@ian2018cs/agenthub 0.1.52 → 0.1.53

package/server/routes/agents.js

@@ -0,0 +1,838 @@
+import express from 'express';
+import { createHash } from 'crypto';
+import { promises as fs } from 'fs';
+import path from 'path';
+import { spawn } from 'child_process';
+import AdmZip from 'adm-zip';
+import { getUserPaths, getPublicPaths } from '../services/user-directories.js';
+import { scanAgents, ensureAgentRepo, incrementPatchVersion, publishAgentToRepo } from '../services/system-agent-repo.js';
+import { addProjectManually, loadProjectConfig, saveProjectConfig } from '../projects.js';
+import { agentSubmissionDb } from '../database/db.js';
+import { chatCompletion } from '../services/llm.js';
+
+const router = express.Router();
+
+// ─── helpers ──────────────────────────────────────────────────────────────────
+
+function isSshUrl(url) {
+  return /^[a-zA-Z0-9_-]+@[a-zA-Z0-9.-]+:.+$/.test(url);
+}
+
+function parseSshUrl(url) {
+  const match = url.match(/^[a-zA-Z0-9_-]+@([a-zA-Z0-9.-]+):(.+)$/);
+  if (!match) return null;
+  const host = match[1].toLowerCase();
+  const pathPart = match[2].replace(/\.git$/, '');
+  const parts = pathPart.split('/');
+  if (parts.length >= 2) return { host, owner: parts[0], repo: parts[1] };
+  return { host, owner: null, repo: null };
+}
+
+function parseGitUrl(url) {
+  if (isSshUrl(url)) {
+    const parsed = parseSshUrl(url);
+    if (parsed && parsed.owner && parsed.repo) return { owner: parsed.owner, repo: parsed.repo };
+    return null;
+  }
+  try {
+    const u = new URL(url);
+    const parts = u.pathname.replace(/^\//, '').replace(/\.git$/, '').split('/');
+    if (parts.length >= 2) return { owner: parts[0], repo: parts[1] };
+  } catch {}
+  return null;
+}
+
+function runGit(args, cwd = null) {
+  return new Promise((resolve, reject) => {
+    const opts = { stdio: ['ignore', 'pipe', 'pipe'], env: { ...process.env, GIT_TERMINAL_PROMPT: '0' } };
+    if (cwd) opts.cwd = cwd;
+    const proc = spawn('git', args, opts);
+    let stderr = '';
+    proc.stderr.on('data', d => { stderr += d.toString(); });
+    proc.on('close', code => {
+      if (code === 0) resolve();
+      else reject(new Error(stderr || `git ${args[0]} failed with code ${code}`));
+    });
+    proc.on('error', err => reject(err));
+  });
+}
+
+/**
+ * Ensure a skill repo is available for the user. Clone if needed.
+ * Returns the local path to the skill directory inside the repo.
+ */
+async function ensureSkillRepo(repoUrl, userUuid) {
+  const parsed = parseGitUrl(repoUrl);
+  if (!parsed) throw new Error(`Cannot parse git URL: ${repoUrl}`);
+
+  const { owner, repo } = parsed;
+  const publicPaths = getPublicPaths();
+  const userPaths = getUserPaths(userUuid);
+
+  const publicRepoPath = path.join(publicPaths.skillsRepoDir, owner, repo);
+  const userRepoPath = path.join(userPaths.skillsRepoDir, owner, repo);
+
+  // Clone to public dir if not present
+  try {
+    await fs.access(publicRepoPath);
+  } catch {
+    await fs.mkdir(path.dirname(publicRepoPath), { recursive: true });
+    await runGit(['clone', '--depth', '1', repoUrl, publicRepoPath]);
+    console.log(`[AgentInstall] Cloned skill repo ${repoUrl}`);
+  }
+
+  // Create user symlink if not present
+  try {
+    await fs.lstat(userRepoPath);
+  } catch {
+    await fs.mkdir(path.dirname(userRepoPath), { recursive: true });
+    await fs.symlink(publicRepoPath, userRepoPath);
+  }
+
+  return publicRepoPath;
+}
+
+/**
+ * Install a single skill by name from a given repo URL.
