@jungjaehoon/mama-os 0.18.2 → 0.19.0

package/dist/api/graph-api.js

@@ -10,11 +10,12 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.VIEWER_JS_PATH = exports.VIEWER_CSS_PATH = exports.VIEWER_HTML_PATH = exports.DEFAULT_GRAPH_LIMIT = void 0;
+exports.VIEWER_CSS_PATH = exports.VIEWER_HTML_PATH = exports.DEFAULT_GRAPH_LIMIT = void 0;
 exports.createGraphHandler = createGraphHandler;
 exports.mapDecisionRowToGraphNode = mapDecisionRowToGraphNode;
 exports.parseGraphLimit = parseGraphLimit;
 exports.buildGraphMeta = buildGraphMeta;
+exports.validateConfigUpdate = validateConfigUpdate;
 exports.getAllNodes = getAllNodes;
 exports.getAllEdges = getAllEdges;
 exports.getAllCheckpoints = getAllCheckpoints;
@@ -26,6 +27,9 @@ const path_1 = __importDefault(require("path"));
 const os_1 = __importDefault(require("os"));
 const js_yaml_1 = __importDefault(require("js-yaml"));
 const auth_middleware_js_1 = require("./auth-middleware.js");
+const agent_handler_js_1 = require("./agent-handler.js");
+const ui_command_handler_js_1 = require("./ui-command-handler.js");
+const store_js_1 = require("../validation/store.js");
 // mama-core is pure JS with no .d.ts — require + any is intentional
 // eslint-disable-next-line @typescript-eslint/no-require-imports
 const { getAdapter, initDB, vectorSearch } = require('@jungjaehoon/mama-core/memory-store');
@@ -62,8 +66,6 @@ const VIEWER_HTML_PATH = path_1.default.join(VIEWER_DIR, 'viewer.html');
 exports.VIEWER_HTML_PATH = VIEWER_HTML_PATH;
 const VIEWER_CSS_PATH = path_1.default.join(VIEWER_DIR, 'viewer.css');
 exports.VIEWER_CSS_PATH = VIEWER_CSS_PATH;
-const VIEWER_JS_PATH = path_1.default.join(VIEWER_DIR, 'viewer.js');
-exports.VIEWER_JS_PATH = VIEWER_JS_PATH;
 const SW_JS_PATH = path_1.default.join(VIEWER_DIR, 'sw.js');
 const MANIFEST_JSON_PATH = path_1.default.join(VIEWER_DIR, 'manifest.json');
 const VIEWER_ICON_DIR = path_1.default.join(VIEWER_DIR, 'icons');
@@ -76,6 +78,14 @@ const SIMILAR_QUERY_DECISION_CHARS = 400;
 // Model pattern helpers (used in multiple validation functions)
 const isClaudeModel = (model) => /^claude-/i.test(model);
 const isCodexModel = (model) => /^(gpt-|o\d|codex)/i.test(model);
+const supportedManagedBackends = ['claude', 'codex', 'codex-mcp', 'gemini'];
+const isCodexFamilyBackend = (backend) => backend === 'codex' || backend === 'codex-mcp';
+const VALIDATION_TRIGGER_TYPES = new Set([
+    'agent_test',
+    'delegate_run',
+    'system_run',
+    'audit',
+]);
 const isOpus46Model = (model) => /^claude-opus-4-6(?:$|-)/i.test(model) || model.toLowerCase() === 'claude-opus-4-latest';
 const VALID_EFFORT_LEVELS = new Set(['low', 'medium', 'high', 'max']);
 // Allowed directories for persona files (security: prevent arbitrary file read)
@@ -313,9 +323,6 @@ function handleViewerRequest(_req, res) {
 function handleCssRequest(_req, res) {
     serveStaticFile(res, VIEWER_CSS_PATH, 'text/css');
 }
-function handleJsRequest(_req, res) {
-    serveStaticFile(res, VIEWER_JS_PATH, 'application/javascript');
-}
 async function handleGraphRequest(_req, res, params) {
     const startTime = Date.now();
     try {
@@ -450,6 +457,28 @@ function readBody(req) {
         req.on('error', reject);
     });
 }
+async function readBodyOrRespond(req, res) {
+    try {
+        return await readBody(req);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        const statusCode = message === 'Invalid JSON'
+            ? 400
+            : message.includes('Request body too large (max 1MB)')
+                ? 413
+                : 500;
+        res.writeHead(statusCode, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({
+            error: message === 'Invalid JSON'
+                ? 'Invalid JSON'
+                : message.includes('Request body too large (max 1MB)')
+                    ? 'Request body too large (max 1MB)'
