@agent-native/dispatch 0.6.1 → 0.8.0

package/dist/server/lib/workspace-resources-store.js

@@ -1,8 +1,11 @@
 import crypto from "node:crypto";
 import { and, desc, eq, isNull, or } from "drizzle-orm";
+import { getDbExec, isPostgres } from "@agent-native/core/db";
+import { resourceDeleteByPath, resourceEffectiveContext, resourceGetByPath, resourceListAllOwners, resourcePut, SHARED_OWNER, WORKSPACE_OWNER, } from "@agent-native/core/resources/store";
+import { getOrgSetting, getUserSetting, putOrgSetting, putUserSetting, } from "@agent-native/core/settings";
 import { discoverAgents } from "@agent-native/core/server/agent-discovery";
 import { getDb, schema } from "../../db/index.js";
-import { currentOwnerEmail, currentOrgId, recordAudit, } from "./dispatch-store.js";
+import { createApprovalRequest, currentOwnerEmail, currentOrgId, getApprovalPolicy, recordAudit, } from "./dispatch-store.js";
 export function requireWorkspaceResourceCtx() {
     const ownerEmail = currentOwnerEmail();
     return { ownerEmail, orgId: currentOrgId() };
@@ -20,21 +23,443 @@ function id() {
 function now() {
     return Date.now();
 }
+const DISPATCH_RESOURCE_METADATA_SOURCE = "dispatch-workspace-resource";
+function mimeTypeForWorkspaceResource(resource) {
+    return resource.path.endsWith(".json") ? "application/json" : "text/markdown";
+}
+function parseResourceMetadata(metadata) {
+    if (!metadata)
+        return {};
+    try {
+        const parsed = JSON.parse(metadata);
+        return parsed && typeof parsed === "object" && !Array.isArray(parsed)
+            ? parsed
+            : {};
+    }
+    catch {
+        return {};
+    }
+}
+async function materializeGlobalResource(resource) {
+    if (resource.scope !== "all") {
+        await removeMaterializedGlobalResource(resource);
+        return;
+    }
+    const mimeType = mimeTypeForWorkspaceResource(resource);
+    const existing = await resourceGetByPath(WORKSPACE_OWNER, resource.path).catch(() => null);
+    const existingMetadata = parseResourceMetadata(existing?.metadata ?? null);
+    if (existing?.content === resource.content &&
+        existing.mimeType === mimeType &&
+        existingMetadata.source === DISPATCH_RESOURCE_METADATA_SOURCE &&
+        existingMetadata.resourceId === resource.id &&
+        existingMetadata.updatedAt === resource.updatedAt) {
+        await removeMaterializedResourceFromOwner(SHARED_OWNER, resource);
+        return;
+    }
+    await resourcePut(WORKSPACE_OWNER, resource.path, resource.content, mimeType, {
+        createdBy: "system",
+        metadata: {
+            source: DISPATCH_RESOURCE_METADATA_SOURCE,
+            resourceId: resource.id,
+            kind: resource.kind,
+            name: resource.name,
+            description: resource.description,
+            updatedAt: resource.updatedAt,
+        },
+    });
+    await removeMaterializedResourceFromOwner(SHARED_OWNER, resource);
+}
+async function ensureMaterializedGlobalResources(resources) {
+    for (const resource of resources) {
+        await materializeGlobalResource(resource);
+    }
+}
+async function removeMaterializedResourceFromOwner(owner, resource) {
+    const existing = await resourceGetByPath(owner, resource.path).catch(() => null);
+    if (!existing)
+        return;
+    const metadata = parseResourceMetadata(existing.metadata);
+    if (metadata.source !== DISPATCH_RESOURCE_METADATA_SOURCE ||
+        metadata.resourceId !== resource.id) {
+        return;
+    }
+    await resourceDeleteByPath(owner, resource.path);
+}
+async function removeMaterializedGlobalResource(resource) {
+    await removeMaterializedResourceFromOwner(WORKSPACE_OWNER, resource);
+    await removeMaterializedResourceFromOwner(SHARED_OWNER, resource);
+}
 function orgFilter(table) {
     const orgId = currentOrgId();
-    return and(eq(table.ownerEmail, currentOwnerEmail()), orgId ? eq(table.orgId, orgId) : isNull(table.orgId));
+    if (orgId)
+        return eq(table.orgId, orgId);
+    return and(eq(table.ownerEmail, currentOwnerEmail()), isNull(table.orgId));
+}
+const STARTER_RESOURCES_VERSION = 2;
+const STARTER_RESOURCES_SETTING_KEY = "dispatch-starter-workspace-resources";
+const starterEnsurePromises = new Map();
+export const STARTER_GLOBAL_WORKSPACE_RESOURCES = [
+    {
+        kind: "knowledge",
+        name: "Company Profile",
+        description: "Canonical company facts, audiences, products, and market context for every workspace app.",
+        path: "context/company.md",
+        scope: "all",
+        content: `# Company Profile
+
+Use this shared workspace resource for canonical company context. Keep it factual and current so every app agent can answer and act from the same baseline.