+ */
+async function installSkill(skillName, repoUrl, userUuid) {
+  const publicRepoPath = await ensureSkillRepo(repoUrl, userUuid);
+  const userPaths = getUserPaths(userUuid);
+
+  // Search for skill directory in repo (supports 1 level nesting)
+  const skillPath = await findSkillInRepo(publicRepoPath, skillName);
+  if (!skillPath) {
+    console.warn(`[AgentInstall] Skill "${skillName}" not found in repo`);
+    return false;
+  }
+
+  const linkPath = path.join(userPaths.skillsDir, skillName);
+  try { await fs.unlink(linkPath); } catch {}
+  await fs.symlink(skillPath, linkPath);
+  return true;
+}
+
+/** Get the git remote origin URL for a given local repo directory. */
+async function getGitRemoteUrl(repoDir) {
+  return new Promise((resolve) => {
+    const proc = spawn('git', ['remote', 'get-url', 'origin'], {
+      cwd: repoDir,
+      stdio: ['ignore', 'pipe', 'pipe']
+    });
+    let out = '';
+    proc.stdout.on('data', d => { out += d.toString(); });
+    proc.on('close', code => resolve(code === 0 ? out.trim() : ''));
+    proc.on('error', () => resolve(''));
+  });
+}
+
+/**
+ * Given a skill symlink path, resolve it and find the git repo root inside the
+ * public skills repo dir, then return its remote URL.
+ */
+async function getSkillRepoUrl(skillLinkPath, publicSkillsRepoDir) {
+  try {
+    const realTarget = await fs.realpath(skillLinkPath);
+    // Walk up from the symlink target until we find a .git directory
+    // that is still inside publicSkillsRepoDir
+    let dir = path.dirname(realTarget);
+    while (dir.startsWith(publicSkillsRepoDir) && dir !== publicSkillsRepoDir) {
+      try {
+        await fs.access(path.join(dir, '.git'));
+        return await getGitRemoteUrl(dir);
+      } catch {
+        dir = path.dirname(dir);
+      }
+    }
+  } catch {}
+  return '';
+}
+
+/**
+ * Scan the public mcp repo dir to find which cloned repo contains a given
+ * MCP service directory, and return that repo's remote URL.
+ */
+async function getMcpRepoUrl(mcpName, publicMcpRepoDir) {
+  try {
+    const owners = await fs.readdir(publicMcpRepoDir);
+    for (const owner of owners) {
+      const ownerDir = path.join(publicMcpRepoDir, owner);
+      let stat;
+      try { stat = await fs.stat(ownerDir); } catch { continue; }
+      if (!stat.isDirectory()) continue;
+      const repos = await fs.readdir(ownerDir);
+      for (const repo of repos) {
+        const repoDir = path.join(ownerDir, repo);
+        const mcpJsonPath = path.join(repoDir, mcpName, 'mcp.json');
+        try {
+          await fs.access(mcpJsonPath);
+          return await getGitRemoteUrl(repoDir);
+        } catch {}
+      }
+    }
+  } catch {}
+  return '';
+}
+
+/**
+ * Scan CLAUDE.md for referenced local files (markdown links, excluding URLs).
+ * Returns array of { path: relativePath, exists: bool }.
