npm - @open-mercato/ai-assistant - Versions diffs - 0.6.4-develop.4382.1.6b4f656b77 → 0.6.4 - Mend

@open-mercato/ai-assistant 0.6.4-develop.4382.1.6b4f656b77 → 0.6.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/dist/modules/ai_assistant/lib/tool-test-runner.js CHANGED Viewed

@@ -124,13 +124,14 @@ async function pickDefaultTenant(container) {
     );
     const tenantId = Array.isArray(tenantRows) && tenantRows[0] ? String(tenantRows[0].id) : null;
     if (!tenantId) return null;
-    const escaped = tenantId.replace(/'/g, "''");
     const orgRows = await conn.execute(
-      `SELECT id FROM organizations WHERE tenant_id = '${escaped}' AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`
+      `SELECT id FROM organizations WHERE tenant_id = ? AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,
+      [tenantId]
     );
     const organizationId = Array.isArray(orgRows) && orgRows[0] ? String(orgRows[0].id) : null;
     const userRows = await conn.execute(
-      `SELECT id FROM users WHERE tenant_id = '${escaped}' AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`
+      `SELECT id FROM users WHERE tenant_id = ? AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,
+      [tenantId]
     );
     const userId = Array.isArray(userRows) && userRows[0] ? String(userRows[0].id) : null;
     return { tenantId, organizationId, userId };
@@ -413,6 +414,7 @@ async function runToolTests(options = {}) {
   };
 }
 export {
+  pickDefaultTenant,
   runToolTests
 };
 //# sourceMappingURL=tool-test-runner.js.map

package/dist/modules/ai_assistant/lib/tool-test-runner.js.map CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../../../src/modules/ai_assistant/lib/tool-test-runner.ts"],
-  "sourcesContent": ["/**\n * In-process AI tool test runner.\n *\n * Iterates every tool registered in `ai-tools.generated.ts`, invokes the\n * handler against a super-admin tenant context, and returns a structured\n * report. Used by the `mercato ai_assistant test-tools` CLI subcommand and\n * by `.ai/qa/tests/integration/TC-INT-AI-TOOLS.spec.ts`.\n *\n * Safety posture:\n *   - No HTTP exposure \u2014 runs only inside the Node process driving the CLI.\n *   - Mutation tools are exercised through `prepareMutation` and we assert a\n *     pending-action envelope is returned. The pending-action row is created\n *     in `ai_pending_actions` but never confirmed, so no real write happens.\n *   - Tools without an explicit fixture entry are skipped with reason\n *     `'no fixture'` rather than failing.\n */\nimport path from 'node:path'\nimport fs from 'node:fs'\nimport { fileURLToPath, pathToFileURL } from 'node:url'\nimport type { AwilixContainer } from 'awilix'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { McpToolContext, AiToolDefinition } from './types'\nimport type { AiAgentDefinition, AiAgentMutationPolicy } from './ai-agent-definition'\nimport { getFixture, type ToolFixture } from './tool-test-fixtures'\nimport { prepareMutation } from './prepare-mutation'\nimport { executePendingActionConfirm } from './pending-action-executor'\n\nexport type ToolTestStatus = 'pass' | 'fail' | 'skip'\n\nexport interface ToolTestRecord {\n  module: string\n  tool: string\n  isMutation: boolean\n  status: ToolTestStatus\n  durationMs: number\n  reason?: string\n  resultPreview?: unknown\n}\n\nexport interface ToolTestReport {\n  tenantId: string | null\n  organizationId: string | null\n  total: number\n  passed: number\n  failed: number\n  skipped: number\n  records: ToolTestRecord[]\n}\n\ninterface RawAiToolsModule {\n  aiToolConfigEntriesRaw?: { moduleId: string; tools: unknown[] }[]\n  aiToolConfigEntries?: { moduleId: string; tools: unknown[] }[]\n}\n\nfunction isToolDefinition(value: unknown): value is AiToolDefinition {\n  if (!value || typeof value !== 'object') return false\n  const candidate = value as Record<string, unknown>\n  return (\n    typeof candidate.name === 'string' &&\n    typeof candidate.description === 'string' &&\n    candidate.inputSchema !== undefined &&\n    typeof candidate.handler === 'function'\n  )\n}\n\n/**\n * Locate `apps/mercato/.mercato/generated/ai-tools.generated.ts` without\n * hardcoding the workspace layout. Searches upward from this file's\n * compiled location; in the monorepo dist this is\n * `packages/ai-assistant/dist/...` so we walk up until we hit a directory\n * containing `apps/mercato/.mercato/generated`.\n */\nfunction findGeneratedAiToolsPath(): string | null {\n  const here = (() => {\n    try {\n      return fileURLToPath(import.meta.url)\n    } catch {\n      return null\n    }\n  })()\n  if (!here) return null\n  let cursor = path.dirname(here)\n  for (let i = 0; i < 12; i++) {\n    const candidate = path.join(cursor, 'apps', 'mercato', '.mercato', 'generated', 'ai-tools.generated.ts')\n    if (fs.existsSync(candidate)) return candidate\n    const next = path.dirname(cursor)\n    if (next === cursor) break\n    cursor = next\n  }\n  // Fallback: cwd-based lookup (when CLI is invoked from apps/mercato).\n  const fromCwd = path.resolve(process.cwd(), 'apps', 'mercato', '.mercato', 'generated', 'ai-tools.generated.ts')\n  if (fs.existsSync(fromCwd)) return fromCwd\n  const fromCwdDirect = path.resolve(process.cwd(), '.mercato', 'generated', 'ai-tools.generated.ts')\n  if (fs.existsSync(fromCwdDirect)) return fromCwdDirect\n  return null\n}\n\n/**\n * Compile-and-import `ai-tools.generated.ts` on the fly. Mirrors the approach\n * used by `loadBootstrapData` in `@open-mercato/shared/lib/bootstrap/dynamicLoader`:\n * resolves the `@/` alias to the app root, marks every other package import as\n * external, and emits a sibling `.mjs` we can `import()` from Node. Cached on\n * mtime so repeat runs in the same process don't recompile.