npm - @lobu/gateway - Versions diffs - 3.0.9 → 3.0.13 - Mend

@lobu/gateway 3.0.9 → 3.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/dist/api/platform.d.ts.map +1 -1
package/dist/api/platform.js +7 -26
package/dist/api/platform.js.map +1 -1
package/dist/auth/mcp/proxy.d.ts +14 -0
package/dist/auth/mcp/proxy.d.ts.map +1 -1
package/dist/auth/mcp/proxy.js +149 -13
package/dist/auth/mcp/proxy.js.map +1 -1
package/dist/cli/gateway.d.ts.map +1 -1
package/dist/cli/gateway.js +29 -0
package/dist/cli/gateway.js.map +1 -1
package/dist/connections/chat-instance-manager.d.ts.map +1 -1
package/dist/connections/chat-instance-manager.js +2 -1
package/dist/connections/chat-instance-manager.js.map +1 -1
package/dist/connections/interaction-bridge.d.ts +9 -2
package/dist/connections/interaction-bridge.d.ts.map +1 -1
package/dist/connections/interaction-bridge.js +121 -261
package/dist/connections/interaction-bridge.js.map +1 -1
package/dist/gateway/index.js +1 -1
package/dist/gateway/index.js.map +1 -1
package/dist/interactions.d.ts +9 -43
package/dist/interactions.d.ts.map +1 -1
package/dist/interactions.js +10 -52
package/dist/interactions.js.map +1 -1
package/dist/routes/public/agent.d.ts +4 -0
package/dist/routes/public/agent.d.ts.map +1 -1
package/dist/routes/public/agent.js +21 -0
package/dist/routes/public/agent.js.map +1 -1
package/dist/services/core-services.d.ts.map +1 -1
package/dist/services/core-services.js +4 -0
package/dist/services/core-services.js.map +1 -1
package/package.json +9 -9
package/src/__tests__/agent-config-routes.test.ts +0 -254
package/src/__tests__/agent-history-routes.test.ts +0 -72
package/src/__tests__/agent-routes.test.ts +0 -68
package/src/__tests__/agent-schedules-routes.test.ts +0 -59
package/src/__tests__/agent-settings-store.test.ts +0 -323
package/src/__tests__/bedrock-model-catalog.test.ts +0 -40
package/src/__tests__/bedrock-openai-service.test.ts +0 -157
package/src/__tests__/bedrock-provider-module.test.ts +0 -56
package/src/__tests__/chat-instance-manager-slack.test.ts +0 -204
package/src/__tests__/chat-response-bridge.test.ts +0 -131
package/src/__tests__/config-memory-plugins.test.ts +0 -92
package/src/__tests__/config-request-store.test.ts +0 -127
package/src/__tests__/connection-routes.test.ts +0 -144
package/src/__tests__/core-services-store-selection.test.ts +0 -92
package/src/__tests__/docker-deployment.test.ts +0 -1211
package/src/__tests__/embedded-deployment.test.ts +0 -342
package/src/__tests__/grant-store.test.ts +0 -148
package/src/__tests__/http-proxy.test.ts +0 -281
package/src/__tests__/instruction-service.test.ts +0 -37
package/src/__tests__/link-buttons.test.ts +0 -112
package/src/__tests__/lobu.test.ts +0 -32
package/src/__tests__/mcp-config-service.test.ts +0 -347
package/src/__tests__/mcp-proxy.test.ts +0 -694
package/src/__tests__/message-handler-bridge.test.ts +0 -17
package/src/__tests__/model-selection.test.ts +0 -172
package/src/__tests__/oauth-templates.test.ts +0 -39
package/src/__tests__/platform-adapter-slack-send.test.ts +0 -114
package/src/__tests__/platform-helpers-model-resolution.test.ts +0 -253
package/src/__tests__/provider-inheritance.test.ts +0 -212
package/src/__tests__/routes/cli-auth.test.ts +0 -337
package/src/__tests__/routes/interactions.test.ts +0 -121
package/src/__tests__/secret-proxy.test.ts +0 -85
package/src/__tests__/session-manager.test.ts +0 -572
package/src/__tests__/setup.ts +0 -133
package/src/__tests__/skill-and-mcp-registry.test.ts +0 -203
package/src/__tests__/slack-routes.test.ts +0 -161
