retrieval comparison history store is not configured",
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    const groupKey = getStringProperty(queryInput, "groupKey");
+    if (!isAllowedComparisonGroupKey(accessScope, groupKey)) {
+      return {
+        error: "Retrieval comparison group is outside the allowed RAG access scope",
+        ok: false
+      };
+    }
     const runs = await loadRAGRetrievalComparisonHistory({
-      groupKey: getStringProperty(queryInput, "groupKey"),
+      groupKey,
       label: getStringProperty(queryInput, "label"),
       limit: getIntegerLikeProperty(queryInput, "limit"),
       store: retrievalComparisonHistoryStore,
@@ -12948,25 +13336,33 @@ var ragChat = (config) => {
     });
     return {
       ok: true,
-      runs
+      runs: filterByComparisonGroupKey(accessScope, runs)
     };
   };
-  const handleRetrievalBaselineList = async (queryInput) => {
+  const handleRetrievalBaselineList = async (queryInput, request) => {
     if (!retrievalBaselineStore) {
       return {
         error: "RAG retrieval baseline store is not configured",
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    const groupKey = getStringProperty(queryInput, "groupKey");
+    if (!isAllowedComparisonGroupKey(accessScope, groupKey)) {
+      return {
+        error: "Retrieval baseline group is outside the allowed RAG access scope",
+        ok: false
+      };
+    }
     const baselines = await loadRAGRetrievalBaselines({
-      groupKey: getStringProperty(queryInput, "groupKey"),
+      groupKey,
       limit: getIntegerLikeProperty(queryInput, "limit"),
       status: getStringProperty(queryInput, "status") === "active" || getStringProperty(queryInput, "status") === "superseded" ? getStringProperty(queryInput, "status") : undefined,
       store: retrievalBaselineStore,
       tag: getStringProperty(queryInput, "tag")
     });
     return {
-      baselines,
+      baselines: filterByComparisonGroupKey(accessScope, baselines),
       ok: true
     };
   };
@@ -13679,7 +14075,7 @@ var ragChat = (config) => {
     });
     return baseline;
   };
-  const handlePromoteRetrievalBaseline = async (body) => {
+  const handlePromoteRetrievalBaseline = async (body, request) => {
     if (!retrievalBaselineStore) {
       return {
         error: "RAG retrieval baseline store is not configured",
@@ -13776,7 +14172,7 @@ var ragChat = (config) => {
       };
     }
   };
-  const handlePromoteRetrievalBaselineFromRun = async (body) => {
+  const handlePromoteRetrievalBaselineFromRun = async (body, request) => {
     if (!retrievalBaselineStore || !retrievalComparisonHistoryStore) {
       return {
         error: "RAG retrieval baseline store and retrieval comparison history store are required",
@@ -13876,7 +14272,7 @@ var ragChat = (config) => {
       };
     }
   };
-  const handleRevertRetrievalBaseline = async (body) => {
+  const handleRevertRetrievalBaseline = async (body, request) => {
     if (!retrievalBaselineStore) {
       return {
         error: "RAG retrieval baseline store is not configured",
@@ -13951,24 +14347,32 @@ var ragChat = (config) => {
       };
     }
   };
-  const handleRetrievalReleaseDecisionList = async (queryInput) => {
+  const handleRetrievalReleaseDecisionList = async (queryInput, request) => {
     if (!config.retrievalReleaseDecisionStore) {
       return {
         error: "RAG retrieval release decision store is not configured",
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    const groupKey = getStringProperty(queryInput, "groupKey");
+    if (!isAllowedComparisonGroupKey(accessScope, groupKey)) {
+      return {
+        error: "Retrieval release decision group is outside the allowed RAG access scope",
+        ok: false
+      };
+    }
     const kind = getStringProperty(queryInput, "kind");
     const targetRolloutLabel = getStringProperty(queryInput, "targetRolloutLabel");
     const freshnessStatusFilter = getStringProperty(queryInput, "freshnessStatus");
     const decisions = await loadRAGRetrievalReleaseDecisions({
-      groupKey: getStringProperty(queryInput, "groupKey"),
+      groupKey,
       kind: kind === "approve" || kind === "promote" || kind === "reject" || kind === "revert" ? kind : undefined,
       limit: getIntegerLikeProperty(queryInput, "limit"),
       store: config.retrievalReleaseDecisionStore
     });
     return {
-      decisions: decisions.map((decision) => ({
+      decisions: filterByComparisonGroupKey(accessScope, decisions).map((decision) => ({
         ...decision,
         ...getDecisionFreshness({ record: decision })
       })).filter((decision) => {
@@ -13986,7 +14390,7 @@ var ragChat = (config) => {
       ok: true
     };
   };
-  const handleRetrievalReleaseDecisionAction = async (body, kind) => {
+  const handleRetrievalReleaseDecisionAction = async (body, kind, request) => {
     if (!retrievalComparisonHistoryStore || !config.retrievalReleaseDecisionStore) {
       return {
         error: "RAG retrieval comparison history store and release decision store are required",
@@ -15313,7 +15717,7 @@ var ragChat = (config) => {
       return { error: message, ok: false };
     }
   };
-  const handleSearch = async (body) => {
+  const handleSearch = async (body, request) => {
     if (!isObjectRecord2(body)) {
       return { error: "Invalid payload", ok: false };
     }
@@ -15325,6 +15729,7 @@ var ragChat = (config) => {
       };
     }
     const collection = resolveCollection();
+    const accessScope = await loadAccessScope(request);
     if (!collection) {
       return { error: "RAG collection is not configured", ok: false };
     }
@@ -15367,14 +15772,28 @@ var ragChat = (config) => {
           trace: result.trace
         });
       }
+      const scopedResults = buildSources2(result.results).filter((entry) => matchesAccessScope(accessScope, {
+        corpusKey: entry.corpusKey,
+        documentId: typeof entry.metadata?.documentId === "string" ? entry.metadata.documentId : entry.chunkId.split(":")[0],
+        metadata: entry.metadata,
+        source: entry.source
+      }));
       return {
         ok: true,
-        results: buildSources2(result.results),
+        results: scopedResults,
         trace: result.trace
       };
     }
     const results = await collection.search(input);
-    return { ok: true, results: buildSources2(results) };
+    return {
+      ok: true,
+      results: buildSources2(results).filter((entry) => matchesAccessScope(accessScope, {
+        corpusKey: entry.corpusKey,
+        documentId: typeof entry.metadata?.documentId === "string" ? entry.metadata.documentId : entry.chunkId.split(":")[0],
+        metadata: entry.metadata,
+        source: entry.source
+      }))
+    };
   };
   const handleTraceHistory = async (queryInput) => {
     if (!searchTraceStore) {
@@ -15520,7 +15939,10 @@ var ragChat = (config) => {
     let inspectedChunks = 0;
     let documentsWithSourceLabels = 0;
     let chunksWithSourceLabels = 0;
+    const corpusKeys = new Map;
     const sourceNativeKinds = new Map;
+    const extractorRegistryMatches = new Map;
+    const chunkingProfiles = new Map;
     const sampleDocuments = [];
     const sampleChunks = [];
     let oldestDocumentAgeMs;
@@ -15572,11 +15994,26 @@ var ragChat = (config) => {
         documentsWithSourceLabels += 1;
       }
       const documentSourceNativeKind = typeof document.metadata?.sourceNativeKind === "string" ? document.metadata.sourceNativeKind : undefined;
+      const documentCorpusKey = document.corpusKey ?? (typeof document.metadata?.corpusKey === "string" ? document.metadata.corpusKey : undefined);
+      const documentExtractorRegistryMatch = typeof document.metadata?.extractorRegistryMatch === "string" ? document.metadata.extractorRegistryMatch : undefined;
+      const documentChunkingProfile = typeof document.metadata?.chunkingProfile === "string" ? document.metadata.chunkingProfile : undefined;
       if (documentSourceNativeKind) {
         sourceNativeKinds.set(documentSourceNativeKind, (sourceNativeKinds.get(documentSourceNativeKind) ?? 0) + 1);
       }
-      if (sampleDocuments.length < 5 && (documentLabels || documentSourceNativeKind)) {
+      if (documentCorpusKey) {