\n */\nasync function compileAndImportGenerated(tsPath: string): Promise<RawAiToolsModule> {\n  const jsPath = tsPath.replace(/\\.ts$/, '.mjs')\n  // appRoot is two directories up from `.mercato/generated/<file>.ts`.\n  const appRoot = path.dirname(path.dirname(path.dirname(tsPath)))\n  const tsExists = fs.existsSync(tsPath)\n  if (!tsExists) {\n    throw new Error(`Generated file not found: ${tsPath}`)\n  }\n  const jsExists = fs.existsSync(jsPath)\n  const needsCompile =\n    !jsExists || fs.statSync(tsPath).mtimeMs > fs.statSync(jsPath).mtimeMs\n  if (needsCompile) {\n    const esbuild = await import('esbuild')\n    // Transpile-only: don't bundle. Generated registry files only declare an\n    // array literal whose entries are static `import(\"\u2026\")` arrow functions \u2014\n    // we want those `import()` strings to stay as runtime imports so Node\n    // resolves them lazily through the workspace's normal module resolution.\n    // Eagerly bundling them pulls Next.js / route handler internals into the\n    // .mjs and breaks at runtime (e.g. `next/server` package-exports map).\n    const tsSource = fs.readFileSync(tsPath, 'utf-8')\n    // Rewrite `@/...` aliases to absolute paths so Node can resolve them.\n    const aliasRewritten = tsSource.replace(\n      /from\\s+[\"']@\\/([^\"']+)[\"']/g,\n      (_match, p1: string) => {\n        const target = path.join(appRoot, p1)\n        const candidate = fs.existsSync(target)\n          ? target\n          : fs.existsSync(target + '.ts')\n            ? target + '.ts'\n            : target\n        return `from ${JSON.stringify(pathToFileURL(candidate).href)}`\n      },\n    ).replace(\n      /import\\s*\\(\\s*[\"']@\\/([^\"']+)[\"']\\s*\\)/g,\n      (_match, p1: string) => {\n        const target = path.join(appRoot, p1)\n        const candidate = fs.existsSync(target)\n          ? target\n          : fs.existsSync(target + '.ts')\n            ? target + '.ts'\n            : target\n        return `import(${JSON.stringify(pathToFileURL(candidate).href)})`\n      },\n    )\n    const result = await esbuild.transform(aliasRewritten, {\n      loader: 'ts',\n      format: 'esm',\n      target: 'node18',\n      sourcemap: false,\n      sourcefile: tsPath,\n    })\n    fs.writeFileSync(jsPath, result.code)\n  }\n  return (await import(pathToFileURL(jsPath).href)) as RawAiToolsModule\n}\n\n/**\n * Compile-and-import `api-routes.generated.ts` and register its manifest with\n * the shared registry. Many tool handlers delegate to `aiApiOperationRunner`\n * which fails closed when no manifest is registered. Idempotent: registering\n * the same array twice is safe.\n */\nasync function ensureApiRouteManifestsRegistered(generatedDir: string): Promise<void> {\n  const tsPath = path.join(generatedDir, 'api-routes.generated.ts')\n  if (!fs.existsSync(tsPath)) return\n  try {\n    const mod = (await compileAndImportGenerated(tsPath)) as Record<string, unknown>\n    const apiRoutes = (mod as { apiRoutes?: unknown }).apiRoutes\n    if (!Array.isArray(apiRoutes)) {\n      console.warn('[tool-test-runner] api-routes.generated.mjs returned no apiRoutes array')\n      return\n    }\n    const registry = await import('@open-mercato/shared/modules/registry')\n    registry.registerApiRouteManifests(\n      apiRoutes as Parameters<typeof registry.registerApiRouteManifests>[0],\n    )\n    if (process.env.OM_TOOL_TEST_DEBUG === '1') {\n      console.log(\n        `[tool-test-runner] Registered ${apiRoutes.length} api-route manifests; getApiRouteManifests().length=${registry.getApiRouteManifests().length}`,\n      )\n    }\n  } catch (error) {\n    console.warn(\n      '[tool-test-runner] Could not register api-routes manifest:',\n      error instanceof Error ? error.message : error,\n    )\n  }\n}\n\nasync function loadGeneratedTools(): Promise<{ moduleId: string; tools: AiToolDefinition[] }[]> {\n  const tsPath = findGeneratedAiToolsPath()\n  if (!tsPath) {\n    throw new Error(\n      'Could not locate apps/<app>/.mercato/generated/ai-tools.generated.ts. Run `yarn generate` first.',\n    )\n  }\n  await ensureApiRouteManifestsRegistered(path.dirname(tsPath))\n  const mod = await compileAndImportGenerated(tsPath)\n  const entries = mod.aiToolConfigEntriesRaw ?? mod.aiToolConfigEntries ?? []\n  const result: { moduleId: string; tools: AiToolDefinition[] }[] = []\n  for (const entry of entries) {\n    if (!entry || typeof entry.moduleId !== 'string') continue\n    const tools = Array.isArray(entry.tools)\n      ? entry.tools.filter(isToolDefinition)\n      : []\n    result.push({ moduleId: entry.moduleId, tools })\n  }\n  return result\n}\n\nasync function pickDefaultTenant(\n  container: AwilixContainer,\n): Promise<{ tenantId: string; organizationId: string | null; userId: string | null } | null> {\n  try {\n    const em = container.resolve<{\n      getConnection: () => { execute: (sql: string) => Promise<unknown[]> }\n    }>('em') as unknown as {\n      getConnection: () => { execute: (sql: string) => Promise<Record<string, unknown>[]> }\n    }\n    const conn = em.getConnection()\n    const tenantRows = await conn.execute(\n      `SELECT id FROM tenants WHERE deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,\n    )\n    const tenantId =\n      Array.isArray(tenantRows) && tenantRows[0]\n        ? String((tenantRows[0] as Record<string, unknown>).id)\n        : null\n    if (!tenantId) return null\n    const escaped = tenantId.replace(/'/g, \"''\")\n    const orgRows = await conn.execute(\n      `SELECT id FROM organizations WHERE tenant_id = '${escaped}' AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,\n    )\n    const organizationId =\n      Array.isArray(orgRows) && orgRows[0]\n        ? String((orgRows[0] as Record<string, unknown>).id)\n        : null\n    const userRows = await conn.execute(\n      `SELECT id FROM users WHERE tenant_id = '${escaped}' AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,\n    )\n    const userId =\n      Array.isArray(userRows) && userRows[0]\n        ? String((userRows[0] as Record<string, unknown>).id)\n        : null\n    return { tenantId, organizationId, userId }\n  } catch (error) {\n    if (process.env.OM_TOOL_TEST_DEBUG === '1') {\n      console.warn('[tool-test-runner] pickDefaultTenant failed:', error)\n    }\n    return null\n  }\n}\n\nfunction buildSuperAdminContext(\n  container: AwilixContainer,\n  tenantId: string | null,\n  organizationId: string | null,\n  userId: string | null,\n): McpToolContext {\n  return {\n    tenantId,\n    organizationId,\n    userId,\n    container,\n    userFeatures: ['*'],\n    isSuperAdmin: true,\n  }\n}\n\nfunction clipPreview(value: unknown): unknown {\n  try {\n    const json = JSON.stringify(value)\n    if (json.length <= 400) return value\n    return `${json.slice(0, 400)}\u2026(truncated, ${json.length} bytes)`\n  } catch {\n    return '[unserializable]'\n  }\n}\n\nfunction dummyAgentForTool(tool: AiToolDefinition): AiAgentDefinition {\n  // The runner never registers this agent; it's only used as input to\n  // `prepareMutation` for shape compatibility. The id namespace is namespaced\n  // under `__test__` so it cannot collide with real agents.\n  const policy: AiAgentMutationPolicy = 'destructive-confirm-required'\n  return {\n    id: `__test__.${tool.name}`,\n    moduleId: tool.name.split('.')[0] ?? '__test__',\n    label: 'Tool Test Runner',\n    description: 'Synthetic agent used by the tool test runner',\n    systemPrompt: '',\n    allowedTools: [tool.name],\n    readOnly: false,\n    mutationPolicy: policy,\n  } as AiAgentDefinition\n}\n\nasync function executeReadTool(\n  tool: AiToolDefinition,\n  args: Record<string, unknown>,\n  container: AwilixContainer,\n  ctx: McpToolContext,\n): Promise<unknown> {\n  // Mirror the dispatcher: resolve a fresh container per call so EM identity\n  // map state is clean between tools.\n  const fresh = await createRequestContainer()\n  const freshCtx: McpToolContext = { ...ctx, container: fresh, tool }\n  void container // keep arg for future use\n  return tool.handler(args as never, freshCtx)\n}\n\nasync function executeMutationTool(\n  tool: AiToolDefinition,\n  args: Record<string, unknown>,\n  container: AwilixContainer,\n  ctx: McpToolContext,\n): Promise<unknown> {\n  // Route through prepareMutation so we assert the approval contract still\n  // holds \u2014 the handler must NEVER write directly. We pass a destructive\n  // policy so the runtime treats the call as a confirmation candidate and\n  // creates a pending-action row.\n  const fresh = await createRequestContainer()\n  const agent = dummyAgentForTool(tool)\n  const userId = ctx.userId ?? '00000000-0000-0000-0000-000000000000'\n  const { uiPart, pendingAction } = await prepareMutation(\n    {\n      agent,\n      tool,\n      toolCallArgs: args,\n      conversationId: null,\n      mutationPolicyOverride: null,\n    },\n    {\n      tenantId: ctx.tenantId,\n      organizationId: ctx.organizationId,\n      userId,\n      features: ctx.userFeatures,\n      isSuperAdmin: ctx.isSuperAdmin,\n      container: fresh,\n    },\n  )\n  // Exercise the actual handler via the same path the production confirm\n  // route uses. Without this, mutation tools whose handler crashes (e.g.\n  // missing `ctx.tool` for the API operation runner) would be reported as\n  // passing because `prepareMutation` never invokes the handler.\n  // `prepareMutation` already enforced `tenantId` is non-null above; cast\n  // here for the stricter `PendingActionExecuteContext` shape.\n  const confirmTenantId = ctx.tenantId as string\n  const confirmContainer = await createRequestContainer()\n  const confirmation = await executePendingActionConfirm({\n    action: pendingAction,\n    agent,\n    tool,\n    ctx: {\n      tenantId: confirmTenantId,\n      organizationId: ctx.organizationId,\n      userId,\n      container: confirmContainer,\n      userFeatures: ctx.userFeatures,\n      isSuperAdmin: ctx.isSuperAdmin,\n    },\n    emitEvent: async () => {},\n  })\n  if (!confirmation.ok) {\n    const error = (confirmation.executionResult as { error?: { message?: string } } | undefined)?.error\n    const cause = confirmation.cause\n    const causeMessage =\n      cause instanceof Error\n        ? cause.message\n        : typeof cause === 'string'\n          ? cause\n          : null\n    const message = error?.message ?? causeMessage ?? 