npm - @open-mercato/ai-assistant - Versions diffs - 0.4.9-develop-8c36c096d5 → 0.4.9-develop-31d1a87765 - Mend

@open-mercato/ai-assistant 0.4.9-develop-8c36c096d5 → 0.4.9-develop-31d1a87765

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

package/AGENTS.md CHANGED Viewed

@@ -8,15 +8,13 @@
 - Expose module tools to an AI agent via MCP (Model Context Protocol)
 - Enable dynamic API discovery so the agent can call any endpoint without hardcoded tools
 - Build the Raycast-style Command Palette UI (Cmd+K) for user interaction
-- Combine search-based and OpenAPI-based tool discovery
-Five core components to understand:
+Four core components to understand:
 1. **OpenCode Agent** — AI backend that processes natural language and executes tools
 2. **MCP HTTP Server** — Exposes tools to OpenCode via HTTP on port 3001
-3. **API Discovery Tools** — 3 meta-tools that replace 600+ individual endpoint tools
+3. **Code Mode Tools** — 2 meta-tools (`search` + `execute`) where the AI writes JavaScript that runs in a `node:vm` sandbox
 4. **Command Palette UI** — Raycast-style frontend interface
-5. **Hybrid Tool Discovery** — Merges search-based and OpenAPI introspection results
 ## Common Tasks
@@ -57,11 +55,11 @@ registerMcpTool({
 ### Add New API Endpoints to Discovery
-APIs are automatically discovered from the OpenAPI spec (`openapi.yaml`). Follow these steps:
+APIs are automatically available via the Code Mode `search` tool (reads the OpenAPI spec at runtime). To add new endpoints:
 1. Define the endpoint in your module's route file with an `openApi` export
-2. Regenerate the OpenAPI spec
-3. Restart the MCP server
+2. Regenerate the OpenAPI spec (`yarn modules:prepare`)
+3. Restart the MCP server — the `search` tool's `spec.paths` will include the new endpoint
 ### Debug Tool Calls
@@ -125,9 +123,9 @@ When modifying this stack, follow these constraints:
 │                                    ▼                                         │
 │  ┌─────────────────────────────────────────────────────────────────────┐    │
 │  │                    MCP HTTP Server (:3001)                           │    │
-│  │  • Exposes 10 tools to OpenCode                                      │    │
-│  │  • API discovery tools (api_discover, api_execute, api_schema)       │    │
-│  │  • Search tools (search, search_status, etc.)                        │    │
+│  │  • Exposes 3 tools: context_whoami + Code Mode (search, execute)    │    │
+│  │  • search: AI writes JS to query OpenAPI spec + entity schemas      │    │
+│  │  • execute: AI writes JS to make API calls via api.request()        │    │
 │  │  • Authentication via x-api-key header                               │    │
 │  └─────────────────────────────────────────────────────────────────────┘    │
 │                                                                              │
@@ -159,8 +157,12 @@ packages/ai-assistant/
 │   │   ├── lib/
 │   │   │   ├── opencode-client.ts      # OpenCode server client
 │   │   │   ├── opencode-handlers.ts    # Request handlers for OpenCode
-│   │   │   ├── api-discovery-tools.ts  # api_discover, api_execute, api_schema
-│   │   │   ├── api-endpoint-index.ts   # OpenAPI endpoint indexing
+│   │   │   ├── codemode-tools.ts       # Code Mode search + execute tools
+│   │   │   ├── sandbox.ts             # node:vm sandbox executor
+│   │   │   ├── truncate.ts            # Response size limiter
+│   │   │   ├── api-endpoint-index.ts   # OpenAPI endpoint indexing + raw spec cache
+│   │   │   ├── api-discovery-tools.ts  # (legacy, unused) old find_api/call_api
+│   │   │   ├── entity-graph-tools.ts   # (legacy, unused) old discover_schema
 │   │   │   ├── http-server.ts          # MCP HTTP server implementation
 │   │   │   ├── mcp-server.ts           # MCP stdio server implementation
 │   │   │   ├── tool-registry.ts        # Global tool registration
@@ -225,30 +227,40 @@ When you need to interact with OpenCode, follow these rules:
 }
 ```
-## Rules for Working with API Discovery Tools
+## Rules for Code Mode Tools
-Use 3 meta-tools instead of 600+ individual tools:
+Use 2 meta-tools instead of individual endpoint/schema tools. The AI writes JavaScript that runs in a `node:vm` sandbox:
-| Tool | When to use |
-|------|-------------|
-| `api_discover` | When you need to find APIs by keyword, module, or HTTP method |
-| `api_schema` | When you need detailed schema for a specific endpoint before calling it |
-| `api_execute` | When you need to execute an API call with parameters |
+| Tool | Sandbox globals | When to use |
+|------|----------------|-------------|
+| `search` | `spec` (OpenAPI paths + entity schemas) | When discovering endpoints, understanding schemas, or exploring the API surface |
+| `execute` | `api.request()`, `context` | When making API calls to read or write data |
 **Example workflow the agent follows**:
 1. Agent receives: "Find all customers in New York"
-2. Agent calls `api_discover("customers search")`
-3. Agent calls `api_schema("/api/v1/customers")` to see parameters
-4. Agent calls `api_execute({ method: "GET", path: "/api/v1/customers", query: { city: "New York" } })`
+2. Agent calls `search({ code: 'async () => Object.keys(spec.paths).filter(p => p.includes("customer"))' })`
+3. Agent calls `search({ code: 'async () => spec.paths["/api/customers/companies"]?.get' })` to see endpoint details
+4. Agent calls `execute({ code: 'async () => api.request({ method: "GET", path: "/api/customers/companies", query: { city: "New York" } })' })`
-## Rules for Hybrid Tool Discovery
+**Sandbox safety**: Code runs in `node:vm` with only whitelisted globals. `fetch`, `require`, `process`, `fs`, `Buffer`, and network APIs are blocked. Execution times out after 30 seconds. API calls are capped at 50 per execution.
-Tools are discovered through two combined sources:
+**When modifying Code Mode tools**: Edit `lib/codemode-tools.ts` for tool definitions, `lib/sandbox.ts` for the sandbox engine, `lib/truncate.ts` for response size limiting.
-1. **Search-based**: Semantic search over tool descriptions
-2. **OpenAPI-based**: Direct introspection of API endpoints
+## MANDATORY: Use AskUserQuestion for Confirmations
-When you need to modify discovery behavior, edit `api_discover` in `lib/api-discovery-tools.ts` — it merges both sources.
+> **This is the MOST IMPORTANT rule. NEVER skip this.**
+Before ANY operation that modifies data (CREATE, UPDATE, DELETE):
+1. **YOU MUST USE** the `AskUserQuestion` tool
+2. Do NOT just write "Proceed?" in text
+3. The `AskUserQuestion` tool will show buttons and WAIT for user response
+4. Only proceed after user selects confirmation option
+**Why This Matters:**
+- Text like "Shall I proceed?" does NOT pause execution
+- Only the `AskUserQuestion` tool actually waits for user input
+- Without it, the AI may proceed without real confirmation
 ## Rules for the Chat Flow
@@ -503,21 +515,24 @@ async function handleOpenCodeMessage(options: {
 function extractTextFromResponse(result: OpenCodeMessage): string
 ```
-## Rules for API Discovery Internals
+## Rules for Code Mode Internals
-Located in `lib/api-discovery-tools.ts`. When modifying discovery logic:
+Located in `lib/codemode-tools.ts`, `lib/sandbox.ts`, `lib/truncate.ts`.
