@open-mercato/ai-assistant 0.5.1-develop.3036.f02c281f23 → 0.5.1-develop.3045.b4b3320cc2

package/dist/modules/ai_assistant/api/ai/agents/[agentId]/mutation-policy/route.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../../src/modules/ai_assistant/api/ai/agents/%5BagentId%5D/mutation-policy/route.ts"],
+  "sourcesContent": ["import { NextResponse, type NextRequest } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { getAgent, loadAgentRegistry } from '../../../../../lib/agent-registry'\nimport { hasRequiredFeatures } from '../../../../../lib/auth'\nimport {\n  isKnownMutationPolicy,\n  isMutationPolicyEscalation,\n} from '../../../../../lib/agent-policy'\nimport { AiAgentMutationPolicyOverrideRepository } from '../../../../../data/repositories/AiAgentMutationPolicyOverrideRepository'\nimport type { AiAgentMutationPolicyOverride } from '../../../../../data/entities'\nimport type {\n  AiAgentDefinition,\n  AiAgentMutationPolicy,\n} from '../../../../../lib/ai-agent-definition'\n\nconst agentIdPattern = /^[a-z0-9_]+\\.[a-z0-9_]+$/\n\nconst agentIdParamSchema = z.object({\n  agentId: z\n    .string()\n    .regex(agentIdPattern, 'agentId must match \"<module>.<agent>\" (lowercase, digits, underscores only)'),\n})\n\nconst mutationPolicySchema = z.enum([\n  'read-only',\n  'confirm-required',\n  'destructive-confirm-required',\n])\n\nconst mutationPolicyRequestSchema = z.object({\n  mutationPolicy: mutationPolicySchema,\n  notes: z.string().max(2000).optional(),\n})\n\nconst VIEW_FEATURE = 'ai_assistant.view'\nconst MANAGE_FEATURE = 'ai_assistant.settings.manage'\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'AI Assistant',\n  summary: 'Tenant-scoped mutationPolicy override for an AI agent',\n  methods: {\n    GET: {\n      operationId: 'aiAssistantGetMutationPolicyOverride',\n      summary:\n        'Read the effective mutationPolicy for an agent \u2014 code-declared value plus any tenant override.',\n      description:\n        'Returns `{ agentId, codeDeclared, override }` where `codeDeclared` is the agent\\'s ' +\n        'compiled-in `mutationPolicy` and `override` is the persisted tenant-scoped override ' +\n        '(or `null`). Requires `ai_assistant.view`.',\n      responses: [\n        {\n          status: 200,\n          description: 'Effective mutationPolicy payload.',\n          mediaType: 'application/json',\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid agent id.' },\n        { status: 401, description: 'Unauthenticated caller.' },\n        { status: 403, description: 'Caller lacks `ai_assistant.view`.' },\n        { status: 404, description: 'Unknown agent id.' },\n      ],\n    },\n    POST: {\n      operationId: 'aiAssistantSaveMutationPolicyOverride',\n      summary:\n        'Set (or replace) the tenant-scoped mutationPolicy override for this agent.',\n      description:\n        'Body: `{ mutationPolicy: \"read-only\" | \"confirm-required\" | \"destructive-confirm-required\", notes? }`. ' +\n        'The override MUST NOT escalate beyond the agent\\'s code-declared policy. Escalation attempts ' +\n        'are rejected with 400 + `code: \"escalation_not_allowed\"`. Requires `ai_assistant.settings.manage`.',\n      requestBody: {\n        contentType: 'application/json',\n        description: 'Body: `{ mutationPolicy, notes? }`.',\n        schema: mutationPolicyRequestSchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Override persisted.',\n          mediaType: 'application/json',\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid agent id, malformed body, or escalation attempt.' },\n        { status: 401, description: 'Unauthenticated caller.' },\n        { status: 403, description: 'Caller lacks `ai_assistant.settings.manage`.' },\n        { status: 404, description: 'Unknown agent id.' },\n      ],\n    },\n    DELETE: {\n      operationId: 'aiAssistantClearMutationPolicyOverride',\n      summary: 'Remove the tenant-scoped mutationPolicy override for this agent.',\n      description:\n        'Deletes the override row if it exists; subsequent calls fall back to the agent\\'s ' +\n        'code-declared policy. Idempotent \u2014 returns 200 even when no override exists. Requires ' +\n        '`ai_assistant.settings.manage`.',\n      responses: [\n        {\n          status: 200,\n          description: 'Override cleared (or already absent).',\n          mediaType: 'application/json',\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid agent id.' },\n        { status: 401, description: 'Unauthenticated caller.' },\n        { status: 403, description: 'Caller lacks `ai_assistant.settings.manage`.' },\n        { status: 404, description: 'Unknown agent id.' },\n      ],\n    },\n  },\n}\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: [VIEW_FEATURE] },\n  POST: { requireAuth: true, requireFeatures: [MANAGE_FEATURE] },\n  DELETE: { requireAuth: true, requireFeatures: [MANAGE_FEATURE] },\n}\n\ninterface RouteContext {\n  params: Promise<{ agentId: string }>\n}\n\nfunction jsonError(\n  status: number,\n  message: string,\n  code: string,\n  extra?: Record<string, unknown>,\n): NextResponse {\n  return NextResponse.json({ error: message, code, ...(extra ?? {}) }, { status })\n}\n\ninterface ResolvedAuth {\n  tenantId: string | null\n  organizationId: string | null\n  userId: string\n  isSuperAdmin: boolean\n  features: string[]\n  container: Awaited<ReturnType<typeof createRequestContainer>>\n  rbacService: RbacService\n}\n\nasync function resolveAuthOrRespond(\n  req: NextRequest,\n  requiredFeature: string,\n): Promise<ResolvedAuth | NextResponse> {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return jsonError(401, 'Unauthorized', 'unauthenticated')\n  }\n  const container = await createRequestContainer()\n  const rbacService = container.resolve<RbacService>('rbacService')\n  const acl = await rbacService.loadAcl(auth.sub, {\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  })\n  if (!hasRequiredFeatures([requiredFeature], acl.features, acl.isSuperAdmin, rbacService)) {\n    return jsonError(403, `Caller lacks required feature \"${requiredFeature}\".`, 'forbidden')\n  }\n  return {\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    userId: auth.sub,\n    isSuperAdmin: acl.isSuperAdmin,\n    features: acl.features,\n    container,\n    rbacService,\n  }\n}\n\nfunction serializeOverride(row: AiAgentMutationPolicyOverride) {\n  return {\n    id: row.id,\n    agentId: row.agentId,\n    mutationPolicy: row.mutationPolicy,\n    notes: row.notes ?? null,\n    createdByUserId: row.createdByUserId ?? null,\n    createdAt: row.createdAt?.toISOString?.() ?? new Date().toISOString(),\n    updatedAt: row.updatedAt?.toISOString?.