+        corpusKeys.set(documentCorpusKey, (corpusKeys.get(documentCorpusKey) ?? 0) + 1);
+      }
+      if (documentExtractorRegistryMatch) {
+        extractorRegistryMatches.set(documentExtractorRegistryMatch, (extractorRegistryMatches.get(documentExtractorRegistryMatch) ?? 0) + 1);
+      }
+      if (documentChunkingProfile) {
+        chunkingProfiles.set(documentChunkingProfile, (chunkingProfiles.get(documentChunkingProfile) ?? 0) + 1);
+      }
+      if (sampleDocuments.length < 5 && (documentCorpusKey || documentLabels || documentSourceNativeKind || documentExtractorRegistryMatch || documentChunkingProfile)) {
         sampleDocuments.push({
+          corpusKey: documentCorpusKey,
+          chunkingProfile: documentChunkingProfile,
+          extractorRegistryMatch: documentExtractorRegistryMatch,
           id: document.id,
           labels: documentLabels,
           source: document.source,
@@ -15602,13 +16039,28 @@ var ragChat = (config) => {
             chunksWithSourceLabels += 1;
           }
           const chunkSourceNativeKind = typeof chunk.metadata?.sourceNativeKind === "string" ? chunk.metadata.sourceNativeKind : undefined;
+          const chunkCorpusKey = chunk.corpusKey ?? (typeof chunk.metadata?.corpusKey === "string" ? chunk.metadata.corpusKey : documentCorpusKey);
+          const chunkExtractorRegistryMatch = typeof chunk.metadata?.extractorRegistryMatch === "string" ? chunk.metadata.extractorRegistryMatch : undefined;
+          const chunkChunkingProfile = typeof chunk.metadata?.chunkingProfile === "string" ? chunk.metadata.chunkingProfile : undefined;
           if (chunkSourceNativeKind) {
             sourceNativeKinds.set(chunkSourceNativeKind, (sourceNativeKinds.get(chunkSourceNativeKind) ?? 0) + 1);
           }
-          if (sampleChunks.length < 8 && (chunkLabels || chunkSourceNativeKind)) {
+          if (chunkCorpusKey) {
+            corpusKeys.set(chunkCorpusKey, (corpusKeys.get(chunkCorpusKey) ?? 0) + 1);
+          }
+          if (chunkExtractorRegistryMatch) {
+            extractorRegistryMatches.set(chunkExtractorRegistryMatch, (extractorRegistryMatches.get(chunkExtractorRegistryMatch) ?? 0) + 1);
+          }
+          if (chunkChunkingProfile) {
+            chunkingProfiles.set(chunkChunkingProfile, (chunkingProfiles.get(chunkChunkingProfile) ?? 0) + 1);
+          }
+          if (sampleChunks.length < 8 && (chunkCorpusKey || chunkLabels || chunkSourceNativeKind || chunkExtractorRegistryMatch || chunkChunkingProfile)) {
             sampleChunks.push({
               chunkId: chunk.chunkId,
+              chunkingProfile: chunkChunkingProfile,
+              corpusKey: chunkCorpusKey,
               documentId: document.id,
+              extractorRegistryMatch: chunkExtractorRegistryMatch,
               labels: chunkLabels,
               source: chunk.source ?? preview.document.source,
               sourceNativeKind: chunkSourceNativeKind
@@ -15671,8 +16123,11 @@ var ragChat = (config) => {
       inspectedChunks,
       inspectedDocuments,
       inspection: {
+        chunkingProfiles: Object.fromEntries(chunkingProfiles.entries()),
+        corpusKeys: Object.fromEntries(corpusKeys.entries()),
         chunksWithSourceLabels,
         documentsWithSourceLabels,
+        extractorRegistryMatches: Object.fromEntries(extractorRegistryMatches.entries()),
         sampleChunks,
         sampleDocuments,
         sourceNativeKinds: Object.fromEntries(sourceNativeKinds.entries())
@@ -15695,28 +16150,34 @@ var ragChat = (config) => {
     providerName: typeof config.provider === "function" ? config.readinessProviderName : undefined,
     rerankerConfigured: Boolean(config.rerank ?? config.collection)
   });
-  const buildAdminCapabilities = () => ({
-    canClearIndex: Boolean(ragStore?.clear),
-    canCreateDocument: Boolean(indexManager?.createDocument),
-    canDeleteDocument: Boolean(indexManager?.deleteDocument),
-    canListSyncSources: Boolean(indexManager?.listSyncSources),
-    canManageRetrievalBaselines: Boolean(retrievalBaselineStore),
-    canPruneSearchTraces: Boolean(searchTraceStore),
-    canReindexDocument: Boolean(indexManager?.reindexDocument),
-    canReindexSource: Boolean(indexManager?.reindexSource),
-    canReseed: Boolean(indexManager?.reseed),
-    canReset: Boolean(indexManager?.reset),
-    canSyncAllSources: Boolean(indexManager?.syncAllSources),
-    canSyncSource: Boolean(indexManager?.syncSource)
+  const buildAdminCapabilities = async (request) => ({
+    canClearIndex: Boolean(ragStore?.clear) && (request ? await isAuthorized(request, "clear_index") : true),
+    canCreateDocument: Boolean(indexManager?.createDocument) && (request ? await isAuthorized(request, "create_document") : true),
+    canDeleteDocument: Boolean(indexManager?.deleteDocument) && (request ? await isAuthorized(request, "delete_document") : true),
+    canListSyncSources: Boolean(indexManager?.listSyncSources) && (request ? await isAuthorized(request, "list_sync_sources") : true),
+    canManageRetrievalBaselines: Boolean(retrievalBaselineStore) && (request ? await isAuthorized(request, "manage_retrieval_admin") : true),
+    canPruneSearchTraces: Boolean(searchTraceStore) && (request ? await isAuthorized(request, "prune_search_traces") : true),
+    canReindexDocument: Boolean(indexManager?.reindexDocument) && (request ? await isAuthorized(request, "reindex_document") : true),
+    canReindexSource: Boolean(indexManager?.reindexSource) && (request ? await isAuthorized(request, "reindex_source") : true),
+    canReseed: Boolean(indexManager?.reseed) && (request ? await isAuthorized(request, "reseed") : true),
+    canReset: Boolean(indexManager?.reset) && (request ? await isAuthorized(request, "reset") : true),
+    canSyncAllSources: Boolean(indexManager?.syncAllSources) && (request ? await isAuthorized(request, "sync_all_sources") : true),
+    canSyncSource: Boolean(indexManager?.syncSource) && (request ? await isAuthorized(request, "sync_source") : true)
   });
-  const buildOperationsPayload = async () => {
+  const buildOperationsPayload = async (request) => {
+    const accessScope = await loadAccessScope(request);
     const collection = config.collection ?? (ragStore ? createRAGCollection({
       defaultModel: config.embeddingModel,
       defaultTopK: topK,
       embedding: config.embedding,
       store: ragStore
     }) : null);
-    const indexedDocuments = indexManager ? await indexManager.listDocuments({}) : [];
+    const indexedDocuments = indexManager ? (await indexManager.listDocuments({})).filter((document) => matchesAccessScope(accessScope, {
+      corpusKey: document.corpusKey,
+      documentId: document.id,
+      metadata: document.metadata,
+      source: document.source
+    })) : [];
     const traceStats = searchTraceStore ? await summarizeRAGSearchTraceStore({
       store: searchTraceStore
     }) : undefined;
@@ -16707,7 +17168,7 @@ var ragChat = (config) => {
     searchTraceRuntime.stats = traceStats;
     searchTraceRuntime.recentRuns = recentTraceRuns;
     return {
-      admin: buildAdminCapabilities(),
+      admin: await buildAdminCapabilities(request),
       adminActions: [...adminActions],
       adminJobs: [...adminJobs, ...syncJobs].sort((left, right) => right.startedAt - left.startedAt),
       capabilities: collection?.getCapabilities?.(),
@@ -16786,27 +17247,27 @@ var ragChat = (config) => {
         stats: traceStats
       },
       status: collection?.getStatus?.(),
-      syncSources: await buildSyncSources()
+      syncSources: await buildSyncSources(accessScope)
     };
   };
-  const handleStatus = async () => buildOperationsPayload();
-  const handleRetrievalReleaseStatus = async () => {
-    const result = await buildOperationsPayload();
+  const handleStatus = async (request) => buildOperationsPayload(request);
+  const handleRetrievalReleaseStatus = async (request) => {
+    const result = await buildOperationsPayload(request);
     return {
       ok: true,
       retrievalComparisons: result.retrievalComparisons
     };
   };
-  const handleRetrievalReleaseDriftStatus = async () => {
-    const result = await buildOperationsPayload();
+  const handleRetrievalReleaseDriftStatus = async (request) => {