+                    : message,
+        }));
+        return null;
+    }
+}
 async function handleUpdateRequest(req, res) {
     try {
         const body = await readBody(req);
@@ -783,6 +812,20 @@ async function handleCheckpointsRequest(_req, res) {
     }
 }
 function createGraphHandler(options = {}) {
+    const parsePositiveInt = (value, fallback, max) => {
+        const parsed = Number.parseInt(value ?? '', 10);
+        if (!Number.isFinite(parsed) || parsed < 1) {
+            return fallback;
+        }
+        return Math.min(parsed, max);
+    };
+    const parseValidationTriggerType = (value) => {
+        if (!value) {
+            return null;
+        }
+        const normalized = value.trim().toLowerCase();
+        return VALIDATION_TRIGGER_TYPES.has(normalized) ? normalized : null;
+    };
     return async function graphHandler(req, res) {
         if (!req.url) {
             res.writeHead(400, { 'Content-Type': 'text/plain' });
@@ -826,16 +869,6 @@ function createGraphHandler(options = {}) {
             handleCssRequest(req, res);
             return true;
         }
-        // Route: GET/HEAD /viewer.css - serve stylesheet (legacy path)
-        if (pathname === '/viewer.css' && (req.method === 'GET' || req.method === 'HEAD')) {
-            handleCssRequest(req, res);
-            return true;
-        }
-        // Route: GET/HEAD /viewer.js - serve JavaScript
-        if (pathname === '/viewer.js' && (req.method === 'GET' || req.method === 'HEAD')) {
-            handleJsRequest(req, res);
-            return true;
-        }
         // Route: GET/HEAD /sw.js - serve Service Worker
         if (pathname === '/sw.js' && (req.method === 'GET' || req.method === 'HEAD')) {
             serveStaticFile(res, SW_JS_PATH, 'application/javascript');
@@ -851,11 +884,6 @@ function createGraphHandler(options = {}) {
             serveStaticFile(res, MANIFEST_JSON_PATH, 'application/json');
             return true;
         }
-        // Route: GET/HEAD /manifest.json - legacy or custom host compatibility
-        if (pathname === '/manifest.json' && (req.method === 'GET' || req.method === 'HEAD')) {
-            serveStaticFile(res, MANIFEST_JSON_PATH, 'application/json');
-            return true;
-        }
         // Route: GET/HEAD /favicon.ico - serve favicon
         if (pathname === '/favicon.ico' && (req.method === 'GET' || req.method === 'HEAD')) {
             serveStaticFile(res, VIEWER_FAVICON_PATH, 'image/x-icon');
@@ -897,24 +925,6 @@ function createGraphHandler(options = {}) {
             serveStaticFile(res, filePath, 'application/javascript');
             return true;
         }
-        // Route: GET/HEAD /js/utils/*.js - serve utility modules (legacy path)
-        if (pathname.startsWith('/js/utils/') &&
-            pathname.endsWith('.js') &&
-            (req.method === 'GET' || req.method === 'HEAD')) {
-            const fileName = pathname.split('/').pop();
-            const filePath = path_1.default.join(VIEWER_DIR, 'js', 'utils', fileName);
-            serveStaticFile(res, filePath, 'application/javascript');
-            return true;
-        }
-        // Route: GET/HEAD /js/modules/*.js - serve feature modules (legacy path)
-        if (pathname.startsWith('/js/modules/') &&
-            pathname.endsWith('.js') &&
-            (req.method === 'GET' || req.method === 'HEAD')) {
-            const fileName = pathname.split('/').pop();
-            const filePath = path_1.default.join(VIEWER_DIR, 'js', 'modules', fileName);
-            serveStaticFile(res, filePath, 'application/javascript');
-            return true;
-        }
         // ── Auth gate: all routes below require authentication ──
         // Static assets (viewer, css, js, icons) are served above without auth.