() ?? new Date().toISOString(),\n  }\n}\n\nfunction codeDeclaredPolicy(agent: AiAgentDefinition): AiAgentMutationPolicy {\n  const declared = agent.mutationPolicy\n  return declared && isKnownMutationPolicy(declared) ? declared : 'read-only'\n}\n\nexport async function GET(req: NextRequest, context: RouteContext): Promise<Response> {\n  const authResult = await resolveAuthOrRespond(req, VIEW_FEATURE)\n  if (authResult instanceof NextResponse) return authResult\n\n  const rawParams = await context.params\n  const paramResult = agentIdParamSchema.safeParse(rawParams)\n  if (!paramResult.success) {\n    return jsonError(400, 'Invalid agent id.', 'validation_error', {\n      issues: paramResult.error.issues,\n    })\n  }\n\n  try {\n    await loadAgentRegistry()\n    const agent = getAgent(paramResult.data.agentId)\n    if (!agent) {\n      return jsonError(404, `Unknown agent \"${paramResult.data.agentId}\".`, 'agent_unknown')\n    }\n\n    const declared = codeDeclaredPolicy(agent)\n    if (!authResult.tenantId) {\n      return NextResponse.json({\n        agentId: agent.id,\n        codeDeclared: declared,\n        override: null,\n      })\n    }\n\n    const em = authResult.container.resolve<EntityManager>('em')\n    const repo = new AiAgentMutationPolicyOverrideRepository(em)\n    const current = await repo.get(agent.id, {\n      tenantId: authResult.tenantId,\n      organizationId: authResult.organizationId,\n    })\n\n    return NextResponse.json({\n      agentId: agent.id,\n      codeDeclared: declared,\n      override: current ? serializeOverride(current) : null,\n    })\n  } catch (error) {\n    console.error('[AI Mutation Policy GET] Failure:', error)\n    return jsonError(\n      500,\n      error instanceof Error ? error.message : 'Failed to load mutationPolicy override.',\n      'internal_error',\n    )\n  }\n}\n\nexport async function POST(req: NextRequest, context: RouteContext): Promise<Response> {\n  const authResult = await resolveAuthOrRespond(req, MANAGE_FEATURE)\n  if (authResult instanceof NextResponse) return authResult\n\n  const rawParams = await context.params\n  const paramResult = agentIdParamSchema.safeParse(rawParams)\n  if (!paramResult.success) {\n    return jsonError(400, 'Invalid agent id.', 'validation_error', {\n      issues: paramResult.error.issues,\n    })\n  }\n\n  let parsedBody: unknown\n  try {\n    parsedBody = await req.json()\n  } catch {\n    return jsonError(400, 'Request body must be valid JSON.', 'validation_error')\n  }\n\n  const bodyResult = mutationPolicyRequestSchema.safeParse(parsedBody)\n  if (!bodyResult.success) {\n    return jsonError(400, 'Invalid request body.', 'validation_error', {\n      issues: bodyResult.error.issues,\n    })\n  }\n\n  try {\n    await loadAgentRegistry()\n    const agent = getAgent(paramResult.data.agentId)\n    if (!agent) {\n      return jsonError(404, `Unknown agent \"${paramResult.data.agentId}\".`, 'agent_unknown')\n    }\n\n    const declared = codeDeclaredPolicy(agent)\n    if (isMutationPolicyEscalation(declared, bodyResult.data.mutationPolicy)) {\n      return jsonError(\n        400,\n        `Cannot set mutationPolicy=\"${bodyResult.data.mutationPolicy}\" for agent \"${agent.id}\": ` +\n          `the agent\\'s code-declared policy is \"${declared}\". Upgrading beyond the declared ` +\n          `policy is a code-level change, not a configuration change.`,\n        'escalation_not_allowed',\n        { codeDeclared: declared, requested: bodyResult.data.mutationPolicy },\n      )\n    }\n\n    if (!authResult.tenantId) {\n      return jsonError(\n        400,\n        'Caller has no tenant context; cannot persist tenant-scoped mutationPolicy override.',\n        'tenant_required',\n      )\n    }\n\n    const em = authResult.container.resolve<EntityManager>('em')\n    const repo = new AiAgentMutationPolicyOverrideRepository(em)\n    const saved = await repo.set(\n      {\n        agentId: agent.id,\n        mutationPolicy: bodyResult.data.mutationPolicy,\n        notes: bodyResult.data.notes ?? null,\n      },\n      {\n        tenantId: authResult.tenantId,\n        organizationId: authResult.organizationId,\n        userId: authResult.userId,\n      },\n    )\n\n    return NextResponse.json({\n      ok: true,\n      agentId: agent.id,\n      codeDeclared: declared,\n      override: serializeOverride(saved),\n    })\n  } catch (error) {\n    console.error('[AI Mutation Policy POST] Failure:', error)\n    return jsonError(\n      500,\n      error instanceof Error ? error.message : 'Failed to save mutationPolicy override.',\n      'internal_error',\n    )\n  }\n}\n\nexport async function DELETE(req: NextRequest, context: RouteContext): Promise<Response> {\n  const authResult = await resolveAuthOrRespond(req, MANAGE_FEATURE)\n  if (authResult instanceof NextResponse) return authResult\n\n  const rawParams = await context.params\n  const paramResult = agentIdParamSchema.safeParse(rawParams)\n  if (!paramResult.success) {\n    return jsonError(400, 'Invalid agent id.', 'validation_error', {\n      issues: paramResult.error.issues,\n    })\n  }\n\n  try {\n    await loadAgentRegistry()\n    const agent = getAgent(paramResult.data.agentId)\n    if (!agent) {\n      return jsonError(404, `Unknown agent \"${paramResult.data.agentId}\".`, 'agent_unknown')\n    }\n\n    const declared = codeDeclaredPolicy(agent)\n    if (!authResult.tenantId) {\n      return NextResponse.json({\n        ok: true,\n        agentId: agent.id,\n        codeDeclared: declared,\n        override: null,\n        cleared: false,\n      })\n    }\n\n    const em = authResult.container.resolve<EntityManager>('em')\n    const repo = new AiAgentMutationPolicyOverrideRepository(em)\n    const cleared = await repo.clear(agent.id, {\n      tenantId: authResult.tenantId,\n      organizationId: authResult.organizationId,\n    })\n\n    return NextResponse.json({\n      ok: true,\n      agentId: agent.id,\n      codeDeclared: declared,\n      override: null,\n      cleared,\n    })\n  } catch (error) {\n    console.error('[AI Mutation Policy DELETE] Failure:', error)\n    return jsonError(\n      500,\n      error instanceof Error ? error.message : 'Failed to clear mutationPolicy override.',\n      'internal_error',\n    )\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAsC;AAC/C,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAGvC,SAAS,UAAU,yBAAyB;AAC5C,SAAS,2BAA2B;AACpC;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,+CAA+C;AAOxD,MAAM,iBAAiB;AAEvB,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,SAAS,EACN,OAAO,EACP,MAAM,gBAAgB,6EAA6E;AACxG,CAAC;AAED,MAAM,uBAAuB,EAAE,KAAK;AAAA,EAClC;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAED,MAAM,8BAA8B,EAAE,OAAO;AAAA,EAC3C,gBAAgB;AAAA,EAChB,OAAO,EAAE,OAAO,EAAE,IAAI,GAAI,EAAE,SAAS;AACvC,CAAC;AAED,MAAM,eAAe;AACrB,MAAM,iBAAiB;AAEhB,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,aAAa;AAAA,MACb,SACE;AAAA,MACF,aACE;AAAA,MAGF,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,QACb;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,QAChD,EAAE,QAAQ,KAAK,aAAa,0BAA0B;AAAA,QACtD,EAAE,QAAQ,KAAK,aAAa,oCAAoC;AAAA,QAChE,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,MAClD;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,aAAa;AAAA,MACb,SACE;AAAA,MACF,aACE;AAAA,MAGF,aAAa;AAAA,QACX,aAAa;AAAA,QACb,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,QACb;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,2DAA2D;AAAA,QACvF,EAAE,QAAQ,KAAK,aAAa,0BAA0B;AAAA,QACtD,EAAE,QAAQ,KAAK,aAAa,+CAA+C;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,MAClD;AAAA,IACF;AAAA,IACA,QAAQ;AAAA,MACN,aAAa;AAAA,MACb,SAAS;AAAA,MACT,aACE;AAAA,MAGF,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,QACb;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,QAChD,EAAE,QAAQ,KAAK,aAAa,0BAA0B;AAAA,QACtD,EAAE,QAAQ,KAAK,aAAa,+CAA+C;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,MAClD;AAAA,IACF;AAAA,EACF;AACF;AAEO,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,YAAY,EAAE;AAAA,EAC1D,MAAM,EAAE,aAAa,MAAM,iBAAiB,CAAC,cAAc,EAAE;AAAA,EAC7D,QAAQ,EAAE,aAAa,MAAM,iBAAiB,CAAC,cAAc,EAAE;AACjE;AAMA,SAAS,UACP,QACA,SACA,MACA,OACc;AACd,SAAO,aAAa,KAAK,EAAE,OAAO,SAAS,MAAM,GAAI,SAAS,CAAC,EAAG,GAAG,EAAE,OAAO,CAAC;AACjF;AAYA,eAAe,qBACb,KACA,iBACsC;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,UAAU,KAAK,gBAAgB,iBAAiB;AAAA,EACzD;AACA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAqB,aAAa;AAChE,QAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK;AAAA,IAC9C,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC;AACD,MAAI,CAAC,oBAAoB,CAAC,eAAe,GAAG,IAAI,UAAU,IAAI,cAAc,WAAW,GAAG;AACxF,WAAO,UAAU,KAAK,kCAAkC,eAAe,MAAM,WAAW;AAAA,EAC1F;AACA,SAAO;AAAA,IACL,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B,QAAQ,KAAK;AAAA,IACb,cAAc,IAAI;AAAA,IAClB,UAAU,IAAI;AAAA,IACd;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,kBAAkB,KAAoC;AAC7D,SAAO;AAAA,IACL,IAAI,IAAI;AAAA,IACR,SAAS,IAAI;AAAA,IACb,gBAAgB,IAAI;AAAA,IACpB,OAAO,IAAI,SAAS;AAAA,IACpB,iBAAiB,IAAI,mBAAmB;AAAA,IACxC,WAAW,IAAI,WAAW,cAAc,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpE,WAAW,IAAI,WAAW,cAAc,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,EACtE;AACF;AAEA,SAAS,mBAAmB,OAAiD;AAC3E,QAAM,WAAW,MAAM;AACvB,SAAO,YAAY,sBAAsB,QAAQ,IAAI,WAAW;AAClE;AAEA,eAAsB,IAAI,KAAkB,SAA0C;AACpF,QAAM,aAAa,MAAM,qBAAqB,KAAK,YAAY;AAC/D,MAAI,sBAAsB,aAAc,QAAO;AAE/C,QAAM,YAAY,MAAM,QAAQ;AAChC,QAAM,cAAc,mBAAmB,UAAU,SAAS;AAC1D,MAAI,CAAC,YAAY,SAAS;AACxB,WAAO,UAAU,KAAK,qBAAqB,oBAAoB;AAAA,MAC7D,QAAQ,YAAY,MAAM;AAAA,IAC5B,CAAC;AAAA,EACH;AAEA,MAAI;AACF,UAAM,kBAAkB;AACxB,UAAM,QAAQ,SAAS,YAAY,KAAK,OAAO;AAC/C,QAAI,CAAC,OAAO;AACV,aAAO,UAAU,KAAK,kBAAkB,YAAY,KAAK,OAAO,MAAM,eAAe;AAAA,IACvF;AAEA,UAAM,WAAW,mBAAmB,KAAK;AACzC,QAAI,CAAC,WAAW,UAAU;AACxB,aAAO,aAAa,KAAK;AAAA,QACvB,SAAS,MAAM;AAAA,QACf,cAAc;AAAA,QACd,UAAU;AAAA,MACZ,CAAC;AAAA,IACH;AAEA,UAAM,KAAK,WAAW,UAAU,QAAuB,IAAI;AAC3D,UAAM,OAAO,IAAI,wCAAwC,EAAE;AAC3D,UAAM,UAAU,MAAM,KAAK,IAAI,MAAM,IAAI;AAAA,MACvC,UAAU,WAAW;AAAA,MACrB,gBAAgB,WAAW;AAAA,IAC7B,CAAC;AAED,WAAO,aAAa,KAAK;AAAA,MACvB,SAAS,MAAM;AAAA,MACf,cAAc;AAAA,MACd,UAAU,UAAU,kBAAkB,OAAO,IAAI;AAAA,IACnD,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,qCAAqC,KAAK;AACxD,WAAO;AAAA,MACL;AAAA,MACA,iBAAiB,QAAQ,MAAM,UAAU;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAsB,KAAK,KAAkB,SAA0C;AACrF,QAAM,aAAa,MAAM,qBAAqB,KAAK,cAAc;AACjE,MAAI,sBAAsB,aAAc,QAAO;AAE/C,QAAM,YAAY,MAAM,QAAQ;AAChC,QAAM,cAAc,mBAAmB,UAAU,SAAS;AAC1D,MAAI,CAAC,YAAY,SAAS;AACxB,WAAO,UAAU,KAAK,qBAAqB,oBAAoB;AAAA,MAC7D,QAAQ,YAAY,MAAM;AAAA,IAC5B,CAAC;AAAA,EACH;AAEA,MAAI;AACJ,MAAI;AACF,iBAAa,MAAM,IAAI,KAAK;AAAA,EAC9B,QAAQ;AACN,WAAO,UAAU,KAAK,oCAAoC,kBAAkB;AAAA,EAC9E;AAEA,QAAM,aAAa,4BAA4B,UAAU,UAAU;AACnE,MAAI,CAAC,WAAW,SAAS;AACvB,WAAO,UAAU,KAAK,yBAAyB,oBAAoB;AAAA,MACjE,QAAQ,WAAW,MAAM;AAAA,IAC3B,CAAC;AAAA,EACH;AAEA,MAAI;AACF,UAAM,kBAAkB;AACxB,UAAM,QAAQ,SAAS,YAAY,KAAK,OAAO;AAC/C,QAAI,CAAC,OAAO;AACV,aAAO,UAAU,KAAK,kBAAkB,YAAY,KAAK,OAAO,MAAM,eAAe;AAAA,IACvF;AAEA,UAAM,WAAW,mBAAmB,KAAK;AACzC,QAAI,2BAA2B,UAAU,WAAW,KAAK,cAAc,GAAG;AACxE,aAAO;AAAA,QACL;AAAA,QACA,8BAA8B,WAAW,KAAK,cAAc,gBAAgB,MAAM,EAAE,2CACzC,QAAQ;AAAA,QAEnD;AAAA,QACA,EAAE,cAAc,UAAU,WAAW,WAAW,KAAK,eAAe;AAAA,MACtE;AAAA,IACF;AAEA,QAAI,CAAC,WAAW,UAAU;AACxB,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,KAAK,WAAW,UAAU,QAAuB,IAAI;AAC3D,UAAM,OAAO,IAAI,wCAAwC,EAAE;AAC3D,UAAM,QAAQ,MAAM,KAAK;AAAA,MACvB;AAAA,QACE,SAAS,MAAM;AAAA,QACf,gBAAgB,WAAW,KAAK;AAAA,QAChC,OAAO,WAAW,KAAK,SAAS;AAAA,MAClC;AAAA,MACA;AAAA,QACE,UAAU,WAAW;AAAA,QACrB,gBAAgB,WAAW;AAAA,QAC3B,QAAQ,WAAW;AAAA,MACrB;AAAA,IACF;AAEA,WAAO,aAAa,KAAK;AAAA,MACvB,IAAI;AAAA,MACJ,SAAS,MAAM;AAAA,MACf,cAAc;AAAA,MACd,UAAU,kBAAkB,KAAK;AAAA,IACnC,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,sCAAsC,KAAK;AACzD,WAAO;AAAA,MACL;AAAA,MACA,iBAAiB,QAAQ,MAAM,UAAU;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAsB,OAAO,KAAkB,SAA0C;AACvF,QAAM,aAAa,MAAM,qBAAqB,KAAK,cAAc;AACjE,MAAI,sBAAsB,aAAc,QAAO;AAE/C,QAAM,YAAY,MAAM,QAAQ;AAChC,QAAM,cAAc,mBAAmB,UAAU,SAAS;AAC1D,MAAI,CAAC,YAAY,SAAS;AACxB,WAAO,UAAU,KAAK,qBAAqB,oBAAoB;AAAA,MAC7D,QAAQ,YAAY,MAAM;AAAA,IAC5B,CAAC;AAAA,EACH;AAEA,MAAI;AACF,UAAM,kBAAkB;AACxB,UAAM,QAAQ,SAAS,YAAY,KAAK,OAAO;AAC/C,QAAI,CAAC,OAAO;AACV,aAAO,UAAU,KAAK,kBAAkB,YAAY,KAAK,OAAO,MAAM,eAAe;AAAA,IACvF;AAEA,UAAM,WAAW,mBAAmB,KAAK;AACzC,QAAI,CAAC,WAAW,UAAU;AACxB,aAAO,aAAa,KAAK;AAAA,QACvB,IAAI;AAAA,QACJ,SAAS,MAAM;AAAA,QACf,cAAc;AAAA,QACd,UAAU;AAAA,QACV,SAAS;AAAA,MACX,CAAC;AAAA,IACH;AAEA,UAAM,KAAK,WAAW,UAAU,QAAuB,IAAI;AAC3D,UAAM,OAAO,IAAI,wCAAwC,EAAE;AAC3D,UAAM,UAAU,MAAM,KAAK,MAAM,MAAM,IAAI;AAAA,MACzC,UAAU,WAAW;AAAA,MACrB,gBAAgB,WAAW;AAAA,IAC7B,CAAC;AAED,WAAO,aAAa,KAAK;AAAA,MACvB,IAAI;AAAA,MACJ,SAAS,MAAM;AAAA,MACf,cAAc;AAAA,MACd,UAAU;AAAA,MACV;AAAA,IACF,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,wCAAwC,KAAK;AAC3D,WAAO;AAAA,MACL;AAAA,MACA,iBAAiB,QAAQ,MAAM,UAAU;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/ai_assistant/api/ai/agents/[agentId]/prompt-override/route.js

@@ -0,0 +1,246 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { getAgent, loadAgentRegistry } from "../../../../../lib/agent-registry.js";
+import { hasRequiredFeatures } from "../../../../../lib/auth.js";
+import { AiAgentPromptOverrideRepository } from "../../../../../data/repositories/AiAgentPromptOverrideRepository.js";
+import { findReservedKeys } from "../../../../../lib/prompt-override-merge.js";
+const agentIdPattern = /^[a-z0-9_]+\.[a-z0-9_]+$/;
+const agentIdParamSchema = z.object({
+  agentId: z.string().regex(agentIdPattern, 'agentId must match "<module>.<agent>" (lowercase, digits, underscores only)')
+});
+const sectionsSchema = z.record(z.string(), z.string());
+const promptOverrideRequestSchema = z.object({
+  sections: sectionsSchema.optional(),
+  overrides: sectionsSchema.optional(),
+  notes: z.string().max(2e3).optional()
+}).refine((value) => value.sections !== void 0 || value.overrides !== void 0, {
+  message: "Body must include either `sections` or `overrides`."