+ */
+async function scanClaudeMdRefs(projectPath) {
+  let content;
+  try {
+    content = await fs.readFile(path.join(projectPath, 'CLAUDE.md'), 'utf-8');
+  } catch {
+    return [];
+  }
+
+  // Match [text](path) — skip http/https/mailto/# links and anchors
+  const linkRe = /\[[^\]]*\]\(([^)]+)\)/g;
+  const seen = new Set();
+  const results = [];
+  let m;
+  while ((m = linkRe.exec(content)) !== null) {
+    let ref = m[1].split('#')[0].trim(); // strip fragment
+    if (!ref) continue;
+    if (/^https?:\/\/|^mailto:|^\/\//.test(ref)) continue; // skip absolute URLs
+    if (path.isAbsolute(ref)) continue; // skip absolute paths
+    if (seen.has(ref)) continue;
+    seen.add(ref);
+
+    const absPath = path.join(projectPath, ref);
+    let exists = false;
+    try { await fs.access(absPath); exists = true; } catch {}
+    results.push({ path: ref, exists });
+  }
+  return results;
+}
+
+async function findSkillInRepo(repoPath, skillName) {
+  // Direct match
+  const direct = path.join(repoPath, skillName);
+  try {
+    await fs.access(path.join(direct, 'SKILL.md'));
+    return direct;
+  } catch {}
+  // Nested under skills/
+  const nested = path.join(repoPath, 'skills', skillName);
+  try {
+    await fs.access(path.join(nested, 'SKILL.md'));
+    return nested;
+  } catch {}
+  return null;
+}
+
+/**
+ * Ensure an MCP repo is available for the user. Clone if needed.
+ */
+async function ensureMcpRepo(repoUrl, userUuid) {
+  const parsed = parseGitUrl(repoUrl);
+  if (!parsed) throw new Error(`Cannot parse git URL: ${repoUrl}`);
+
+  const { owner, repo } = parsed;
+  const publicPaths = getPublicPaths();
+  const userPaths = getUserPaths(userUuid);
+
+  const publicRepoPath = path.join(publicPaths.mcpRepoDir, owner, repo);
+  const userRepoPath = path.join(userPaths.mcpRepoDir, owner, repo);
+
+  try {
+    await fs.access(publicRepoPath);
+  } catch {
+    await fs.mkdir(path.dirname(publicRepoPath), { recursive: true });
+    await runGit(['clone', '--depth', '1', repoUrl, publicRepoPath]);
+    console.log(`[AgentInstall] Cloned MCP repo ${repoUrl}`);
+  }
+
+  try {
+    await fs.lstat(userRepoPath);
+  } catch {
+    await fs.mkdir(path.dirname(userRepoPath), { recursive: true });
+    await fs.symlink(publicRepoPath, userRepoPath);
+  }
+
+  return publicRepoPath;
+}
+
+/**
+ * Install a single MCP server by service dir name from a given repo URL.
+ */
+async function installMcp(mcpName, repoUrl, userUuid) {
+  const publicRepoPath = await ensureMcpRepo(repoUrl, userUuid);
+  const userPaths = getUserPaths(userUuid);
+
+  // Find service directory
+  const servicePath = path.join(publicRepoPath, mcpName);
+  const mcpJsonPath = path.join(servicePath, 'mcp.json');
+  let mcpJson;
+  try {
+    mcpJson = JSON.parse(await fs.readFile(mcpJsonPath, 'utf-8'));
+  } catch {
+    console.warn(`[AgentInstall] mcp.json not found for "${mcpName}"`);
+    return false;
+  }
+
+  // Write to user's .claude.json
+  const claudeJsonPath = path.join(userPaths.claudeDir, '.claude.json');
+  let claudeConfig = {};
+  try {
+    claudeConfig = JSON.parse(await fs.readFile(claudeJsonPath, 'utf-8'));
+  } catch {
+    claudeConfig = { hasCompletedOnboarding: true };
+  }
+  claudeConfig.mcpServers = { ...(claudeConfig.mcpServers || {}), ...mcpJson };
+  await fs.writeFile(claudeJsonPath, JSON.stringify(claudeConfig, null, 2), 'utf-8');
+  return true;
+}
+
+// ─── Routes ──────────────────────────────────────────────────────────────────
+
+/**
+ * GET /api/agents
+ * List all available agents from the system agent repo
+ */
+router.get('/', async (_req, res) => {
+  try {
+    const agents = await scanAgents();
+    res.json({ agents });
+  } catch (error) {
+    console.error('Error listing agents:', error);
+    res.status(500).json({ error: 'Failed to list agents', details: error.message });
+  }
+});
+
+/**
+ * POST /api/agents/refresh
+ * Pull the latest changes from the agent repo
+ */
+router.post('/refresh', async (_req, res) => {