+    const result = await buildOperationsPayload(request);
     return {
       handoffDriftCountsByLane: result.retrievalComparisons?.handoffDriftCountsByLane,
       handoffDriftRollups: result.retrievalComparisons?.handoffDriftRollups,
       ok: true
     };
   };
-  const handleRetrievalLaneHandoffIncidentStatus = async () => {
-    const result = await buildOperationsPayload();
+  const handleRetrievalLaneHandoffIncidentStatus = async (request) => {
+    const result = await buildOperationsPayload(request);
     const incidents = result.retrievalComparisons?.recentLaneHandoffIncidents;
     return {
       freshnessWindows: result.retrievalComparisons?.handoffFreshnessWindows,
@@ -16816,8 +17277,8 @@ var ragChat = (config) => {
       ok: true
     };
   };
-  const handleRetrievalLaneHandoffStatus = async () => {
-    const result = await buildOperationsPayload();
+  const handleRetrievalLaneHandoffStatus = async (request) => {
+    const result = await buildOperationsPayload(request);
     const incidents = result.retrievalComparisons?.recentLaneHandoffIncidents;
     return {
       autoComplete: result.retrievalComparisons?.handoffAutoComplete,
@@ -16830,7 +17291,7 @@ var ragChat = (config) => {
       ok: true
     };
   };
-  const handleOps = async () => buildOperationsPayload();
+  const handleOps = async (request) => buildOperationsPayload(request);
   if (searchTraceStore && searchTraceRetention && searchTraceRetentionSchedule) {
     const runScheduledSearchTracePrune = async () => {
       searchTraceRuntime.nextScheduledAt = Date.now() + searchTraceRetentionSchedule.intervalMs;
@@ -16848,14 +17309,20 @@ var ragChat = (config) => {
     }, searchTraceRetentionSchedule.intervalMs);
     timer.unref?.();
   }
-  const handleDocuments = async (kind) => {
+  const handleDocuments = async (kind, request) => {
     if (!indexManager) {
       return {
         error: "RAG index document management is not configured",
         ok: false
       };
     }
-    const documents = await indexManager.listDocuments({ kind });
+    const accessScope = await loadAccessScope(request);
+    const documents = (await indexManager.listDocuments({ kind })).filter((document) => matchesAccessScope(accessScope, {
+      corpusKey: document.corpusKey,
+      documentId: document.id,
+      metadata: document.metadata,
+      source: document.source
+    }));
     return {
       documents: documents.map((document) => ({
         ...document,
@@ -16868,7 +17335,7 @@ var ragChat = (config) => {
       ok: true
     };
   };
-  const handleCreateDocument = async (body) => {
+  const handleCreateDocument = async (body, request) => {
     if (!indexManager?.createDocument) {
       return {
         error: "RAG document creation is not configured",
@@ -16887,6 +17354,18 @@ var ragChat = (config) => {
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    if (!matchesAccessScope(accessScope, {
+      documentId: body.id,
+      corpusKey: body.corpusKey,
+      metadata: body.metadata,
+      source: body.source
+    })) {
+      return {
+        error: "Document is outside the allowed RAG access scope",
+        ok: false
+      };
+    }
     const job = createAdminJob("create_document", body.id);
     try {
       const result = await indexManager.createDocument(body);
@@ -16902,7 +17381,7 @@ var ragChat = (config) => {
       throw caught;
     }
   };
-  const handleDocumentChunks = async (id) => {
+  const handleDocumentChunks = async (id, request) => {
     if (!indexManager) {
       return {
         error: "RAG chunk preview is not configured",
@@ -16922,6 +17401,18 @@ var ragChat = (config) => {
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    if (!matchesAccessScope(accessScope, {
+      documentId: preview.document.id,
+      corpusKey: preview.document.corpusKey,
+      metadata: preview.document.metadata,
+      source: preview.document.source
+    })) {
+      return {
+        error: "document not found",
+        ok: false
+      };
+    }
     const chunks = preview.chunks.map((chunk) => ({
       ...chunk,
       labels: buildRAGSourceLabels({
@@ -16952,7 +17443,7 @@ var ragChat = (config) => {
       })
     };
   };
-  const handleDeleteDocument = async (id) => {
+  const handleDeleteDocument = async (id, request) => {
     if (!indexManager?.deleteDocument) {
       return {
         error: "RAG document deletion is not configured",
@@ -16965,6 +17456,13 @@ var ragChat = (config) => {
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    if (accessScope && !matchesAccessScope(accessScope, { documentId: id })) {
+      return {
+        error: "Document is outside the allowed RAG access scope",
+        ok: false
+      };
+    }
     const job = createAdminJob("delete_document", id);
     const deleted = await indexManager.deleteDocument(id);
     if (!deleted) {
@@ -16984,7 +17482,7 @@ var ragChat = (config) => {
       ok: true
     };
   };
-  const handleReindexDocument = async (id) => {
+  const handleReindexDocument = async (id, request) => {
     if (!indexManager?.reindexDocument) {
       return {
         error: "RAG document reindex is not configured",
@@ -16997,6 +17495,13 @@ var ragChat = (config) => {
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    if (accessScope && !matchesAccessScope(accessScope, { documentId: id })) {
+      return {
+        error: "Document is outside the allowed RAG access scope",
+        ok: false
+      };
+    }
     const job = createAdminJob("reindex_document", id);
     try {
       const result = {
@@ -17016,7 +17521,7 @@ var ragChat = (config) => {
       throw caught;
     }
   };
-  const handleReindexSource = async (source) => {
+  const handleReindexSource = async (source, request) => {
     if (!indexManager?.reindexSource) {
       return {
         error: "RAG source reindex is not configured",
@@ -17029,6 +17534,15 @@ var ragChat = (config) => {
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    if (!matchesAccessScope(accessScope, {
+      source
+    })) {
+      return {
+        error: "Source is outside the allowed RAG access scope",
+        ok: false
+      };
+    }
     const job = createAdminJob("reindex_source", source);
     try {
       const result = {
@@ -17112,25 +17626,33 @@ var ragChat = (config) => {
       ...normalized
     };
   };
-  const handleSyncSources = async () => {
+  const handleSyncSources = async (request) => {
     if (!indexManager?.listSyncSources) {
       return {
         error: "RAG source sync is not configured",
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
     return {
       ok: true,
-      sources: await indexManager.listSyncSources()
+      sources: await buildSyncSources(accessScope)
     };
   };
-  const handleSyncAllSources = async (options) => {
+  const handleSyncAllSources = async (request, options) => {
     if (!indexManager?.syncAllSources) {
       return {
         error: "RAG source sync is not configured",
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    if (accessScope?.allowedSyncSourceIds?.length) {
+      return {
+        error: "Scoped sync-all is not allowed; sync individual sources instead",
+        ok: false
+      };
+    }
     const job = createAdminJob("sync_all_sources", undefined, syncJobs);
     const action = createAdminAction("sync_all_sources");
     try {
@@ -17156,7 +17678,7 @@ var ragChat = (config) => {
       completeAdminAction(action);
       return {
         ok: true,
-        sources: await buildSyncSources()
+        sources: await buildSyncSources(accessScope)
       };
     } catch (caught) {
       const message = caught instanceof Error ? caught.message : String(caught);
@@ -17165,7 +17687,7 @@ var ragChat = (config) => {
       throw caught;
     }
   };
-  const handleSyncSource = async (id, options) => {
+  const handleSyncSource = async (id, request, options) => {
     if (!indexManager?.syncSource) {
       return {
         error: "RAG source sync is not configured",
@@ -17178,6 +17700,13 @@ var ragChat = (config) => {
         ok: false
       };
     }
+    const accessScope = await loadAccessScope(request);
+    if (!matchesSyncSourceScope(accessScope, { id })) {
+      return {