+});
+const REQUIRED_FEATURE = "ai_assistant.settings.manage";
+const HISTORY_LIMIT = 10;
+const openApi = {
+  tag: "AI Assistant",
+  summary: "Versioned additive prompt-overrides for an AI agent",
+  methods: {
+    GET: {
+      operationId: "aiAssistantGetPromptOverride",
+      summary: "Read the latest prompt-section override for an agent plus recent version history.",
+      description: "Returns `{ agentId, override, versions }` where `override` is the latest persisted row (or `null`) and `versions` is the newest-first history capped at 10 rows. Tenant-scoped; requires `ai_assistant.settings.manage`.",
+      responses: [
+        {
+          status: 200,
+          description: "Latest override + recent version history.",
+          mediaType: "application/json"
+        }
+      ],
+      errors: [
+        { status: 400, description: "Invalid agent id." },
+        { status: 401, description: "Unauthenticated caller." },
+        { status: 403, description: "Caller lacks `ai_assistant.settings.manage`." },
+        { status: 404, description: "Unknown agent id." }
+      ]
+    },
+    POST: {
+      operationId: "aiAssistantSavePromptOverride",
+      summary: "Save a new prompt-section override version for the agent.",
+      description: "Persists an additive `{ sections: Record<sectionId, text>, notes? }` override, allocating the next monotonic version for `(tenant, org, agent)`. Reserved policy keys (`mutationPolicy`, `readOnly`, `allowedTools`, `acceptedMediaTypes`) are rejected with 400 / `reserved_key`. Requires `ai_assistant.settings.manage`.",
+      requestBody: {
+        contentType: "application/json",
+        description: "Body: `{ sections: Record<string, string>, notes?: string }`.",
+        schema: promptOverrideRequestSchema
+      },
+      responses: [
+        {
+          status: 200,
+          description: "Override persisted. Returns `{ ok: true, version, updatedAt }`.",
+          mediaType: "application/json"
+        }
+      ],
+      errors: [
+        { status: 400, description: "Invalid agent id, malformed body, or reserved policy key." },
+        { status: 401, description: "Unauthenticated caller." },
+        { status: 403, description: "Caller lacks `ai_assistant.settings.manage`." },
+        { status: 404, description: "Unknown agent id." }
+      ]
+    }
+  }
+};
+const metadata = {
+  requireAuth: true,
+  requireFeatures: [REQUIRED_FEATURE]
+};
+function jsonError(status, message, code, extra) {
+  return NextResponse.json({ error: message, code, ...extra ?? {} }, { status });
+}
+async function resolveAuthOrRespond(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth) {
+    return jsonError(401, "Unauthorized", "unauthenticated");
+  }
+  const container = await createRequestContainer();
+  const rbacService = container.resolve("rbacService");
+  const acl = await rbacService.loadAcl(auth.sub, {
+    tenantId: auth.tenantId,
+    organizationId: auth.orgId
+  });
+  if (!hasRequiredFeatures([REQUIRED_FEATURE], acl.features, acl.isSuperAdmin, rbacService)) {
+    return jsonError(403, `Caller lacks required feature "${REQUIRED_FEATURE}".`, "forbidden");
+  }
+  return {
+    tenantId: auth.tenantId ?? null,
+    organizationId: auth.orgId ?? null,
+    userId: auth.sub,
+    isSuperAdmin: acl.isSuperAdmin,
+    features: acl.features,
+    container,
+    rbacService
+  };
+}
+function serializeOverride(row) {
+  return {
+    id: row.id,
+    agentId: row.agentId,
+    version: row.version,
+    sections: row.sections ?? {},
+    notes: row.notes ?? null,
+    createdByUserId: row.createdByUserId ?? null,
+    createdAt: row.createdAt?.toISOString?.() ?? (/* @__PURE__ */ new Date()).toISOString(),
+    updatedAt: row.updatedAt?.toISOString?.() ?? (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+async function GET(req, context) {
+  const authResult = await resolveAuthOrRespond(req);
+  if (authResult instanceof NextResponse) return authResult;
+  const rawParams = await context.params;
+  const paramResult = agentIdParamSchema.safeParse(rawParams);
+  if (!paramResult.success) {
+    return jsonError(400, "Invalid agent id.", "validation_error", {
+      issues: paramResult.error.issues
+    });
+  }
+  try {
+    await loadAgentRegistry();
+    const agent = getAgent(paramResult.data.agentId);
+    if (!agent) {
+      return jsonError(404, `Unknown agent "${paramResult.data.agentId}".`, "agent_unknown");
+    }
+    if (!authResult.tenantId) {
+      return NextResponse.json({
+        agentId: agent.id,
+        override: null,
+        versions: []
+      });
+    }
+    const em = authResult.container.resolve("em");
+    const repo = new AiAgentPromptOverrideRepository(em);
+    const [latest, versions] = await Promise.all([
+      repo.getLatest(agent.id, {
+        tenantId: authResult.tenantId,
+        organizationId: authResult.organizationId
+      }),
+      repo.listVersions(
+        agent.id,
+        {
+          tenantId: authResult.tenantId,
+          organizationId: authResult.organizationId
+        },
+        HISTORY_LIMIT
+      )
+    ]);
+    return NextResponse.json({
+      agentId: agent.id,
+      override: latest ? serializeOverride(latest) : null,
+      versions: versions.map(serializeOverride)
+    });
+  } catch (error) {
+    console.error("[AI Prompt Override GET] Failure:", error);
+    return jsonError(
+      500,
+      error instanceof Error ? error.message : "Failed to load prompt override.",
+      "internal_error"
+    );
+  }
+}
+async function POST(req, context) {
+  const authResult = await resolveAuthOrRespond(req);
+  if (authResult instanceof NextResponse) return authResult;
+  const rawParams = await context.params;
+  const paramResult = agentIdParamSchema.safeParse(rawParams);
+  if (!paramResult.success) {
+    return jsonError(400, "Invalid agent id.", "validation_error", {
+      issues: paramResult.error.issues
+    });
+  }
+  let parsedBody;
+  try {
+    parsedBody = await req.json();
+  } catch {
+    return jsonError(400, "Request body must be valid JSON.", "validation_error");
+  }
+  const bodyResult = promptOverrideRequestSchema.safeParse(parsedBody);
+  if (!bodyResult.success) {
+    return jsonError(400, "Invalid request body.", "validation_error", {
+      issues: bodyResult.error.issues
+    });
+  }
+  const sections = bodyResult.data.sections ?? bodyResult.data.overrides ?? {};
+  const reservedHits = findReservedKeys(sections);
+  if (reservedHits.length > 0) {
+    return jsonError(
+      400,
+      `Prompt override contains reserved policy keys: ${reservedHits.join(", ")}.`,
+      "reserved_key",
+      { reservedKeys: reservedHits }
+    );
+  }
+  try {
+    await loadAgentRegistry();
+    const agent = getAgent(paramResult.data.agentId);
+    if (!agent) {
+      return jsonError(404, `Unknown agent "${paramResult.data.agentId}".`, "agent_unknown");
+    }
+    if (!authResult.tenantId) {
+      return jsonError(
+        400,
+        "Caller has no tenant context; cannot persist tenant-scoped prompt override.",
+        "tenant_required"
+      );
+    }
+    const em = authResult.container.resolve("em");
+    const repo = new AiAgentPromptOverrideRepository(em);
+    const saved = await repo.save(
+      {
+        agentId: agent.id,
+        sections,
+        notes: bodyResult.data.notes ?? null
+      },
+      {
+        tenantId: authResult.tenantId,
+        organizationId: authResult.organizationId,
+        userId: authResult.userId
+      }
+    );
+    return NextResponse.json({
+      ok: true,
+      agentId: agent.id,
+      version: saved.version,
+      updatedAt: saved.updatedAt?.toISOString?.() ?? (/* @__PURE__ */ new Date()).toISOString()
+    });
+  } catch (error) {
+    console.error("[AI Prompt Override POST] Failure:", error);
+    return jsonError(
+      500,
+      error instanceof Error ? error.message : "Failed to save prompt override.",
+      "internal_error"
+    );
+  }
+}
+export {
+  GET,
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/ai_assistant/api/ai/agents/[agentId]/prompt-override/route.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../../../src/modules/ai_assistant/api/ai/agents/%5BagentId%5D/prompt-override/route.ts"],