 ```typescript
-// Registered tools:
-// - api_discover: Search endpoints by keyword
-// - api_schema: Get endpoint details
-// - api_execute: Execute API call
-// Use these internal functions when extending discovery:
-function searchEndpoints(query: string, options?: SearchOptions): EndpointMatch[]
-function executeApiCall(params: ExecuteParams, ctx: McpToolContext): Promise<unknown>
+// lib/codemode-tools.ts — Tool definitions
+loadCodeModeTools(): Promise<number>  // Registers search + execute, returns 2
+// lib/sandbox.ts — Sandbox engine
+createSandbox(globals, options?): { execute: (code: string) => Promise<SandboxResult> }
+normalizeCode(code: string): string   // Strip markdown fences, validate shape
+// lib/truncate.ts — Response limiting
+truncateResult(value, maxChars?): string  // Default 40K chars (~10K tokens)
 ```
+**Legacy files kept but unused**: `lib/api-discovery-tools.ts` (old find_api/call_api) and `lib/entity-graph-tools.ts` (old discover_schema) remain in the tree but are no longer imported.
 ## Rules for the API Endpoint Index
 Located in `lib/api-endpoint-index.ts`. Use the singleton pattern — never instantiate directly:
@@ -1034,6 +1049,32 @@ if (tool.requiredFeatures?.length) {
 ## Changelog
+### 2026-02-22 - Code Mode Tools (search + execute)
+**Major change**: Replaced all individual API/schema/module tools with 2 Code Mode meta-tools following Cloudflare's Code Mode pattern.
+**What changed**:
+- Added `search` tool: AI writes JavaScript to query the OpenAPI spec + entity schemas via a `spec` global
+- Added `execute` tool: AI writes JavaScript to make API calls via `api.request()` in a `node:vm` sandbox
+- Removed `find_api`, `call_api`, `discover_schema` tools (files kept but no longer imported)
+- Removed auto-discovered module AI tools from `ai-tools.generated.ts`
+- Token savings: from ~10+ tool schemas to exactly 2, with fixed footprint regardless of API surface growth
+**Files created**:
+- `lib/codemode-tools.ts` — `search` and `execute` tool definitions
+- `lib/sandbox.ts` — `node:vm` sandbox executor with security restrictions
+- `lib/truncate.ts` — Response size limiter (40K chars / ~10K tokens)
+**Files modified**:
+- `lib/api-endpoint-index.ts` — Added `getRawOpenApiSpec()` for raw spec caching
+- `lib/tool-loader.ts` — Loads Code Mode tools instead of legacy tools + module tools
+- `lib/http-server.ts` — Pre-caches raw OpenAPI spec at startup
+- `lib/mcp-server.ts` — Generates entity graph and caches spec for stdio mode
+**Files kept but unused**:
+- `lib/api-discovery-tools.ts` — Old find_api/call_api (no longer imported)
+- `lib/entity-graph-tools.ts` — Old discover_schema (no longer imported)
 ### 2026-01-17 - Session Persistence Fix
 **Lesson learned:** Never use `Promise.race` for SSE completion — the HTTP response resolves before SSE can emit the `done` event. Always await only the SSE event promise.

package/dist/modules/ai_assistant/api/chat/route.js CHANGED Viewed

@@ -14,22 +14,102 @@ import { findWithDecryption } from "@open-mercato/shared/lib/encryption/find";
 const CHAT_SYSTEM_INSTRUCTIONS = `
 You are a helpful business assistant for Open Mercato.
-EFFICIENCY - CRITICAL:
-- MINIMIZE tool calls. If you already have the information, DO NOT call tools again.
-- When you retrieve entity info or search results, REMEMBER and REUSE that data.
-- For simple queries, use ONE search and present results - don't over-fetch.
-- For updates: search once to find the record, then call_api once to update.
+\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+ABSOLUTE RULES \u2014 FOLLOW THESE OR BE CUT OFF
+\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+1. READ = GET only. If the user says find/list/show/search/get \u2192 use only GET. NEVER call PUT/POST/DELETE for a read query.
+2. PUT path = collection path. id goes in the BODY, not the URL. Example: PUT /api/customers/companies with { id: '...', name: 'New' }. There are NO /{id} path segments.
+3. Confirm before ANY write. Before POST/PUT/DELETE: present your plan in business language, then STOP and wait for user to say "yes". Do NOT execute the write in the same turn.
+4. Maximum 4 tool calls per message. Hard limit is 10.
-STATUS UPDATES: Before each tool call, output a brief status line:
-- "\u{1F50D} Searching..." before search_query
-- "\u{1F4CB} Getting details..." before search_get or understand_entity
-- "\u{1F517} Calling API..." before call_api
+You have 2 tools \u2014 both accept a "code" parameter with an async JavaScript arrow function.
+TOOL: search \u2014 discover endpoints and schemas (READ-ONLY, fast)
+  - spec.findEndpoints(keyword) \u2192 [{ path, methods }]
+  - spec.describeEndpoint(path, method) \u2192 COMPACT: { requiredFields, optionalFields, nestedCollections, example, relatedEndpoints, relatedEntity }
+  - spec.describeEntity(keyword) \u2192 { className, fields, relationships }
+TOOL: execute \u2014 make API calls (reads and writes)
+  - api.request({ method, path, query?, body? }) \u2192 { success, statusCode, data }
+COMMON API PATHS (use directly \u2014 do NOT call findEndpoints for these):
+  /api/customers/companies      \u2014 companies (GET list, POST create, PUT update)
+  /api/customers/people         \u2014 contacts/people
+  /api/customers/deals          \u2014 deals/opportunities
+  /api/customers/activities     \u2014 activities/tasks
+  /api/sales/orders             \u2014 sales orders
+  /api/sales/quotes             \u2014 quotes
+  /api/sales/invoices           \u2014 invoices
+  /api/catalog/products         \u2014 products
+  /api/catalog/categories       \u2014 categories
+\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+RECIPES \u2014 follow EXACTLY for each task type
+\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+FIND/LIST records (1 call):
+  For COMMON PATHS: skip describeEndpoint, go straight to execute.
+  1. execute: api.request({ method: 'GET', path: '/api/<module>/<resource>' })
+  The "search" query param only matches indexed text fields \u2014 it will NOT match concepts like "Polish" or "large".
+  For conceptual/subjective queries, fetch ALL records and use YOUR reasoning to identify matches from the returned data.
+  For unknown paths: 1 search + 1 execute.
+UPDATE a record (3-4 calls):
+  1. search: spec.describeEndpoint('/api/<module>/<resource>', 'PUT')  \u2192 learn requestBody fields AND relatedEntity
+  2. execute: GET the record \u2192 find it, get its ID
+  3. execute: PUT to the COLLECTION path with id IN THE BODY:
+     api.request({ method: 'PUT', path: '/api/<module>/<resource>', body: { id: '<uuid>', ...changes } })
+  NOTE: All CRUD endpoints use the COLLECTION path. The id goes in the request BODY, not the URL. There are NO /{id} path segments.
+CREATE a record (2-3 calls):
+  1. search: spec.describeEndpoint('/api/<module>/<resource>', 'POST') \u2192 gives requiredFields, optionalFields, nestedCollections, and a working example
+  2. Ask user for confirmation with the field values
+  3. execute: api.request({ method: 'POST', ...body })
+  If the endpoint has nestedCollections (like lines), include them INLINE in the body \u2014 do NOT create them separately.
+  Use the "example" from describeEndpoint as your template \u2014 fill in real values.
+  Example \u2014 create a quote with line items:
+    api.request({ method: 'POST', path: '/api/sales/quotes', body: {
+      currencyCode: 'EUR', customerEntityId: '<company-uuid>',
+      lines: [{ currencyCode: 'EUR', quantity: 1, productId: '<product-uuid>', name: 'Product Name', kind: 'product' }]
+    }})
+  Do NOT create lines separately. Do NOT include id, quoteId, or total fields \u2014 the server generates them.