         // All data API routes below must pass isAuthenticated().
@@ -1269,6 +1279,425 @@ function createGraphHandler(options = {}) {
             await handleExportRequest(req, res, params);
             return true;
         }
+        // ── UI Command API (SmartStore bidirectional communication) ──
+        // Route: GET /api/ui/commands — viewer polls for pending commands
+        if (pathname === '/api/ui/commands' && req.method === 'GET') {
+            if (options.uiCommandQueue) {
+                (0, ui_command_handler_js_1.handleGetUICommands)(res, options.uiCommandQueue);
+            }
+            else {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ commands: [] }));
+            }
+            return true;
+        }
+        // Route: GET /api/ui/page-context — agent reads current viewer state
+        if (pathname === '/api/ui/page-context' && req.method === 'GET') {
+            if (options.uiCommandQueue) {
+                const { handleGetPageContext } = await import('./ui-command-handler.js');
+                handleGetPageContext(res, options.uiCommandQueue);
+            }
+            else {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ success: true, context: null }));
+            }
+            return true;
+        }
+        // Route: POST /api/ui/page-context — viewer reports current page state
+        if (pathname === '/api/ui/page-context' && req.method === 'POST') {
+            if (options.uiCommandQueue) {
+                const body = await readBodyOrRespond(req, res);
+                if (!body) {
+                    return true;
+                }
+                (0, ui_command_handler_js_1.handlePostPageContext)(res, body, options.uiCommandQueue);
+            }
+            else {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ success: true }));
+            }
+            return true;
+        }
+        // Route: POST /api/ui/commands — agent pushes UI commands
+        if (pathname === '/api/ui/commands' && req.method === 'POST') {
+            if (options.uiCommandQueue) {
+                const body = await readBodyOrRespond(req, res);
+                if (!body) {
+                    return true;
+                }
+                (0, ui_command_handler_js_1.handlePostUICommand)(res, body, options.uiCommandQueue);
+            }
+            else {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ success: true }));
+            }
+            return true;
+        }
+        // Route: POST /api/ui/commands/ack — viewer acknowledges applied commands
+        if (pathname === '/api/ui/commands/ack' && req.method === 'POST') {
+            if (options.uiCommandQueue) {
+                const body = await readBodyOrRespond(req, res);
+                if (!body) {
+                    return true;
+                }
+                const { handlePostUICommandAck } = await import('./ui-command-handler.js');
+                handlePostUICommandAck(res, body, options.uiCommandQueue);
+            }
+            else {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ success: true, acknowledged: 0 }));
+            }
+            return true;
+        }
+        // ── Agent Management API (Managed Agents pattern) ──
+        // Route: GET /api/agents/:id/versions/:v1/compare/:v2 — before/after (must be before /api/agents/:id)
+        if (pathname.match(/^\/api\/agents\/[^/]+\/versions\/\d+\/compare\/\d+$/) &&
+            req.method === 'GET') {
+            const parts = pathname.split('/');
+            const agentId = decodeURIComponent(parts[3]);
+            const v1 = parseInt(parts[5], 10);
+            const v2 = parseInt(parts[7], 10);
+            if (options.sessionsDb) {
+                (0, agent_handler_js_1.handleCompareVersions)(res, agentId, v1, v2, options.sessionsDb);
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: GET /api/agents/:id/versions — version history
+        if (pathname.match(/^\/api\/agents\/[^/]+\/versions$/) && req.method === 'GET') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            if (options.sessionsDb) {
+                (0, agent_handler_js_1.handleListVersions)(res, agentId, options.sessionsDb);
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: GET /api/agents/:id/metrics?from=&to= — metrics for period
+        if (pathname.match(/^\/api\/agents\/[^/]+\/metrics$/) && req.method === 'GET') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            // Parse query params from raw URL
+            const rawUrl = req.url || pathname;
+            const qIdx = rawUrl.indexOf('?');
+            const params = qIdx >= 0 ? new URLSearchParams(rawUrl.slice(qIdx)) : new URLSearchParams();