'handler invocation failed'\n    throw new Error(message)\n  }\n  return {\n    status: 'pending-confirmation',\n    pendingActionId: pendingAction.id,\n    expiresAt: pendingAction.expiresAt.toISOString(),\n    uiPartType: (uiPart as { type?: string } | undefined)?.type ?? null,\n    handlerExecuted: true,\n  }\n}\n\nasync function resolveFixtureInput(\n  fixture: ToolFixture,\n  resolved: Map<string, AiToolDefinition>,\n  container: AwilixContainer,\n  ctx: McpToolContext,\n): Promise<{ ok: true; input: Record<string, unknown> } | { ok: false; reason: string }> {\n  if (fixture.input) return { ok: true, input: { ...fixture.input } }\n  if (!fixture.idFrom) {\n    return { ok: false, reason: 'fixture has neither input nor idFrom' }\n  }\n  const sourceTool = resolved.get(fixture.idFrom)\n  if (!sourceTool) {\n    return { ok: false, reason: `idFrom tool not found: ${fixture.idFrom}` }\n  }\n  const sourceFixture = getFixture(fixture.idFrom)\n  if (!sourceFixture?.input) {\n    return {\n      ok: false,\n      reason: `idFrom source ${fixture.idFrom} has no static input fixture`,\n    }\n  }\n  let listResult: unknown\n  try {\n    listResult = await executeReadTool(\n      sourceTool,\n      { ...sourceFixture.input },\n      container,\n      ctx,\n    )\n  } catch (error) {\n    return {\n      ok: false,\n      reason: `idFrom source ${fixture.idFrom} threw: ${\n        error instanceof Error ? error.message : String(error)\n      }`,\n    }\n  }\n  const records = extractRecords(listResult)\n  if (!records.length) {\n    return {\n      ok: false,\n      reason: `idFrom source ${fixture.idFrom} returned no records`,\n    }\n  }\n  const idField = 'id'\n  const id = (records[0] as Record<string, unknown>)[idField]\n  if (typeof id !== 'string' || !id) {\n    return {\n      ok: false,\n      reason: `idFrom source ${fixture.idFrom} first record has no string id`,\n    }\n  }\n  const bindAs = fixture.bindAs ?? 'id'\n  return {\n    ok: true,\n    input: { [bindAs]: id, ...(fixture.extra ?? {}) },\n  }\n}\n\nfunction extractRecords(value: unknown): unknown[] {\n  if (!value || typeof value !== 'object') return []\n  const candidate = value as Record<string, unknown>\n  for (const key of ['records', 'items', 'people', 'companies', 'deals', 'results', 'data']) {\n    const arr = candidate[key]\n    if (Array.isArray(arr)) return arr\n  }\n  return []\n}\n\nexport interface RunToolTestsOptions {\n  tenantId?: string | null\n  organizationId?: string | null\n  userId?: string | null\n  moduleFilter?: string | null\n  includeMutations?: boolean\n}\n\nexport async function runToolTests(\n  options: RunToolTestsOptions = {},\n): Promise<ToolTestReport> {\n  const includeMutations = options.includeMutations ?? true\n  const container = await createRequestContainer()\n  let tenantId: string | null = options.tenantId ?? null\n  let organizationId: string | null = options.organizationId ?? null\n  let userId: string | null = options.userId ?? null\n  if (!tenantId) {\n    const picked = await pickDefaultTenant(container)\n    if (picked) {\n      tenantId = picked.tenantId\n      organizationId = picked.organizationId\n      userId = userId ?? picked.userId\n    }\n  }\n  const ctx = buildSuperAdminContext(container, tenantId, organizationId, userId)\n  const grouped = await loadGeneratedTools()\n\n  const flat: { moduleId: string; tool: AiToolDefinition }[] = []\n  for (const group of grouped) {\n    if (options.moduleFilter && group.moduleId !== options.moduleFilter) continue\n    for (const tool of group.tools) flat.push({ moduleId: group.moduleId, tool })\n  }\n  const resolved = new Map<string, AiToolDefinition>()\n  for (const { tool } of flat) resolved.set(tool.name, tool)\n\n  const records: ToolTestRecord[] = []\n  for (const { moduleId, tool } of flat) {\n    const start = Date.now()\n    const isMutation = tool.isMutation === true\n    const fixture = getFixture(tool.name)\n    if (!fixture) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'skip',\n        durationMs: Date.now() - start,\n        reason: 'no fixture',\n      })\n      continue\n    }\n    if (fixture.skip) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'skip',\n        durationMs: Date.now() - start,\n        reason: fixture.note ?? 'skip-by-fixture',\n      })\n      continue\n    }\n    if (isMutation && !includeMutations) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'skip',\n        durationMs: Date.now() - start,\n        reason: 'mutations excluded',\n      })\n      continue\n    }\n    const inputResult = await resolveFixtureInput(fixture, resolved, container, ctx)\n    if (!inputResult.ok) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'skip',\n        durationMs: Date.now() - start,\n        reason: inputResult.reason,\n      })\n      continue\n    }\n    try {\n      const result = isMutation\n        ? await executeMutationTool(tool, inputResult.input, container, ctx)\n        : await executeReadTool(tool, inputResult.input, container, ctx)\n      // Result must be JSON-serializable.\n      JSON.stringify(result)\n      // Mutation tools must return a pending-confirmation envelope.\n      if (\n        isMutation &&\n        (typeof result !== 'object' ||\n          result === null ||\n          (result as Record<string, unknown>).status !== 'pending-confirmation')\n      ) {\n        records.push({\n          module: moduleId,\n          tool: tool.name,\n          isMutation,\n          status: 'fail',\n          durationMs: Date.now() - start,\n          reason: 'mutation tool did not route through prepareMutation (no pending-confirmation envelope)',\n          resultPreview: clipPreview(result),\n        })\n        continue\n      }\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'pass',\n        durationMs: Date.now() - start,\n        resultPreview: clipPreview(result),\n      })\n    } catch (error) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'fail',\n        durationMs: Date.now() - start,\n        reason: error instanceof Error ? error.message : String(error),\n      })\n    }\n  }\n  const passed = records.filter((r) => r.status === 'pass').length\n  const failed = records.filter((r) => r.status === 'fail').length\n  const skipped = records.filter((r) => r.status === 'skip').length\n  return {\n    tenantId,\n    organizationId,\n    total: records.length,\n    passed,\n    failed,\n    skipped,\n    records,\n  }\n}\n"],