+CREATE MULTIPLE records (2-3 calls):
+  1. search: spec.describeEndpoint('/api/<module>/<resource>', 'POST') \u2192 learn fields + example
+  2. execute: loop in one call:
+     async () => {
+       const results = [];
+       for (const item of items) {
+         results.push(await api.request({ method: 'POST', path: '...', body: item }));
+       }
+       return results;
+     }
+DISCOVER (what endpoints/entities exist) (1 call):
+  1. search: spec.findEndpoints('<keyword>') or spec.describeEntity('<keyword>')
+\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+HARD RULES
+\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550
+- MAXIMUM 4 tool calls per user message. You WILL be cut off after 10.
+- NEVER call findEndpoints or describeEndpoint for COMMON PATHS listed above \u2014 use them directly with execute.
+- NEVER call describeEntity if describeEndpoint already returned relatedEntity.
+- NEVER repeat a search from earlier in the conversation \u2014 reuse previous results.
+- NEVER make N+1 API calls (1 call per record). Fetch a list and reason about the results yourself.
+- When you already have the data you need from a previous call, use it \u2014 do NOT fetch more data to "enrich" it.
+- Do NOT write JavaScript filters/regex to match records. Fetch data with a simple api.request() call and use YOUR knowledge to interpret the results.
+- The "search" query param is fulltext only \u2014 it won't match nationalities, categories, or subjective criteria. For those, fetch all and reason.
+- describeEndpoint returns a COMPACT summary with requiredFields, optionalFields, and an example. Use the example as your template \u2014 fill in real values and send it.
+- For fields you don't know, OMIT them \u2014 the API uses defaults for optional fields.
+- NEVER try to set computed/total fields (amounts, totals, counts) \u2014 the server calculates them.
+- For updates: describeEndpoint gives you the field names. Go straight to GET + PUT. PUT path is the COLLECTION path, id in BODY.
+- For creates with children (e.g. quote + lines): include children INLINE in the body using the nestedCollections field name.
 RESPONSE RULES:
-- Be proactive - fetch data and present results, don't ask what the user wants to see
-- Never show technical terms, IDs, JSON, or internal reasoning
-- Present results in clean business language with **bold names** and bullet points
-- Only ask for confirmation before create/update/delete operations
+- Be proactive \u2014 fetch data and present results, don't ask what the user wants to see.
+- Never show technical terms, IDs, JSON, or internal reasoning.
+- Present results in clean business language with **bold names** and bullet points.
+- Only ask for confirmation before create/update/delete operations.
 `.trim();
 const metadata = {
   POST: { requireAuth: true, requireFeatures: ["ai_assistant.view"] }
@@ -97,6 +177,9 @@ async function POST(req) {
     if (!lastUserMessage) {
       return NextResponse.json({ error: "No user message found" }, { status: 400 });
     }
+    const chatStartTime = Date.now();
+    const messagePreview = lastUserMessage.slice(0, 80).replace(/\n/g, " ");
+    console.error(`[AI Usage] Chat request: user=${auth.sub} session=${sessionId ? sessionId.slice(0, 16) + "..." : "new"} message="${messagePreview}${lastUserMessage.length > 80 ? "..." : ""}"`);
     let sessionToken = null;
     if (!sessionId) {
       try {
@@ -130,6 +213,9 @@ async function POST(req) {
     }
     messageToSend += lastUserMessage;
     (async () => {
+      let toolCallCount = 0;
+      let lastTokens;
+      let resultSessionId;
       try {
         if (sessionToken) {
           console.log("[AI Chat] Emitting session-authorized event");
@@ -145,6 +231,9 @@ async function POST(req) {
             sessionId
           },
           async (event) => {
+            if (event.type === "tool-call") toolCallCount++;
+            if (event.type === "metadata" && "tokens" in event) lastTokens = event.tokens;
+            if (event.type === "done" && "sessionId" in event) resultSessionId = event.sessionId;
             await writeSSE(event);
           }
         );
@@ -155,6 +244,8 @@ async function POST(req) {
           error: error instanceof Error ? error.message : "OpenCode request failed"
         });
       } finally {
+        const durationMs = Date.now() - chatStartTime;
+        console.error(`[AI Usage] Chat complete: user=${auth.sub} session=${(resultSessionId || sessionId || "unknown").slice(0, 16)}... duration=${durationMs}ms toolCalls=${toolCallCount}${lastTokens ? ` tokens={in:${lastTokens.input || 0},out:${lastTokens.output || 0}}` : ""}`);
         await closeWriter();
       }
     })();

package/dist/modules/ai_assistant/api/chat/route.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../../src/modules/ai_assistant/api/chat/route.ts"],
-  "sourcesContent": ["import { NextResponse, type NextRequest } from 'next/server'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport {\n  handleOpenCodeMessageStreaming,\n  type OpenCodeStreamEvent,\n} from '../../lib/opencode-handlers'\nimport { createOpenCodeClient } from '../../lib/opencode-client'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport {\n  generateSessionToken,\n  createSessionApiKey,\n} from '@open-mercato/core/modules/api_keys/services/apiKeyService'\nimport { UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\n/**\n * System instructions injected at the start of new chat sessions.\n * These ensure the AI follows the correct workflow for data operations.\n */\nconst CHAT_SYSTEM_INSTRUCTIONS = `\nYou are a helpful business assistant for Open Mercato.\n\nEFFICIENCY - CRITICAL:\n- MINIMIZE tool calls. If you already have the information, DO NOT call tools again.\n- When you retrieve entity info or search results, REMEMBER and REUSE that data.\n- For simple queries, use ONE search and present results - don't over-fetch.\n- For updates: search once to find the record, then call_api once to update.\n\nSTATUS UPDATES: Before each tool call, output a brief status line:\n- \"\uD83D\uDD0D Searching...\" before search_query\n- \"\uD83D\uDCCB Getting details...\" before search_get or understand_entity\n- \"\uD83D\uDD17 Calling API...\" before call_api\n\nRESPONSE RULES:\n- Be proactive - fetch data and present results, don't ask what the user wants to see\n- Never show technical terms, IDs, JSON, or internal reasoning\n- Present results in clean business language with **bold names** and bullet points\n- Only ask for confirmation before create/update/delete operations\n`.trim()\n\nexport const metadata = {\n  POST: { requireAuth: true, requireFeatures: ['ai_assistant.view'] },\n}\n\n/**\n * Get user's role IDs from the database.