+  try {
+    await ensureAgentRepo();
+    const agents = await scanAgents();
+    res.json({ success: true, agentCount: agents.length });
+  } catch (error) {
+    console.error('Error refreshing agent repo:', error);
+    res.status(500).json({ error: 'Failed to refresh agent repo', details: error.message });
+  }
+});
+
+/**
+ * POST /api/agents/install
+ * Install an agent: create project, copy CLAUDE.md, install Skills + MCPs
+ */
+router.post('/install', async (req, res) => {
+  try {
+    const userUuid = req.user?.uuid;
+    if (!userUuid) return res.status(401).json({ error: 'User authentication required' });
+
+    const { agentName, force = false } = req.body;
+    if (!agentName) return res.status(400).json({ error: 'agentName is required' });
+
+    // Scan to find the agent
+    const agents = await scanAgents();
+    const agent = agents.find(a => a.name === agentName || a.dirName === agentName);
+    if (!agent) return res.status(404).json({ error: `Agent "${agentName}" not found` });
+
+    const userPaths = getUserPaths(userUuid);
+    const projectDir = path.join(userPaths.projectsDir, agentName);
+
+    // Create project directory
+    await fs.mkdir(projectDir, { recursive: true });
+
+    // Register project (idempotent)
+    let project;
+    try {
+      project = await addProjectManually(projectDir, agent.display_name || agentName, userUuid);
+    } catch (err) {
+      // Project already exists — load from config
+      const config = await loadProjectConfig(userUuid);
+      const projectKey = projectDir.replace(/\//g, '-');
+      const entry = config[projectKey] || {};
+      project = {
+        name: projectKey,
+        path: projectDir,
+        fullPath: projectDir,
+        displayName: entry.displayName || agentName,
+        isManuallyAdded: true,
+        sessions: []
+      };
+    }
+
+    // CLAUDE.md conflict check (only when updating an existing install)
+    let claudeMdHash = '';
+    if (agent.hasClaudeMd && !force) {
+      const existingConfig = await loadProjectConfig(userUuid);
+      const existingKey = projectDir.replace(/\//g, '-');
+      const storedHash = existingConfig[existingKey]?.agentInfo?.claudeMdHash;
+      if (storedHash) {
+        try {
+          const localContent = await fs.readFile(path.join(projectDir, 'CLAUDE.md'), 'utf-8');
+          const localHash = createHash('sha256').update(localContent).digest('hex');
+          if (localHash !== storedHash) {
+            let repoContent = '';
+            try { repoContent = await fs.readFile(path.join(agent.path, 'CLAUDE.md'), 'utf-8'); } catch {}
+            return res.status(409).json({
+              conflict: true,
+              error: '本地 CLAUDE.md 已被修改，更新将覆盖本地改动',
+              localContent,
+              repoContent
+            });
+          }
+        } catch {}
+      }
+    }
+
+    // Copy all agent files to project directory (excluding agent.yaml metadata)
+    // This includes CLAUDE.md and any referenced files in subdirectories
+    try {
+      const agentEntries = await fs.readdir(agent.path, { withFileTypes: true });
+      for (const entry of agentEntries) {
+        if (entry.name === 'agent.yaml') continue;
+        const src = path.join(agent.path, entry.name);
+        const dst = path.join(projectDir, entry.name);
+        if (entry.isDirectory()) {
+          await fs.cp(src, dst, { recursive: true, force: true });
+        } else {
+          await fs.copyFile(src, dst);
+          if (entry.name === 'CLAUDE.md') {
+            try {
+              const content = await fs.readFile(dst, 'utf-8');
+              claudeMdHash = createHash('sha256').update(content).digest('hex');
+            } catch {}
+          }
+        }
+      }
+    } catch (err) {
+      console.error('[AgentInstall] Failed to copy agent files:', err.message);
+    }
+
+    // Install skills
+    const skillResults = [];
+    for (const skill of agent.skills || []) {
+      if (!skill.name || !skill.repo) continue;
+      try {