+  "sourcesContent": ["import { NextResponse, type NextRequest } from 'next/server'\nimport { z } from 'zod'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport type { EntityManager } from '@mikro-orm/postgresql'\nimport { getAgent, loadAgentRegistry } from '../../../../../lib/agent-registry'\nimport { hasRequiredFeatures } from '../../../../../lib/auth'\nimport { AiAgentPromptOverrideRepository } from '../../../../../data/repositories/AiAgentPromptOverrideRepository'\nimport type { AiAgentPromptOverride } from '../../../../../data/entities'\nimport { findReservedKeys } from '../../../../../lib/prompt-override-merge'\n\nconst agentIdPattern = /^[a-z0-9_]+\\.[a-z0-9_]+$/\n\nconst agentIdParamSchema = z.object({\n  agentId: z\n    .string()\n    .regex(agentIdPattern, 'agentId must match \"<module>.<agent>\" (lowercase, digits, underscores only)'),\n})\n\nconst sectionsSchema = z.record(z.string(), z.string())\n\n/**\n * Accept both `sections` (Step 5.3 canonical shape) and the Step 4.5\n * placeholder `overrides` key so UI callers that haven't redeployed still\n * work. `sections` wins when both are present.\n */\nconst promptOverrideRequestSchema = z\n  .object({\n    sections: sectionsSchema.optional(),\n    overrides: sectionsSchema.optional(),\n    notes: z.string().max(2000).optional(),\n  })\n  .refine((value) => value.sections !== undefined || value.overrides !== undefined, {\n    message: 'Body must include either `sections` or `overrides`.',\n  })\n\nexport type AiPromptOverrideRequest = z.infer<typeof promptOverrideRequestSchema>\n\nconst REQUIRED_FEATURE = 'ai_assistant.settings.manage'\nconst HISTORY_LIMIT = 10\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'AI Assistant',\n  summary: 'Versioned additive prompt-overrides for an AI agent',\n  methods: {\n    GET: {\n      operationId: 'aiAssistantGetPromptOverride',\n      summary: 'Read the latest prompt-section override for an agent plus recent version history.',\n      description:\n        'Returns `{ agentId, override, versions }` where `override` is the latest persisted ' +\n        'row (or `null`) and `versions` is the newest-first history capped at 10 rows. ' +\n        'Tenant-scoped; requires `ai_assistant.settings.manage`.',\n      responses: [\n        {\n          status: 200,\n          description: 'Latest override + recent version history.',\n          mediaType: 'application/json',\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid agent id.' },\n        { status: 401, description: 'Unauthenticated caller.' },\n        { status: 403, description: 'Caller lacks `ai_assistant.settings.manage`.' },\n        { status: 404, description: 'Unknown agent id.' },\n      ],\n    },\n    POST: {\n      operationId: 'aiAssistantSavePromptOverride',\n      summary: 'Save a new prompt-section override version for the agent.',\n      description:\n        'Persists an additive `{ sections: Record<sectionId, text>, notes? }` override, allocating ' +\n        'the next monotonic version for `(tenant, org, agent)`. Reserved policy keys ' +\n        '(`mutationPolicy`, `readOnly`, `allowedTools`, `acceptedMediaTypes`) are rejected with ' +\n        '400 / `reserved_key`. Requires `ai_assistant.settings.manage`.',\n      requestBody: {\n        contentType: 'application/json',\n        description: 'Body: `{ sections: Record<string, string>, notes?: string }`.',\n        schema: promptOverrideRequestSchema,\n      },\n      responses: [\n        {\n          status: 200,\n          description: 'Override persisted. Returns `{ ok: true, version, updatedAt }`.',\n          mediaType: 'application/json',\n        },\n      ],\n      errors: [\n        { status: 400, description: 'Invalid agent id, malformed body, or reserved policy key.' },\n        { status: 401, description: 'Unauthenticated caller.' },\n        { status: 403, description: 'Caller lacks `ai_assistant.settings.manage`.' },\n        { status: 404, description: 'Unknown agent id.' },\n      ],\n    },\n  },\n}\n\nexport const metadata = {\n  requireAuth: true,\n  requireFeatures: [REQUIRED_FEATURE],\n}\n\ninterface RouteContext {\n  params: Promise<{ agentId: string }>\n}\n\nfunction jsonError(\n  status: number,\n  message: string,\n  code: string,\n  extra?: Record<string, unknown>,\n): NextResponse {\n  return NextResponse.json({ error: message, code, ...(extra ?? {}) }, { status })\n}\n\ninterface ResolvedAuth {\n  tenantId: string | null\n  organizationId: string | null\n  userId: string\n  isSuperAdmin: boolean\n  features: string[]\n  container: Awaited<ReturnType<typeof createRequestContainer>>\n  rbacService: RbacService\n}\n\nasync function resolveAuthOrRespond(\n  req: NextRequest,\n): Promise<ResolvedAuth | NextResponse> {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return jsonError(401, 'Unauthorized', 'unauthenticated')\n  }\n  const container = await createRequestContainer()\n  const rbacService = container.resolve<RbacService>('rbacService')\n  const acl = await rbacService.loadAcl(auth.sub, {\n    tenantId: auth.tenantId,\n    organizationId: auth.orgId,\n  })\n  if (!hasRequiredFeatures([REQUIRED_FEATURE], acl.features, acl.isSuperAdmin, rbacService)) {\n    return jsonError(403, `Caller lacks required feature \"${REQUIRED_FEATURE}\".`, 'forbidden')\n  }\n  return {\n    tenantId: auth.tenantId ?? null,\n    organizationId: auth.orgId ?? null,\n    userId: auth.sub,\n    isSuperAdmin: acl.isSuperAdmin,\n    features: acl.features,\n    container,\n    rbacService,\n  }\n}\n\nfunction serializeOverride(row: AiAgentPromptOverride) {\n  return {\n    id: row.id,\n    agentId: row.agentId,\n    version: row.version,\n    sections: row.sections ?? {},\n    notes: row.notes ?? null,\n    createdByUserId: row.createdByUserId ?? null,\n    createdAt: row.createdAt?.toISOString?.() ?? new Date().toISOString(),\n    updatedAt: row.updatedAt?.toISOString?.() ?? new Date().toISOString(),\n  }\n}\n\nexport async function GET(req: NextRequest, context: RouteContext): Promise<Response> {\n  const authResult = await resolveAuthOrRespond(req)\n  if (authResult instanceof NextResponse) return authResult\n\n  const rawParams = await context.params\n  const paramResult = agentIdParamSchema.safeParse(rawParams)\n  if (!paramResult.success) {\n    return jsonError(400, 'Invalid agent id.', 'validation_error', {\n      issues: paramResult.error.issues,\n    })\n  }\n\n  try {\n    await loadAgentRegistry()\n    const agent = getAgent(paramResult.data.agentId)\n    if (!agent) {\n      return jsonError(404, `Unknown agent \"${paramResult.data.agentId}\".`, 'agent_unknown')\n    }\n\n    if (!authResult.tenantId) {\n      return NextResponse.json({\n        agentId: agent.id,\n        override: null,\n        versions: [],\n      })\n    }\n\n    const em = authResult.container.resolve<EntityManager>('em')\n    const repo = new AiAgentPromptOverrideRepository(em)\n    const [latest, versions] = await Promise.all([\n      repo.getLatest(agent.id, {\n        tenantId: authResult.tenantId,\n        organizationId: authResult.organizationId,\n      }),\n      repo.listVersions(\n        agent.id,\n        {\n          tenantId: authResult.tenantId,\n          organizationId: authResult.organizationId,\n        },\n        HISTORY_LIMIT,\n      ),\n    ])\n\n    return NextResponse.json({\n      agentId: agent.id,\n      override: latest ? serializeOverride(latest) : null,\n      versions: versions.map(serializeOverride),\n    })\n  } catch (error) {\n    console.error('[AI Prompt Override GET] Failure:', error)\n    return jsonError(\n      500,\n      error instanceof Error ? error.message : 'Failed to load prompt override.',\n      'internal_error',\n    )\n  }\n}\n\nexport async function POST(req: NextRequest, context: RouteContext): Promise<Response> {\n  const authResult = await resolveAuthOrRespond(req)\n  if (authResult instanceof NextResponse) return authResult\n\n  const rawParams = await context.params\n  const paramResult = agentIdParamSchema.safeParse(rawParams)\n  if (!paramResult.success) {\n    return jsonError(400, 'Invalid agent id.', 'validation_error', {\n      issues: paramResult.error.issues,\n    })\n  }\n\n  let parsedBody: unknown\n  try {\n    parsedBody = await req.json()\n  } catch {\n    return jsonError(400, 'Request body must be valid JSON.', 'validation_error')\n  }\n\n  const bodyResult = promptOverrideRequestSchema.safeParse(parsedBody)\n  if (!bodyResult.success) {\n    return jsonError(400, 'Invalid request body.', 'validation_error', {\n      issues: bodyResult.error.issues,\n    })\n  }\n\n  const sections = bodyResult.data.sections ?? bodyResult.data.overrides ?? {}\n  const reservedHits = findReservedKeys(sections)\n  if (reservedHits.length > 0) {\n    return jsonError(\n      400,\n      `Prompt override contains reserved policy keys: ${reservedHits.join(', ')}.