-  "mappings": "AAgBA,OAAO,UAAU;AACjB,OAAO,QAAQ;AACf,SAAS,eAAe,qBAAqB;AAE7C,SAAS,8BAA8B;AAGvC,SAAS,kBAAoC;AAC7C,SAAS,uBAAuB;AAChC,SAAS,mCAAmC;AA6B5C,SAAS,iBAAiB,OAA2C;AACnE,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,YAAY;AAClB,SACE,OAAO,UAAU,SAAS,YAC1B,OAAO,UAAU,gBAAgB,YACjC,UAAU,gBAAgB,UAC1B,OAAO,UAAU,YAAY;AAEjC;AASA,SAAS,2BAA0C;AACjD,QAAM,QAAQ,MAAM;AAClB,QAAI;AACF,aAAO,cAAc,YAAY,GAAG;AAAA,IACtC,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF,GAAG;AACH,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,SAAS,KAAK,QAAQ,IAAI;AAC9B,WAAS,IAAI,GAAG,IAAI,IAAI,KAAK;AAC3B,UAAM,YAAY,KAAK,KAAK,QAAQ,QAAQ,WAAW,YAAY,aAAa,uBAAuB;AACvG,QAAI,GAAG,WAAW,SAAS,EAAG,QAAO;AACrC,UAAM,OAAO,KAAK,QAAQ,MAAM;AAChC,QAAI,SAAS,OAAQ;AACrB,aAAS;AAAA,EACX;AAEA,QAAM,UAAU,KAAK,QAAQ,QAAQ,IAAI,GAAG,QAAQ,WAAW,YAAY,aAAa,uBAAuB;AAC/G,MAAI,GAAG,WAAW,OAAO,EAAG,QAAO;AACnC,QAAM,gBAAgB,KAAK,QAAQ,QAAQ,IAAI,GAAG,YAAY,aAAa,uBAAuB;AAClG,MAAI,GAAG,WAAW,aAAa,EAAG,QAAO;AACzC,SAAO;AACT;AASA,eAAe,0BAA0B,QAA2C;AAClF,QAAM,SAAS,OAAO,QAAQ,SAAS,MAAM;AAE7C,QAAM,UAAU,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,MAAM,CAAC,CAAC;AAC/D,QAAM,WAAW,GAAG,WAAW,MAAM;AACrC,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,MAAM,6BAA6B,MAAM,EAAE;AAAA,EACvD;AACA,QAAM,WAAW,GAAG,WAAW,MAAM;AACrC,QAAM,eACJ,CAAC,YAAY,GAAG,SAAS,MAAM,EAAE,UAAU,GAAG,SAAS,MAAM,EAAE;AACjE,MAAI,cAAc;AAChB,UAAM,UAAU,MAAM,OAAO,SAAS;AAOtC,UAAM,WAAW,GAAG,aAAa,QAAQ,OAAO;AAEhD,UAAM,iBAAiB,SAAS;AAAA,MAC9B;AAAA,MACA,CAAC,QAAQ,OAAe;AACtB,cAAM,SAAS,KAAK,KAAK,SAAS,EAAE;AACpC,cAAM,YAAY,GAAG,WAAW,MAAM,IAClC,SACA,GAAG,WAAW,SAAS,KAAK,IAC1B,SAAS,QACT;AACN,eAAO,QAAQ,KAAK,UAAU,cAAc,SAAS,EAAE,IAAI,CAAC;AAAA,MAC9D;AAAA,IACF,EAAE;AAAA,MACA;AAAA,MACA,CAAC,QAAQ,OAAe;AACtB,cAAM,SAAS,KAAK,KAAK,SAAS,EAAE;AACpC,cAAM,YAAY,GAAG,WAAW,MAAM,IAClC,SACA,GAAG,WAAW,SAAS,KAAK,IAC1B,SAAS,QACT;AACN,eAAO,UAAU,KAAK,UAAU,cAAc,SAAS,EAAE,IAAI,CAAC;AAAA,MAChE;AAAA,IACF;AACA,UAAM,SAAS,MAAM,QAAQ,UAAU,gBAAgB;AAAA,MACrD,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,WAAW;AAAA,MACX,YAAY;AAAA,IACd,CAAC;AACD,OAAG,cAAc,QAAQ,OAAO,IAAI;AAAA,EACtC;AACA,SAAQ,MAAM,OAAO,cAAc,MAAM,EAAE;AAC7C;AAQA,eAAe,kCAAkC,cAAqC;AACpF,QAAM,SAAS,KAAK,KAAK,cAAc,yBAAyB;AAChE,MAAI,CAAC,GAAG,WAAW,MAAM,EAAG;AAC5B,MAAI;AACF,UAAM,MAAO,MAAM,0BAA0B,MAAM;AACnD,UAAM,YAAa,IAAgC;AACnD,QAAI,CAAC,MAAM,QAAQ,SAAS,GAAG;AAC7B,cAAQ,KAAK,yEAAyE;AACtF;AAAA,IACF;AACA,UAAM,WAAW,MAAM,OAAO,uCAAuC;AACrE,aAAS;AAAA,MACP;AAAA,IACF;AACA,QAAI,QAAQ,IAAI,uBAAuB,KAAK;AAC1C,cAAQ;AAAA,QACN,iCAAiC,UAAU,MAAM,uDAAuD,SAAS,qBAAqB,EAAE,MAAM;AAAA,MAChJ;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,YAAQ;AAAA,MACN;AAAA,MACA,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAC3C;AAAA,EACF;AACF;AAEA,eAAe,qBAAiF;AAC9F,QAAM,SAAS,yBAAyB;AACxC,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,kCAAkC,KAAK,QAAQ,MAAM,CAAC;AAC5D,QAAM,MAAM,MAAM,0BAA0B,MAAM;AAClD,QAAM,UAAU,IAAI,0BAA0B,IAAI,uBAAuB,CAAC;AAC1E,QAAM,SAA4D,CAAC;AACnE,aAAW,SAAS,SAAS;AAC3B,QAAI,CAAC,SAAS,OAAO,MAAM,aAAa,SAAU;AAClD,UAAM,QAAQ,MAAM,QAAQ,MAAM,KAAK,IACnC,MAAM,MAAM,OAAO,gBAAgB,IACnC,CAAC;AACL,WAAO,KAAK,EAAE,UAAU,MAAM,UAAU,MAAM,CAAC;AAAA,EACjD;AACA,SAAO;AACT;AAEA,eAAe,kBACb,WAC4F;AAC5F,MAAI;AACF,UAAM,KAAK,UAAU,QAElB,IAAI;AAGP,UAAM,OAAO,GAAG,cAAc;AAC9B,UAAM,aAAa,MAAM,KAAK;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,WACJ,MAAM,QAAQ,UAAU,KAAK,WAAW,CAAC,IACrC,OAAQ,WAAW,CAAC,EAA8B,EAAE,IACpD;AACN,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,UAAU,SAAS,QAAQ,MAAM,IAAI;AAC3C,UAAM,UAAU,MAAM,KAAK;AAAA,MACzB,mDAAmD,OAAO;AAAA,IAC5D;AACA,UAAM,iBACJ,MAAM,QAAQ,OAAO,KAAK,QAAQ,CAAC,IAC/B,OAAQ,QAAQ,CAAC,EAA8B,EAAE,IACjD;AACN,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B,2CAA2C,OAAO;AAAA,IACpD;AACA,UAAM,SACJ,MAAM,QAAQ,QAAQ,KAAK,SAAS,CAAC,IACjC,OAAQ,SAAS,CAAC,EAA8B,EAAE,IAClD;AACN,WAAO,EAAE,UAAU,gBAAgB,OAAO;AAAA,EAC5C,SAAS,OAAO;AACd,QAAI,QAAQ,IAAI,uBAAuB,KAAK;AAC1C,cAAQ,KAAK,gDAAgD,KAAK;AAAA,IACpE;AACA,WAAO;AAAA,EACT;AACF;AAEA,SAAS,uBACP,WACA,UACA,gBACA,QACgB;AAChB,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,cAAc,CAAC,GAAG;AAAA,IAClB,cAAc;AAAA,EAChB;AACF;AAEA,SAAS,YAAY,OAAyB;AAC5C,MAAI;AACF,UAAM,OAAO,KAAK,UAAU,KAAK;AACjC,QAAI,KAAK,UAAU,IAAK,QAAO;AAC/B,WAAO,GAAG,KAAK,MAAM,GAAG,GAAG,CAAC,qBAAgB,KAAK,MAAM;AAAA,EACzD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,kBAAkB,MAA2C;AAIpE,QAAM,SAAgC;AACtC,SAAO;AAAA,IACL,IAAI,YAAY,KAAK,IAAI;AAAA,IACzB,UAAU,KAAK,KAAK,MAAM,GAAG,EAAE,CAAC,KAAK;AAAA,IACrC,OAAO;AAAA,IACP,aAAa;AAAA,IACb,cAAc;AAAA,IACd,cAAc,CAAC,KAAK,IAAI;AAAA,IACxB,UAAU;AAAA,IACV,gBAAgB;AAAA,EAClB;AACF;AAEA,eAAe,gBACb,MACA,MACA,WACA,KACkB;AAGlB,QAAM,QAAQ,MAAM,uBAAuB;AAC3C,QAAM,WAA2B,EAAE,GAAG,KAAK,WAAW,OAAO,KAAK;AAClE,OAAK;AACL,SAAO,KAAK,QAAQ,MAAe,QAAQ;AAC7C;AAEA,eAAe,oBACb,MACA,MACA,WACA,KACkB;AAKlB,QAAM,QAAQ,MAAM,uBAAuB;AAC3C,QAAM,QAAQ,kBAAkB,IAAI;AACpC,QAAM,SAAS,IAAI,UAAU;AAC7B,QAAM,EAAE,QAAQ,cAAc,IAAI,MAAM;AAAA,IACtC;AAAA,MACE;AAAA,MACA;AAAA,MACA,cAAc;AAAA,MACd,gBAAgB;AAAA,MAChB,wBAAwB;AAAA,IAC1B;AAAA,IACA;AAAA,MACE,UAAU,IAAI;AAAA,MACd,gBAAgB,IAAI;AAAA,MACpB;AAAA,MACA,UAAU,IAAI;AAAA,MACd,cAAc,IAAI;AAAA,MAClB,WAAW;AAAA,IACb;AAAA,EACF;AAOA,QAAM,kBAAkB,IAAI;AAC5B,QAAM,mBAAmB,MAAM,uBAAuB;AACtD,QAAM,eAAe,MAAM,4BAA4B;AAAA,IACrD,QAAQ;AAAA,IACR;AAAA,IACA;AAAA,IACA,KAAK;AAAA,MACH,UAAU;AAAA,MACV,gBAAgB,IAAI;AAAA,MACpB;AAAA,MACA,WAAW;AAAA,MACX,cAAc,IAAI;AAAA,MAClB,cAAc,IAAI;AAAA,IACpB;AAAA,IACA,WAAW,YAAY;AAAA,IAAC;AAAA,EAC1B,CAAC;AACD,MAAI,CAAC,aAAa,IAAI;AACpB,UAAM,QAAS,aAAa,iBAAkE;AAC9F,UAAM,QAAQ,aAAa;AAC3B,UAAM,eACJ,iBAAiB,QACb,MAAM,UACN,OAAO,UAAU,WACf,QACA;AACR,UAAM,UAAU,OAAO,WAAW,gBAAgB;AAClD,UAAM,IAAI,MAAM,OAAO;AAAA,EACzB;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