+        const ok = await installSkill(skill.name, skill.repo, userUuid);
+        skillResults.push({ name: skill.name, success: ok });
+      } catch (err) {
+        console.error(`[AgentInstall] Failed to install skill "${skill.name}":`, err.message);
+        skillResults.push({ name: skill.name, success: false, error: err.message });
+      }
+    }
+
+    // Install MCPs
+    const mcpResults = [];
+    for (const mcp of agent.mcps || []) {
+      if (!mcp.name || !mcp.repo) continue;
+      try {
+        const ok = await installMcp(mcp.name, mcp.repo, userUuid);
+        mcpResults.push({ name: mcp.name, success: ok });
+      } catch (err) {
+        console.error(`[AgentInstall] Failed to install MCP "${mcp.name}":`, err.message);
+        mcpResults.push({ name: mcp.name, success: false, error: err.message });
+      }
+    }
+
+    // Mark project as agent in project-config.json
+    const config = await loadProjectConfig(userUuid);
+    const projectKey = projectDir.replace(/\//g, '-');
+    config[projectKey] = {
+      ...(config[projectKey] || {}),
+      agentInfo: {
+        agentName: agent.dirName || agentName,
+        installedVersion: agent.version,
+        installedAt: new Date().toISOString(),
+        isAgent: true,
+        claudeMdHash
+      }
+    };
+    await saveProjectConfig(config, userUuid);
+
+    res.json({
+      success: true,
+      project: { ...project, agentInfo: config[projectKey].agentInfo },
+      skills: skillResults,
+      mcps: mcpResults
+    });
+  } catch (error) {
+    console.error('Error installing agent:', error);
+    res.status(500).json({ error: 'Failed to install agent', details: error.message });
+  }
+});
+
+/**
+ * GET /api/agents/preview
+ * Preview what files/skills/MCPs a project would include if submitted as an Agent
+ */
+router.get('/preview', async (req, res) => {
+  try {
+    const userUuid = req.user?.uuid;
+    if (!userUuid) return res.status(401).json({ error: 'User authentication required' });
+
+    const { projectKey } = req.query;
+    if (!projectKey) return res.status(400).json({ error: 'projectKey is required' });
+
+    const config = await loadProjectConfig(userUuid);
+    const entry = config[projectKey];
+    if (!entry) return res.status(404).json({ error: 'Project not found' });
+
+    const projectPath = entry.originalPath || projectKey.replace(/-/g, '/');
+    const userPaths = getUserPaths(userUuid);
+
+    // Check CLAUDE.md
+    let hasClaudeMd = false;
+    try { await fs.access(path.join(projectPath, 'CLAUDE.md')); hasClaudeMd = true; } catch {}
+
+    // Get installed skills with repo URLs
+    const skills = [];
+    const publicPaths = getPublicPaths();
+    try {
+      const skillNames = await fs.readdir(userPaths.skillsDir);
+      for (const name of skillNames) {
+        if (name.startsWith('.')) continue;
+        const linkPath = path.join(userPaths.skillsDir, name);
+        const repo = await getSkillRepoUrl(linkPath, publicPaths.skillsRepoDir);
+        skills.push({ name, repo });
+      }
+    } catch {}
+
+    // Get configured MCPs from .claude.json with repo URLs
+    const mcps = [];
+    try {
+      const claudeJsonPath = path.join(userPaths.claudeDir, '.claude.json');
+      const claudeConfig = JSON.parse(await fs.readFile(claudeJsonPath, 'utf-8'));
+      for (const name of Object.keys(claudeConfig.mcpServers || {})) {
+        const repo = await getMcpRepoUrl(name, publicPaths.mcpRepoDir);
+        mcps.push({ name, repo });
+      }
+    } catch {}
+
+    // Scan CLAUDE.md for referenced local files
+    const refFiles = await scanClaudeMdRefs(projectPath);
+
+    res.json({ hasClaudeMd, skills, mcps, refFiles });
+  } catch (error) {
+    console.error('Error getting agent preview:', error);
+    res.status(500).json({ error: 'Failed to get preview', details: error.message });
+  }
+});
+
+/**
+ * POST /api/agents/generate-description
+ * Use LLM to generate an Agent description based on CLAUDE.md + selected skills/MCPs.