\n */\nasync function getUserRoleIds(\n  em: EntityManager,\n  userId: string,\n  tenantId: string | null\n): Promise<string[]> {\n  if (!tenantId) return []\n\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as any, role: { tenantId } } as any,\n    { populate: ['role'] },\n    { tenantId, organizationId: null },\n  )\n  const linkList = Array.isArray(links) ? links : []\n  return linkList\n    .map((l) => (l.role as any)?.id)\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n}\n\n/**\n * Chat endpoint that routes messages to OpenCode agent.\n * OpenCode connects to MCP server for tool access (api_discover, api_execute, api_schema).\n *\n * Emits verbose SSE events for debugging:\n * - thinking: Agent started processing\n * - metadata: Model, tokens, timing info\n * - tool-call: Tool invocation with args\n * - tool-result: Tool response\n * - text: Response text\n * - question: Confirmation question from agent\n * - done: Complete with session ID\n * - error: Error occurred\n */\nexport async function POST(req: NextRequest) {\n  const auth = await getAuthFromRequest(req)\n\n  if (!auth) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  try {\n    const body = await req.json()\n    const { messages, sessionId, answerQuestion } = body as {\n      messages?: Array<{ role: string; content: string }>\n      sessionId?: string\n      // For answering a question\n      answerQuestion?: {\n        questionId: string\n        answer: number\n        sessionId: string\n      }\n    }\n\n    // Create SSE stream for frontend compatibility\n    const encoder = new TextEncoder()\n    const stream = new TransformStream()\n    const writer = stream.writable.getWriter()\n    let writerClosed = false\n\n    const writeSSE = async (event: OpenCodeStreamEvent | { type: string; [key: string]: unknown }) => {\n      if (writerClosed) return // Guard against writes after close\n      try {\n        const jsonStr = JSON.stringify(event)\n        await writer.write(encoder.encode(`data: ${jsonStr}\\n\\n`))\n      } catch (err) {\n        // Writer may have been closed by client disconnect\n        console.warn('[AI Chat] Failed to write SSE event:', event.type)\n      }\n    }\n\n    const closeWriter = async () => {\n      if (writerClosed) return\n      writerClosed = true\n      try {\n        await writer.close()\n      } catch {\n        // Already closed\n      }\n    }\n\n    // Handle question answer - simple JSON response, not SSE\n    // The original SSE stream continues and will receive the follow-up response\n    if (answerQuestion) {\n      try {\n        const client = createOpenCodeClient()\n        await client.answerQuestion(answerQuestion.questionId, answerQuestion.answer)\n        return NextResponse.json({ success: true })\n      } catch (error) {\n        console.error('[AI Chat] Answer error:', error)\n        return NextResponse.json(\n          { error: error instanceof Error ? error.message : 'Failed to answer question' },\n          { status: 500 }\n        )\n      }\n    }\n\n    // Handle regular message\n    if (!messages || !Array.isArray(messages)) {\n      return NextResponse.json({ error: 'messages array is required' }, { status: 400 })\n    }\n\n    // Get the latest user message\n    const lastUserMessage = messages.filter((m) => m.role === 'user').pop()?.content\n    if (!lastUserMessage) {\n      return NextResponse.json({ error: 'No user message found' }, { status: 400 })\n    }\n\n    // For new sessions, create an ephemeral API key that inherits user permissions\n    // The API key secret is encrypted and stored; MCP server recovers it via session token\n    let sessionToken: string | null = null\n    if (!sessionId) {\n      try {\n        const container = await createRequestContainer()\n        const em = container.resolve<EntityManager>('em')\n\n        // Get user's role IDs from database\n        const userRoleIds = await getUserRoleIds(em, auth.sub, auth.tenantId)\n\n        // Generate session token and create ephemeral key\n        sessionToken = generateSessionToken()\n        await createSessionApiKey(em, {\n          sessionToken,\n          userId: auth.sub,\n          userRoles: userRoleIds,\n          tenantId: auth.tenantId,\n          organizationId: auth.orgId,\n          ttlMinutes: 120,\n        })\n        console.log('[AI Chat] Created session token:', sessionToken.slice(0, 12) + '...')\n      } catch (error) {\n        console.error('[AI Chat] Failed to create session key:', error)\n        // Continue without session key - tools will use static API key auth\n      }\n    }\n\n    // Build the message to send to OpenCode\n    // For NEW sessions: inject system instructions + session token\n    // For existing sessions: only inject session token if available\n    let messageToSend = ''\n\n    // For NEW sessions only, prepend system instructions\n    if (!sessionId) {\n      messageToSend = `${CHAT_SYSTEM_INSTRUCTIONS}\\n\\n`\n    }\n\n    // If we have a session token, prepend explicit instructions for the AI to include it in tool calls\n    if (sessionToken) {\n      messageToSend += `[Session Authorization: ${sessionToken}. Include \"_sessionToken\": \"${sessionToken}\" in EVERY tool call.]\\n\\n`\n    }\n\n    messageToSend += lastUserMessage\n\n    // Process in background - starts AFTER Response is returned so there's a reader for the stream\n    ;(async () => {\n      try {\n        // Emit session-authorized event first (if we have a token)\n        if (sessionToken) {\n          console.log('[AI Chat] Emitting session-authorized event')\n          await writeSSE({\n            type: 'session-authorized',\n            sessionToken: sessionToken.slice(0, 12) + '...',\n          })\n        }\n\n        // Emit thinking event for UX feedback\n        await writeSSE({ type: 'thinking' })\n\n        // Use streaming handler that supports questions\n        await handleOpenCodeMessageStreaming(\n          {\n            message: messageToSend,\n            sessionId,\n          },\n          async (event) => {\n            await writeSSE(event)\n          }\n        )\n      } catch (error) {\n        console.error('[AI Chat] OpenCode error:', error)\n        await writeSSE({\n          type: 'error',\n          error: error instanceof Error ? error.message : 'OpenCode request failed',\n        })\n      } finally {\n        await closeWriter()\n      }\n    })()\n\n    return new Response(stream.readable, {\n      headers: {\n        'Content-Type': 'text/event-stream',\n        'Cache-Control': 'no-cache',\n        Connection: 'keep-alive',\n      },\n    })\n  } catch (error) {\n    console.error('[AI Chat] Error:', error)\n    return NextResponse.json({ error: 'Chat request failed' }, { status: 500 })\n  }\n}\n"],