+            const from = params.get('from') || '2020-01-01';
+            const to = params.get('to') || '2099-12-31';
+            if (options.sessionsDb) {
+                (0, agent_handler_js_1.handleGetAgentMetrics)(res, agentId, from, to, options.sessionsDb);
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: GET /api/agents/:id/activity?limit= — activity log
+        if (pathname.match(/^\/api\/agents\/[^/]+\/activity$/) && req.method === 'GET') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            const rawUrl = req.url || pathname;
+            const qIdx = rawUrl.indexOf('?');
+            const params = qIdx >= 0 ? new URLSearchParams(rawUrl.slice(qIdx)) : new URLSearchParams();
+            const limit = parsePositiveInt(params.get('limit'), 20, 100);
+            if (options.sessionsDb) {
+                (0, agent_handler_js_1.handleGetAgentActivity)(res, agentId, options.sessionsDb, limit);
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: POST /api/agents/:id/archive — archive agent
+        if (pathname.match(/^\/api\/agents\/[^/]+\/archive$/) && req.method === 'POST') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            if (options.sessionsDb) {
+                (0, agent_handler_js_1.handleArchiveAgent)(res, agentId, options.sessionsDb);
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // ── Validation API ──────────────────────────────────────────────────
+        // Route: GET /api/agents/:id/validation/summary?trigger_type=
+        if (pathname.match(/^\/api\/agents\/[^/]+\/validation\/summary$/) && req.method === 'GET') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            if (options.sessionsDb) {
+                const triggerType = parseValidationTriggerType(params.get('trigger_type'));
+                if (!triggerType) {
+                    res.writeHead(400, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'trigger_type required' }));
+                    return true;
+                }
+                const summary = (0, store_js_1.getValidationSummary)(options.sessionsDb, agentId, triggerType);
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ summary }));
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: GET /api/agents/:id/validation/history?trigger_type=
+        if (pathname.match(/^\/api\/agents\/[^/]+\/validation\/history$/) && req.method === 'GET') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            if (options.sessionsDb) {
+                const rawUrl = req.url || pathname;
+                const qIdx = rawUrl.indexOf('?');
+                const params = qIdx >= 0 ? new URLSearchParams(rawUrl.slice(qIdx)) : new URLSearchParams();
+                const limit = parsePositiveInt(params.get('limit'), 50, 200);
+                const triggerType = parseValidationTriggerType(params.get('trigger_type'));
+                if (!triggerType) {
+                    res.writeHead(400, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'trigger_type required' }));
+                    return true;
+                }
+                const history = (0, store_js_1.listValidationHistory)(options.sessionsDb, agentId, limit, triggerType);
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ history }));
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: GET /api/validation-sessions/:id
+        if (pathname.match(/^\/api\/validation-sessions\/[^/]+$/) && req.method === 'GET') {
+            const sessionId = decodeURIComponent(pathname.split('/')[3]);
+            if (options.sessionsDb) {
+                const detail = (0, store_js_1.getValidationSessionDetail)(options.sessionsDb, sessionId);
+                if (!detail) {
+                    res.writeHead(404, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'Session not found' }));
+                }
+                else {
+                    res.writeHead(200, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify(detail));
+                }
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: POST /api/agents/:id/validation/approve
+        if (pathname.match(/^\/api\/agents\/[^/]+\/validation\/approve$/) && req.method === 'POST') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            if (options.sessionsDb) {
+                const rawUrl = req.url || pathname;
+                const qIdx = rawUrl.indexOf('?');
+                const params = qIdx >= 0 ? new URLSearchParams(rawUrl.slice(qIdx)) : new URLSearchParams();
+                let sessionId = params.get('session_id');
+                if (!sessionId) {
+                    const body = await readBodyOrRespond(req, res);
+                    if (!body) {