+ */
+router.post('/generate-description', async (req, res) => {
+  try {
+    const userUuid = req.user?.uuid;
+    if (!userUuid) return res.status(401).json({ error: 'User authentication required' });
+
+    const { projectKey, skills = [], mcps = [] } = req.body;
+    if (!projectKey) return res.status(400).json({ error: 'projectKey is required' });
+
+    const config = await loadProjectConfig(userUuid);
+    const entry = config[projectKey];
+    if (!entry) return res.status(404).json({ error: 'Project not found' });
+
+    const projectPath = entry.originalPath || projectKey.replace(/-/g, '/');
+
+    // Read CLAUDE.md if available
+    let claudeMdContent = '';
+    try {
+      claudeMdContent = await fs.readFile(path.join(projectPath, 'CLAUDE.md'), 'utf-8');
+    } catch { /* optional */ }
+
+    // Build context for LLM
+    const skillList = skills.length > 0 ? skills.map(s => `- ${s}`).join('\n') : '(无)';
+    const mcpList = mcps.length > 0 ? mcps.map(m => `- ${m}`).join('\n') : '(无)';
+
+    const systemPrompt = `你是一个技术文档专家，专门为 AI Agent 编写简洁、清晰的功能描述。
+描述应该：
+- 简明扼要，2-4 句话
+- 说明 Agent 的主要用途和能力
+- 自然流畅，不使用模板化套话
+- 使用中文
+只输出描述内容，不要有前缀或标题。`;
+
+    const userPrompt = `请根据以下信息，为这个 Claude Agent 生成一段功能描述：
+
+${claudeMdContent ? `## CLAUDE.md 内容\n${claudeMdContent.slice(0, 3000)}\n` : '## CLAUDE.md\n(未找到)\n'}
+## 已集成的 Skills
+${skillList}
+
+## 已集成的 MCP 服务
+${mcpList}`;
+
+    const description = await chatCompletion({
+      systemPrompt,
+      userPrompt,
+      model: process.env.LLM_DEFAULT_MODEL || 'gemini-3.1-flash-lite-preview',
+      maxTokens: 300,
+      temperature: 0.7
+    });
+
+    res.json({ description });
+  } catch (error) {
+    console.error('Error generating description:', error);
+    res.status(500).json({ error: error.message || 'Failed to generate description' });
+  }
+});
+
+/**
+ * POST /api/agents/submit
+ * Submit a project as an agent for review.
+ * Builds the ZIP server-side from the project's CLAUDE.md + agent.yaml (provided in body).
+ */
+router.post('/submit', async (req, res) => {
+  try {
+    const userUuid = req.user?.uuid;
+    const userId = req.user?.id;
+    if (!userUuid || !userId) return res.status(401).json({ error: 'User authentication required' });
+
+    const { agentName, displayName, description, projectKey, agentYaml, refFiles = [] } = req.body;
+    if (!agentName) return res.status(400).json({ error: 'agentName is required' });
+    if (!displayName) return res.status(400).json({ error: 'displayName is required' });
+    if (!projectKey) return res.status(400).json({ error: 'projectKey is required' });
+    if (!agentYaml) return res.status(400).json({ error: 'agentYaml is required' });
+    if (!/^[a-zA-Z0-9_-]{1,100}$/.test(agentName)) {
+      return res.status(400).json({ error: 'agentName must be 1-100 alphanumeric, hyphen, or underscore characters' });
+    }
+
+    // Resolve project path from config
+    const config = await loadProjectConfig(userUuid);
+    const entry = config[projectKey];
+    if (!entry) return res.status(404).json({ error: 'Project not found' });
+    const projectPath = entry.originalPath || projectKey.replace(/-/g, '/');
+
+    // Build ZIP: agent.yaml + CLAUDE.md (if exists)
+    const zip = new AdmZip();
+    zip.addFile('agent.yaml', Buffer.from(agentYaml, 'utf-8'));
+
+    try {
+      const claudeMdContent = await fs.readFile(path.join(projectPath, 'CLAUDE.md'), 'utf-8');
+      zip.addFile('CLAUDE.md', Buffer.from(claudeMdContent, 'utf-8'));
+    } catch {
+      // CLAUDE.md is optional - add a placeholder
+      zip.addFile('CLAUDE.md', Buffer.from('# Agent\n', 'utf-8'));
+    }
+
+    // Include selected referenced files, preserving relative paths
+    for (const refPath of refFiles) {