,iBAAiB,cAAc;AAAA,IAC/B,WAAW,cAAc,UAAU,YAAY;AAAA,IAC/C,YAAa,QAA0C,QAAQ;AAAA,IAC/D,iBAAiB;AAAA,EACnB;AACF;AAEA,eAAe,oBACb,SACA,UACA,WACA,KACuF;AACvF,MAAI,QAAQ,MAAO,QAAO,EAAE,IAAI,MAAM,OAAO,EAAE,GAAG,QAAQ,MAAM,EAAE;AAClE,MAAI,CAAC,QAAQ,QAAQ;AACnB,WAAO,EAAE,IAAI,OAAO,QAAQ,uCAAuC;AAAA,EACrE;AACA,QAAM,aAAa,SAAS,IAAI,QAAQ,MAAM;AAC9C,MAAI,CAAC,YAAY;AACf,WAAO,EAAE,IAAI,OAAO,QAAQ,0BAA0B,QAAQ,MAAM,GAAG;AAAA,EACzE;AACA,QAAM,gBAAgB,WAAW,QAAQ,MAAM;AAC/C,MAAI,CAAC,eAAe,OAAO;AACzB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,iBAAiB,QAAQ,MAAM;AAAA,IACzC;AAAA,EACF;AACA,MAAI;AACJ,MAAI;AACF,iBAAa,MAAM;AAAA,MACjB;AAAA,MACA,EAAE,GAAG,cAAc,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,iBAAiB,QAAQ,MAAM,WACrC,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CACvD;AAAA,IACF;AAAA,EACF;AACA,QAAM,UAAU,eAAe,UAAU;AACzC,MAAI,CAAC,QAAQ,QAAQ;AACnB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,iBAAiB,QAAQ,MAAM;AAAA,IACzC;AAAA,EACF;AACA,QAAM,UAAU;AAChB,QAAM,KAAM,QAAQ,CAAC,EAA8B,OAAO;AAC1D,MAAI,OAAO,OAAO,YAAY,CAAC,IAAI;AACjC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,iBAAiB,QAAQ,MAAM;AAAA,IACzC;AAAA,EACF;AACA,QAAM,SAAS,QAAQ,UAAU;AACjC,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,OAAO,EAAE,CAAC,MAAM,GAAG,IAAI,GAAI,QAAQ,SAAS,CAAC,EAAG;AAAA,EAClD;AACF;AAEA,SAAS,eAAe,OAA2B;AACjD,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO,CAAC;AACjD,QAAM,YAAY;AAClB,aAAW,OAAO,CAAC,WAAW,SAAS,UAAU,aAAa,SAAS,WAAW,MAAM,GAAG;AACzF,UAAM,MAAM,UAAU,GAAG;AACzB,QAAI,MAAM,QAAQ,GAAG,EAAG,QAAO;AAAA,EACjC;AACA,SAAO,CAAC;AACV;AAUA,eAAsB,aACpB,UAA+B,CAAC,GACP;AACzB,QAAM,mBAAmB,QAAQ,oBAAoB;AACrD,QAAM,YAAY,MAAM,uBAAuB;AAC/C,MAAI,WAA0B,QAAQ,YAAY;AAClD,MAAI,iBAAgC,QAAQ,kBAAkB;AAC9D,MAAI,SAAwB,QAAQ,UAAU;AAC9C,MAAI,CAAC,UAAU;AACb,UAAM,SAAS,MAAM,kBAAkB,SAAS;AAChD,QAAI,QAAQ;AACV,iBAAW,OAAO;AAClB,uBAAiB,OAAO;AACxB,eAAS,UAAU,OAAO;AAAA,IAC5B;AAAA,EACF;AACA,QAAM,MAAM,uBAAuB,WAAW,UAAU,gBAAgB,MAAM;AAC9E,QAAM,UAAU,MAAM,mBAAmB;AAEzC,QAAM,OAAuD,CAAC;AAC9D,aAAW,SAAS,SAAS;AAC3B,QAAI,QAAQ,gBAAgB,MAAM,aAAa,QAAQ,aAAc;AACrE,eAAW,QAAQ,MAAM,MAAO,MAAK,KAAK,EAAE,UAAU,MAAM,UAAU,KAAK,CAAC;AAAA,EAC9E;AACA,QAAM,WAAW,oBAAI,IAA8B;AACnD,aAAW,EAAE,KAAK,KAAK,KAAM,UAAS,IAAI,KAAK,MAAM,IAAI;AAEzD,QAAM,UAA4B,CAAC;AACnC,aAAW,EAAE,UAAU,KAAK,KAAK,MAAM;AACrC,UAAM,QAAQ,KAAK,IAAI;AACvB,UAAM,aAAa,KAAK,eAAe;AACvC,UAAM,UAAU,WAAW,KAAK,IAAI;AACpC,QAAI,CAAC,SAAS;AACZ,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ;AAAA,MACV,CAAC;AACD;AAAA,IACF;AACA,QAAI,QAAQ,MAAM;AAChB,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ,QAAQ,QAAQ;AAAA,MAC1B,CAAC;AACD;AAAA,IACF;AACA,QAAI,cAAc,CAAC,kBAAkB;AACnC,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ;AAAA,MACV,CAAC;AACD;AAAA,IACF;AACA,UAAM,cAAc,MAAM,oBAAoB,SAAS,UAAU,WAAW,GAAG;AAC/E,QAAI,CAAC,YAAY,IAAI;AACnB,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ,YAAY;AAAA,MACtB,CAAC;AACD;AAAA,IACF;AACA,QAAI;AACF,YAAM,SAAS,aACX,MAAM,oBAAoB,MAAM,YAAY,OAAO,WAAW,GAAG,IACjE,MAAM,gBAAgB,MAAM,YAAY,OAAO,WAAW,GAAG;AAEjE,WAAK,UAAU,MAAM;AAErB,UACE,eACC,OAAO,WAAW,YACjB,WAAW,QACV,OAAmC,WAAW,yBACjD;AACA,gBAAQ,KAAK;AAAA,UACX,QAAQ;AAAA,UACR,MAAM,KAAK;AAAA,UACX;AAAA,UACA,QAAQ;AAAA,UACR,YAAY,KAAK,IAAI,IAAI;AAAA,UACzB,QAAQ;AAAA,UACR,eAAe,YAAY,MAAM;AAAA,QACnC,CAAC;AACD;AAAA,MACF;AACA,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,eAAe,YAAY,MAAM;AAAA,MACnC,CAAC;AAAA,IACH,SAAS,OAAO;AACd,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,MAC/D,CAAC;AAAA,IACH;AAAA,EACF;AACA,QAAM,SAAS,QAAQ,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AAC1D,QAAM,SAAS,QAAQ,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AAC1D,QAAM,UAAU,QAAQ,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AAC3D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,OAAO,QAAQ;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;",
+  "sourcesContent": ["/**\n * In-process AI tool test runner.\n *\n * Iterates every tool registered in `ai-tools.generated.ts`, invokes the\n * handler against a super-admin tenant context, and returns a structured\n * report. Used by the `mercato ai_assistant test-tools` CLI subcommand and\n * by `.ai/qa/tests/integration/TC-INT-AI-TOOLS.spec.ts`.\n *\n * Safety posture:\n *   - No HTTP exposure \u2014 runs only inside the Node process driving the CLI.\n *   - Mutation tools are exercised through `prepareMutation` and we assert a\n *     pending-action envelope is returned. The pending-action row is created\n *     in `ai_pending_actions` but never confirmed, so no real write happens.\n *   - Tools without an explicit fixture entry are skipped with reason\n *     `'no fixture'` rather than failing.\n */\nimport path from 'node:path'\nimport fs from 'node:fs'\nimport { fileURLToPath, pathToFileURL } from 'node:url'\nimport type { AwilixContainer } from 'awilix'\nimport { createRequestContainer } from '@open-mercato/shared/lib/di/container'\nimport type { McpToolContext, AiToolDefinition } from './types'\nimport type { AiAgentDefinition, AiAgentMutationPolicy } from './ai-agent-definition'\nimport { getFixture, type ToolFixture } from './tool-test-fixtures'\nimport { prepareMutation } from './prepare-mutation'\nimport { executePendingActionConfirm } from './pending-action-executor'\n\nexport type ToolTestStatus = 'pass' | 'fail' | 'skip'\n\nexport interface ToolTestRecord {\n  module: string\n  tool: string\n  isMutation: boolean\n  status: ToolTestStatus\n  durationMs: number\n  reason?: string\n  resultPreview?: unknown\n}\n\nexport interface ToolTestReport {\n  tenantId: string | null\n  organizationId: string | null\n  total: number\n  passed: number\n  failed: number\n  skipped: number\n  records: ToolTestRecord[]\n}\n\ninterface RawAiToolsModule {\n  aiToolConfigEntriesRaw?: { moduleId: string; tools: unknown[] }[]\n  aiToolConfigEntries?: { moduleId: string; tools: unknown[] }[]\n}\n\nfunction isToolDefinition(value: unknown): value is AiToolDefinition {\n  if (!value || typeof value !