-  "mappings": "AAAA,SAAS,oBAAsC;AAC/C,SAAS,0BAA0B;AACnC;AAAA,EACE;AAAA,OAEK;AACP,SAAS,4BAA4B;AACrC,SAAS,8BAA8B;AAEvC;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,gBAAgB;AACzB,SAAS,0BAA0B;AAMnC,MAAM,2BAA2B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmB/B,KAAK;AAEA,MAAM,WAAW;AAAA,EACtB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACpE;AAKA,eAAe,eACb,IACA,QACA,UACmB;AACnB,MAAI,CAAC,SAAU,QAAO,CAAC;AAEvB,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAe,MAAM,EAAE,SAAS,EAAE;AAAA,IAC1C,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACA,QAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AACjD,SAAO,SACJ,IAAI,CAAC,MAAO,EAAE,MAAc,EAAE,EAC9B,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACzE;AAgBA,eAAsB,KAAK,KAAkB;AAC3C,QAAM,OAAO,MAAM,mBAAmB,GAAG;AAEzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,MAAI;AACF,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,UAAM,EAAE,UAAU,WAAW,eAAe,IAAI;AAYhD,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,SAAS,IAAI,gBAAgB;AACnC,UAAM,SAAS,OAAO,SAAS,UAAU;AACzC,QAAI,eAAe;AAEnB,UAAM,WAAW,OAAO,UAA0E;AAChG,UAAI,aAAc;AAClB,UAAI;AACF,cAAM,UAAU,KAAK,UAAU,KAAK;AACpC,cAAM,OAAO,MAAM,QAAQ,OAAO,SAAS,OAAO;AAAA;AAAA,CAAM,CAAC;AAAA,MAC3D,SAAS,KAAK;AAEZ,gBAAQ,KAAK,wCAAwC,MAAM,IAAI;AAAA,MACjE;AAAA,IACF;AAEA,UAAM,cAAc,YAAY;AAC9B,UAAI,aAAc;AAClB,qBAAe;AACf,UAAI;AACF,cAAM,OAAO,MAAM;AAAA,MACrB,QAAQ;AAAA,MAER;AAAA,IACF;AAIA,QAAI,gBAAgB;AAClB,UAAI;AACF,cAAM,SAAS,qBAAqB;AACpC,cAAM,OAAO,eAAe,eAAe,YAAY,eAAe,MAAM;AAC5E,eAAO,aAAa,KAAK,EAAE,SAAS,KAAK,CAAC;AAAA,MAC5C,SAAS,OAAO;AACd,gBAAQ,MAAM,2BAA2B,KAAK;AAC9C,eAAO,aAAa;AAAA,UAClB,EAAE,OAAO,iBAAiB,QAAQ,MAAM,UAAU,4BAA4B;AAAA,UAC9E,EAAE,QAAQ,IAAI;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AAGA,QAAI,CAAC,YAAY,CAAC,MAAM,QAAQ,QAAQ,GAAG;AACzC,aAAO,aAAa,KAAK,EAAE,OAAO,6BAA6B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACnF;AAGA,UAAM,kBAAkB,SAAS,OAAO,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,IAAI,GAAG;AACzE,QAAI,CAAC,iBAAiB;AACpB,aAAO,aAAa,KAAK,EAAE,OAAO,wBAAwB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC9E;AAIA,QAAI,eAA8B;AAClC,QAAI,CAAC,WAAW;AACd,UAAI;AACF,cAAM,YAAY,MAAM,uBAAuB;AAC/C,cAAM,KAAK,UAAU,QAAuB,IAAI;AAGhD,cAAM,cAAc,MAAM,eAAe,IAAI,KAAK,KAAK,KAAK,QAAQ;AAGpE,uBAAe,qBAAqB;AACpC,cAAM,oBAAoB,IAAI;AAAA,UAC5B;AAAA,UACA,QAAQ,KAAK;AAAA,UACb,WAAW;AAAA,UACX,UAAU,KAAK;AAAA,UACf,gBAAgB,KAAK;AAAA,UACrB,YAAY;AAAA,QACd,CAAC;AACD,gBAAQ,IAAI,oCAAoC,aAAa,MAAM,GAAG,EAAE,IAAI,KAAK;AAAA,MACnF,SAAS,OAAO;AACd,gBAAQ,MAAM,2CAA2C,KAAK;AAAA,MAEhE;AAAA,IACF;AAKA,QAAI,gBAAgB;AAGpB,QAAI,CAAC,WAAW;AACd,sBAAgB,GAAG,wBAAwB;AAAA;AAAA;AAAA,IAC7C;AAGA,QAAI,cAAc;AAChB,uBAAiB,2BAA2B,YAAY,+BAA+B,YAAY;AAAA;AAAA;AAAA,IACrG;AAEA,qBAAiB;AAGhB,KAAC,YAAY;AACZ,UAAI;AAEF,YAAI,cAAc;AAChB,kBAAQ,IAAI,6CAA6C;AACzD,gBAAM,SAAS;AAAA,YACb,MAAM;AAAA,YACN,cAAc,aAAa,MAAM,GAAG,EAAE,IAAI;AAAA,UAC5C,CAAC;AAAA,QACH;AAGA,cAAM,SAAS,EAAE,MAAM,WAAW,CAAC;AAGnC,cAAM;AAAA,UACJ;AAAA,YACE,SAAS;AAAA,YACT;AAAA,UACF;AAAA,UACA,OAAO,UAAU;AACf,kBAAM,SAAS,KAAK;AAAA,UACtB;AAAA,QACF;AAAA,MACF,SAAS,OAAO;AACd,gBAAQ,MAAM,6BAA6B,KAAK;AAChD,cAAM,SAAS;AAAA,UACb,MAAM;AAAA,UACN,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,QAClD,CAAC;AAAA,MACH,UAAE;AACA,cAAM,YAAY;AAAA,MACpB;AAAA,IACF,GAAG;AAEH,WAAO,IAAI,SAAS,OAAO,UAAU;AAAA,MACnC,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,iBAAiB;AAAA,QACjB,YAAY;AAAA,MACd;AAAA,IACF,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,oBAAoB,KAAK;AACvC,WAAO,aAAa,KAAK,EAAE,OAAO,sBAAsB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5E;AACF;",
+  "sourcesContent": ["import { NextResponse, type NextRequest } from 'next/server'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport {\n  handleOpenCodeMessageStreaming,\n  type OpenCodeStreamEvent,\n} from '../../lib/opencode-handlers'\nimport { createOpenCodeClient } from '../../lib/opencode-client'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport {\n  generateSessionToken,\n  createSessionApiKey,\n} from '@open-mercato/core/modules/api_keys/services/apiKeyService'\nimport { UserRole } from '@open-mercato/core/modules/auth/data/entities'\nimport { findWithDecryption } from '@open-mercato/shared/lib/encryption/find'\n\n/**\n * System instructions injected at the start of new chat sessions.\n * These ensure the AI follows the correct workflow for data operations.\n */\nconst CHAT_SYSTEM_INSTRUCTIONS = `\nYou are a helpful business assistant for Open Mercato.\n\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nABSOLUTE RULES \u2014 FOLLOW THESE OR BE CUT OFF\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n1. READ = GET only. If the user says find/list/show/search/get \u2192 use only GET. NEVER call PUT/POST/DELETE for a read query.\n2. PUT path = collection path. id goes in the BODY, not the URL. Example: PUT /api/customers/companies with { id: '...', name: 'New' }. There are NO /{id} path segments.\n3. Confirm before ANY write. Before POST/PUT/DELETE: present your plan in business language, then STOP and wait for user to say \"yes\". Do NOT execute the write in the same turn.\n4. Maximum 4 tool calls per message. Hard limit is 10.\n\nYou have 2 tools \u2014 both accept a \"code\" parameter with an async JavaScript arrow function.\n\nTOOL: search \u2014 discover endpoints and schemas (READ-ONLY, fast)\n  - spec.findEndpoints(keyword) \u2192 [{ path, methods }]\n  - spec.describeEndpoint(path, method) \u2192 COMPACT: { requiredFields, optionalFields, nestedCollections, example, relatedEndpoints, relatedEntity }\n  - spec.describeEntity(keyword) \u2192 { className, fields, relationships }\n\nTOOL: execute \u2014 make API calls (reads and writes)\n  - api.request({ method, path, query?, body? }) \u2192 { success, statusCode, data }\n\nCOMMON API PATHS (use directly \u2014 do NOT call findEndpoints for these):\n  /api/customers/companies      \u2014 companies (GET list, POST create, PUT update)\n  /api/customers/people         \u2014 contacts/people\n  /api/customers/deals          \u2014 deals/opportunities\n  /api/customers/activities     \u2014 activities/tasks\n  /api/sales/orders             \u2014 sales orders\n  /api/sales/quotes             \u2014 quotes\n  /api/sales/invoices           \u2014 invoices\n  /api/catalog/products         \u2014 products\n  /api/catalog/categories       \u2014 categories\n\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nRECIPES \u2014 follow EXACTLY for each task type\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n\nFIND/LIST records (1 call):\n  For COMMON PATHS: skip describeEndpoint, go straight to execute.\n  1. execute: api.request({ method: 'GET', path: '/api/<module>/<resource>' })\n  The \"search\" query param only matches indexed text fields \u2014 it will NOT match concepts like \"Polish\" or \"large\".\n  For conceptual/subjective queries, fetch ALL records and use YOUR reasoning to identify matches from the returned data.\n  For unknown paths: 1 search + 1 execute.