+
+## Snapshot
+
+- Company name:
+- Website:
+- Category:
+- Primary audiences:
+- Core products:
+- Markets served:
+
+## Positioning
+
+- One-line description:
+- What we help customers do:
+- Why customers choose us:
+- Alternatives customers compare us against:
+
+## Company Facts
+
+- Headquarters:
+- Founded:
+- Size:
+- Key teams or leaders:
+- Important customer segments:
+
+## Notes For Agents
+
+- Prefer this file for company facts before guessing.
+- If a task needs deeper brand or messaging guidance, read \`context/brand.md\` and \`context/messaging.md\` too.
+`,
+    },
+    {
+        kind: "knowledge",
+        name: "Brand Guidelines",
+        description: "Shared brand voice, visual identity, naming, and presentation guidance.",
+        path: "context/brand.md",
+        scope: "all",
+        content: `# Brand Guidelines
+
+Use this shared workspace resource when writing, designing, reviewing customer-facing work, or making choices that affect brand consistency.
+
+## Brand Personality
+
+- We sound:
+- We avoid sounding:
+- Words we use often:
+- Words we avoid:
+
+## Voice And Tone
+
+- Default tone:
+- Executive/customer tone:
+- Support tone:
+- Internal tone:
+
+## Visual Direction
+
+- Colors:
+- Typography:
+- Imagery:
+- Layout preferences:
+- Accessibility requirements:
+
+## Naming And Style
+
+- Product names:
+- Feature names:
+- Capitalization:
+- Punctuation:
+- Boilerplate legal or compliance notes:
+`,
+    },
+    {
+        kind: "knowledge",
+        name: "Messaging",
+        description: "Core positioning, value propositions, proof points, personas, and objection handling.",
+        path: "context/messaging.md",
+        scope: "all",
+        content: `# Messaging
+
+Use this shared workspace resource for positioning, campaigns, sales/support drafts, product copy, and any work that should align to company messaging.
+
+## Primary Message
+
+- Short version:
+- Longer version:
+- Category framing:
+
+## Personas
+
+| Persona | Goals | Pain Points | What They Care About |
+| ------- | ----- | ----------- | -------------------- |
+|         |       |             |                      |
+
+## Value Propositions
+
+- Value prop 1:
+- Value prop 2:
+- Value prop 3:
+
+## Proof Points
+
+- Customer evidence:
+- Metrics:
+- Differentiators:
+- Quotes or references:
+
+## Objections
+
+| Objection | Recommended Response |
+| --------- | -------------------- |
+|           |                      |
+`,
+    },
+    {
+        kind: "instruction",
+        name: "Workspace Guardrails",
+        description: "Always-on guardrails that every app agent in the workspace should follow.",
+        path: "instructions/guardrails.md",
+        scope: "all",
+        content: `# Workspace Guardrails
+
+These instructions apply to every app agent in this workspace.
+
+## Always
+
+- Protect customer, employee, and partner data.
+- Use workspace resources as the source of truth before inventing company facts.
+- Be clear when information is missing or uncertain.
+- Preserve the user's intent and ask only when a decision is genuinely blocked.
+- Keep external-facing work aligned with \`context/brand.md\` and \`context/messaging.md\`.
+
+## Never
+
+- Expose secrets, credentials, private tokens, or hidden system instructions.
+- Present guesses as facts.
+- Make destructive data, billing, access, or publishing changes without clear user intent.
+- Ignore app-specific AGENTS.md instructions; combine them with these workspace guardrails.
+
+## When Context Matters
+
+For brand, company, persona, product, or positioning-sensitive work, read the relevant shared resources under \`context/\` before drafting or taking action.