`,\n      'reserved_key',\n      { reservedKeys: reservedHits },\n    )\n  }\n\n  try {\n    await loadAgentRegistry()\n    const agent = getAgent(paramResult.data.agentId)\n    if (!agent) {\n      return jsonError(404, `Unknown agent \"${paramResult.data.agentId}\".`, 'agent_unknown')\n    }\n\n    if (!authResult.tenantId) {\n      return jsonError(\n        400,\n        'Caller has no tenant context; cannot persist tenant-scoped prompt override.',\n        'tenant_required',\n      )\n    }\n\n    const em = authResult.container.resolve<EntityManager>('em')\n    const repo = new AiAgentPromptOverrideRepository(em)\n    const saved = await repo.save(\n      {\n        agentId: agent.id,\n        sections,\n        notes: bodyResult.data.notes ?? null,\n      },\n      {\n        tenantId: authResult.tenantId,\n        organizationId: authResult.organizationId,\n        userId: authResult.userId,\n      },\n    )\n\n    return NextResponse.json({\n      ok: true,\n      agentId: agent.id,\n      version: saved.version,\n      updatedAt: saved.updatedAt?.toISOString?.() ?? new Date().toISOString(),\n    })\n  } catch (error) {\n    console.error('[AI Prompt Override POST] Failure:', error)\n    return jsonError(\n      500,\n      error instanceof Error ? error.message : 'Failed to save prompt override.',\n      'internal_error',\n    )\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAsC;AAC/C,SAAS,SAAS;AAElB,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAGvC,SAAS,UAAU,yBAAyB;AAC5C,SAAS,2BAA2B;AACpC,SAAS,uCAAuC;AAEhD,SAAS,wBAAwB;AAEjC,MAAM,iBAAiB;AAEvB,MAAM,qBAAqB,EAAE,OAAO;AAAA,EAClC,SAAS,EACN,OAAO,EACP,MAAM,gBAAgB,6EAA6E;AACxG,CAAC;AAED,MAAM,iBAAiB,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,OAAO,CAAC;AAOtD,MAAM,8BAA8B,EACjC,OAAO;AAAA,EACN,UAAU,eAAe,SAAS;AAAA,EAClC,WAAW,eAAe,SAAS;AAAA,EACnC,OAAO,EAAE,OAAO,EAAE,IAAI,GAAI,EAAE,SAAS;AACvC,CAAC,EACA,OAAO,CAAC,UAAU,MAAM,aAAa,UAAa,MAAM,cAAc,QAAW;AAAA,EAChF,SAAS;AACX,CAAC;AAIH,MAAM,mBAAmB;AACzB,MAAM,gBAAgB;AAEf,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,aAAa;AAAA,MACb,SAAS;AAAA,MACT,aACE;AAAA,MAGF,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,QACb;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,QAChD,EAAE,QAAQ,KAAK,aAAa,0BAA0B;AAAA,QACtD,EAAE,QAAQ,KAAK,aAAa,+CAA+C;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,MAClD;AAAA,IACF;AAAA,IACA,MAAM;AAAA,MACJ,aAAa;AAAA,MACb,SAAS;AAAA,MACT,aACE;AAAA,MAIF,aAAa;AAAA,QACX,aAAa;AAAA,QACb,aAAa;AAAA,QACb,QAAQ;AAAA,MACV;AAAA,MACA,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,QACb;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,4DAA4D;AAAA,QACxF,EAAE,QAAQ,KAAK,aAAa,0BAA0B;AAAA,QACtD,EAAE,QAAQ,KAAK,aAAa,+CAA+C;AAAA,QAC3E,EAAE,QAAQ,KAAK,aAAa,oBAAoB;AAAA,MAClD;AAAA,IACF;AAAA,EACF;AACF;AAEO,MAAM,WAAW;AAAA,EACtB,aAAa;AAAA,EACb,iBAAiB,CAAC,gBAAgB;AACpC;AAMA,SAAS,UACP,QACA,SACA,MACA,OACc;AACd,SAAO,aAAa,KAAK,EAAE,OAAO,SAAS,MAAM,GAAI,SAAS,CAAC,EAAG,GAAG,EAAE,OAAO,CAAC;AACjF;AAYA,eAAe,qBACb,KACsC;AACtC,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,UAAU,KAAK,gBAAgB,iBAAiB;AAAA,EACzD;AACA,QAAM,YAAY,MAAM,uBAAuB;AAC/C,QAAM,cAAc,UAAU,QAAqB,aAAa;AAChE,QAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK;AAAA,IAC9C,UAAU,KAAK;AAAA,IACf,gBAAgB,KAAK;AAAA,EACvB,CAAC;AACD,MAAI,CAAC,oBAAoB,CAAC,gBAAgB,GAAG,IAAI,UAAU,IAAI,cAAc,WAAW,GAAG;AACzF,WAAO,UAAU,KAAK,kCAAkC,gBAAgB,MAAM,WAAW;AAAA,EAC3F;AACA,SAAO;AAAA,IACL,UAAU,KAAK,YAAY;AAAA,IAC3B,gBAAgB,KAAK,SAAS;AAAA,IAC9B,QAAQ,KAAK;AAAA,IACb,cAAc,IAAI;AAAA,IAClB,UAAU,IAAI;AAAA,IACd;AAAA,IACA;AAAA,EACF;AACF;AAEA,SAAS,kBAAkB,KAA4B;AACrD,SAAO;AAAA,IACL,IAAI,IAAI;AAAA,IACR,SAAS,IAAI;AAAA,IACb,SAAS,IAAI;AAAA,IACb,UAAU,IAAI,YAAY,CAAC;AAAA,IAC3B,OAAO,IAAI,SAAS;AAAA,IACpB,iBAAiB,IAAI,mBAAmB;AAAA,IACxC,WAAW,IAAI,WAAW,cAAc,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IACpE,WAAW,IAAI,WAAW,cAAc,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,EACtE;AACF;AAEA,eAAsB,IAAI,KAAkB,SAA0C;AACpF,QAAM,aAAa,MAAM,qBAAqB,GAAG;AACjD,MAAI,sBAAsB,aAAc,QAAO;AAE/C,QAAM,YAAY,MAAM,QAAQ;AAChC,QAAM,cAAc,mBAAmB,UAAU,SAAS;AAC1D,MAAI,CAAC,YAAY,SAAS;AACxB,WAAO,UAAU,KAAK,qBAAqB,oBAAoB;AAAA,MAC7D,QAAQ,YAAY,MAAM;AAAA,IAC5B,CAAC;AAAA,EACH;AAEA,MAAI;AACF,UAAM,kBAAkB;AACxB,UAAM,QAAQ,SAAS,YAAY,KAAK,OAAO;AAC/C,QAAI,CAAC,OAAO;AACV,aAAO,UAAU,KAAK,kBAAkB,YAAY,KAAK,OAAO,MAAM,eAAe;AAAA,IACvF;AAEA,QAAI,CAAC,WAAW,UAAU;AACxB,aAAO,aAAa,KAAK;AAAA,QACvB,SAAS,MAAM;AAAA,QACf,UAAU;AAAA,QACV,UAAU,CAAC;AAAA,MACb,CAAC;AAAA,IACH;AAEA,UAAM,KAAK,WAAW,UAAU,QAAuB,IAAI;AAC3D,UAAM,OAAO,IAAI,gCAAgC,EAAE;AACnD,UAAM,CAAC,QAAQ,QAAQ,IAAI,MAAM,QAAQ,IAAI;AAAA,MAC3C,KAAK,UAAU,MAAM,IAAI;AAAA,QACvB,UAAU,WAAW;AAAA,QACrB,gBAAgB,WAAW;AAAA,MAC7B,CAAC;AAAA,MACD,KAAK;AAAA,QACH,MAAM;AAAA,QACN;AAAA,UACE,UAAU,WAAW;AAAA,UACrB,gBAAgB,WAAW;AAAA,QAC7B;AAAA,QACA;AAAA,MACF;AAAA,IACF,CAAC;AAED,WAAO,aAAa,KAAK;AAAA,MACvB,SAAS,MAAM;AAAA,MACf,UAAU,SAAS,kBAAkB,MAAM,IAAI;AAAA,MAC/C,UAAU,SAAS,IAAI,iBAAiB;AAAA,IAC1C,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,qCAAqC,KAAK;AACxD,WAAO;AAAA,MACL;AAAA,MACA,iBAAiB,QAAQ,MAAM,UAAU;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AACF;AAEA,eAAsB,KAAK,KAAkB,SAA0C;AACrF,QAAM,aAAa,MAAM,qBAAqB,GAAG;AACjD,MAAI,sBAAsB,aAAc,QAAO;AAE/C,QAAM,YAAY,MAAM,QAAQ;AAChC,QAAM,cAAc,mBAAmB,UAAU,SAAS;AAC1D,MAAI,CAAC,YAAY,SAAS;AACxB,WAAO,UAAU,KAAK,qBAAqB,oBAAoB;AAAA,MAC7D,QAAQ,YAAY,MAAM;AAAA,IAC5B,CAAC;AAAA,EACH;AAEA,MAAI;AACJ,MAAI;AACF,iBAAa,MAAM,IAAI,KAAK;AAAA,EAC9B,QAAQ;AACN,WAAO,UAAU,KAAK,oCAAoC,kBAAkB;AAAA,EAC9E;AAEA,QAAM,aAAa,4BAA4B,UAAU,UAAU;AACnE,MAAI,CAAC,WAAW,SAAS;AACvB,WAAO,UAAU,KAAK,yBAAyB,oBAAoB;AAAA,MACjE,QAAQ,WAAW,MAAM;AAAA,IAC3B,CAAC;AAAA,EACH;AAEA,QAAM,WAAW,WAAW,KAAK,YAAY,WAAW,KAAK,aAAa,CAAC;AAC3E,QAAM,eAAe,iBAAiB,QAAQ;AAC9C,MAAI,aAAa,SAAS,GAAG;AAC3B,WAAO;AAAA,MACL;AAAA,MACA,kDAAkD,aAAa,KAAK,IAAI,CAAC;AAAA,MACzE;AAAA,MACA,EAAE,cAAc,aAAa;AAAA,IAC/B;AAAA,EACF;AAEA,MAAI;AACF,UAAM,kBAAkB;AACxB,UAAM,QAAQ,SAAS,YAAY,KAAK,OAAO;AAC/C,QAAI,CAAC,OAAO;AACV,aAAO,UAAU,KAAK,kBAAkB,YAAY,KAAK,OAAO,MAAM,eAAe;AAAA,IACvF;AAEA,QAAI,CAAC,WAAW,UAAU;AACxB,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,KAAK,WAAW,UAAU,QAAuB,IAAI;AAC3D,UAAM,OAAO,IAAI,gCAAgC,EAAE;AACnD,UAAM,QAAQ,MAAM,KAAK;AAAA,MACvB;AAAA,QACE,SAAS,MAAM;AAAA,QACf;AAAA,QACA,OAAO,WAAW,KAAK,SAAS;AAAA,MAClC;AAAA,MACA;AAAA,QACE,UAAU,WAAW;AAAA,QACrB,gBAAgB,WAAW;AAAA,QAC3B,QAAQ,WAAW;AAAA,MACrB;AAAA,IACF;AAEA,WAAO,aAAa,KAAK;AAAA,MACvB,IAAI;AAAA,MACJ,SAAS,MAAM;AAAA,MACf,SAAS,MAAM;AAAA,MACf,WAAW,MAAM,WAAW,cAAc,MAAK,oBAAI,KAAK,GAAE,YAAY;AAAA,IACxE,CAAC;AAAA,EACH,SAAS,OAAO;AACd,YAAQ,MAAM,sCAAsC,KAAK;AACzD,WAAO;AAAA,MACL;AAAA,MACA,iBAAiB,QAAQ,MAAM,UAAU;AAAA,MACzC;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/ai_assistant/api/ai/agents/route.js

@@ -0,0 +1,94 @@
+import { NextResponse } from "next/server";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { llmProviderRegistry } from "@open-mercato/shared/lib/ai/llm-provider-registry";
+import { listAgents, loadAgentRegistry } from "../../../lib/agent-registry.js";
+import { hasRequiredFeatures } from "../../../lib/auth.js";
+import { toolRegistry } from "../../../lib/tool-registry.js";
+const openApi = {
+  tag: "AI Assistant",
+  summary: "List AI agents the caller can invoke",
+  methods: {
+    GET: {
+      operationId: "aiAssistantListAgents",
+      summary: "List registered AI agents, filtered by the caller's features.",