\n\nUPDATE a record (3-4 calls):\n  1. search: spec.describeEndpoint('/api/<module>/<resource>', 'PUT')  \u2192 learn requestBody fields AND relatedEntity\n  2. execute: GET the record \u2192 find it, get its ID\n  3. execute: PUT to the COLLECTION path with id IN THE BODY:\n     api.request({ method: 'PUT', path: '/api/<module>/<resource>', body: { id: '<uuid>', ...changes } })\n  NOTE: All CRUD endpoints use the COLLECTION path. The id goes in the request BODY, not the URL. There are NO /{id} path segments.\n\nCREATE a record (2-3 calls):\n  1. search: spec.describeEndpoint('/api/<module>/<resource>', 'POST') \u2192 gives requiredFields, optionalFields, nestedCollections, and a working example\n  2. Ask user for confirmation with the field values\n  3. execute: api.request({ method: 'POST', ...body })\n  If the endpoint has nestedCollections (like lines), include them INLINE in the body \u2014 do NOT create them separately.\n  Use the \"example\" from describeEndpoint as your template \u2014 fill in real values.\n  Example \u2014 create a quote with line items:\n    api.request({ method: 'POST', path: '/api/sales/quotes', body: {\n      currencyCode: 'EUR', customerEntityId: '<company-uuid>',\n      lines: [{ currencyCode: 'EUR', quantity: 1, productId: '<product-uuid>', name: 'Product Name', kind: 'product' }]\n    }})\n  Do NOT create lines separately. Do NOT include id, quoteId, or total fields \u2014 the server generates them.\n\nCREATE MULTIPLE records (2-3 calls):\n  1. search: spec.describeEndpoint('/api/<module>/<resource>', 'POST') \u2192 learn fields + example\n  2. execute: loop in one call:\n     async () => {\n       const results = [];\n       for (const item of items) {\n         results.push(await api.request({ method: 'POST', path: '...', body: item }));\n       }\n       return results;\n     }\n\nDISCOVER (what endpoints/entities exist) (1 call):\n  1. search: spec.findEndpoints('<keyword>') or spec.describeEntity('<keyword>')\n\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\nHARD RULES\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\n- MAXIMUM 4 tool calls per user message. You WILL be cut off after 10.\n- NEVER call findEndpoints or describeEndpoint for COMMON PATHS listed above \u2014 use them directly with execute.\n- NEVER call describeEntity if describeEndpoint already returned relatedEntity.\n- NEVER repeat a search from earlier in the conversation \u2014 reuse previous results.\n- NEVER make N+1 API calls (1 call per record). Fetch a list and reason about the results yourself.\n- When you already have the data you need from a previous call, use it \u2014 do NOT fetch more data to \"enrich\" it.\n- Do NOT write JavaScript filters/regex to match records. Fetch data with a simple api.request() call and use YOUR knowledge to interpret the results.\n- The \"search\" query param is fulltext only \u2014 it won't match nationalities, categories, or subjective criteria. For those, fetch all and reason.\n- describeEndpoint returns a COMPACT summary with requiredFields, optionalFields, and an example. Use the example as your template \u2014 fill in real values and send it.\n- For fields you don't know, OMIT them \u2014 the API uses defaults for optional fields.\n- NEVER try to set computed/total fields (amounts, totals, counts) \u2014 the server calculates them.\n- For updates: describeEndpoint gives you the field names. Go straight to GET + PUT. PUT path is the COLLECTION path, id in BODY.\n- For creates with children (e.g. quote + lines): include children INLINE in the body using the nestedCollections field name.\n\nRESPONSE RULES:\n- Be proactive \u2014 fetch data and present results, don't ask what the user wants to see.\n- Never show technical terms, IDs, JSON, or internal reasoning.\n- Present results in clean business language with **bold names** and bullet points.\n- Only ask for confirmation before create/update/delete operations.\n`.trim()\n\nexport const metadata = {\n  POST: { requireAuth: true, requireFeatures: ['ai_assistant.view'] },\n}\n\n/**\n * Get user's role IDs from the database.\n */\nasync function getUserRoleIds(\n  em: EntityManager,\n  userId: string,\n  tenantId: string | null\n): Promise<string[]> {\n  if (!tenantId) return []\n\n  const links = await findWithDecryption(\n    em,\n    UserRole,\n    { user: userId as any, role: { tenantId } } as any,\n    { populate: ['role'] },\n    { tenantId, organizationId: null },\n  )\n  const linkList = Array.isArray(links) ? links : []\n  return linkList\n    .map((l) => (l.role as any)?.id)\n    .filter((id): id is string => typeof id === 'string' && id.length > 0)\n}\n\n/**\n * Chat endpoint that routes messages to OpenCode agent.\n * OpenCode connects to MCP server for tool access (search, execute, context_whoami).\n *\n * Emits verbose SSE events for debugging:\n * - thinking: Agent started processing\n * - metadata: Model, tokens, timing info\n * - tool-call: Tool invocation with args\n * - tool-result: Tool response\n * - text: Response text\n * - question: Confirmation question from agent\n * - done: Complete with session ID\n * - error: Error occurred\n */\nexport async function POST(req: NextRequest) {\n  const auth = await getAuthFromRequest(req)\n\n  if (!auth) {\n    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })\n  }\n\n  try {\n    const body = await req.json()\n    const { messages, sessionId, answerQuestion } = body as {\n      messages?: Array<{ role: string; content: string }>\n      sessionId?: string\n      // For answering a question\n      answerQuestion?: {\n        questionId: string\n        answer: number\n        sessionId: string\n      }\n    }\n\n    // Create SSE stream for frontend compatibility\n    const encoder = new TextEncoder()\n    const stream = new TransformStream()\n    const writer = stream.writable.getWriter()\n    let writerClosed = false\n\n    const writeSSE = async (event: OpenCodeStreamEvent | { type: string; [key: string]: unknown }) => {\n      if (writerClosed) return // Guard against writes after close\n      try {\n        const jsonStr = JSON.stringify(event)\n        await writer.write(encoder.encode(`data: ${jsonStr}\\n\\n`))\n      } catch (err) {\n        // Writer may have been closed by client disconnect\n        console.warn('[AI Chat] Failed to write SSE event:', event.type)\n      }\n    }\n\n    const closeWriter = async () => {\n      if (writerClosed) return\n      writerClosed = true\n      try {\n        await writer.close()\n      } catch {\n        // Already closed\n      }\n    }\n\n    // Handle question answer - simple JSON response, not SSE\n    // The original SSE stream continues and will receive the follow-up response\n    if (answerQuestion) {\n      try {\n        const client = createOpenCodeClient()\n        await client.answerQuestion(answerQuestion.questionId, answerQuestion.answer)\n        return NextResponse.json({ success: true })\n      } catch (error) {\n        console.error('[AI Chat] Answer