package/src/__tests__/system-config-resolver.test.ts +0 -75
package/src/__tests__/system-message-limiter.test.ts +0 -89
package/src/__tests__/system-skills-service.test.ts +0 -362
package/src/__tests__/transcription-service.test.ts +0 -222
package/src/__tests__/utils/rate-limiter.test.ts +0 -102
package/src/__tests__/worker-connection-manager.test.ts +0 -497
package/src/__tests__/worker-job-router.test.ts +0 -722
package/src/api/index.ts +0 -1
package/src/api/platform.ts +0 -292
package/src/api/response-renderer.ts +0 -157
package/src/auth/agent-metadata-store.ts +0 -168
package/src/auth/api-auth-middleware.ts +0 -69
package/src/auth/api-key-provider-module.ts +0 -213
package/src/auth/base-provider-module.ts +0 -201
package/src/auth/bedrock/provider-module.ts +0 -110
package/src/auth/chatgpt/chatgpt-oauth-module.ts +0 -185
package/src/auth/chatgpt/device-code-client.ts +0 -218
package/src/auth/chatgpt/index.ts +0 -1
package/src/auth/claude/oauth-module.ts +0 -280
package/src/auth/cli/token-service.ts +0 -249
package/src/auth/external/client.ts +0 -560
package/src/auth/external/device-code-client.ts +0 -235
package/src/auth/mcp/config-service.ts +0 -420
package/src/auth/mcp/proxy.ts +0 -1086
package/src/auth/mcp/string-substitution.ts +0 -17
package/src/auth/mcp/tool-cache.ts +0 -90
package/src/auth/oauth/base-client.ts +0 -267
package/src/auth/oauth/client.ts +0 -153
package/src/auth/oauth/credentials.ts +0 -7
package/src/auth/oauth/providers.ts +0 -69
package/src/auth/oauth/state-store.ts +0 -150
package/src/auth/oauth-templates.ts +0 -179
package/src/auth/provider-catalog.ts +0 -220
package/src/auth/provider-model-options.ts +0 -41
package/src/auth/settings/agent-settings-store.ts +0 -565
package/src/auth/settings/auth-profiles-manager.ts +0 -216
package/src/auth/settings/index.ts +0 -12
package/src/auth/settings/model-preference-store.ts +0 -52
package/src/auth/settings/model-selection.ts +0 -135
package/src/auth/settings/resolved-settings-view.ts +0 -298
package/src/auth/settings/template-utils.ts +0 -44
package/src/auth/settings/token-service.ts +0 -88
package/src/auth/system-env-store.ts +0 -98
package/src/auth/user-agents-store.ts +0 -68
package/src/channels/binding-service.ts +0 -214
package/src/channels/index.ts +0 -4
package/src/cli/gateway.ts +0 -1312
package/src/cli/index.ts +0 -74
package/src/commands/built-in-commands.ts +0 -80
package/src/commands/command-dispatcher.ts +0 -94
package/src/commands/command-reply-adapters.ts +0 -27
package/src/config/file-loader.ts +0 -618
package/src/config/index.ts +0 -588
package/src/config/network-allowlist.ts +0 -71
package/src/connections/chat-instance-manager.ts +0 -1284
package/src/connections/chat-response-bridge.ts +0 -618
package/src/connections/index.ts +0 -7
package/src/connections/interaction-bridge.ts +0 -831
package/src/connections/message-handler-bridge.ts +0 -440
package/src/connections/platform-auth-methods.ts +0 -15
package/src/connections/types.ts +0 -84
package/src/gateway/connection-manager.ts +0 -291
package/src/gateway/index.ts +0 -698
package/src/gateway/job-router.ts +0 -201
package/src/gateway-main.ts +0 -200
package/src/index.ts +0 -41
package/src/infrastructure/queue/index.ts +0 -12
package/src/infrastructure/queue/queue-producer.ts +0 -148
package/src/infrastructure/queue/redis-queue.ts +0 -361
package/src/infrastructure/queue/types.ts +0 -133
package/src/infrastructure/redis/system-message-limiter.ts +0 -94
package/src/interactions/config-request-store.ts +0 -198
