@open-mercato/ai-assistant 0.6.3-develop.3809.1.bde5459e65 → 0.6.3-develop.3811.1.be22750402

package/AGENTS.md

@@ -2,6 +2,36 @@
 
 > **IMPORTANT**: Update this file with every major change to this module. When implementing new features, modifying architecture, or changing key interfaces, update the relevant sections to keep guidance accurate for future agents.
 
+## Always
+
+- Treat the public AI assistant docs linked below as the source of truth when they disagree with this file.
+- Use `registerMcpTool`/`defineAiTool` with Zod schemas, `moduleId`, `requiredFeatures`, and serializable handler results.
+- Run `yarn generate` after adding or changing agents, tools, API discovery metadata, or tool packs.
+- Route model selection through `createModelFactory(container)` instead of ad hoc provider clients.
+- Route mutation-capable AI tools through the mutation approval path before execution.
+
+## Ask First
+
+- Use `AskUserQuestion` before any AI operation that creates, updates, or deletes data.
+- Ask before changing OpenCode Docker configuration, MCP authentication, provider/model resolution precedence, or session-token semantics.
+- Ask before widening tool allowlists, relaxing mutation policies, or exposing new data surfaces to an agent.
+
+## Never
+
+- Never leave `requiredFeatures` empty for tools that access tenant data.
+- Never bypass endpoint-level RBAC in Code Mode or MCP tool execution.
+- Never call the OpenCode HTTP API directly from chat flows; use the module handlers.
+- Never log credentials, session tokens, API keys, prompt secrets, or raw tenant data.
+- Never cache MCP server instances across requests or skip per-tool ACL checks.
+
+## Validation Commands
+
+```bash
+yarn generate
+yarn workspace @open-mercato/ai-assistant test
+yarn workspace @open-mercato/ai-assistant build
+```
+
 ## Where to look first
 
 Before editing this module — and especially before writing or reviewing a new agent — read the public framework docs. They are the source of truth and stay in sync with this AGENTS.md by review:
@@ -599,7 +629,7 @@ when the registry has no configured provider and `code: 'api_key_missing'`
 when the picked provider returns an empty key — every current call site
 already relies on the throw bubbling up, do not swallow it.
 
-## MANDATORY: Use AskUserQuestion for Confirmations
+## Ask First: Use AskUserQuestion for Confirmations
 
 > **This is the MOST IMPORTANT rule. NEVER skip this.**
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/ai-assistant",
-  "version": "0.6.3-develop.3809.1.bde5459e65",
+  "version": "0.6.3-develop.3811.1.be22750402",
   "type": "module",
   "engines": {
     "node": ">=22.0.0"
@@ -98,16 +98,16 @@
     "zod-to-json-schema": "^3.25.2"
   },
   "peerDependencies": {
-    "@open-mercato/shared": "0.6.3-develop.3809.1.bde5459e65",
-    "@open-mercato/ui": "0.6.3-develop.3809.1.bde5459e65",
+    "@open-mercato/shared": "0.6.3-develop.3811.1.be22750402",
+    "@open-mercato/ui": "0.6.3-develop.3811.1.be22750402",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "zod": ">=3.23.0"
   },
   "devDependencies": {
-    "@open-mercato/cli": "0.6.3-develop.3809.1.bde5459e65",
-    "@open-mercato/shared": "0.6.3-develop.3809.1.bde5459e65",
-    "@open-mercato/ui": "0.6.3-develop.3809.1.bde5459e65",
+    "@open-mercato/cli": "0.6.3-develop.3811.1.be22750402",
+    "@open-mercato/shared": "0.6.3-develop.3811.1.be22750402",
+    "@open-mercato/ui": "0.6.3-develop.3811.1.be22750402",
     "@types/react": "^19.2.15",
     "@types/react-dom": "^19.2.3",
     "react": "19.2.6",