error:', error)\n        return NextResponse.json(\n          { error: error instanceof Error ? error.message : 'Failed to answer question' },\n          { status: 500 }\n        )\n      }\n    }\n\n    // Handle regular message\n    if (!messages || !Array.isArray(messages)) {\n      return NextResponse.json({ error: 'messages array is required' }, { status: 400 })\n    }\n\n    // Get the latest user message\n    const lastUserMessage = messages.filter((m) => m.role === 'user').pop()?.content\n    if (!lastUserMessage) {\n      return NextResponse.json({ error: 'No user message found' }, { status: 400 })\n    }\n\n    const chatStartTime = Date.now()\n    const messagePreview = lastUserMessage.slice(0, 80).replace(/\\n/g, ' ')\n    console.error(`[AI Usage] Chat request: user=${auth.sub} session=${sessionId ? sessionId.slice(0, 16) + '...' : 'new'} message=\"${messagePreview}${lastUserMessage.length > 80 ? '...' : ''}\"`)\n\n\n    // For new sessions, create an ephemeral API key that inherits user permissions\n    // The API key secret is encrypted and stored; MCP server recovers it via session token\n    let sessionToken: string | null = null\n    if (!sessionId) {\n      try {\n        const container = await createRequestContainer()\n        const em = container.resolve<EntityManager>('em')\n\n        // Get user's role IDs from database\n        const userRoleIds = await getUserRoleIds(em, auth.sub, auth.tenantId)\n\n        // Generate session token and create ephemeral key\n        sessionToken = generateSessionToken()\n        await createSessionApiKey(em, {\n          sessionToken,\n          userId: auth.sub,\n          userRoles: userRoleIds,\n          tenantId: auth.tenantId,\n          organizationId: auth.orgId,\n          ttlMinutes: 120,\n        })\n        console.log('[AI Chat] Created session token:', sessionToken.slice(0, 12) + '...')\n      } catch (error) {\n        console.error('[AI Chat] Failed to create session key:', error)\n        // Continue without session key - tools will use static API key auth\n      }\n    }\n\n    // Build the message to send to OpenCode\n    // For NEW sessions: inject system instructions + session token\n    // For existing sessions: only inject session token if available\n    let messageToSend = ''\n\n    // For NEW sessions only, prepend system instructions\n    if (!sessionId) {\n      messageToSend = `${CHAT_SYSTEM_INSTRUCTIONS}\\n\\n`\n    }\n\n    // If we have a session token, prepend explicit instructions for the AI to include it in tool calls\n    if (sessionToken) {\n      messageToSend += `[Session Authorization: ${sessionToken}. Include \"_sessionToken\": \"${sessionToken}\" in EVERY tool call.]\\n\\n`\n    }\n\n    messageToSend += lastUserMessage\n\n    // Process in background - starts AFTER Response is returned so there's a reader for the stream\n    ;(async () => {\n      let toolCallCount = 0\n      let lastTokens: { input?: number; output?: number } | undefined\n      let resultSessionId: string | undefined\n\n      try {\n        // Emit session-authorized event first (if we have a token)\n        if (sessionToken) {\n          console.log('[AI Chat] Emitting session-authorized event')\n          await writeSSE({\n            type: 'session-authorized',\n            sessionToken: sessionToken.slice(0, 12) + '...',\n          })\n        }\n\n        // Emit thinking event for UX feedback\n        await writeSSE({ type: 'thinking' })\n\n        // Use streaming handler that supports questions\n        await handleOpenCodeMessageStreaming(\n          {\n            message: messageToSend,\n            sessionId,\n          },\n          async (event) => {\n            // Track usage from stream events\n            if (event.type === 'tool-call') toolCallCount++\n            if (event.type === 'metadata' && 'tokens' in event) lastTokens = event.tokens\n            if (event.type === 'done' && 'sessionId' in event) resultSessionId = event.sessionId\n\n            await writeSSE(event)\n          }\n        )\n      } catch (error) {\n        console.error('[AI Chat] OpenCode error:', error)\n        await writeSSE({\n          type: 'error',\n          error: error instanceof Error ? error.message : 'OpenCode request failed',\n        })\n      } finally {\n        const durationMs = Date.now() - chatStartTime\n        console.error(`[AI Usage] Chat complete: user=${auth.sub} session=${(resultSessionId || sessionId || 'unknown').slice(0, 16)}... duration=${durationMs}ms toolCalls=${toolCallCount}${lastTokens ? ` tokens={in:${lastTokens.input || 0},out:${lastTokens.output || 0}}` : ''}`)\n        await closeWriter()\n      }\n    })()\n\n    return new Response(stream.readable, {\n      headers: {\n        'Content-Type': 'text/event-stream',\n        'Cache-Control': 'no-cache',\n        Connection: 'keep-alive',\n      },\n    })\n  } catch (error) {\n    console.error('[AI Chat] Error:', error)\n    return NextResponse.json({ error: 'Chat request failed' }, { status: 500 })\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAsC;AAC/C,SAAS,0BAA0B;AACnC;AAAA,EACE;AAAA,OAEK;AACP,SAAS,4BAA4B;AACrC,SAAS,8BAA8B;AAEvC;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,gBAAgB;AACzB,SAAS,0BAA0B;AAMnC,MAAM,2BAA2B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmG/B,KAAK;AAEA,MAAM,WAAW;AAAA,EACtB,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACpE;AAKA,eAAe,eACb,IACA,QACA,UACmB;AACnB,MAAI,CAAC,SAAU,QAAO,CAAC;AAEvB,QAAM,QAAQ,MAAM;AAAA,IAClB;AAAA,IACA;AAAA,IACA,EAAE,MAAM,QAAe,MAAM,EAAE,SAAS,EAAE;AAAA,IAC1C,EAAE,UAAU,CAAC,MAAM,EAAE;AAAA,IACrB,EAAE,UAAU,gBAAgB,KAAK;AAAA,EACnC;AACA,QAAM,WAAW,MAAM,QAAQ,KAAK,IAAI,QAAQ,CAAC;AACjD,SAAO,SACJ,IAAI,CAAC,MAAO,EAAE,MAAc,EAAE,EAC9B,OAAO,CAAC,OAAqB,OAAO,OAAO,YAAY,GAAG,SAAS,CAAC;AACzE;AAgBA,eAAsB,KAAK,KAAkB;AAC3C,QAAM,OAAO,MAAM,mBAAmB,GAAG;AAEzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACrE;AAEA,MAAI;AACF,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,UAAM,EAAE,UAAU,WAAW,eAAe,IAAI;AAYhD,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,SAAS,IAAI,gBAAgB;AACnC,UAAM,SAAS,OAAO,SAAS,UAAU;AACzC,QAAI,eAAe;AAEnB,UAAM,WAAW,OAAO,UAA0E;AAChG,UAAI,aAAc;AAClB,UAAI;AACF,cAAM,UAAU,KAAK,UAAU,KAAK;AACpC,cAAM,OAAO,MAAM,QAAQ,OAAO,SAAS,OAAO;AAAA;AAAA,CAAM,CAAC;AAAA,MAC3D,SAAS,KAAK;AAEZ,gBAAQ,KAAK,wCAAwC,MAAM,IAAI;AAAA,MACjE;AAAA,IACF;AAEA,UAAM,cAAc,YAAY;AAC9B,UAAI,aAAc;AAClB,qBAAe;AACf,UAAI;AACF,cAAM,OAAO,MAAM;AAAA,MACrB,QAAQ;AAAA,MAER;AAAA,IACF;AAIA,QAAI,gBAAgB;AAClB,UAAI;AACF,cAAM,SAAS,qBAAqB;AACpC,cAAM,OAAO,eAAe,eAAe,YAAY,eAAe,MAAM;AAC5E,eAAO,aAAa,KAAK,EAAE,SAAS,KAAK,CAAC;AAAA,MAC5C,SAAS,OAAO;AACd,gBAAQ,MAAM,2BAA2B,KAAK;AAC9C,eAAO,aAAa;AAAA,UAClB,EAAE,OAAO,iBAAiB,QAAQ,MAAM,UAAU,4BAA4B;AAAA,UAC9E,EAAE,QAAQ,IAAI;AAAA,QAChB;AAAA,MACF;AAAA,IACF;AAGA,QAAI,CAAC,YAAY,CAAC,MAAM,QAAQ,QAAQ,GAAG;AACzC,aAAO,aAAa,KAAK,EAAE,OAAO,6BAA6B,