package/src/interactions.ts +0 -363
package/src/lobu.ts +0 -311
package/src/metrics/prometheus.ts +0 -159
package/src/modules/module-system.ts +0 -179
package/src/orchestration/base-deployment-manager.ts +0 -900
package/src/orchestration/deployment-utils.ts +0 -98
package/src/orchestration/impl/docker-deployment.ts +0 -620
package/src/orchestration/impl/embedded-deployment.ts +0 -268
package/src/orchestration/impl/index.ts +0 -8
package/src/orchestration/impl/k8s/deployment.ts +0 -1061
package/src/orchestration/impl/k8s/helpers.ts +0 -610
package/src/orchestration/impl/k8s/index.ts +0 -1
package/src/orchestration/index.ts +0 -333
package/src/orchestration/message-consumer.ts +0 -584
package/src/orchestration/scheduled-wakeup.ts +0 -704
package/src/permissions/approval-policy.ts +0 -36
package/src/permissions/grant-store.ts +0 -219
package/src/platform/file-handler.ts +0 -66
package/src/platform/link-buttons.ts +0 -57
package/src/platform/renderer-utils.ts +0 -44
package/src/platform/response-renderer.ts +0 -84
package/src/platform/unified-thread-consumer.ts +0 -194
package/src/platform.ts +0 -318
package/src/proxy/http-proxy.ts +0 -752
package/src/proxy/proxy-manager.ts +0 -81
package/src/proxy/secret-proxy.ts +0 -402
package/src/proxy/token-refresh-job.ts +0 -143
package/src/routes/internal/audio.ts +0 -141
package/src/routes/internal/device-auth.ts +0 -652
package/src/routes/internal/files.ts +0 -226
package/src/routes/internal/history.ts +0 -69
package/src/routes/internal/images.ts +0 -127
package/src/routes/internal/interactions.ts +0 -84
package/src/routes/internal/middleware.ts +0 -23
package/src/routes/internal/schedule.ts +0 -226
package/src/routes/internal/types.ts +0 -22
package/src/routes/openapi-auto.ts +0 -239
package/src/routes/public/agent-access.ts +0 -23
package/src/routes/public/agent-config.ts +0 -675
package/src/routes/public/agent-history.ts +0 -422
package/src/routes/public/agent-schedules.ts +0 -296
package/src/routes/public/agent.ts +0 -1086
package/src/routes/public/agents.ts +0 -373
package/src/routes/public/channels.ts +0 -191
package/src/routes/public/cli-auth.ts +0 -896
package/src/routes/public/connections.ts +0 -574
package/src/routes/public/landing.ts +0 -16
package/src/routes/public/oauth.ts +0 -147
package/src/routes/public/settings-auth.ts +0 -104
package/src/routes/public/slack.ts +0 -173
package/src/routes/shared/agent-ownership.ts +0 -101
package/src/routes/shared/token-verifier.ts +0 -34
package/src/services/bedrock-model-catalog.ts +0 -217
package/src/services/bedrock-openai-service.ts +0 -658
package/src/services/core-services.ts +0 -1072
package/src/services/image-generation-service.ts +0 -257
package/src/services/instruction-service.ts +0 -318
package/src/services/mcp-registry.ts +0 -94
package/src/services/platform-helpers.ts +0 -287
package/src/services/session-manager.ts +0 -262
package/src/services/settings-resolver.ts +0 -74
package/src/services/system-config-resolver.ts +0 -89
package/src/services/system-skills-service.ts +0 -229
package/src/services/transcription-service.ts +0 -684
package/src/session.ts +0 -110
package/src/spaces/index.ts +0 -1
package/src/spaces/space-resolver.ts +0 -17
package/src/stores/in-memory-agent-store.ts +0 -403
package/src/stores/redis-agent-store.ts +0 -279
package/src/utils/public-url.ts +0 -44
package/src/utils/rate-limiter.ts +0 -94
package/tsconfig.json +0 -33
package/tsconfig.tsbuildinfo +0 -1

package/src/routes/public/agent-config.ts DELETED Viewed

@@ -1,675 +0,0 @@
-/**
- * Agent Config Routes