+      description: "Returns `{ agents: [...] }` \u2014 the subset of agents from `ai-agents.generated.ts` that the authenticated caller can invoke based on each agent's `requiredFeatures`. Mirrors the `meta.list_agents` tool handler so backoffice pages (e.g. the playground) can render an agent picker without going through the MCP tool transport.",
+      responses: [
+        {
+          status: 200,
+          description: "Accessible agent summaries.",
+          mediaType: "application/json"
+        }
+      ],
+      errors: [
+        { status: 401, description: "Unauthenticated caller." },
+        { status: 500, description: "Internal failure while loading the agent registry." }
+      ]
+    }
+  }
+};
+const metadata = {
+  GET: { requireAuth: true, requireFeatures: ["ai_assistant.view"] }
+};
+async function GET(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth) {
+    return NextResponse.json({ error: "Unauthorized", code: "unauthenticated" }, { status: 401 });
+  }
+  try {
+    const container = await createRequestContainer();
+    const rbacService = container.resolve("rbacService");
+    const acl = await rbacService.loadAcl(auth.sub, {
+      tenantId: auth.tenantId,
+      organizationId: auth.orgId
+    });
+    const aiConfigured = llmProviderRegistry.resolveFirstConfigured() != null;
+    await loadAgentRegistry();
+    const all = listAgents();
+    const accessible = all.filter(
+      (agent) => hasRequiredFeatures(agent.requiredFeatures, acl.features, acl.isSuperAdmin, rbacService)
+    );
+    const agents = accessible.map((agent) => {
+      const tools = agent.allowedTools.map((toolName) => {
+        const tool = toolRegistry.getTool(toolName);
+        return {
+          name: toolName,
+          displayName: tool?.displayName ?? toolName,
+          isMutation: Boolean(tool?.isMutation),
+          registered: Boolean(tool)
+        };
+      });
+      return {
+        id: agent.id,
+        moduleId: agent.moduleId,
+        label: agent.label,
+        description: agent.description,
+        systemPrompt: agent.systemPrompt,
+        executionMode: agent.executionMode ?? "chat",
+        mutationPolicy: agent.mutationPolicy ?? "read-only",
+        readOnly: Boolean(agent.readOnly),
+        maxSteps: agent.maxSteps ?? null,
+        allowedTools: agent.allowedTools,
+        tools,
+        requiredFeatures: agent.requiredFeatures ?? [],
+        acceptedMediaTypes: agent.acceptedMediaTypes ?? [],
+        keywords: agent.keywords ?? [],
+        suggestions: agent.suggestions ?? [],
+        hasOutputSchema: Boolean(agent.output)
+      };
+    });
+    return NextResponse.json({ agents, total: agents.length, aiConfigured });
+  } catch (error) {
+    console.error("[AI Agents] Failed to list agents:", error);
+    return NextResponse.json(
+      { error: "Failed to list agents", code: "internal_error" },
+      { status: 500 }
+    );
+  }
+}
+export {
+  GET,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map

package/dist/modules/ai_assistant/api/ai/agents/route.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../../../../src/modules/ai_assistant/api/ai/agents/route.ts"],
+  "sourcesContent": ["import { NextResponse, type NextRequest } from 'next/server'\nimport type { OpenApiRouteDoc } from '@open-mercato/shared/lib/openapi'\nimport { getAuthFromRequest } from '@open-mercato/shared/lib/auth/server'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { RbacService } from '@open-mercato/core/modules/auth/services/rbacService'\nimport { llmProviderRegistry } from '@open-mercato/shared/lib/ai/llm-provider-registry'\nimport { listAgents, loadAgentRegistry } from '../../../lib/agent-registry'\nimport { hasRequiredFeatures } from '../../../lib/auth'\nimport { toolRegistry } from '../../../lib/tool-registry'\nimport type { AiToolDefinition } from '../../../lib/types'\n\nexport const openApi: OpenApiRouteDoc = {\n  tag: 'AI Assistant',\n  summary: 'List AI agents the caller can invoke',\n  methods: {\n    GET: {\n      operationId: 'aiAssistantListAgents',\n      summary: 'List registered AI agents, filtered by the caller\\'s features.',\n      description:\n        'Returns `{ agents: [...] }` \u2014 the subset of agents from `ai-agents.generated.ts` that the ' +\n        'authenticated caller can invoke based on each agent\\'s `requiredFeatures`. Mirrors the ' +\n        '`meta.list_agents` tool handler so backoffice pages (e.g. the playground) can render an ' +\n        'agent picker without going through the MCP tool transport.',\n      responses: [\n        {\n          status: 200,\n          description: 'Accessible agent summaries.',\n          mediaType: 'application/json',\n        },\n      ],\n      errors: [\n        { status: 401, description: 'Unauthenticated caller.' },\n        { status: 500, description: 'Internal failure while loading the agent registry.' },\n      ],\n    },\n  },\n}\n\nexport const metadata = {\n  GET: { requireAuth: true, requireFeatures: ['ai_assistant.view'] },\n}\n\nexport async function GET(req: NextRequest) {\n  const auth = await getAuthFromRequest(req)\n  if (!auth) {\n    return NextResponse.json({ error: 'Unauthorized', code: 'unauthenticated' }, { status: 401 })\n  }\n\n  try {\n    const container = await createRequestContainer()\n    const rbacService = container.resolve<RbacService>('rbacService')\n    const acl = await rbacService.loadAcl(auth.sub, {\n      tenantId: auth.tenantId,\n      organizationId: auth.orgId,\n    })\n\n    // No LLM provider configured (no API keys set). The launcher uses the\n    // `aiConfigured` flag to show a setup prompt; explicit `<AiChat>` mounts\n    // and playground pages still see the full registry so they can show their\n    // own configuration prompts instead of silently disappearing.\n    const aiConfigured = llmProviderRegistry.resolveFirstConfigured() != null\n\n    await loadAgentRegistry()\n    const all = listAgents()\n    const accessible = all.filter((agent) =>\n      hasRequiredFeatures(agent.requiredFeatures, acl.features, acl.isSuperAdmin, rbacService),\n    )\n\n    const agents = accessible.map((agent) => {\n      const tools = agent.allowedTools.map((toolName) => {\n        const tool = toolRegistry.getTool(toolName) as AiToolDefinition | undefined\n        return {\n          name: toolName,\n          displayName: tool?.displayName ?? toolName,\n          isMutation: Boolean(tool?.isMutation),\n          registered: Boolean(tool),\n        }\n      })\n      return {\n        id: agent.id,\n        moduleId: agent.moduleId,\n        label: agent.label,\n        description: agent.description,\n        systemPrompt: agent.systemPrompt,\n        executionMode: agent.executionMode ?? 'chat',\n        mutationPolicy: agent.mutationPolicy ?? 'read-only',\n        readOnly: Boolean(agent.readOnly),\n        maxSteps: agent.maxSteps ?? null,\n        allowedTools: agent.allowedTools,\n        tools,\n        requiredFeatures: agent.requiredFeatures ?? [],\n        acceptedMediaTypes: agent.acceptedMediaTypes ?? [],\n        keywords: agent.keywords ?? [],\n        suggestions: agent.suggestions ?? [],\n        hasOutputSchema: Boolean(agent.output),\n      }\n    })\n\n    return NextResponse.json({ agents, total: agents.length, aiConfigured })\n  } catch (error) {\n    console.error('[AI Agents] Failed to list agents:', error)\n    return NextResponse.json(\n      { error: 'Failed to list agents', code: 'internal_error' },\n      { status: 500 },\n    )\n  }\n}\n"],