== 'object') return false\n  const candidate = value as Record<string, unknown>\n  return (\n    typeof candidate.name === 'string' &&\n    typeof candidate.description === 'string' &&\n    candidate.inputSchema !== undefined &&\n    typeof candidate.handler === 'function'\n  )\n}\n\n/**\n * Locate `apps/mercato/.mercato/generated/ai-tools.generated.ts` without\n * hardcoding the workspace layout. Searches upward from this file's\n * compiled location; in the monorepo dist this is\n * `packages/ai-assistant/dist/...` so we walk up until we hit a directory\n * containing `apps/mercato/.mercato/generated`.\n */\nfunction findGeneratedAiToolsPath(): string | null {\n  const here = (() => {\n    try {\n      return fileURLToPath(import.meta.url)\n    } catch {\n      return null\n    }\n  })()\n  if (!here) return null\n  let cursor = path.dirname(here)\n  for (let i = 0; i < 12; i++) {\n    const candidate = path.join(cursor, 'apps', 'mercato', '.mercato', 'generated', 'ai-tools.generated.ts')\n    if (fs.existsSync(candidate)) return candidate\n    const next = path.dirname(cursor)\n    if (next === cursor) break\n    cursor = next\n  }\n  // Fallback: cwd-based lookup (when CLI is invoked from apps/mercato).\n  const fromCwd = path.resolve(process.cwd(), 'apps', 'mercato', '.mercato', 'generated', 'ai-tools.generated.ts')\n  if (fs.existsSync(fromCwd)) return fromCwd\n  const fromCwdDirect = path.resolve(process.cwd(), '.mercato', 'generated', 'ai-tools.generated.ts')\n  if (fs.existsSync(fromCwdDirect)) return fromCwdDirect\n  return null\n}\n\n/**\n * Compile-and-import `ai-tools.generated.ts` on the fly. Mirrors the approach\n * used by `loadBootstrapData` in `@open-mercato/shared/lib/bootstrap/dynamicLoader`:\n * resolves the `@/` alias to the app root, marks every other package import as\n * external, and emits a sibling `.mjs` we can `import()` from Node. Cached on\n * mtime so repeat runs in the same process don't recompile.\n */\nasync function compileAndImportGenerated(tsPath: string): Promise<RawAiToolsModule> {\n  const jsPath = tsPath.replace(/\\.ts$/, '.mjs')\n  // appRoot is two directories up from `.mercato/generated/<file>.ts`.\n  const appRoot = path.dirname(path.dirname(path.dirname(tsPath)))\n  const tsExists = fs.existsSync(tsPath)\n  if (!tsExists) {\n    throw new Error(`Generated file not found: ${tsPath}`)\n  }\n  const jsExists = fs.existsSync(jsPath)\n  const needsCompile =\n    !jsExists || fs.statSync(tsPath).mtimeMs > fs.statSync(jsPath).mtimeMs\n  if (needsCompile) {\n    const esbuild = await import('esbuild')\n    // Transpile-only: don't bundle. Generated registry files only declare an\n    // array literal whose entries are static `import(\"\u2026\")` arrow functions \u2014\n    // we want those `import()` strings to stay as runtime imports so Node\n    // resolves them lazily through the workspace's normal module resolution.\n    // Eagerly bundling them pulls Next.js / route handler internals into the\n    // .mjs and breaks at runtime (e.g. `next/server` package-exports map).\n    const tsSource = fs.readFileSync(tsPath, 'utf-8')\n    // Rewrite `@/...` aliases to absolute paths so Node can resolve them.\n    const aliasRewritten = tsSource.replace(\n      /from\\s+[\"']@\\/([^\"']+)[\"']/g,\n      (_match, p1: string) => {\n        const target = path.join(appRoot, p1)\n        const candidate = fs.existsSync(target)\n          ? target\n          : fs.existsSync(target + '.ts')\n            ? target + '.ts'\n            : target\n        return `from ${JSON.stringify(pathToFileURL(candidate).href)}`\n      },\n    ).replace(\n      /import\\s*\\(\\s*[\"']@\\/([^\"']+)[\"']\\s*\\)/g,\n      (_match, p1: string) => {\n        const target = path.join(appRoot, p1)\n        const candidate = fs.existsSync(target)\n          ? target\n          : fs.existsSync(target + '.ts')\n            ? target + '.ts'\n            : target\n        return `import(${JSON.stringify(pathToFileURL(candidate).href)})`\n      },\n    )\n    const result = await esbuild.transform(aliasRewritten, {\n      loader: 'ts',\n      format: 'esm',\n      target: 'node18',\n      sourcemap: false,\n      sourcefile: tsPath,\n    })\n    fs.writeFileSync(jsPath, result.code)\n  }\n  return (await import(pathToFileURL(jsPath).href)) as RawAiToolsModule\n}\n\n/**\n * Compile-and-import `api-routes.generated.ts` and register its manifest with\n * the shared registry. Many tool handlers delegate to `aiApiOperationRunner`\n * which fails closed when no manifest is registered. Idempotent: registering\n * the same array twice is safe.