- *
- * Configuration endpoints mounted under /api/v1/agents/{agentId}/config
- */
-import { createRoute, OpenAPIHono, z } from "@hono/zod-openapi";
-import type { AgentConfigStore, AuthProfile, SkillConfig } from "@lobu/core";
-import type { ProviderCatalogService } from "../../auth/provider-catalog";
-import { collectProviderModelOptions } from "../../auth/provider-model-options";
-import type { AgentSettings, AgentSettingsStore } from "../../auth/settings";
-import type { AuthProfilesManager } from "../../auth/settings/auth-profiles-manager";
-import { getModelSelectionState } from "../../auth/settings/model-selection";
-import {
-  canEditSettingsSection,
-  type ResolvedProviderView,
-  type ResolvedSectionView,
-  SETTINGS_SECTION_KEYS,
-  type SettingsSectionKey,
-} from "../../auth/settings/resolved-settings-view";
-import type { SettingsTokenPayload } from "../../auth/settings/token-service";
-import type { UserAgentsStore } from "../../auth/user-agents-store";
-import type { WorkerConnectionManager } from "../../gateway/connection-manager";
-import type { IMessageQueue } from "../../infrastructure/queue";
-import {
-  getModelProviderModules,
-  type ModelOption,
-  type ModelProviderModule,
-} from "../../modules/module-system";
-import type { ScheduledWakeupService } from "../../orchestration/scheduled-wakeup";
-import type { GrantStore } from "../../permissions/grant-store";
-import { createTokenVerifier } from "../shared/token-verifier";
-import { verifySettingsSessionOrToken } from "./settings-auth";
-const TAG = "Configuration";
-const ErrorResponse = z.object({ error: z.string() });
-const TokenQuery = z.object({ token: z.string().optional() });
-const REDACTED_VALUE = "__LOBU_REDACTED__";
-export interface ConfigChangeEntry {
-  category:
-    | "mcp"
-    | "provider"
-    | "model"
-    | "packages"
-    | "skills"
-    | "instructions"
-    | "env"
-    | "plugins"
-    | "logging";
-  action: "added" | "removed" | "updated" | "reordered";
-  summary: string;
-  details?: string[];
-}
-const SENSITIVE_KEY_PATTERN =
-  /(?:credential|secret|token|password|api(?:_|-)?key|authorization)/i;
-type SanitizedAuthProfile = Omit<AuthProfile, "credential" | "metadata"> & {
-  credential: string;
-  credentialRedacted: true;
-  metadata?: Omit<NonNullable<AuthProfile["metadata"]>, "refreshToken"> & {
-    refreshToken?: string;
-    refreshTokenRedacted?: true;
-  };
-};
-type PublicAgentSettings = Omit<AgentSettings, "authProfiles"> & {
-  authProfiles?: SanitizedAuthProfile[];
-};
-// --- Route Definitions ---
-const getConfigRoute = createRoute({
-  method: "get",
-  path: "/",
-  tags: [TAG],
-  summary: "Get agent configuration",
-  request: { query: TokenQuery },
-  responses: {
-    200: {
-      description: "Configuration",
-      content: {
-        "application/json": {
-          schema: z.any(),
-        },
-      },
-    },
-    401: {
-      description: "Unauthorized",
-      content: { "application/json": { schema: ErrorResponse } },
-    },
-  },
-});
-export interface ProviderCredentialStore {
-  hasCredentials(agentId: string): Promise<boolean>;
-}
-export interface AgentConfigRoutesConfig {
-  agentSettingsStore: AgentSettingsStore;
-  agentConfigStore: Pick<AgentConfigStore, "getMetadata" | "getSettings">;
-  userAgentsStore?: UserAgentsStore;
-  providerStores?: Record<string, ProviderCredentialStore>;
-  /**
-   * Provider connectivity overrides (e.g., system token means "connected" even if no user credentials are stored).