+        error: "Sync source is outside the allowed RAG access scope",
+        ok: false
+      };
+    }
     const job = createAdminJob("sync_source", id, syncJobs);
     const action = createAdminAction("sync_source", undefined, id);
     try {
@@ -17194,7 +17723,7 @@ var ragChat = (config) => {
       }
       completeAdminJob(job);
       completeAdminAction(action);
-      const source = (await buildSyncSources()).find((record) => record.id === id);
+      const source = (await buildSyncSources(accessScope)).find((record) => record.id === id);
       return source ? { ok: true, source } : {
         error: "sync source not found",
         ok: false
@@ -17260,7 +17789,7 @@ var ragChat = (config) => {
         };
         return;
       }
-      const lastMessage = conversation.messages.findLast((msg) => msg.id === messageId && msg.role === "user");
+      const lastMessage = conversation.messages.findLast((message) => message.id === messageId && message.role === "user");
       if (!lastMessage) {
         yield {
           data: renderers.error("Message not found"),
@@ -17304,7 +17833,7 @@ var ragChat = (config) => {
       const controller = new AbortController;
       abortControllers.set(conversationId, controller);
       const history = buildHistory(conversation);
-      const lastMessageIndex = conversation.messages.findIndex((msg) => msg.id === messageId);
+      const lastMessageIndex = conversation.messages.findIndex((message) => message.id === messageId);
       const userHistory = lastMessageIndex >= 0 ? history.slice(0, lastMessageIndex) : history;
       const messageWithContext = buildUserMessage2(content, lastMessage.attachments, ragContext);
       const sseStream = streamAIToSSE(conversationId, assistantMessageId, {
@@ -17330,24 +17859,24 @@ var ragChat = (config) => {
   };
   return new Elysia2().ws(path, {
     message: async (ws, raw) => {
-      const msg = parseAIMessage(raw);
-      if (!msg) {
+      const message = parseAIMessage(raw);
+      if (!message) {
         return;
       }
-      if (msg.type === "cancel") {
-        handleCancel(msg.conversationId);
+      if (message.type === "cancel") {
+        handleCancel(message.conversationId);
         return;
       }
-      if (msg.type === "branch") {
-        await handleBranch(ws, msg.messageId, msg.conversationId);
+      if (message.type === "branch") {
+        await handleBranch(ws, message.messageId, message.conversationId);
         return;
       }
-      if (msg.type === "message") {
-        await handleMessage(ws, msg.content, msg.conversationId, msg.attachments);
+      if (message.type === "message") {
+        await handleMessage(ws, message.content, message.conversationId, message.attachments);
       }
     }
   }).post(`${path}/search`, async ({ body, request, set }) => {
-    const result = await handleSearch(body);
+    const result = await handleSearch(body, request);
     if (!result.ok) {
       set.status = result.error === "Invalid payload" || result.error?.startsWith("Expected payload shape:") ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
     }
@@ -17424,6 +17953,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/traces/prune`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "prune_search_traces", {
+      fallback: "Search trace pruning is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Search trace prune failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleTracePrune(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17454,7 +17993,7 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval`, async ({ body, request, set }) => {
-    const result = await handleEvaluateRetrievals(body);
+    const result = await handleEvaluateRetrievals(body, request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17469,7 +18008,7 @@ var ragChat = (config) => {
     }
     return result;
   }).get(`${path}/compare/retrieval/history`, async ({ query, request, set }) => {
-    const result = await handleRetrievalComparisonHistory(query);
+    const result = await handleRetrievalComparisonHistory(query, request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17484,7 +18023,7 @@ var ragChat = (config) => {
     }
     return result;
   }).get(`${path}/compare/retrieval/baselines`, async ({ query, request, set }) => {
-    const result = await handleRetrievalBaselineList(query);
+    const result = await handleRetrievalBaselineList(query, request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17499,7 +18038,7 @@ var ragChat = (config) => {
     }
     return result;
   }).get(`${path}/compare/retrieval/baselines/decisions`, async ({ query, request, set }) => {
-    const result = await handleRetrievalReleaseDecisionList(query);
+    const result = await handleRetrievalReleaseDecisionList(query, request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17604,6 +18143,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/handoffs/incidents/acknowledge`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval lane handoff incident acknowledgement is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval lane handoff incident acknowledgement failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleRetrievalLaneHandoffIncidentAcknowledge(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17619,6 +18168,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/handoffs/incidents/unacknowledge`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval lane handoff incident unacknowledge is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval lane handoff incident unacknowledge failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleRetrievalLaneHandoffIncidentUnacknowledge(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17634,6 +18193,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/handoffs/incidents/resolve`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval lane handoff incident resolve is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval lane handoff incident resolve failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleResolveRetrievalLaneHandoffIncident(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17649,6 +18218,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/handoffs/decide`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval lane handoff decision is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval lane handoff decision failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleRetrievalLaneHandoffDecision(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17709,6 +18288,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/incidents/remediations`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval incident remediation decision record is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval incident remediation decision record failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleRecordRetrievalIncidentRemediationDecision(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17724,6 +18313,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/incidents/remediations/execute`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval incident remediation execution is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval incident remediation execution failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleExecuteRetrievalIncidentRemediation(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17739,6 +18338,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/incidents/remediations/execute/bulk`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Bulk retrieval incident remediation execution is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Bulk retrieval incident remediation execution failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleBulkExecuteRetrievalIncidentRemediations(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17754,6 +18363,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/incidents/acknowledge`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval release incident acknowledgement is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval release incident acknowledgement failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleAcknowledgeRetrievalReleaseIncident(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17769,6 +18388,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/incidents/unacknowledge`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval release incident unacknowledge is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval release incident unacknowledge failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleUnacknowledgeRetrievalReleaseIncident(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17784,6 +18413,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/incidents/resolve`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval release incident resolve is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval release incident resolve failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handleResolveRetrievalReleaseIncident(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17814,7 +18453,15 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/baselines/approve`, async ({ body, request, set }) => {