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACnF;AAGA,UAAM,kBAAkB,SAAS,OAAO,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,IAAI,GAAG;AACzE,QAAI,CAAC,iBAAiB;AACpB,aAAO,aAAa,KAAK,EAAE,OAAO,wBAAwB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IAC9E;AAEA,UAAM,gBAAgB,KAAK,IAAI;AAC/B,UAAM,iBAAiB,gBAAgB,MAAM,GAAG,EAAE,EAAE,QAAQ,OAAO,GAAG;AACtE,YAAQ,MAAM,iCAAiC,KAAK,GAAG,YAAY,YAAY,UAAU,MAAM,GAAG,EAAE,IAAI,QAAQ,KAAK,aAAa,cAAc,GAAG,gBAAgB,SAAS,KAAK,QAAQ,EAAE,GAAG;AAK9L,QAAI,eAA8B;AAClC,QAAI,CAAC,WAAW;AACd,UAAI;AACF,cAAM,YAAY,MAAM,uBAAuB;AAC/C,cAAM,KAAK,UAAU,QAAuB,IAAI;AAGhD,cAAM,cAAc,MAAM,eAAe,IAAI,KAAK,KAAK,KAAK,QAAQ;AAGpE,uBAAe,qBAAqB;AACpC,cAAM,oBAAoB,IAAI;AAAA,UAC5B;AAAA,UACA,QAAQ,KAAK;AAAA,UACb,WAAW;AAAA,UACX,UAAU,KAAK;AAAA,UACf,gBAAgB,KAAK;AAAA,UACrB,YAAY;AAAA,QACd,CAAC;AACD,gBAAQ,IAAI,oCAAoC,aAAa,MAAM,GAAG,EAAE,IAAI,KAAK;AAAA,MACnF,SAAS,OAAO;AACd,gBAAQ,MAAM,2CAA2C,KAAK;AAAA,MAEhE;AAAA,IACF;AAKA,QAAI,gBAAgB;AAGpB,QAAI,CAAC,WAAW;AACd,sBAAgB,GAAG,wBAAwB;AAAA;AAAA;AAAA,IAC7C;AAGA,QAAI,cAAc;AAChB,uBAAiB,2BAA2B,YAAY,+BAA+B,YAAY;AAAA;AAAA;AAAA,IACrG;AAEA,qBAAiB;AAGhB,KAAC,YAAY;AACZ,UAAI,gBAAgB;AACpB,UAAI;AACJ,UAAI;AAEJ,UAAI;AAEF,YAAI,cAAc;AAChB,kBAAQ,IAAI,6CAA6C;AACzD,gBAAM,SAAS;AAAA,YACb,MAAM;AAAA,YACN,cAAc,aAAa,MAAM,GAAG,EAAE,IAAI;AAAA,UAC5C,CAAC;AAAA,QACH;AAGA,cAAM,SAAS,EAAE,MAAM,WAAW,CAAC;AAGnC,cAAM;AAAA,UACJ;AAAA,YACE,SAAS;AAAA,YACT;AAAA,UACF;AAAA,UACA,OAAO,UAAU;AAEf,gBAAI,MAAM,SAAS,YAAa;AAChC,gBAAI,MAAM,SAAS,cAAc,YAAY,MAAO,cAAa,MAAM;AACvE,gBAAI,MAAM,SAAS,UAAU,eAAe,MAAO,mBAAkB,MAAM;AAE3E,kBAAM,SAAS,KAAK;AAAA,UACtB;AAAA,QACF;AAAA,MACF,SAAS,OAAO;AACd,gBAAQ,MAAM,6BAA6B,KAAK;AAChD,cAAM,SAAS;AAAA,UACb,MAAM;AAAA,UACN,OAAO,iBAAiB,QAAQ,MAAM,UAAU;AAAA,QAClD,CAAC;AAAA,MACH,UAAE;AACA,cAAM,aAAa,KAAK,IAAI,IAAI;AAChC,gBAAQ,MAAM,kCAAkC,KAAK,GAAG,aAAa,mBAAmB,aAAa,WAAW,MAAM,GAAG,EAAE,CAAC,gBAAgB,UAAU,gBAAgB,aAAa,GAAG,aAAa,eAAe,WAAW,SAAS,CAAC,QAAQ,WAAW,UAAU,CAAC,MAAM,EAAE,EAAE;AAC/Q,cAAM,YAAY;AAAA,MACpB;AAAA,IACF,GAAG;AAEH,WAAO,IAAI,SAAS,OAAO,UAAU;AAAA,MACnC,SAAS;AAAA,QACP,gBAAgB;AAAA,QAChB,iBAAiB;AAAA,QACjB,YAAY;AAAA,MACd;AAAA,IACF,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,oBAAoB,KAAK;AACvC,WAAO,aAAa,KAAK,EAAE,OAAO,sBAAsB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC5E;AACF;",
   "names": []
 }

package/dist/modules/ai_assistant/lib/api-endpoint-index.js CHANGED Viewed

@@ -9,6 +9,7 @@ import {
 const API_ENDPOINT_ENTITY = API_ENDPOINT_ENTITY_ID;
 let endpointsCache = null;
 let endpointsByOperationId = null;
+let rawSpecCache = null;
 async function getApiEndpoints() {
   if (endpointsCache) {
     return endpointsCache;
@@ -21,6 +22,97 @@ async function getEndpointByOperationId(operationId) {
   await getApiEndpoints();
   return endpointsByOperationId?.get(operationId) ?? null;
 }
+async function getRawOpenApiSpec() {
+  if (rawSpecCache) return rawSpecCache;
+  rawSpecCache = await loadRawOpenApiSpec();
+  return rawSpecCache;
+}
+function setRawSpecCache(doc) {
+  rawSpecCache = doc;
+}
+function clearRawSpecCache() {
+  rawSpecCache = null;
+}
+async function loadRichOpenApiSpec() {
+  if (rawSpecCache) return rawSpecCache;
+  try {
+    const { getModules } = await import("@open-mercato/shared/lib/modules/registry");
+    const modules = getModules();
+    const modulesWithApis = modules.filter((m) => m.apis && m.apis.length > 0);
+    if (modulesWithApis.length > 0) {
+      const doc = buildOpenApiDocument(modules, {
+        title: "Open Mercato API",
+        version: "1.0.0",
+        servers: [{ url: process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000" }]
+      });
+      console.error(`[API Index] Rich OpenAPI spec built from ${modulesWithApis.length} modules (Tier 2)`);
+      rawSpecCache = doc;
+      return doc;
+    }
+  } catch {
+  }
+  rawSpecCache = await loadRawOpenApiSpec();
+  return rawSpecCache;
+}
+async function loadRawOpenApiSpec() {
+  try {
+    const fs = await import("node:fs");
+    const path = await import("node:path");
+    const { findAppRoot, findAllApps } = await import("@open-mercato/shared/lib/bootstrap/appResolver");
+    let appRoot = findAppRoot();
+    if (!appRoot) {
+      let current = process.cwd();
+      while (current !== path.dirname(current)) {
+        const appsDir = path.join(current, "apps");
+        if (fs.existsSync(appsDir)) {
+          const apps = findAllApps(current);
+          if (apps.length > 0) {
+            appRoot = apps[0];
+            break;
+          }
+        }
+        current = path.dirname(current);
+      }
+    }
+    if (appRoot) {
+      const jsonPath = path.join(appRoot.generatedDir, "openapi.generated.json");
+      if (fs.existsSync(jsonPath)) {
+        const doc = JSON.parse(fs.readFileSync(jsonPath, "utf-8"));
+        console.error(`[API Index] Raw OpenAPI spec loaded from ${jsonPath}`);
+        return doc;
+      }
+    }
+  } catch (error) {
+    console.error("[API Index] Raw spec from JSON failed:", error instanceof Error ? error.message : error);
+  }
+  try {
+    const { getModules } = await import("@open-mercato/shared/lib/modules/registry");
+    const modules = getModules();
+    const modulesWithApis = modules.filter((m) => m.apis && m.apis.length > 0);
+    if (modulesWithApis.length > 0) {
+      const doc = buildOpenApiDocument(modules, {
+        title: "Open Mercato API",
+        version: "1.0.0",
+        servers: [{ url: process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000" }]
+      });
+      console.error(`[API Index] Raw OpenAPI spec built from ${modulesWithApis.length} modules`);
+      return doc;
+    }
+  } catch {
+  }
+  const baseUrl = process.env.NEXT_PUBLIC_API_BASE_URL || process.env.NEXT_PUBLIC_APP_URL || process.env.APP_URL || "http://localhost:3000";
+  try {
+    const response = await fetch(`${baseUrl}/api/docs/openapi`);
+    if (response.ok) {
+      const doc = await response.json();
+      console.error("[API Index] Raw OpenAPI spec fetched via HTTP");
+      return doc;
+    }
+  } catch (error) {
+    console.error("[API Index] Raw spec HTTP fetch failed:", error instanceof Error ? error.message : error);
+  }
+  return null;
+}
 async function parseApiEndpointsFromGeneratedJson() {
   try {
     const fs = await import("node:fs");
@@ -270,6 +362,7 @@ function searchEndpointsFallback(query, options = {}) {
 function clearEndpointCache() {
   endpointsCache = null;
   endpointsByOperationId = null;
+  rawSpecCache = null;
 }
 function simplifyRequestBodySchema(schema) {
   if (!schema) return null;
@@ -293,10 +386,14 @@ function simplifyRequestBodySchema(schema) {
 export {
   API_ENDPOINT_ENTITY,
   clearEndpointCache,
+  clearRawSpecCache,
   getApiEndpoints,
   getEndpointByOperationId,
+  getRawOpenApiSpec,
   indexApiEndpoints,
+  loadRichOpenApiSpec,
   searchEndpoints,
+  setRawSpecCache,
   simplifyRequestBodySchema
 };
 //# sourceMappingURL=api-endpoint-index.js.map