+      if (!refPath || path.isAbsolute(refPath)) continue;
+      const absRef = path.resolve(projectPath, refPath);
+      // Security: ensure the resolved path stays within the project directory
+      if (!absRef.startsWith(path.resolve(projectPath) + path.sep)) continue;
+      try {
+        const content = await fs.readFile(absRef);
+        zip.addFile(refPath, content);
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+
+    // Save ZIP to disk
+    const publicPaths = getPublicPaths();
+    const userSubmitDir = path.join(publicPaths.agentSubmissionsDir, String(userId));
+    await fs.mkdir(userSubmitDir, { recursive: true });
+
+    const timestamp = Date.now();
+    const zipPath = path.join(userSubmitDir, `${agentName}-${timestamp}.zip`);
+    await fs.writeFile(zipPath, zip.toBuffer());
+
+    // Save to DB
+    const submissionId = agentSubmissionDb.create({
+      userId,
+      agentName,
+      displayName,
+      description: description || '',
+      zipPath
+    });
+
+    res.json({
+      success: true,
+      submissionId,
+      message: 'Agent 已提交审核，管理员审核通过后将发布到仓库。'
+    });
+  } catch (error) {
+    console.error('Error submitting agent:', error);
+    res.status(500).json({ error: 'Failed to submit agent', details: error.message });
+  }
+});
+
+/**
+ * GET /api/agents/submissions/my
+ * Get current user's submissions
+ */
+router.get('/submissions/my', async (req, res) => {
+  try {
+    const userId = req.user?.id;
+    if (!userId) return res.status(401).json({ error: 'User authentication required' });
+
+    const submissions = agentSubmissionDb.listByUser(userId);
+    res.json({ submissions });
+  } catch (error) {
+    console.error('Error fetching submissions:', error);
+    res.status(500).json({ error: 'Failed to fetch submissions', details: error.message });
+  }
+});
+
+/**
+ * GET /api/agents/submissions
+ * List all submissions (admin only)
+ */
+router.get('/submissions', async (req, res) => {
+  try {
+    const userRole = req.user?.role;
+    if (userRole !== 'admin' && userRole !== 'super_admin') {
+      return res.status(403).json({ error: 'Admin access required' });
+    }
+
+    const { status } = req.query;
+    const submissions = agentSubmissionDb.listAll(status || null);
+    res.json({ submissions });
+  } catch (error) {
+    console.error('Error fetching submissions:', error);
+    res.status(500).json({ error: 'Failed to fetch submissions', details: error.message });
+  }
+});
+
+/**
+ * GET /api/agents/submissions/:id/contents
+ * Return the text content of files inside the submission ZIP (admin only)
+ */
+router.get('/submissions/:id/contents', async (req, res) => {
+  try {
+    const userRole = req.user?.role;
+    if (userRole !== 'admin' && userRole !== 'super_admin') {
+      return res.status(403).json({ error: 'Admin access required' });
+    }
+
+    const submission = agentSubmissionDb.getById(req.params.id);
+    if (!submission) return res.status(404).json({ error: 'Submission not found' });
+
+    let zipBuffer;
+    try {
+      zipBuffer = await fs.readFile(submission.zip_path);
+    } catch {
+      return res.status(404).json({ error: 'Submission ZIP file not found' });
+    }
+
+    const zip = new AdmZip(zipBuffer);
+    const files = [];
+    for (const entry of zip.getEntries()) {
+      if (entry.isDirectory) continue;
+      const name = entry.entryName;
+      const content = entry.getData().toString('utf-8');
+      files.push({ name, content });
+    }
+    // Sort: agent.yaml first, CLAUDE.md second, rest alphabetically
+    files.sort((a, b) => {
+      const order = { 'agent.yaml': 0, 'CLAUDE.md': 1 };
+      const oa = order[a.name] ?? 99;
+      const ob = order[b.name] ?? 99;