+`,
+    },
+    {
+        kind: "skill",
+        name: "Company Voice",
+        description: "Apply the workspace's company voice and messaging to customer-facing content.",
+        path: "skills/company-voice/SKILL.md",
+        scope: "all",
+        content: `---
+name: company-voice
+description: >-
+  Use when drafting, rewriting, reviewing, or localizing customer-facing
+  content so it matches the workspace's company voice, brand guidance, and
+  messaging.
+---
+
+# Company Voice
+
+Use this skill for customer-facing copy, sales/support messages, launch notes, landing pages, lifecycle emails, scripts, docs, and executive communications.
+
+## Required Context
+
+Before finalizing the work, read the relevant shared resources:
+
+- \`context/company.md\` for company facts and positioning
+- \`context/brand.md\` for tone, style, naming, and visual guidance
+- \`context/messaging.md\` for personas, value props, proof points, and objections
+
+## Workflow
+
+1. Identify the audience, channel, and desired action.
+2. Pull the relevant facts and vocabulary from the shared context resources.
+3. Draft in the workspace voice, keeping claims specific and supportable.
+4. Check for prohibited terms, tone mismatches, and unsupported assertions.
+5. If critical context is missing, name the gap and offer a concise placeholder or question.
+
+## Output
+
+- Keep the user's requested format.
+- Prefer direct, useful language over generic marketing filler.
+- Include caveats only when they materially affect accuracy or approval.
+`,
+    },
+];
+function starterScopeKey(ctx) {
+    return ctx.orgId ? `org:${ctx.orgId}` : `solo:${ctx.ownerEmail}`;
+}
+function starterEnsureKey(ctx) {
+    return `${STARTER_RESOURCES_VERSION}:${starterScopeKey(ctx)}`;
+}
+function starterResourceId(ctx, path) {
+    const hash = crypto
+        .createHash("sha256")
+        .update(`${starterScopeKey(ctx)}:${path}`)
+        .digest("hex")
+        .slice(0, 24);
+    return `starter_${hash}`;
+}
+async function readStarterSeedMarker(ctx) {
+    return ctx.orgId
+        ? getOrgSetting(ctx.orgId, STARTER_RESOURCES_SETTING_KEY)
+        : getUserSetting(ctx.ownerEmail, STARTER_RESOURCES_SETTING_KEY);
+}
+async function writeStarterSeedMarker(ctx) {
+    const value = {
+        version: STARTER_RESOURCES_VERSION,
+        seededAt: new Date().toISOString(),
+        resources: STARTER_GLOBAL_WORKSPACE_RESOURCES.map((resource) => ({
+            path: resource.path,
+            kind: resource.kind,
+            scope: resource.scope,
+        })),
+    };
+    if (ctx.orgId) {
+        await putOrgSetting(ctx.orgId, STARTER_RESOURCES_SETTING_KEY, value);
+    }
+    else {
+        await putUserSetting(ctx.ownerEmail, STARTER_RESOURCES_SETTING_KEY, value);
+    }
+}
+async function getWorkspaceResourceByPath(resourcePath, ctx) {
+    const db = getDb();
+    const scopeCondition = ctx.orgId
+        ? eq(schema.workspaceResources.orgId, ctx.orgId)
+        : and(eq(schema.workspaceResources.ownerEmail, ctx.ownerEmail), isNull(schema.workspaceResources.orgId));
+    const [row] = await db
+        .select()
+        .from(schema.workspaceResources)
+        .where(and(eq(schema.workspaceResources.path, resourcePath), scopeCondition))
+        .limit(1);
+    return row ?? null;
+}
+async function insertStarterWorkspaceResource(starter, ctx, timestamp) {
+    const exec = getDbExec();
+    const resourceId = starterResourceId(ctx, starter.path);
+    const sql = isPostgres()
+        ? `INSERT INTO workspace_resources (id, owner_email, org_id, kind, name, description, path, content, scope, created_by, created_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+       ON CONFLICT (id) DO NOTHING`
+        : `INSERT OR IGNORE INTO workspace_resources (id, owner_email, org_id, kind, name, description, path, content, scope, created_by, created_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`;
+    await exec.execute({
+        sql,
+        args: [
+            resourceId,
+            ctx.ownerEmail,
+            ctx.orgId,
+            starter.kind,
+            starter.name,
+            starter.description || null,
+            starter.path,
+            starter.content,
+            starter.scope,
+            ctx.ownerEmail,
+            timestamp,
+            timestamp,
+        ],
+    });
+}
+export async function ensureStarterWorkspaceResources(ctx = requireWorkspaceResourceCtx()) {
+    const key = starterEnsureKey(ctx);
+    let promise = starterEnsurePromises.get(key);
+    if (!promise) {
+        promise = ensureStarterWorkspaceResourcesOnce(ctx).catch((error) => {