+                        return true;
+                    }
+                    sessionId = body?.session_id;
+                }
+                if (!sessionId) {
+                    res.writeHead(400, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'session_id required' }));
+                }
+                else {
+                    const detail = (0, store_js_1.getValidationSessionDetail)(options.sessionsDb, sessionId);
+                    if (!detail) {
+                        res.writeHead(404, { 'Content-Type': 'application/json' });
+                        res.end(JSON.stringify({ error: 'Session not found' }));
+                        return true;
+                    }
+                    if (detail.session.agent_id !== agentId) {
+                        res.writeHead(403, { 'Content-Type': 'application/json' });
+                        res.end(JSON.stringify({ error: 'session does not belong to requested agent' }));
+                        return true;
+                    }
+                    try {
+                        (0, store_js_1.approveValidationSession)(options.sessionsDb, sessionId);
+                        res.writeHead(200, { 'Content-Type': 'application/json' });
+                        res.end(JSON.stringify({ success: true, approved_session: sessionId }));
+                    }
+                    catch (error) {
+                        const message = error instanceof Error ? error.message : String(error);
+                        const statusCode = /not found|required|invalid/i.test(message) ? 400 : 500;
+                        res.writeHead(statusCode, { 'Content-Type': 'application/json' });
+                        res.end(JSON.stringify({ error: message }));
+                    }
+                }
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: GET /api/agents/:id/validation/compare?session=X&baseline=approved
+        if (pathname.match(/^\/api\/agents\/[^/]+\/validation\/compare$/) && req.method === 'GET') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            if (options.sessionsDb) {
+                const rawUrl = req.url || pathname;
+                const qIdx = rawUrl.indexOf('?');
+                const params = qIdx >= 0 ? new URLSearchParams(rawUrl.slice(qIdx)) : new URLSearchParams();
+                const sessionId = params.get('session');
+                const baselineMode = params.get('baseline') || 'approved';
+                if (!sessionId) {
+                    res.writeHead(400, { 'Content-Type': 'application/json' });
+                    res.end(JSON.stringify({ error: 'session query parameter required' }));
+                }
+                else {
+                    const current = (0, store_js_1.getValidationSessionDetail)(options.sessionsDb, sessionId);
+                    if (!current) {
+                        res.writeHead(404, { 'Content-Type': 'application/json' });
+                        res.end(JSON.stringify({ error: 'Session not found' }));
+                    }
+                    else if (current.session.agent_id !== agentId) {
+                        res.writeHead(403, { 'Content-Type': 'application/json' });
+                        res.end(JSON.stringify({ error: 'session does not belong to requested agent' }));
+                    }
+                    else {
+                        let baselineSessionId = null;
+                        if (baselineMode === 'approved') {
+                            const state = (0, store_js_1.getAgentValidationState)(options.sessionsDb, agentId, current.session.trigger_type);
+                            baselineSessionId = state?.approved_session_id ?? null;
+                        }
+                        else {
+                            baselineSessionId = baselineMode;
+                        }
+                        const baseline = baselineSessionId
+                            ? (0, store_js_1.getValidationSessionDetail)(options.sessionsDb, baselineSessionId)
+                            : null;
+                        if (baselineMode !== 'approved' && baselineSessionId && !baseline) {
+                            res.writeHead(404, { 'Content-Type': 'application/json' });
+                            res.end(JSON.stringify({ error: 'baseline session not found' }));
+                            return true;
+                        }
+                        if (baseline && baseline.session.agent_id !== agentId) {
+                            res.writeHead(403, { 'Content-Type': 'application/json' });
+                            res.end(JSON.stringify({ error: 'baseline session does not belong to requested agent' }));