-    const result = await handleRetrievalReleaseDecisionAction(body, "approve");
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", { fallback: "Retrieval approval is not allowed" });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval approval failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
+    const result = await handleRetrievalReleaseDecisionAction(body, "approve", request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17829,7 +18476,15 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/baselines/reject`, async ({ body, request, set }) => {
-    const result = await handleRetrievalReleaseDecisionAction(body, "reject");
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", { fallback: "Retrieval rejection is not allowed" });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval rejection failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
+    const result = await handleRetrievalReleaseDecisionAction(body, "reject", request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17844,7 +18499,15 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/baselines/promote`, async ({ body, request, set }) => {
-    const result = await handlePromoteRetrievalBaseline(body);
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", { fallback: "Retrieval baseline promotion is not allowed" });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval baseline promotion failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
+    const result = await handlePromoteRetrievalBaseline(body, request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17859,6 +18522,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/baselines/promote-lane`, async ({ body, request, set }) => {
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval rollout-lane promotion is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval rollout-lane promotion failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
     const result = await handlePromoteRetrievalBaselineToLane(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -17874,7 +18547,17 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/baselines/promote-run`, async ({ body, request, set }) => {
-    const result = await handlePromoteRetrievalBaselineFromRun(body);
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", {
+      fallback: "Retrieval baseline promotion from run is not allowed"
+    });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval baseline promotion from run failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
+    const result = await handlePromoteRetrievalBaselineFromRun(body, request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17889,7 +18572,15 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/compare/retrieval/baselines/revert`, async ({ body, request, set }) => {
-    const result = await handleRevertRetrievalBaseline(body);
+    const denied = await authorizeMutationRoute(request, "manage_retrieval_admin", { fallback: "Retrieval baseline revert is not allowed" });
+    if (denied) {
+      set.status = 403;
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(denied.error ?? "Retrieval baseline revert failed"), getNumericStatus(set.status));
+      }
+      return denied;
+    }
+    const result = await handleRevertRetrievalBaseline(body, request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17904,7 +18595,7 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/evaluate`, async ({ body, request, set }) => {
-    const result = await handleEvaluate(body);
+    const result = await handleEvaluate(body, request);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
     }
@@ -17919,7 +18610,7 @@ var ragChat = (config) => {
     }
     return result;
   }).get(`${path}/status`, async ({ request }) => {
-    const result = await handleStatus();
+    const result = await handleStatus(request);
     if (config.htmx && isHTMXRequest(request)) {
       return toHTMXResponse(workflowRenderers.status({
         capabilities: result.capabilities,
@@ -17988,20 +18679,21 @@ var ragChat = (config) => {
       });
     }
     return result;
-  }).get(`${path}/status/release`, async () => {
-    return handleRetrievalReleaseStatus();
+  }).get(`${path}/status/release`, async ({ request }) => {
+    return handleRetrievalReleaseStatus(request);
   }).get(`${path}/status/release/incidents`, async () => {
     return handleRetrievalReleaseIncidentStatus();
   }).get(`${path}/status/release/remediations`, async () => {
     return handleRetrievalIncidentRemediationStatus();
-  }).get(`${path}/status/release/drift`, async () => {
-    return handleRetrievalReleaseDriftStatus();
-  }).get(`${path}/status/handoffs/incidents`, async () => {
-    return handleRetrievalLaneHandoffIncidentStatus();
-  }).get(`${path}/status/handoffs`, async () => {
-    return handleRetrievalLaneHandoffStatus();
+  }).get(`${path}/status/release/drift`, async ({ request }) => {
+    return handleRetrievalReleaseDriftStatus(request);
+  }).get(`${path}/status/handoffs/incidents`, async ({ request }) => {
+    return handleRetrievalLaneHandoffIncidentStatus(request);
+  }).get(`${path}/status/handoffs`, async ({ request }) => {
+    return handleRetrievalLaneHandoffStatus(request);
   }).get(`${path}/ops`, async ({ request }) => {
-    const result = await handleOps();
+    await ensureJobStateLoaded();
+    const result = await handleOps(request);
     if (config.htmx && isHTMXRequest(request)) {
       return toHTMXResponse(workflowRenderers.status({
         capabilities: result.capabilities,
@@ -18011,7 +18703,7 @@ var ragChat = (config) => {
     }
     return result;
   }).get(`${path}/documents`, async ({ query, request, set }) => {
-    const result = await handleDocuments(getStringProperty(query, "kind"));
+    const result = await handleDocuments(getStringProperty(query, "kind"), request);
     if (!result.ok) {
       set.status = HTTP_STATUS_NOT_FOUND;
     }
@@ -18025,9 +18717,19 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/documents`, async ({ body, request, set }) => {
-    const result = await handleCreateDocument(body);
+    await ensureJobStateLoaded();
+    const authorization = await checkAuthorization(request, "create_document");
+    if (!authorization.allowed) {
+      set.status = 403;
+      const result2 = buildAuthorizationFailure(authorization, "Document creation is not allowed");
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(result2.error ?? "Failed to create document"), getNumericStatus(set.status));
+      }
+      return result2;
+    }
+    const result = await handleCreateDocument(body, request);
     if (!result.ok) {
-      const status = result.error?.includes("not configured") ? HTTP_STATUS_NOT_FOUND : HTTP_STATUS_BAD_REQUEST;
+      const status = isAccessScopeError(result.error) ? 403 : result.error?.includes("not configured") ? HTTP_STATUS_NOT_FOUND : HTTP_STATUS_BAD_REQUEST;
       set.status = status;
     }
     if (config.htmx && isHTMXRequest(request)) {
@@ -18038,9 +18740,9 @@ var ragChat = (config) => {
     }
     return result;
   }).get(`${path}/documents/:id/chunks`, async ({ params, request, set }) => {
-    const result = await handleDocumentChunks(typeof params.id === "string" ? params.id.trim() : "");