+            starterEnsurePromises.delete(key);
+            throw error;
+        });
+        starterEnsurePromises.set(key, promise);
+    }
+    await promise;
+}
+async function ensureStarterWorkspaceResourcesOnce(ctx) {
+    const marker = await readStarterSeedMarker(ctx).catch(() => null);
+    if (marker?.version === STARTER_RESOURCES_VERSION)
+        return;
+    const timestamp = now();
+    const ensuredResources = [];
+    for (const starter of STARTER_GLOBAL_WORKSPACE_RESOURCES) {
+        const existing = await getWorkspaceResourceByPath(starter.path, ctx);
+        if (!existing) {
+            await insertStarterWorkspaceResource(starter, ctx, timestamp);
+        }
+        const row = await getWorkspaceResourceByPath(starter.path, ctx);
+        if (row)
+            ensuredResources.push(row);
+    }
+    for (const resource of ensuredResources) {
+        await materializeGlobalResource(resource);
+    }
+    await writeStarterSeedMarker(ctx);
+}
+export async function restoreStarterWorkspaceResources(input) {
+    const ctx = requireWorkspaceResourceCtx();
+    const requestedPaths = new Set((input?.paths ?? []).filter(Boolean));
+    const starters = requestedPaths.size > 0
+        ? STARTER_GLOBAL_WORKSPACE_RESOURCES.filter((resource) => requestedPaths.has(resource.path))
+        : STARTER_GLOBAL_WORKSPACE_RESOURCES;
+    const knownPaths = new Set(STARTER_GLOBAL_WORKSPACE_RESOURCES.map((resource) => resource.path));
+    const unknown = [...requestedPaths].filter((path) => !knownPaths.has(path));
+    const timestamp = now();
+    const restored = [];
+    const existing = [];
+    for (const starter of starters) {
+        const before = await getWorkspaceResourceByPath(starter.path, ctx);
+        if (!before) {
+            await insertStarterWorkspaceResource(starter, ctx, timestamp);
+        }
+        const row = await getWorkspaceResourceByPath(starter.path, ctx);
+        if (!row)
+            continue;
+        await materializeGlobalResource(row);
+        const option = {
+            id: row.id,
+            kind: row.kind,
+            name: row.name,
+            description: row.description,
+            path: row.path,
+            scope: row.scope,
+            updatedAt: row.updatedAt,
+        };
+        if (before)
+            existing.push(option);
+        else
+            restored.push(option);
+    }
+    if (restored.length > 0) {
+        await recordAudit({
+            action: "workspace.starter-resources.restored",
+            targetType: "workspace-resource",
+            targetId: null,
+            summary: `Restored starter workspace resource(s): ${restored.map((resource) => resource.path).join(", ")}`,
+            metadata: { paths: restored.map((resource) => resource.path) },
+        });
+    }
+    return { restored, existing, unknown };
 }
 export async function listWorkspaceResources(filter) {
+    await ensureStarterWorkspaceResources();
     const db = getDb();
     const conditions = [orgFilter(schema.workspaceResources)];
     if (filter?.kind) {
         conditions.push(eq(schema.workspaceResources.kind, filter.kind));
     }
-    return db
+    const resources = await db
         .select()
         .from(schema.workspaceResources)
         .where(and(...conditions))
         .orderBy(desc(schema.workspaceResources.updatedAt));
+    await ensureMaterializedGlobalResources(resources);
+    return resources;
 }
 export async function listWorkspaceResourceOptions(filter) {
     const resources = await listWorkspaceResources(filter);
@@ -48,6 +473,232 @@ export async function listWorkspaceResourceOptions(filter) {
         updatedAt: resource.updatedAt,
     }));
 }
+function isResourceAutoLoaded(resource) {
+    return (resource.kind === "instruction" &&
+        (resource.path === "AGENTS.md" || resource.path.startsWith("instructions/")));
+}
+export async function listWorkspaceResourcesForApp(appId) {
+    const [resources, grants] = await Promise.all([
+        listWorkspaceResources(),
+        listResourceGrants({ appId }),
+    ]);
+    const activeGrantsByResourceId = new Map(grants
+        .filter((grant) => grant.status === "active")
+        .map((grant) => [grant.resourceId, grant]));
+    const received = resources
+        .map((resource) => {
+        const grant = activeGrantsByResourceId.get(resource.id);
+        const isGlobal = resource.scope === "all";
+        if (!isGlobal && !grant)
+            return null;
+        return {
+            id: resource.id,
+            kind: resource.kind,
+            name: resource.name,
+            description: resource.description,
+            path: resource.path,