+      if (oa !== ob) return oa - ob;
+      return a.name.localeCompare(b.name);
+    });
+
+    res.json({ files });
+  } catch (error) {
+    console.error('Error reading submission contents:', error);
+    res.status(500).json({ error: 'Failed to read submission contents', details: error.message });
+  }
+});
+
+/**
+ * POST /api/agents/submissions/:id/approve
+ * Approve a submission and publish to git repo (admin only)
+ */
+router.post('/submissions/:id/approve', async (req, res) => {
+  try {
+    const userRole = req.user?.role;
+    const reviewerId = req.user?.id;
+    if (userRole !== 'admin' && userRole !== 'super_admin') {
+      return res.status(403).json({ error: 'Admin access required' });
+    }
+
+    const submission = agentSubmissionDb.getById(req.params.id);
+    if (!submission) return res.status(404).json({ error: 'Submission not found' });
+    if (submission.status !== 'pending') {
+      return res.status(400).json({ error: 'Submission is not pending' });
+    }
+
+    // Read ZIP and extract
+    let zipBuffer;
+    try {
+      zipBuffer = await fs.readFile(submission.zip_path);
+    } catch {
+      return res.status(500).json({ error: 'Could not read submission ZIP' });
+    }
+
+    const zip = new AdmZip(zipBuffer);
+    const publicPaths = getPublicPaths();
+    const extractDir = path.join(publicPaths.agentSubmissionsDir, 'extracted', String(submission.id));
+    await fs.mkdir(extractDir, { recursive: true });
+    zip.extractAllTo(extractDir, true);
+
+    // Determine new version
+    const agents = await scanAgents();
+    const existing = agents.find(a => a.dirName === submission.agent_name || a.name === submission.agent_name);
+    const newVersion = existing ? incrementPatchVersion(existing.version) : '1.0.0';
+
+    // Get submitter name for commit message
+    const submitter = submission.username || submission.email || `user-${submission.user_id}`;
+
+    // Publish to git repo
+    try {
+      await publishAgentToRepo(submission.agent_name, extractDir, newVersion, submitter);
+    } catch (err) {
+      return res.status(500).json({ error: 'Failed to publish to git repo', details: err.message });
+    }
+
+    // Update DB
+    agentSubmissionDb.updateStatus(submission.id, 'approved', {
+      version: newVersion,
+      reviewedBy: reviewerId
+    });
+
+    // Cleanup extracted dir
+    fs.rm(extractDir, { recursive: true, force: true }).catch(() => {});
+
+    res.json({ success: true, version: newVersion });
+  } catch (error) {
+    console.error('Error approving submission:', error);
+    res.status(500).json({ error: 'Failed to approve submission', details: error.message });
+  }
+});
+
+/**
+ * POST /api/agents/submissions/:id/reject
+ * Reject a submission (admin only)
+ */
+router.post('/submissions/:id/reject', async (req, res) => {
+  try {
+    const userRole = req.user?.role;
+    const reviewerId = req.user?.id;
+    if (userRole !== 'admin' && userRole !== 'super_admin') {
+      return res.status(403).json({ error: 'Admin access required' });
+    }
+
+    const submission = agentSubmissionDb.getById(req.params.id);
+    if (!submission) return res.status(404).json({ error: 'Submission not found' });
+    if (submission.status !== 'pending') {
+      return res.status(400).json({ error: 'Submission is not pending' });
+    }
+
+    const { reason } = req.body;
+
+    agentSubmissionDb.updateStatus(submission.id, 'rejected', {
+      rejectReason: reason || '',
+      reviewedBy: reviewerId
+    });
+
+    res.json({ success: true });
+  } catch (error) {
+    console.error('Error rejecting submission:', error);
+    res.status(500).json({ error: 'Failed to reject submission', details: error.message });
+  }
+});
+
+export default router;