-   */
-  providerConnectedOverrides?: Record<string, boolean>;
-  providerCatalogService?: ProviderCatalogService;
-  authProfilesManager?: AuthProfilesManager;
-  queue?: IMessageQueue;
-  connectionManager?: WorkerConnectionManager;
-  grantStore?: GrantStore;
-  scheduledWakeupService?: ScheduledWakeupService;
-}
-function getViewer(payload: SettingsTokenPayload | null | undefined): {
-  settingsMode?: "admin" | "user";
-  allowedScopes?: string[];
-  isAdmin?: boolean;
-} {
-  return {
-    settingsMode: payload?.settingsMode,
-    allowedScopes: payload?.allowedScopes,
-    isAdmin: payload?.isAdmin,
-  };
-}
-function getProviderModelPreferencesFromSettings(
-  settings: AgentSettings | null | undefined
-): Record<string, string> {
-  const directPreferences = Object.fromEntries(
-    Object.entries(settings?.providerModelPreferences || {})
-      .map(([providerId, modelRef]) => [providerId.trim(), modelRef.trim()])
-      .filter(([providerId, modelRef]) => providerId && modelRef)
-  );
-  if (Object.keys(directPreferences).length > 0) {
-    return directPreferences;
-  }
-  const fallbackPreferences: Record<string, string> = {};
-  for (const ip of settings?.installedProviders || []) {
-    if (ip.config?.modelPreference) {
-      fallbackPreferences[ip.providerId] = String(ip.config.modelPreference);
-    }
-  }
-  return fallbackPreferences;
-}
-function hasOwnSetting(
-  settings: AgentSettings | null | undefined,
-  key: keyof AgentSettings
-): boolean {
-  return !!settings && Object.hasOwn(settings, key);
-}
-const SECTION_SETTING_KEYS: Record<
-  Exclude<SettingsSectionKey, "permissions" | "schedules">,
-  Array<keyof AgentSettings>
-> = {
-  model: [
-    "installedProviders",
-    "authProfiles",
-    "model",
-    "modelSelection",
-    "providerModelPreferences",
-  ],
-  "system-prompt": ["identityMd", "soulMd", "userMd"],
-  skills: ["skillsConfig", "mcpServers", "pluginsConfig"],
-  packages: ["nixConfig"],
-  logging: ["verboseLogging"],
-};
-function sectionHasLocalOverride(
-  section: SettingsSectionKey,
-  localSettings: AgentSettings | null | undefined
-): boolean {
-  if (section === "permissions" || section === "schedules") {
-    return false;
-  }
-  return SECTION_SETTING_KEYS[section].some((key) =>
-    hasOwnSetting(localSettings, key)
-  );
-}
-function sectionHasTemplateValue(
-  section: SettingsSectionKey,
-  templateSettings: AgentSettings | null | undefined
-): boolean {
-  if (section === "permissions" || section === "schedules") {
-    return false;
-  }
-  return SECTION_SETTING_KEYS[section].some((key) =>
-    hasOwnSetting(templateSettings, key)
-  );
-}
-function resolveSectionSource(
-  isSandbox: boolean,
-  hasLocalOverride: boolean,
-  hasTemplateValue: boolean
-): "local" | "inherited" | "mixed" {
-  if (!isSandbox) return "local";
-  if (!hasLocalOverride && hasTemplateValue) return "inherited";
-  if (hasLocalOverride && hasTemplateValue) return "mixed";
-  return "local";
-}
-function resolveProviderSources(
-  localSettings: AgentSettings | null,
-  effectiveSettings: AgentSettings | null,
-  templateSettings: AgentSettings | null,
-  isSandbox: boolean,
-  viewer: ReturnType<typeof getViewer>
-): Record<string, ResolvedProviderView> {
-  const effectiveProviderIds = (
-    effectiveSettings?.installedProviders || []
-  ).map((provider) => provider.providerId);
-  const localProviderIds = new Set(
-    (localSettings?.installedProviders || []).map(
-      (provider) => provider.providerId
-    )
-  );
-  const localProfileProviders = new Set(
-    (localSettings?.authProfiles || []).map((profile) => profile.provider)
-  );
-  const localPreferenceProviders = new Set(
-    Object.keys(localSettings?.providerModelPreferences || {})
-  );
-  const templateProviderIds = new Set(
-    (templateSettings?.installedProviders || []).map(
-      (provider) => provider.providerId
-    )
-  );
-  return Object.fromEntries(
-    effectiveProviderIds.map((providerId) => {
-      const hasLocalOverride =
-        localProviderIds.has(providerId) ||
-        localProfileProviders.has(providerId) ||
-        localPreferenceProviders.has(providerId);