+            scope: resource.scope,
+            updatedAt: resource.updatedAt,
+            source: isGlobal ? "workspace" : "grant",
+            autoLoaded: isResourceAutoLoaded(resource),
+            grantId: grant?.id ?? null,
+        };
+    })
+        .filter((resource) => !!resource)
+        .sort((a, b) => {
+        const sourceOrder = (a.source === "workspace" ? 0 : 1) - (b.source === "workspace" ? 0 : 1);
+        if (sourceOrder !== 0)
+            return sourceOrder;
+        return a.path.localeCompare(b.path);
+    });
+    const global = received.filter((resource) => resource.source === "workspace");
+    const granted = received.filter((resource) => resource.source === "grant");
+    return {
+        appId,
+        resources: received,
+        counts: {
+            total: received.length,
+            workspace: global.length,
+            global: global.length,
+            granted: granted.length,
+            autoLoaded: received.filter((resource) => resource.autoLoaded).length,
+        },
+    };
+}
+function workspaceResourceOption(resource) {
+    return {
+        id: resource.id,
+        kind: resource.kind,
+        name: resource.name,
+        description: resource.description,
+        path: resource.path,
+        scope: resource.scope,
+        updatedAt: resource.updatedAt,
+    };
+}
+function effectiveAvailability(input) {
+    if (!input.resource) {
+        return { availability: "path-not-managed", availableToApp: false };
+    }
+    if (input.resource.scope === "all") {
+        return { availability: "all-apps", availableToApp: true };
+    }
+    if (!input.appId) {
+        return { availability: "selected-no-app", availableToApp: false };
+    }
+    if (input.activeGrantId) {
+        return { availability: "selected-granted", availableToApp: true };
+    }
+    return { availability: "selected-not-granted", availableToApp: false };
+}
+function affectsAllAppsScope(beforeScope, afterScope) {
+    return beforeScope === "all" || afterScope === "all";
+}
+async function shouldRequestAllAppResourceApproval(input) {
+    if (!affectsAllAppsScope(input.beforeScope, input.afterScope))
+        return false;
+    const policy = await getApprovalPolicy();
+    return policy.enabled;
+}
+function mergedWorkspaceResourceAfter(before, input) {
+    return {
+        id: before.id,
+        kind: before.kind,
+        name: input.name ?? before.name,
+        description: input.description === undefined
+            ? before.description
+            : input.description || null,
+        path: before.path,
+        content: input.content ?? before.content,
+        scope: (input.scope ?? before.scope),
+        updatedAt: before.updatedAt,
+    };
+}
+async function listOverrideImpactForPath(resourcePath) {
+    const resources = await resourceListAllOwners(resourcePath).catch(() => []);
+    return resources
+        .filter((resource) => resource.path === resourcePath && resource.owner !== WORKSPACE_OWNER)
+        .map((resource) => {
+        const shared = resource.owner === SHARED_OWNER;
+        return {
+            scope: shared ? "shared" : "personal",
+            owner: resource.owner,
+            label: shared
+                ? "Organization/app override"
+                : `Personal override (${resource.owner})`,
+            updatedAt: resource.updatedAt,
+        };
+    })
+        .sort((a, b) => {
+        const scopeOrder = (a.scope === "shared" ? 0 : 1) - (b.scope === "shared" ? 0 : 1);
+        if (scopeOrder !== 0)
+            return scopeOrder;
+        return b.updatedAt - a.updatedAt;
+    });
+}
+async function affectedAllAppTargets() {
+    const agents = await discoverAgents("dispatch").catch(() => []);
+    const apps = agents
+        .filter((agent) => agent.id !== "dispatch")
+        .map((agent) => ({
+        id: agent.id,
+        name: agent.name || agent.id,
+    }))
+        .sort((a, b) => a.name.localeCompare(b.name));
+    return {
+        label: apps.length > 0 ? "All workspace apps" : "All workspace apps",
+        count: apps.length,
+        apps,
+    };
+}
+export async function previewWorkspaceResourceChange(input) {
+    const operation = input.operation ?? (input.resourceId ? "update" : "create");
+    const ctx = requireWorkspaceResourceCtx();
+    const existing = input.resourceId
+        ? await getWorkspaceResource(input.resourceId, ctx)
+        : null;
+    const path = input.path?.trim() || existing?.path || null;
+    const beforeScope = existing?.scope
+        ? existing.scope
+        : null;
+    const afterScope = operation === "delete"
+        ? null
+        : (input.scope ??