+    const result = await handleDocumentChunks(typeof params.id === "string" ? params.id.trim() : "", request);
     if (!result.ok) {
-      const status = result.error === "document id is required" ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
+      const status = isAccessScopeError(result.error) ? 403 : result.error === "document id is required" ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
       set.status = status;
     }
     if (config.htmx && isHTMXRequest(request)) {
@@ -18054,10 +18756,13 @@ var ragChat = (config) => {
     const result = await handleBackends();
     if (!result.ok) {
       set.status = HTTP_STATUS_NOT_FOUND;
+      if (isAccessScopeError(result.error)) {
+        set.status = 403;
+      }
     }
     return result;
   }).get(`${path}/sync`, async ({ request, set }) => {
-    const result = await handleSyncSources();
+    const result = await handleSyncSources(request);
     if (!result.ok) {
       set.status = HTTP_STATUS_NOT_FOUND;
     }
@@ -18072,8 +18777,18 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/sync`, async ({ body, request, set }) => {
+    await ensureJobStateLoaded();
+    const authorization = await checkAuthorization(request, "sync_all_sources");
+    if (!authorization.allowed) {
+      set.status = 403;
+      const result2 = buildAuthorizationFailure(authorization, "Source sync is not allowed");
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(result2.error ?? "Failed to sync sources"), getNumericStatus(set.status));
+      }
+      return result2;
+    }
     const background = getBooleanProperty(body, "background");
-    const result = await handleSyncAllSources({ background });
+    const result = await handleSyncAllSources(request, { background });
     if (!result.ok) {
       set.status = HTTP_STATUS_NOT_FOUND;
     }
@@ -18088,10 +18803,28 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/sync/:id`, async ({ body, params, request, set }) => {
+    await ensureJobStateLoaded();
+    const syncSourceId = typeof params.id === "string" ? params.id.trim() : "";
+    const authorization = await checkAuthorization(request, "sync_source", {
+      sourceId: syncSourceId
+    });
+    if (!authorization.allowed) {
+      set.status = 403;
+      const result2 = buildAuthorizationFailure(authorization, "Source sync is not allowed");
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(result2.error ?? "Failed to sync source"), getNumericStatus(set.status));
+      }
+      return result2;
+    }
     const background = getBooleanProperty(body, "background");
-    const result = await handleSyncSource(typeof params.id === "string" ? params.id.trim() : "", { background });
+    const result = await handleSyncSource(syncSourceId, request, {
+      background
+    });
     if (!result.ok) {
       set.status = result.error === "sync source id is required" ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
+      if (isAccessScopeError(result.error)) {
+        set.status = 403;
+      }
     }
     if (config.htmx && isHTMXRequest(request)) {
       const html = result.ok ? workflowRenderers.mutationResult({
@@ -18104,6 +18837,18 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/ingest`, async ({ body, request, set }) => {
+    await ensureJobStateLoaded();
+    const authorization = await checkAuthorization(request, "ingest", {
+      path: `${path}/ingest`
+    });
+    if (!authorization.allowed) {
+      set.status = 403;
+      const result2 = buildAuthorizationFailure(authorization, "RAG ingest is not allowed");
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(result2.error ?? "RAG ingest failed"), getNumericStatus(set.status));
+      }
+      return result2;
+    }
     const result = await handleIngest(body);
     if (!result.ok) {
       set.status = HTTP_STATUS_BAD_REQUEST;
@@ -18115,7 +18860,13 @@ var ragChat = (config) => {
       return toHTMXResponse(workflowRenderers.mutationResult(result), HTTP_STATUS_OK, { "HX-Trigger": "rag:mutated" });
     }
     return result;
-  }).delete(`${path}/index`, async () => {
+  }).delete(`${path}/index`, async ({ request, set }) => {
+    await ensureJobStateLoaded();
+    const authorization = await checkAuthorization(request, "clear_index");
+    if (!authorization.allowed) {
+      set.status = 403;
+      return buildAuthorizationFailure(authorization, "Index clearing is not allowed");
+    }
     if (!ragStore) {
       return { ok: false };
     }
@@ -18134,9 +18885,22 @@ var ragChat = (config) => {
     }
     return { ok: true };
   }).delete(`${path}/documents/:id`, async ({ params, request, set }) => {
-    const result = await handleDeleteDocument(typeof params.id === "string" ? params.id.trim() : "");
+    await ensureJobStateLoaded();
+    const documentId = typeof params.id === "string" ? params.id.trim() : "";
+    const authorization = await checkAuthorization(request, "delete_document", {
+      documentId
+    });
+    if (!authorization.allowed) {
+      set.status = 403;
+      const result2 = buildAuthorizationFailure(authorization, "Document deletion is not allowed");
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(result2.error ?? "Failed to delete document"), getNumericStatus(set.status), { "HX-Trigger": "rag:mutated" });
+      }
+      return result2;
+    }
+    const result = await handleDeleteDocument(documentId, request);
     if (!result.ok) {
-      const status = result.error === "document id is required" ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
+      const status = isAccessScopeError(result.error) ? 403 : result.error === "document id is required" ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
       set.status = status;
     }
     if (config.htmx && isHTMXRequest(request)) {
@@ -18147,9 +18911,20 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/reindex/documents/:id`, async ({ params, request, set }) => {
-    const result = await handleReindexDocument(typeof params.id === "string" ? params.id.trim() : "");
+    await ensureJobStateLoaded();
+    const documentId = typeof params.id === "string" ? params.id.trim() : "";
+    const authorization = await checkAuthorization(request, "reindex_document", { documentId });
+    if (!authorization.allowed) {
+      set.status = 403;
+      const result2 = buildAuthorizationFailure(authorization, "Document reindex is not allowed");
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(result2.error ?? "Failed to reindex document"), getNumericStatus(set.status), { "HX-Trigger": "rag:mutated" });
+      }
+      return result2;
+    }
+    const result = await handleReindexDocument(documentId, request);
     if (!result.ok) {
-      set.status = result.error === "document id is required" ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
+      set.status = isAccessScopeError(result.error) ? 403 : result.error === "document id is required" ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
     }
     if (config.htmx && isHTMXRequest(request)) {
       const html = result.ok ? workflowRenderers.mutationResult(result) : workflowRenderers.error(result.error ?? "Failed to reindex document");
@@ -18159,10 +18934,22 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/reindex/source`, async ({ body, request, set }) => {
+    await ensureJobStateLoaded();
     const source = getStringProperty(body, "source")?.trim() ?? "";
-    const result = await handleReindexSource(source);
+    const authorization = await checkAuthorization(request, "reindex_source", {
+      source
+    });
+    if (!authorization.allowed) {
+      set.status = 403;
+      const result2 = buildAuthorizationFailure(authorization, "Source reindex is not allowed");
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(result2.error ?? "Failed to reindex source"), getNumericStatus(set.status), { "HX-Trigger": "rag:mutated" });
+      }
+      return result2;
+    }
+    const result = await handleReindexSource(source, request);
     if (!result.ok) {
-      set.status = result.error === "source is required" ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
+      set.status = isAccessScopeError(result.error) ? 403 : result.error === "source is required" ? HTTP_STATUS_BAD_REQUEST : HTTP_STATUS_NOT_FOUND;