+                            return true;
+                        }
+                        if (baseline && baseline.session.trigger_type !== current.session.trigger_type) {
+                            res.writeHead(400, { 'Content-Type': 'application/json' });
+                            res.end(JSON.stringify({
+                                error: 'baseline session trigger_type does not match current session',
+                            }));
+                            return true;
+                        }
+                        const baselineMetrics = new Map((baseline?.metrics ?? []).map((m) => [
+                            m.name,
+                            m.value,
+                        ]));
+                        const deltas = current.metrics.map((m) => {
+                            const bVal = baselineMetrics.get(m.name);
+                            return {
+                                name: m.name,
+                                current: m.value,
+                                baseline: bVal ?? null,
+                                delta: bVal !== undefined ? m.value - bVal : null,
+                                direction: m.direction,
+                            };
+                        });
+                        res.writeHead(200, { 'Content-Type': 'application/json' });
+                        res.end(JSON.stringify({ current, baseline, deltas }));
+                    }
+                }
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: GET /api/agents/activity-summary — aggregated activity with alerts
+        if (pathname === '/api/agents/activity-summary' && req.method === 'GET') {
+            const rawUrl = req.url || pathname;
+            const qIdx = rawUrl.indexOf('?');
+            const params = qIdx >= 0 ? new URLSearchParams(rawUrl.slice(qIdx)) : new URLSearchParams();
+            const since = params.get('since') || new Date(Date.now() - 86400000).toISOString().slice(0, 10);
+            if (options.sessionsDb) {
+                (0, agent_handler_js_1.handleGetActivitySummary)(res, options.sessionsDb, since);
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: GET /api/agents — list all agents
+        if (pathname === '/api/agents' && req.method === 'GET') {
+            const config = loadMAMAConfig();
+            if (options.sessionsDb) {
+                (0, agent_handler_js_1.handleGetAgents)(res, config, options.sessionsDb);
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: POST /api/agents — create new agent
+        if (pathname === '/api/agents' && req.method === 'POST') {
+            const body = await readBodyOrRespond(req, res);
+            if (!body) {
+                return true;
+            }
+            if (options.sessionsDb) {
+                await (0, agent_handler_js_1.handleCreateAgent)(res, body, options.sessionsDb, {
+                    loadConfig: async () => loadMAMAConfig(),
+                    saveConfig: async (config) => saveMAMAConfig(config),
+                    applyMultiAgentConfig: options.applyMultiAgentConfig ?? null,
+                    restartMultiAgentAgent: options.restartMultiAgentAgent ?? null,
+                });
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: GET /api/agents/:id — single agent detail (must be after /api/agents/:id/*)
+        if (pathname.match(/^\/api\/agents\/[^/]+$/) && req.method === 'GET') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            const config = loadMAMAConfig();
+            if (options.sessionsDb) {
+                (0, agent_handler_js_1.handleGetAgent)(res, agentId, config, options.sessionsDb);
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // Route: POST /api/agents/:id — update agent (Managed Agents: version required)
+        if (pathname.match(/^\/api\/agents\/[^/]+$/) && req.method === 'POST') {
+            const agentId = decodeURIComponent(pathname.split('/')[3]);
+            const body = await readBodyOrRespond(req, res);
+            if (!body) {
+                return true;
+            }
+            if (options.sessionsDb) {
+                await (0, agent_handler_js_1.handleUpdateAgent)(res, agentId, body, options.sessionsDb, {
+                    loadConfig: async () => loadMAMAConfig(),
+                    saveConfig: async (config) => saveMAMAConfig(config),
+                    applyMultiAgentConfig: options.applyMultiAgentConfig ?? null,
+                    restartMultiAgentAgent: options.restartMultiAgentAgent ?? null,
+                });
+            }
+            else {
+                res.writeHead(503, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ error: 'Sessions DB not available' }));