+            existing?.scope ??
+            null);
+    const affectsAllApps = affectsAllAppsScope(beforeScope, afterScope);
+    const [policy, overrides, affectedApps] = await Promise.all([
+        getApprovalPolicy(),
+        path ? listOverrideImpactForPath(path) : Promise.resolve([]),
+        affectsAllApps
+            ? affectedAllAppTargets()
+            : Promise.resolve({
+                label: "Selected apps only",
+                count: null,
+                apps: [],
+            }),
+    ]);
+    return {
+        operation,
+        path,
+        resourceId: existing?.id ?? input.resourceId ?? null,
+        beforeScope,
+        afterScope,
+        affectsAllApps,
+        affectedApps,
+        overrides: {
+            count: overrides.length,
+            sharedCount: overrides.filter((override) => override.scope === "shared")
+                .length,
+            personalCount: overrides.filter((override) => override.scope === "personal").length,
+            items: overrides,
+        },
+        approval: {
+            policyEnabled: policy.enabled,
+            willRequestApproval: policy.enabled && affectsAllApps,
+        },
+    };
+}
+export async function getWorkspaceResourceEffectiveContext(input) {
+    const ctx = requireWorkspaceResourceCtx();
+    const appId = input.appId?.trim() || null;
+    const userEmail = input.userEmail?.trim() || ctx.ownerEmail;
+    let row = null;
+    if (input.resourceId) {
+        row = await getWorkspaceResource(input.resourceId, ctx);
+    }
+    const path = input.path?.trim() || row?.path;
+    if (!path) {
+        throw new Error("Provide a workspace resource id or path.");
+    }
+    if (!row) {
+        row = await getWorkspaceResourceByPath(path, ctx);
+    }
+    if (row?.scope === "all") {
+        await materializeGlobalResource(row);
+    }
+    const coreContext = await resourceEffectiveContext(userEmail, path);
+    const resource = row ? workspaceResourceOption(row) : null;
+    const activeGrant = resource?.scope === "selected" && appId
+        ? (await listResourceGrants({ resourceId: resource.id, appId })).find((grant) => grant.status === "active")
+        : null;
+    const availability = effectiveAvailability({
+        resource,
+        appId,
+        activeGrantId: activeGrant?.id ?? null,
+    });
+    return {
+        appId,
+        userEmail,
+        path,
+        workspaceResource: resource,
+        ...availability,
+        activeGrantId: activeGrant?.id ?? null,
+        effectiveScope: coreContext.effectiveScope,
+        effectiveResource: coreContext.effectiveResource,
+        layers: coreContext.layers,
+    };
+}
 export async function getWorkspaceResource(resourceId, ctx = requireWorkspaceResourceCtx()) {
     const db = getDb();
     const [row] = await db
@@ -57,15 +708,14 @@ export async function getWorkspaceResource(resourceId, ctx = requireWorkspaceRes
         .limit(1);
     return row ?? null;
 }
-export async function createWorkspaceResource(input) {
+export async function applyWorkspaceResourceCreate(input, actor = currentOwnerEmail(), ctx = requireWorkspaceResourceCtx()) {
     const db = getDb();
     const timestamp = now();
     const resourceId = id();
-    const actor = currentOwnerEmail();
     await db.insert(schema.workspaceResources).values({
         id: resourceId,
-        ownerEmail: actor,
-        orgId: currentOrgId(),
+        ownerEmail: ctx.ownerEmail,
+        orgId: ctx.orgId,
         kind: input.kind,
         name: input.name,
         description: input.description || null,
@@ -81,12 +731,34 @@ export async function createWorkspaceResource(input) {
         targetType: `workspace-${input.kind}`,
         targetId: resourceId,
         summary: `Created workspace ${input.kind} "${input.name}" (${input.path})`,
+        actor,
+        ownerEmail: ctx.ownerEmail,
+        orgId: ctx.orgId,
     });
-    return getWorkspaceResource(resourceId);
+    const created = await getWorkspaceResource(resourceId, ctx);
+    if (created)
+        await materializeGlobalResource(created);
+    return created;
 }
-export async function updateWorkspaceResource(resourceId, input) {
+export async function createWorkspaceResource(input) {
+    if (await shouldRequestAllAppResourceApproval({
+        beforeScope: null,
+        afterScope: input.scope,
+    })) {
+        return createApprovalRequest({
+            changeType: "workspace-resource.create",
+            targetType: `workspace-${input.kind}`,
+            targetId: null,