     }
     if (config.htmx && isHTMXRequest(request)) {
       const html = result.ok ? workflowRenderers.mutationResult(result) : workflowRenderers.error(result.error ?? "Failed to reindex source");
@@ -18172,6 +18959,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/reseed`, async ({ request, set }) => {
+    await ensureJobStateLoaded();
+    const authorization = await checkAuthorization(request, "reseed");
+    if (!authorization.allowed) {
+      set.status = 403;
+      const result2 = buildAuthorizationFailure(authorization, "Index reseed is not allowed");
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(result2.error ?? "Failed to reseed index"), getNumericStatus(set.status), { "HX-Trigger": "rag:mutated" });
+      }
+      return result2;
+    }
     const result = await handleReseed();
     if (!result.ok) {
       set.status = 404;
@@ -18184,6 +18981,16 @@ var ragChat = (config) => {
     }
     return result;
   }).post(`${path}/reset`, async ({ request, set }) => {
+    await ensureJobStateLoaded();
+    const authorization = await checkAuthorization(request, "reset");
+    if (!authorization.allowed) {
+      set.status = 403;
+      const result2 = buildAuthorizationFailure(authorization, "Index reset is not allowed");
+      if (config.htmx && isHTMXRequest(request)) {
+        return toHTMXResponse(workflowRenderers.error(result2.error ?? "Failed to reset index"), getNumericStatus(set.status), { "HX-Trigger": "rag:mutated" });
+      }
+      return result2;
+    }
     const result = await handleReset();
     if (!result.ok) {
       set.status = 404;
@@ -18271,6 +19078,31 @@ var createHeuristicRAGRetrievalStrategy = (options = {}) => ({
     return;
   }
 });
+// src/ai/rag/accessControl.ts
+var createRAGAccessControl = (options) => {
+  const authorize = options.authorize;
+  const contextCache = new WeakMap;
+  const resolveScope = options.resolveScope;
+  const loadContext = (request) => {
+    const existing = contextCache.get(request);
+    if (existing) {
+      return existing;
+    }
+    const next = Promise.resolve(options.resolveContext(request));
+    contextCache.set(request, next);
+    return next;
+  };
+  return {
+    authorizeRAGAction: authorize ? async (input) => authorize({
+      ...input,
+      context: await loadContext(input.request)
+    }) : undefined,
+    resolveRAGAccessScope: resolveScope ? async (request) => resolveScope({
+      context: await loadContext(request),
+      request
+    }) : undefined
+  };
+};
 // src/ai/rag/embeddingProviders.ts
 var DEFAULT_OPENAI_BASE_URL = "https://api.openai.com";
 var DEFAULT_GEMINI_BASE_URL = "https://generativelanguage.googleapis.com";
@@ -19128,6 +19960,8 @@ var isManagedBySyncSource = (document, sourceId) => document.metadata?.syncSourc
 var getDocumentSyncFingerprint = (document) => typeof document.metadata?.syncFingerprint === "string" ? document.metadata.syncFingerprint : undefined;
 var reconcileManagedDocuments = async (input) => {
   const prepared = prepareRAGDocuments({
+    chunkingRegistry: input.chunkingRegistry,
+    defaultChunking: input.defaultChunking,
     documents: input.documents
   });
   const nextDocumentIds = new Set(prepared.map((document) => document.documentId));
@@ -19172,6 +20006,19 @@ var toSourceRecord = (source, overrides) => ({
   target: source.target,
   ...overrides
 });
+var recoverSyncSourceRecord = (source, record, recoveredAt) => record.status === "running" ? toSourceRecord(source, {
+  ...record,
+  lastError: record.lastError ?? "Interrupted before completion during recovery",
+  lastSyncedAt: recoveredAt,
+  nextRetryAt: undefined,
+  status: "failed"
+}) : toSourceRecord(source, {
+  ...record,
+  metadata: {
+    ...source.metadata ?? {},
+    ...record.metadata ?? {}
+  }
+});
 var createRAGDirectorySyncSource = (options) => ({
   description: options.description,
   id: options.id,
@@ -19185,14 +20032,18 @@ var createRAGDirectorySyncSource = (options) => ({
     const loaded = await loadRAGDocumentsFromDirectory({
       baseMetadata: options.baseMetadata,
       defaultChunking: options.defaultChunking,
+      chunkingRegistry: options.chunkingRegistry,
       directory: options.directory,
       extractors: options.extractors,
+      extractorRegistry: options.extractorRegistry,
       includeExtensions: options.includeExtensions,
       recursive: options.recursive
     });
     const managedDocuments = loaded.documents.map((document) => toManagedSyncDocument(options.id, document, typeof document.metadata?.relativePath === "string" ? document.metadata.relativePath : document.source ?? document.title ?? ""));
     const reconciled = await reconcileManagedDocuments({
+      chunkingRegistry: options.chunkingRegistry,
       collection,
+      defaultChunking: options.defaultChunking,
       deleteDocument,
       documents: managedDocuments,
       listDocuments,
@@ -19223,12 +20074,16 @@ var createRAGUrlSyncSource = (options) => ({
     const loaded = await loadRAGDocumentsFromURLs({
       baseMetadata: options.baseMetadata,
       defaultChunking: options.defaultChunking,
+      chunkingRegistry: options.chunkingRegistry,
       extractors: options.extractors,
+      extractorRegistry: options.extractorRegistry,
       urls: options.urls
     });
     const managedDocuments = loaded.documents.map((document) => toManagedSyncDocument(options.id, document, typeof document.metadata?.sourceUrl === "string" ? document.metadata.sourceUrl : document.source ?? document.title ?? ""));
     const reconciled = await reconcileManagedDocuments({
+      chunkingRegistry: options.chunkingRegistry,
       collection,
+      defaultChunking: options.defaultChunking,
       deleteDocument,
       documents: managedDocuments,
       listDocuments,
@@ -19326,12 +20181,16 @@ var createRAGStorageSyncSource = (options) => ({
     const loaded = await loadRAGDocumentsFromUploads({
       baseMetadata: options.baseMetadata,
       defaultChunking: options.defaultChunking,
+      chunkingRegistry: options.chunkingRegistry,
       extractors: options.extractors,
+      extractorRegistry: options.extractorRegistry,
       uploads
     });
     const managedDocuments = loaded.documents.map((document) => toManagedSyncDocument(options.id, document, typeof document.metadata?.storageKey === "string" ? document.metadata.storageKey : document.source ?? document.title ?? ""));
     const reconciled = await reconcileManagedDocuments({
+      chunkingRegistry: options.chunkingRegistry,
       collection,
+      defaultChunking: options.defaultChunking,
       deleteDocument,
       documents: managedDocuments,
       listDocuments,
@@ -19412,7 +20271,9 @@ var createRAGEmailSyncSource = (options) => ({
     const loadedAttachments = attachmentUploads.length > 0 ? await loadRAGDocumentsFromUploads({
       baseMetadata: options.baseMetadata,
       defaultChunking: options.defaultChunking,
+      chunkingRegistry: options.chunkingRegistry,
       extractors: options.extractors,
+      extractorRegistry: options.extractorRegistry,
       uploads: attachmentUploads
     }) : { documents: [] };
     const managedDocuments = [
@@ -19420,7 +20281,9 @@ var createRAGEmailSyncSource = (options) => ({
       ...loadedAttachments.documents.map((document) => toManagedSyncDocument(options.id, document, `attachment:${String(document.metadata?.attachmentId ?? document.source ?? document.title ?? "")}`))
     ];
     const reconciled = await reconcileManagedDocuments({
+      chunkingRegistry: options.chunkingRegistry,
       collection,
+      defaultChunking: options.defaultChunking,
       deleteDocument,
       documents: managedDocuments,
       listDocuments,
@@ -19455,22 +20318,18 @@ var createRAGSyncManager = (options) => {
     }
     if (!hydrationPromise) {
       hydrationPromise = Promise.resolve(options.loadState()).then((records) => {
+        const recoveredAt = Date.now();
         for (const record of records ?? []) {
           const source = sourceMap.get(record.id);
           if (!source) {
             continue;
           }
-          state.set(record.id, toSourceRecord(source, {
-            ...record,
-            metadata: {
-              ...source.metadata ?? {},