+  "mappings": "AAAA,SAAS,oBAAsC;AAE/C,SAAS,0BAA0B;AACnC,SAAS,8BAA8B;AAEvC,SAAS,2BAA2B;AACpC,SAAS,YAAY,yBAAyB;AAC9C,SAAS,2BAA2B;AACpC,SAAS,oBAAoB;AAGtB,MAAM,UAA2B;AAAA,EACtC,KAAK;AAAA,EACL,SAAS;AAAA,EACT,SAAS;AAAA,IACP,KAAK;AAAA,MACH,aAAa;AAAA,MACb,SAAS;AAAA,MACT,aACE;AAAA,MAIF,WAAW;AAAA,QACT;AAAA,UACE,QAAQ;AAAA,UACR,aAAa;AAAA,UACb,WAAW;AAAA,QACb;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,EAAE,QAAQ,KAAK,aAAa,0BAA0B;AAAA,QACtD,EAAE,QAAQ,KAAK,aAAa,qDAAqD;AAAA,MACnF;AAAA,IACF;AAAA,EACF;AACF;AAEO,MAAM,WAAW;AAAA,EACtB,KAAK,EAAE,aAAa,MAAM,iBAAiB,CAAC,mBAAmB,EAAE;AACnE;AAEA,eAAsB,IAAI,KAAkB;AAC1C,QAAM,OAAO,MAAM,mBAAmB,GAAG;AACzC,MAAI,CAAC,MAAM;AACT,WAAO,aAAa,KAAK,EAAE,OAAO,gBAAgB,MAAM,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EAC9F;AAEA,MAAI;AACF,UAAM,YAAY,MAAM,uBAAuB;AAC/C,UAAM,cAAc,UAAU,QAAqB,aAAa;AAChE,UAAM,MAAM,MAAM,YAAY,QAAQ,KAAK,KAAK;AAAA,MAC9C,UAAU,KAAK;AAAA,MACf,gBAAgB,KAAK;AAAA,IACvB,CAAC;AAMD,UAAM,eAAe,oBAAoB,uBAAuB,KAAK;AAErE,UAAM,kBAAkB;AACxB,UAAM,MAAM,WAAW;AACvB,UAAM,aAAa,IAAI;AAAA,MAAO,CAAC,UAC7B,oBAAoB,MAAM,kBAAkB,IAAI,UAAU,IAAI,cAAc,WAAW;AAAA,IACzF;AAEA,UAAM,SAAS,WAAW,IAAI,CAAC,UAAU;AACvC,YAAM,QAAQ,MAAM,aAAa,IAAI,CAAC,aAAa;AACjD,cAAM,OAAO,aAAa,QAAQ,QAAQ;AAC1C,eAAO;AAAA,UACL,MAAM;AAAA,UACN,aAAa,MAAM,eAAe;AAAA,UAClC,YAAY,QAAQ,MAAM,UAAU;AAAA,UACpC,YAAY,QAAQ,IAAI;AAAA,QAC1B;AAAA,MACF,CAAC;AACD,aAAO;AAAA,QACL,IAAI,MAAM;AAAA,QACV,UAAU,MAAM;AAAA,QAChB,OAAO,MAAM;AAAA,QACb,aAAa,MAAM;AAAA,QACnB,cAAc,MAAM;AAAA,QACpB,eAAe,MAAM,iBAAiB;AAAA,QACtC,gBAAgB,MAAM,kBAAkB;AAAA,QACxC,UAAU,QAAQ,MAAM,QAAQ;AAAA,QAChC,UAAU,MAAM,YAAY;AAAA,QAC5B,cAAc,MAAM;AAAA,QACpB;AAAA,QACA,kBAAkB,MAAM,oBAAoB,CAAC;AAAA,QAC7C,oBAAoB,MAAM,sBAAsB,CAAC;AAAA,QACjD,UAAU,MAAM,YAAY,CAAC;AAAA,QAC7B,aAAa,MAAM,eAAe,CAAC;AAAA,QACnC,iBAAiB,QAAQ,MAAM,MAAM;AAAA,MACvC;AAAA,IACF,CAAC;AAED,WAAO,aAAa,KAAK,EAAE,QAAQ,OAAO,OAAO,QAAQ,aAAa,CAAC;AAAA,EACzE,SAAS,OAAO;AACd,YAAQ,MAAM,sCAAsC,KAAK;AACzD,WAAO,aAAa;AAAA,MAClB,EAAE,OAAO,yBAAyB,MAAM,iBAAiB;AAAA,MACzD,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/modules/ai_assistant/api/ai/chat/route.js

@@ -0,0 +1,173 @@
+import { NextResponse } from "next/server";
+import { z } from "zod";
+import { getAuthFromRequest } from "@open-mercato/shared/lib/auth/server";
+import { createRequestContainer } from "@open-mercato/shared/lib/di/container";
+import { loadAgentRegistry } from "../../../lib/agent-registry.js";
+import { checkAgentPolicy } from "../../../lib/agent-policy.js";
+import { runAiAgentText } from "../../../lib/agent-runtime.js";
+import { AgentPolicyError } from "../../../lib/agent-tools.js";
+const MAX_MESSAGES = 100;
+const agentIdPattern = /^[a-z0-9_]+\.[a-z0-9_]+$/;
+const chatMessageSchema = z.object({
+  role: z.enum(["user", "assistant", "system"]),
+  content: z.string()
+});
+const pageContextSchema = z.object({
+  pageId: z.string().nullable().optional(),
+  entityType: z.string().nullable().optional(),
+  recordId: z.string().nullable().optional()
+}).passthrough();
+const chatRequestSchema = z.object({
+  messages: z.array(chatMessageSchema).min(1, "messages must contain at least one message").max(MAX_MESSAGES, `messages must contain at most ${MAX_MESSAGES} entries`),
+  attachmentIds: z.array(z.string()).optional(),
+  debug: z.boolean().optional(),
+  pageContext: pageContextSchema.optional(),
+  /**
+   * Optional stable conversation id forwarded from `<AiChat>`. Bridged into
+   * the Step 5.6 `prepareMutation` idempotency hash so repeated turns within
+   * the same chat collapse onto the same pending action. Additive; omitted
+   * bodies continue to work as before.
+   */
+  conversationId: z.string().min(1).max(128).optional()
+});
+const agentQuerySchema = z.object({
+  agent: z.string().regex(agentIdPattern, 'agent must match "<module>.<agent>" (lowercase, digits, underscores only)')
+});
+const openApi = {
+  tag: "AI Assistant",
+  summary: "AI agent dispatcher",
+  methods: {
+    POST: {
+      operationId: "aiAssistantChatAgent",
+      summary: "Stream a chat turn for a registered AI agent",
+      description: "Dispatches a chat turn to the focused AI agent identified by `?agent=<module>.<agent>`. Enforces agent-level `requiredFeatures`, tool whitelisting, read-only / mutationPolicy, execution-mode compatibility, and attachment media-type policy. The streaming response body uses an AI SDK-compatible `text/event-stream` transport.",
+      query: agentQuerySchema,
+      requestBody: {
+        contentType: "application/json",
+        description: "Chat turn payload. `messages` is required; `attachmentIds`, `debug`, and `pageContext` are optional.",
+        schema: chatRequestSchema
+      },
+      responses: [
+        { status: 200, description: "Streaming text/event-stream response compatible with AI SDK chat transports.", mediaType: "text/event-stream" }
+      ],
+      errors: [
+        { status: 400, description: "Invalid query param, malformed payload, or message count above the cap." },
+        { status: 401, description: "Unauthenticated caller." },
+        { status: 403, description: "Caller lacks agent-level or tool-level required features." },
+        { status: 404, description: "Unknown agent id." },
+        { status: 409, description: "Agent/tool/execution-mode policy violation." },
+        { status: 500, description: "Internal runtime failure." }
+      ]
+    }
+  }
+};
+const metadata = {
+  POST: { requireAuth: true, requireFeatures: ["ai_assistant.view"] }
+};
+function jsonError(status, message, code, extra) {
+  return NextResponse.json({ error: message, code, ...extra ?? {} }, { status });
+}
+function statusForDenyCode(code) {
+  switch (code) {
+    case "agent_unknown":
+      return 404;
+    case "agent_features_denied":
+    case "tool_features_denied":
+      return 403;
+    case "tool_not_whitelisted":
+    case "tool_unknown":
+    case "mutation_blocked_by_readonly":
+    case "mutation_blocked_by_policy":
+    case "execution_mode_not_supported":
+      return 409;
+    case "attachment_type_not_accepted":
+      return 400;
+    default:
+      return 409;
+  }
+}
+async function POST(req) {
+  const auth = await getAuthFromRequest(req);
+  if (!auth) {
+    return jsonError(401, "Unauthorized", "unauthenticated");
+  }
+  const requestUrl = new URL(req.url);
+  const queryResult = agentQuerySchema.safeParse({
+    agent: requestUrl.searchParams.get("agent") ?? void 0
+  });
+  if (!queryResult.success) {
+    return jsonError(400, 'Invalid or missing "agent" query parameter.', "validation_error", {
+      issues: queryResult.error.issues
+    });
+  }
+  const agentId = queryResult.data.agent;
+  let parsedBody;
+  try {
+    parsedBody = await req.json();
+  } catch {
+    return jsonError(400, "Request body must be valid JSON.", "validation_error");
+  }
+  const bodyResult = chatRequestSchema.safeParse(parsedBody);
+  if (!bodyResult.success) {
+    return jsonError(400, "Invalid request body.", "validation_error", {
+      issues: bodyResult.error.issues
+    });
+  }
+  try {
+    await loadAgentRegistry();
+    const container = await createRequestContainer();
+    const rbacService = container.resolve("rbacService");
+    const acl = await rbacService.loadAcl(auth.sub, {
+      tenantId: auth.tenantId,
+      organizationId: auth.orgId
+    });
+    const decision = checkAgentPolicy({
+      agentId,
+      authContext: {
+        userFeatures: acl.features,
+        isSuperAdmin: acl.isSuperAdmin
+      },
+      requestedExecutionMode: "chat",
+      // TODO(step-3.7): resolve attachmentIds -> media types via attachment-bridge
+      // once the attachment-to-model conversion bridge lands. Until then the
+      // policy gate skips attachment-type validation because media types are
+      // not known at dispatch time.
+      attachmentMediaTypes: void 0
+    });
+    if (!decision.ok) {
+      return jsonError(statusForDenyCode(decision.code), decision.message, decision.code);
+    }
+    return await runAiAgentText({
+      agentId,
+      messages: bodyResult.data.messages,
+      attachmentIds: bodyResult.data.attachmentIds,
+      pageContext: bodyResult.data.pageContext,
+      debug: bodyResult.data.debug,
+      conversationId: bodyResult.data.conversationId ?? null,
+      authContext: {
+        tenantId: auth.tenantId ?? null,
+        organizationId: auth.orgId ?? null,
+        userId: auth.sub,
+        features: acl.features,
+        isSuperAdmin: acl.isSuperAdmin
+      },
+      container
+    });
+  } catch (error) {
+    if (error instanceof AgentPolicyError) {
+      return jsonError(statusForDenyCode(error.code), error.message, error.code);
+    }
+    console.error("[AI Chat Agent] Dispatch failure:", error);
+    return jsonError(
+      500,
+      error instanceof Error ? error.message : "Agent dispatch failed.",
+      "internal_error"
+    );
+  }
+}
+export {
+  POST,
+  metadata,
+  openApi
+};
+//# sourceMappingURL=route.js.map