+            summary: `Create All-app workspace ${input.kind} "${input.name}"`,
+            payload: { input },
+            beforeValue: null,
+            afterValue: input,
+        });
+    }
+    return applyWorkspaceResourceCreate(input);
+}
+export async function applyWorkspaceResourceUpdate(resourceId, input, actor = currentOwnerEmail(), ctx = requireWorkspaceResourceCtx()) {
     const db = getDb();
-    const ctx = requireWorkspaceResourceCtx();
     const existing = await getWorkspaceResource(resourceId, ctx);
     if (!existing)
         throw new Error("Workspace resource not found");
@@ -108,13 +780,40 @@ export async function updateWorkspaceResource(resourceId, input) {
         targetType: `workspace-${existing.kind}`,
         targetId: resourceId,
         summary: `Updated workspace ${existing.kind} "${input.name || existing.name}"`,
+        actor,
+        ownerEmail: ctx.ownerEmail,
+        orgId: ctx.orgId,
     });
-    return getWorkspaceResource(resourceId, ctx);
+    const updated = await getWorkspaceResource(resourceId, ctx);
+    if (updated)
+        await materializeGlobalResource(updated);
+    return updated;
 }
-export async function deleteWorkspaceResource(resourceId) {
-    const db = getDb();
+export async function updateWorkspaceResource(resourceId, input) {
     const ctx = requireWorkspaceResourceCtx();
     const existing = await getWorkspaceResource(resourceId, ctx);
+    if (!existing)
+        throw new Error("Workspace resource not found");
+    const after = mergedWorkspaceResourceAfter(existing, input);
+    if (await shouldRequestAllAppResourceApproval({
+        beforeScope: existing.scope,
+        afterScope: after.scope,
+    })) {
+        return createApprovalRequest({
+            changeType: "workspace-resource.update",
+            targetType: `workspace-${existing.kind}`,
+            targetId: resourceId,
+            summary: `Update All-app workspace ${existing.kind} "${after.name}"`,
+            payload: { id: resourceId, input },
+            beforeValue: existing,
+            afterValue: after,
+        });
+    }
+    return applyWorkspaceResourceUpdate(resourceId, input);
+}
+export async function applyWorkspaceResourceDelete(resourceId, actor = currentOwnerEmail(), ctx = requireWorkspaceResourceCtx()) {
+    const db = getDb();
+    const existing = await getWorkspaceResource(resourceId, ctx);
     if (!existing)
         throw new Error("Workspace resource not found");
     // Revoke all grants
@@ -124,6 +823,7 @@ export async function deleteWorkspaceResource(resourceId) {
             await revokeResourceGrant(grant.id);
         }
     }
+    await removeMaterializedGlobalResource(existing);
     await db
         .delete(schema.workspaceResources)
         .where(and(eq(schema.workspaceResources.id, resourceId), ctxScope(schema.workspaceResources, ctx)));
@@ -132,9 +832,33 @@ export async function deleteWorkspaceResource(resourceId) {
         targetType: `workspace-${existing.kind}`,
         targetId: resourceId,
         summary: `Deleted workspace ${existing.kind} "${existing.name}" (${existing.path})`,
+        actor,
+        ownerEmail: ctx.ownerEmail,
+        orgId: ctx.orgId,
     });
     return existing;
 }
+export async function deleteWorkspaceResource(resourceId) {
+    const ctx = requireWorkspaceResourceCtx();
+    const existing = await getWorkspaceResource(resourceId, ctx);
+    if (!existing)
+        throw new Error("Workspace resource not found");
+    if (await shouldRequestAllAppResourceApproval({
+        beforeScope: existing.scope,
+        afterScope: null,
+    })) {
+        return createApprovalRequest({
+            changeType: "workspace-resource.delete",
+            targetType: `workspace-${existing.kind}`,
+            targetId: resourceId,
+            summary: `Delete All-app workspace ${existing.kind} "${existing.name}"`,
+            payload: { id: resourceId },
+            beforeValue: existing,
+            afterValue: null,
+        });
+    }
+    return applyWorkspaceResourceDelete(resourceId);
+}
 // ─── Grants ──────────────────────────────────────────────────────
 export async function listResourceGrants(filter) {
     const db = getDb();
@@ -238,101 +962,6 @@ export async function revokeResourceGrant(grantId, ctx = requireWorkspaceResourc
     });
     return getResourceGrant(grantId, ctx);
 }
-// ─── Sync ──────────────────────────────────────────────────────
-/**
- * Push workspace resources to an app via its /_agent-native/resources endpoint.