-      const source = resolveSectionSource(
-        isSandbox,
-        hasLocalOverride,
-        templateProviderIds.has(providerId)
-      );
-      return [
-        providerId,
-        {
-          id: providerId,
-          source,
-          canEdit: canEditSettingsSection("model", viewer),
-          canReset: isSandbox && hasLocalOverride,
-          hasLocalOverride,
-        } satisfies ResolvedProviderView,
-      ];
-    })
-  );
-}
-async function resolveSettingsView(
-  config: AgentConfigRoutesConfig,
-  agentId: string,
-  payload: SettingsTokenPayload | null
-): Promise<{
-  scope: "agent" | "sandbox";
-  templateAgentId?: string;
-  templateAgentName?: string;
-  sections: Record<SettingsSectionKey, ResolvedSectionView>;
-  providerSources: Record<string, ResolvedProviderView>;
-  effectiveSettings: AgentSettings | null;
-}> {
-  const viewer = getViewer(payload);
-  const localSettings = await config.agentSettingsStore.getSettings(agentId);
-  const effectiveSettings =
-    await config.agentSettingsStore.getEffectiveSettings(agentId);
-  const templateAgentId =
-    effectiveSettings?.templateAgentId || localSettings?.templateAgentId;
-  const templateSettings = templateAgentId
-    ? await config.agentSettingsStore.getSettings(templateAgentId)
-    : null;
-  const templateAgentName = templateAgentId
-    ? (await config.agentConfigStore.getMetadata(templateAgentId))?.name
-    : undefined;
-  const isSandbox = !!templateAgentId;
-  const sections = Object.fromEntries(
-    SETTINGS_SECTION_KEYS.map((section) => {
-      const hasLocalOverride = sectionHasLocalOverride(section, localSettings);
-      const hasTemplateValue = sectionHasTemplateValue(
-        section,
-        templateSettings
-      );
-      return [
-        section,
-        {
-          source: resolveSectionSource(
-            isSandbox,
-            hasLocalOverride,
-            hasTemplateValue
-          ),
-          editable: canEditSettingsSection(section, viewer),
-          canReset: isSandbox && hasLocalOverride,
-          hasLocalOverride,
-        } satisfies ResolvedSectionView,
-      ];
-    })
-  ) as Record<SettingsSectionKey, ResolvedSectionView>;
-  return {
-    scope: isSandbox ? "sandbox" : "agent",
-    templateAgentId,
-    templateAgentName,
-    sections,
-    providerSources: resolveProviderSources(
-      localSettings,
-      effectiveSettings,
-      templateSettings,
-      isSandbox,
-      viewer
-    ),
-    effectiveSettings,
-  };
-}
-async function buildResolvedConfigResponse(
-  config: AgentConfigRoutesConfig,
-  agentId: string,
-  payload: SettingsTokenPayload | null,
-  providerModels: Record<string, ModelOption[]>
-): Promise<any> {
-  const [settingsView, grants, schedules] = await Promise.all([
-    resolveSettingsView(config, agentId, payload),
-    config.grantStore?.listGrants(agentId) ?? Promise.resolve([]),
-    config.scheduledWakeupService?.listPendingForAgent(agentId) ??
-      Promise.resolve([]),
-  ]);
-  const settings = settingsView.effectiveSettings;
-  const providers: Record<
-    string,
-    {
-      connected: boolean;
-      userConnected: boolean;
-      systemConnected: boolean;
-      activeAuthType?: string;
-      authMethods?: string[];
-    }
-  > = {};
-  if (config.providerStores) {
-    for (const [name, store] of Object.entries(config.providerStores)) {
-      try {
-        const hasSystemCredentials =
-          config.providerConnectedOverrides?.[name] === true;
-        const hasUserCredentials = await store.hasCredentials(agentId);
-        const profiles = config.authProfilesManager
-          ? await config.authProfilesManager.getProviderProfiles(agentId, name)
-          : [];
-        const now = Date.now();
-        const validProfiles = profiles.filter(
-          (profile) =>
-            !profile.metadata?.expiresAt || profile.metadata.expiresAt > now
-        );
-        providers[name] = {
-          connected: hasUserCredentials || hasSystemCredentials,
-          userConnected: hasUserCredentials,
-          systemConnected: hasSystemCredentials,
-          activeAuthType: validProfiles[0]?.authType,