-              ...record.metadata ?? {}
-            }
-          }));
+          state.set(record.id, recoverSyncSourceRecord(source, record, recoveredAt));
         }
       });
     }
     await hydrationPromise;
+    await persistState();
   };
   const resolveRetryAttempts = (source) => Math.max(0, source.retryAttempts ?? options.retryAttempts ?? 0);
   const resolveRetryDelayMs = (source) => Math.max(0, source.retryDelayMs ?? options.retryDelayMs ?? 0);
@@ -19716,6 +20575,48 @@ var createRAGSyncScheduler = (input) => {
     listSchedules: () => [...input.schedules]
   };
 };
+// src/ai/rag/jobState.ts
+import { mkdir as mkdir3, readFile as readFile4, writeFile as writeFile3 } from "fs/promises";
+import { dirname as dirname3, resolve as resolve3 } from "path";
+var parseJobState = (content) => {
+  try {
+    const parsed = JSON.parse(content);
+    return {
+      adminActions: Array.isArray(parsed.adminActions) ? parsed.adminActions : [],
+      adminJobs: Array.isArray(parsed.adminJobs) ? parsed.adminJobs : [],
+      ingestJobs: Array.isArray(parsed.ingestJobs) ? parsed.ingestJobs : [],
+      syncJobs: Array.isArray(parsed.syncJobs) ? parsed.syncJobs : []
+    };
+  } catch {
+    return {
+      adminActions: [],
+      adminJobs: [],
+      ingestJobs: [],
+      syncJobs: []
+    };
+  }
+};
+var createRAGFileJobStateStore = (path) => {
+  const resolvedPath = resolve3(path);
+  return {
+    load: async () => {
+      try {
+        return parseJobState(await readFile4(resolvedPath, "utf8"));
+      } catch {
+        return {
+          adminActions: [],
+          adminJobs: [],
+          ingestJobs: [],
+          syncJobs: []
+        };
+      }
+    },
+    save: async (state) => {
+      await mkdir3(dirname3(resolvedPath), { recursive: true });
+      await writeFile3(resolvedPath, JSON.stringify(state, null, 2), "utf8");
+    }
+  };
+};
 // src/ai/rag/adapters/utils.ts
 var vectorDimensionDefault = 24;
 var createRAGVector = (text, dimensions = vectorDimensionDefault) => {
@@ -19874,7 +20775,7 @@ import { existsSync as existsSync2 } from "fs";
 // src/ai/rag/resolveAbsoluteSQLiteVec.ts
 import { existsSync, readFileSync } from "fs";
 import { arch, platform } from "os";
-import { dirname as dirname3, join as join2 } from "path";
+import { dirname as dirname4, join as join2 } from "path";
 var PLATFORM_PACKAGE_MAP = {
   "darwin-arm64": {
     libraryFile: "vec0.dylib",
@@ -19923,12 +20824,12 @@ var resolveAbsoluteSQLiteVec = () => {
     };
   }
   try {
-    const resolve3 = import.meta.resolve;
-    if (typeof resolve3 !== "function") {
+    const resolve4 = import.meta.resolve;
+    if (typeof resolve4 !== "function") {
       throw new Error("AbsoluteJS sqlite-vec package resolution requires import.meta.resolve support.");
     }
-    const packageJsonPath = new URL(resolve3(`${packageInfo.packageName}/package.json`)).pathname;
-    const packageRoot = dirname3(packageJsonPath);
+    const packageJsonPath = new URL(resolve4(`${packageInfo.packageName}/package.json`)).pathname;
+    const packageRoot = dirname4(packageJsonPath);
     const libraryPath = join2(packageRoot, packageInfo.libraryFile);
     const packageVersion = readPackageVersion(packageJsonPath);
     if (!existsSync(libraryPath)) {
@@ -20629,73 +21530,73 @@ var createConversationManager = () => {
   };
 };
 // src/ai/client/actions.ts
-var serverMessageToAction = (msg) => {
-  switch (msg.type) {
+var serverMessageToAction = (message) => {
+  switch (message.type) {
     case "chunk":
       return {
-        content: msg.content,
-        conversationId: msg.conversationId,
-        messageId: msg.messageId,
+        content: message.content,
+        conversationId: message.conversationId,
+        messageId: message.messageId,
         type: "chunk"
       };
     case "thinking":
       return {
-        content: msg.content,
-        conversationId: msg.conversationId,
-        messageId: msg.messageId,
+        content: message.content,
+        conversationId: message.conversationId,
+        messageId: message.messageId,
         type: "thinking"
       };
     case "tool_status":
       return {
-        conversationId: msg.conversationId,
-        input: msg.input,
-        messageId: msg.messageId,
-        name: msg.name,
-        result: msg.result,
-        status: msg.status,
+        conversationId: message.conversationId,
+        input: message.input,
+        messageId: message.messageId,
+        name: message.name,
+        result: message.result,
+        status: message.status,
         type: "tool_status"
       };
     case "image":
       return {
-        conversationId: msg.conversationId,
-        data: msg.data,
-        format: msg.format,
-        imageId: msg.imageId,
-        isPartial: msg.isPartial,
-        messageId: msg.messageId,
-        revisedPrompt: msg.revisedPrompt,
+        conversationId: message.conversationId,
+        data: message.data,
+        format: message.format,
+        imageId: message.imageId,
+        isPartial: message.isPartial,
+        messageId: message.messageId,
+        revisedPrompt: message.revisedPrompt,
         type: "image"
       };
     case "complete":
       return {
-        conversationId: msg.conversationId,
-        durationMs: msg.durationMs,
-        messageId: msg.messageId,
-        model: msg.model,
-        sources: msg.sources,
+        conversationId: message.conversationId,
+        durationMs: message.durationMs,
+        messageId: message.messageId,
+        model: message.model,
+        sources: message.sources,
         type: "complete",
-        usage: msg.usage
+        usage: message.usage
       };
     case "rag_retrieving":
       return {
-        conversationId: msg.conversationId,
-        messageId: msg.messageId,
-        retrievalStartedAt: msg.retrievalStartedAt,
+        conversationId: message.conversationId,
+        messageId: message.messageId,
+        retrievalStartedAt: message.retrievalStartedAt,
         type: "rag_retrieving"
       };
     case "rag_retrieved":
       return {
-        conversationId: msg.conversationId,
-        messageId: msg.messageId,
-        retrievalDurationMs: msg.retrievalDurationMs,
-        retrievalStartedAt: msg.retrievalStartedAt,
-        retrievedAt: msg.retrievedAt,
-        sources: msg.sources,
-        trace: msg.trace,
+        conversationId: message.conversationId,
+        messageId: message.messageId,
+        retrievalDurationMs: message.retrievalDurationMs,
+        retrievalStartedAt: message.retrievalStartedAt,
+        retrievedAt: message.retrievedAt,
+        sources: message.sources,
+        trace: message.trace,
         type: "rag_retrieved"
       };
     case "error":
-      return { message: msg.message, type: "error" };
+      return { message: message.message, type: "error" };
     default:
       return null;
   }
@@ -21154,8 +22055,8 @@ var createAIStream = (path, conversationId) => {
     listeners.forEach((listener) => listener());
   };
   const unsubscribeStore = store.subscribe(syncState);
-  const unsubscribeConnection = connection.subscribe((msg) => {
-    const action = serverMessageToAction(msg);
+  const unsubscribeConnection = connection.subscribe((message) => {
+    const action = serverMessageToAction(message);
     if (action) {
       store.dispatch(action);
     }
@@ -22514,6 +23415,8 @@ export {
   createRAGFileRetrievalComparisonHistoryStore,
   createRAGFileRetrievalBaselineStore,
   createRAGFileRetrievalBaselineGatePolicyHistoryStore,
+  createRAGFileJobStateStore,
+  createRAGFileExtractorRegistry,
   createRAGFileExtractor,
   createRAGFileEvaluationHistoryStore,
   createRAGFileAnswerGroundingEvaluationHistoryStore,
@@ -22524,9 +23427,11 @@ export {
   createRAGDirectorySyncSource,
   createRAGCollection,
   createRAGClient,
+  createRAGChunkingRegistry,
   createRAGBunS3SyncClient,
   createRAGArchiveFileExtractor,
   createRAGArchiveExpander,
+  createRAGAccessControl,
   createPDFFileExtractor,
   createOfficeDocumentExtractor,
   createMemoryStore,
@@ -22569,5 +23474,5 @@ export {
   aiChat
 };
 
-//# debugId=2EBD38302AA26EE564756E2164756E21
+//# debugId=01B4F90C8AC5AD4364756E2164756E21
 //# sourceMappingURL=index.js.map