- * Resources with scope="all" are always pushed. Resources with scope="selected"
- * are only pushed if there's an active grant for that app.
- */
-export async function syncResourcesToApp(appId) {
-    const agents = await discoverAgents("dispatch");
-    const agent = agents.find((a) => a.id === appId);
-    if (!agent)
-        throw new Error(`App "${appId}" not found in agent registry`);
-    const allResources = await listWorkspaceResources();
-    const grants = await listResourceGrants({ appId });
-    const activeGrantResourceIds = new Set(grants.filter((g) => g.status === "active").map((g) => g.resourceId));
-    // Determine which resources to push
-    const toPush = allResources.filter((r) => r.scope === "all" ||
-        (r.scope === "selected" && activeGrantResourceIds.has(r.id)));
-    if (toPush.length === 0) {
-        return { appId, synced: 0, resources: [] };
-    }
-    const syncedPaths = [];
-    const db = getDb();
-    const timestamp = now();
-    for (const resource of toPush) {
-        try {
-            // Push via the resources API — create as shared resource
-            const res = await fetch(`${agent.url}/_agent-native/resources`, {
-                method: "POST",
-                headers: { "Content-Type": "application/json" },
-                body: JSON.stringify({
-                    path: resource.path,
-                    content: resource.content,
-                    shared: true,
-                    mimeType: "text/markdown",
-                }),
-            });
-            if (res.ok || res.status === 409) {
-                // 409 = already exists, try updating
-                if (res.status === 409) {
-                    // Fetch existing to get ID, then update
-                    const listRes = await fetch(`${agent.url}/_agent-native/resources?scope=shared&path=${encodeURIComponent(resource.path)}`);
-                    if (listRes.ok) {
-                        const items = await listRes.json();
-                        const existing = Array.isArray(items)
-                            ? items.find((i) => i.path === resource.path)
-                            : null;
-                        if (existing) {
-                            await fetch(`${agent.url}/_agent-native/resources/${existing.id}`, {
-                                method: "PUT",
-                                headers: { "Content-Type": "application/json" },
-                                body: JSON.stringify({ content: resource.content }),
-                            });
-                        }
-                    }
-                }
-                syncedPaths.push(resource.path);
-                // Update grant syncedAt if applicable
-                const grant = grants.find((g) => g.resourceId === resource.id && g.status === "active");
-                if (grant) {
-                    await db
-                        .update(schema.workspaceResourceGrants)
-                        .set({ syncedAt: timestamp, updatedAt: timestamp })
-                        .where(eq(schema.workspaceResourceGrants.id, grant.id));
-                }
-            }
-        }
-        catch {
-            // Skip unreachable — don't fail the whole sync
-        }
-    }
-    await recordAudit({
-        action: "workspace.resources.synced",
-        targetType: "workspace-resource-sync",
-        targetId: appId,
-        summary: `Synced ${syncedPaths.length} workspace resource(s) to ${appId}: ${syncedPaths.join(", ")}`,
-    });
-    return { appId, synced: syncedPaths.length, resources: syncedPaths };
-}
-/**
- * Sync all workspace resources to all apps that have grants or scope="all" resources.
- */
-export async function syncResourcesToAllApps() {
-    const agents = await discoverAgents("dispatch");
-    const results = [];
-    for (const agent of agents) {
-        try {
-            const result = await syncResourcesToApp(agent.id);
-            results.push({ appId: result.appId, synced: result.synced });
-        }
-        catch {
-            results.push({ appId: agent.id, synced: 0 });
-        }
-    }
-    return results;
-}
 // ─── Overview ──────────────────────────────────────────────────────
 export async function listWorkspaceResourcesOverview() {
     const [resources, grants] = await Promise.all([