-          authMethods: validProfiles.map((profile) => profile.authType),
-        };
-      } catch {
-        providers[name] = {
-          connected: false,
-          userConnected: false,
-          systemConnected: false,
-        };
-      }
-    }
-  }
-  const allModules = getModelProviderModules();
-  const allProviderMeta = allModules
-    .filter((module) => module.catalogVisible !== false)
-    .map((module: ModelProviderModule) => ({
-      id: module.providerId,
-      name: module.providerDisplayName,
-      iconUrl: module.providerIconUrl || "",
-      authType: (module.authType || "oauth") as
-        | "oauth"
-        | "device-code"
-        | "api-key",
-      supportedAuthTypes: (module.supportedAuthTypes as (
-        | "oauth"
-        | "device-code"
-        | "api-key"
-      )[]) || [
-        (module.authType || "oauth") as "oauth" | "device-code" | "api-key",
-      ],
-      apiKeyInstructions: module.apiKeyInstructions || "",
-      apiKeyPlaceholder: module.apiKeyPlaceholder || "",
-      capabilities: [] as string[],
-    }));
-  const installedIds = (settings?.installedProviders || []).map(
-    (provider) => provider.providerId
-  );
-  const installedIdSet = new Set(installedIds);
-  const catalogProviders = allProviderMeta.filter(
-    (provider) => !installedIdSet.has(provider.id)
-  );
-  const providerIconUrls: Record<string, string> = {};
-  for (const provider of allProviderMeta) {
-    if (provider.iconUrl) {
-      providerIconUrls[provider.id] = provider.iconUrl;
-    }
-  }
-  const providerMeta: Record<string, object> = {};
-  for (const provider of allProviderMeta) {
-    providerMeta[provider.id] = {
-      name: provider.name,
-      authType: provider.authType,
-      supportedAuthTypes: provider.supportedAuthTypes,
-      apiKeyInstructions: provider.apiKeyInstructions,
-      apiKeyPlaceholder: provider.apiKeyPlaceholder,
-      capabilities: provider.capabilities,
-    };
-  }
-  const sanitized = sanitizeSettingsForResponse(settings);
-  return {
-    agentId,
-    scope: settingsView.scope,
-    templateAgentId: settingsView.templateAgentId,
-    templateAgentName: settingsView.templateAgentName,
-    sections: settingsView.sections,
-    providerViews: settingsView.providerSources,
-    instructions: {
-      identity: sanitized.identityMd || "",
-      soul: sanitized.soulMd || "",
-      user: sanitized.userMd || "",
-    },
-    providers: {
-      order: installedIds,
-      status: providers,
-      catalog: catalogProviders,
-      meta: providerMeta,
-      models: providerModels,
-      preferences: getProviderModelPreferencesFromSettings(settings),
-      icons: providerIconUrls,
-      modelSelection: getModelSelectionState(settings || undefined),
-      configManaged: [] as string[],
-    },
-    skills: sanitized.skillsConfig?.skills || [],
-    mcpServers: sanitized.mcpServers || {},
-    tools: {
-      nixPackages: sanitized.nixConfig?.packages || [],
-      permissions: grants,
-      schedules: schedules.map((schedule) => ({
-        scheduleId: schedule.id,
-        task: schedule.task,
-        scheduledFor: schedule.triggerAt,
-        status: schedule.status,
-        isRecurring: schedule.isRecurring,
-        cron: schedule.cron,
-        iteration: schedule.iteration,
-        maxIterations: schedule.maxIterations,
-      })),
-      registries: [],
-      globalRegistries: [],
-    },
-    settings: {
-      verboseLogging: !!sanitized.verboseLogging,
-      memoryEnabled: !!process.env.MEMORY_URL,
-    },
-  };
-}
-export function createAgentConfigRoutes(
-  config: AgentConfigRoutesConfig
-): OpenAPIHono {
-  const app = new OpenAPIHono();
-  const baseVerifyToken = createTokenVerifier({
-    userAgentsStore: config.userAgentsStore,
-    agentMetadataStore: config.agentConfigStore,
-  });
-  /**
-   * Verify settings token against agentId.
-   * Admin sessions bypass ownership checks.
-   * Owner-scoped browser sessions get admin-equivalent access for their own
-   * agents, while exact agent-scoped tokens remain limited unless they were
-   * explicitly minted as admin/user-mode sessions.