+            }
+            return true;
+        }
+        // ── Legacy Multi-Agent API (redirect-compatible) ──
         // Route: GET /api/multi-agent/status - get multi-agent system status
         if (pathname === '/api/multi-agent/status' && req.method === 'GET') {
             await handleMultiAgentStatusRequest(req, res, options);
@@ -1968,8 +2397,8 @@ function validateConfigUpdate(config) {
             errors.push('timeout must be at least 1000ms');
         }
         if (config.agent.backend &&
-            !['claude', 'codex-mcp'].includes(String(config.agent.backend).toLowerCase())) {
-            errors.push('agent.backend must be "claude" or "codex-mcp"');
+            !supportedManagedBackends.includes(String(config.agent.backend).toLowerCase())) {
+            errors.push('agent.backend must be "claude", "codex", "codex-mcp", or "gemini"');
         }
         if (config.agent.backend && config.agent.model && typeof config.agent.model === 'string') {
             const backend = String(config.agent.backend).toLowerCase();
@@ -1977,8 +2406,8 @@ function validateConfigUpdate(config) {
             if (backend === 'claude' && !isClaudeModel(model)) {
                 errors.push('agent.model must be a Claude model when agent.backend is "claude"');
             }
-            if (backend === 'codex-mcp' && !isCodexModel(model)) {
-                errors.push('agent.model must be a Codex/OpenAI model when agent.backend is "codex-mcp"');
+            if (isCodexFamilyBackend(backend) && !isCodexModel(model)) {
+                errors.push(`agent.model must be a Codex/OpenAI model when agent.backend is "${backend}"`);
             }
         }
     }
@@ -2002,16 +2431,16 @@ function validateConfigUpdate(config) {
             const modelRaw = cfg.model;
             if (backendRaw !== undefined) {
                 const backend = String(backendRaw).toLowerCase();
-                if (!['claude', 'codex-mcp'].includes(backend)) {
-                    errors.push(`multi_agent.agents.${agentId}.backend must be "claude" or "codex-mcp"`);
+                if (!supportedManagedBackends.includes(backend)) {
+                    errors.push(`multi_agent.agents.${agentId}.backend must be "claude", "codex", "codex-mcp", or "gemini"`);
                     continue;
                 }
                 if (typeof modelRaw === 'string' && modelRaw.trim()) {
                     if (backend === 'claude' && !isClaudeModel(modelRaw)) {
                         errors.push(`multi_agent.agents.${agentId}.model must be a Claude model when backend is "claude"`);
                     }
-                    if (backend === 'codex-mcp' && !isCodexModel(modelRaw)) {
-                        errors.push(`multi_agent.agents.${agentId}.model must be a Codex/OpenAI model when backend is "codex-mcp"`);
+                    if (isCodexFamilyBackend(backend) && !isCodexModel(modelRaw)) {
+                        errors.push(`multi_agent.agents.${agentId}.model must be a Codex/OpenAI model when backend is "${backend}"`);
                     }
                 }
             }
@@ -2318,8 +2747,8 @@ async function handleMultiAgentUpdateAgentRequest(req, res, pathname, options =
         }
         if (body.backend !== undefined &&
             (typeof body.backend !== 'string' ||
-                !['claude', 'codex-mcp'].includes(String(body.backend).toLowerCase()))) {
-            validationErrors.push('backend must be "claude" or "codex-mcp"');
+                !supportedManagedBackends.includes(String(body.backend).toLowerCase()))) {
+            validationErrors.push('backend must be "claude", "codex", "codex-mcp", or "gemini"');
         }
         const nextBackend = (body.backend !== undefined ? String(body.backend).toLowerCase() : currentAgent.backend);
         const nextModel = (body.model !== undefined ? body.model : currentAgent.model);
@@ -2327,8 +2756,8 @@ async function handleMultiAgentUpdateAgentRequest(req, res, pathname, options =
             if (nextBackend === 'claude' && !isClaudeModel(nextModel)) {
                 validationErrors.push('model must be a Claude model when backend is "claude"');
             }
-            if (nextBackend === 'codex-mcp' && !isCodexModel(nextModel)) {
-                validationErrors.push('model must be a Codex/OpenAI model when backend is "codex-mcp"');
+            if (isCodexFamilyBackend(nextBackend) && !isCodexModel(nextModel)) {
+                validationErrors.push(`model must be a Codex/OpenAI model when backend is "${nextBackend}"`);
             }
         }
         if (body.effort !== undefined) {