-   */
-  const verifyToken = async (
-    payload: SettingsTokenPayload | null,
-    agentId: string
-  ): Promise<SettingsTokenPayload | null> => {
-    if (!payload) return null;
-    if (payload.isAdmin || payload.settingsMode === "admin") {
-      return {
-        ...payload,
-        isAdmin: true,
-        settingsMode: "admin",
-      };
-    }
-    const verified = await baseVerifyToken(payload, agentId);
-    if (!verified) return null;
-    if (verified.agentId || verified.settingsMode === "user") {
-      return verified;
-    }
-    return {
-      ...verified,
-      isAdmin: true,
-      settingsMode: "admin",
-    };
-  };
-  app.openapi(getConfigRoute, async (c): Promise<any> => {
-    const agentId = c.req.param("agentId") || "";
-    const payload = await verifyToken(verifySettingsSessionOrToken(c), agentId);
-    if (!payload) return c.json({ error: "Unauthorized" }, 401);
-    const providerModels = await collectProviderModelOptions(
-      agentId,
-      payload.userId
-    );
-    return c.json(
-      await buildResolvedConfigResponse(
-        config,
-        agentId,
-        payload,
-        providerModels
-      )
-    );
-  });
-  // --- Provider Catalog Endpoints ---
-  // GET /providers/catalog
-  app.get("/providers/catalog", async (c): Promise<any> => {
-    const agentId = c.req.param("agentId") || "";
-    const payload = await verifyToken(verifySettingsSessionOrToken(c), agentId);
-    if (!payload) return c.json({ error: "Unauthorized" }, 401);
-    if (!config.providerCatalogService) {
-      return c.json({ error: "Provider catalog not available" }, 503);
-    }
-    const allProviders = config.providerCatalogService.listCatalogProviders();
-    const effectiveSettings =
-      await config.agentSettingsStore.getEffectiveSettings(agentId);
-    const installed = effectiveSettings?.installedProviders || [];
-    const installedIds = new Set(installed.map((ip) => ip.providerId));
-    const catalog = allProviders.map((p) => ({
-      providerId: p.providerId,
-      name: p.providerDisplayName,
-      iconUrl: p.providerIconUrl || "",
-      authType: p.authType || "api-key",
-      description: p.catalogDescription || "",
-      installed: installedIds.has(p.providerId),
-    }));
-    return c.json({ catalog, installedProviders: installed });
-  });
-  // ===== Grant Endpoints (read-only) =====
-  if (config.grantStore) {
-    const grantStore = config.grantStore;
-    // GET /grants - List all active grants
-    app.get("/grants", async (c) => {
-      const agentId = c.req.param("agentId") || "";
-      const payload = await verifyToken(
-        verifySettingsSessionOrToken(c),
-        agentId
-      );
-      if (!payload) return c.json({ error: "Unauthorized" }, 401);
-      const grants = await grantStore.listGrants(agentId);
-      return c.json(grants);
-    });
-  }
-  return app;
-}
-function sanitizeSettingsForResponse(
-  settings: AgentSettings | null
-): PublicAgentSettings | Record<string, never> {
-  if (!settings) return {};
-  const sanitized = redactSensitiveFields(settings) as PublicAgentSettings;
-  if (sanitized.skillsConfig?.skills) {
-    sanitized.skillsConfig = {
-      skills: sanitized.skillsConfig.skills.map((skill) => {
-        const legacySkill = skill as SkillConfig & {
-          integrations?: unknown;
-        };
-        const {
-          integrations: _integrations,
-          modelPreference: _modelPreference,
-          thinkingLevel: _thinkingLevel,
-          ...rest
-        } = legacySkill;
-        return rest;
-      }),
-    };
-  }
-  if (Array.isArray(settings.authProfiles)) {
-    sanitized.authProfiles = settings.authProfiles.map(sanitizeAuthProfile);
-  }
-  return sanitized;
-}
-function sanitizeAuthProfile(profile: AuthProfile): SanitizedAuthProfile {
-  const hadRefreshToken = !!profile.metadata?.refreshToken;
-  const metadata = profile.metadata
-    ? (redactSensitiveFields(
-        profile.metadata
-      ) as SanitizedAuthProfile["metadata"])
-    : undefined;
-  if (metadata && hadRefreshToken) {
-    metadata.refreshTokenRedacted = true;
-  }
-  return {
-    ...profile,
-    credential: REDACTED_VALUE,
-    credentialRedacted: true,
-    metadata,
-  };
-}
-function redactSensitiveFields(value: unknown): unknown {
-  if (Array.isArray(value)) {
-    return value.map((entry) => redactSensitiveFields(entry));
-  }
-  if (!value || typeof value !== "object") {
-    return value;
-  }
-  const input = value as Record<string, unknown>;
-  const output: Record<string, unknown> = {};
-  for (const [key, rawValue] of Object.entries(input)) {
-    if (
-      typeof rawValue === "string" &&
-      rawValue.length > 0 &&
-      SENSITIVE_KEY_PATTERN.test(key)
-    ) {
-      output[key] = REDACTED_VALUE;
-      continue;
-    }
-    output[key] = redactSensitiveFields(rawValue);
-  }
-  return output;
-}