\n */\nasync function ensureApiRouteManifestsRegistered(generatedDir: string): Promise<void> {\n  const tsPath = path.join(generatedDir, 'api-routes.generated.ts')\n  if (!fs.existsSync(tsPath)) return\n  try {\n    const mod = (await compileAndImportGenerated(tsPath)) as Record<string, unknown>\n    const apiRoutes = (mod as { apiRoutes?: unknown }).apiRoutes\n    if (!Array.isArray(apiRoutes)) {\n      console.warn('[tool-test-runner] api-routes.generated.mjs returned no apiRoutes array')\n      return\n    }\n    const registry = await import('@open-mercato/shared/modules/registry')\n    registry.registerApiRouteManifests(\n      apiRoutes as Parameters<typeof registry.registerApiRouteManifests>[0],\n    )\n    if (process.env.OM_TOOL_TEST_DEBUG === '1') {\n      console.log(\n        `[tool-test-runner] Registered ${apiRoutes.length} api-route manifests; getApiRouteManifests().length=${registry.getApiRouteManifests().length}`,\n      )\n    }\n  } catch (error) {\n    console.warn(\n      '[tool-test-runner] Could not register api-routes manifest:',\n      error instanceof Error ? error.message : error,\n    )\n  }\n}\n\nasync function loadGeneratedTools(): Promise<{ moduleId: string; tools: AiToolDefinition[] }[]> {\n  const tsPath = findGeneratedAiToolsPath()\n  if (!tsPath) {\n    throw new Error(\n      'Could not locate apps/<app>/.mercato/generated/ai-tools.generated.ts. Run `yarn generate` first.',\n    )\n  }\n  await ensureApiRouteManifestsRegistered(path.dirname(tsPath))\n  const mod = await compileAndImportGenerated(tsPath)\n  const entries = mod.aiToolConfigEntriesRaw ?? mod.aiToolConfigEntries ?? []\n  const result: { moduleId: string; tools: AiToolDefinition[] }[] = []\n  for (const entry of entries) {\n    if (!entry || typeof entry.moduleId !== 'string') continue\n    const tools = Array.isArray(entry.tools)\n      ? entry.tools.filter(isToolDefinition)\n      : []\n    result.push({ moduleId: entry.moduleId, tools })\n  }\n  return result\n}\n\nexport async function pickDefaultTenant(\n  container: AwilixContainer,\n): Promise<{ tenantId: string; organizationId: string | null; userId: string | null } | null> {\n  try {\n    const em = container.resolve<{\n      getConnection: () => {\n        execute: (sql: string, params?: unknown[]) => Promise<Record<string, unknown>[]>\n      }\n    }>('em') as unknown as {\n      getConnection: () => {\n        execute: (sql: string, params?: unknown[]) => Promise<Record<string, unknown>[]>\n      }\n    }\n    const conn = em.getConnection()\n    const tenantRows = await conn.execute(\n      `SELECT id FROM tenants WHERE deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,\n    )\n    const tenantId =\n      Array.isArray(tenantRows) && tenantRows[0]\n        ? String((tenantRows[0] as Record<string, unknown>).id)\n        : null\n    if (!tenantId) return null\n    const orgRows = await conn.execute(\n      `SELECT id FROM organizations WHERE tenant_id = ? AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,\n      [tenantId],\n    )\n    const organizationId =\n      Array.isArray(orgRows) && orgRows[0]\n        ? String((orgRows[0] as Record<string, unknown>).id)\n        : null\n    const userRows = await conn.execute(\n      `SELECT id FROM users WHERE tenant_id = ? AND deleted_at IS NULL ORDER BY created_at ASC LIMIT 1`,\n      [tenantId],\n    )\n    const userId =\n      Array.isArray(userRows) && userRows[0]\n        ? String((userRows[0] as Record<string, unknown>).id)\n        : null\n    return { tenantId, organizationId, userId }\n  } catch (error) {\n    if (process.env.OM_TOOL_TEST_DEBUG === '1') {\n      console.warn('[tool-test-runner] pickDefaultTenant failed:', error)\n    }\n    return null\n  }\n}\n\nfunction buildSuperAdminContext(\n  container: AwilixContainer,\n  tenantId: string | null,\n  organizationId: string | null,\n  userId: string | null,\n): McpToolContext {\n  return {\n    tenantId,\n    organizationId,\n    userId,\n    container,\n    userFeatures: ['*'],\n    isSuperAdmin: true,\n  }\n}\n\nfunction clipPreview(value: unknown): unknown {\n  try {\n    const json = JSON.stringify(value)\n    if (json.length <= 400) return value\n    return `${json.slice(0, 400)}\u2026(truncated, ${json.length} bytes)`\n  } catch {\n    return '[unserializable]'\n  }\n}\n\nfunction dummyAgentForTool(tool: AiToolDefinition): AiAgentDefinition {\n  // The runner never registers this agent; it's only used as input to\n  // `prepareMutation` for shape compatibility. The id namespace is namespaced\n  // under `__test__` so it cannot collide with real agents.\n  const policy: AiAgentMutationPolicy = 'destructive-confirm-required'\n  return {\n    id: `__test__.${tool.name}`,\n    moduleId: tool.name.split('.')[0] ?? '__test__',\n    label: 'Tool Test Runner',\n    description: 'Synthetic agent used by the tool test runner',\n    systemPrompt: '',\n    allowedTools: [tool.name],\n    readOnly: false,\n    mutationPolicy: policy,\n  } as AiAgentDefinition\n}\n\nasync function executeReadTool(\n  tool: AiToolDefinition,\n  args: Record<string, unknown>,\n  container: AwilixContainer,\n  ctx: McpToolContext,\n): Promise<unknown> {\n  // Mirror the dispatcher: resolve a fresh container per call so EM identity\n  // map state is clean between tools.\n  const fresh = await createRequestContainer()\n  const freshCtx: McpToolContext = { ...ctx, container: fresh, tool }\n  void container // keep arg for future use\n  return tool.handler(args as never, freshCtx)\n}\n\nasync function executeMutationTool(\n  tool: AiToolDefinition,\n  args: Record<string, unknown>,\n  container: AwilixContainer,\n  ctx: McpToolContext,\n): Promise<unknown> {\n  // Route through prepareMutation so we assert the approval contract still\n  // holds \u2014 the handler must NEVER write directly. We pass a destructive\n  // policy so the runtime treats the call as a confirmation candidate and\n  // creates a pending-action row.\n  const fresh = await createRequestContainer()\n  const agent = dummyAgentForTool(tool)\n  const userId = ctx.userId ?? '00000000-0000-0000-0000-000000000000'\n  const { uiPart, pendingAction } = await prepareMutation(\n    {\n      agent,\n      tool,\n      toolCallArgs: args,\n      conversationId: null,\n      mutationPolicyOverride: null,\n    },\n    {\n      tenantId: ctx.tenantId,\n      organizationId: ctx.organizationId,\n      userId,\n      features: ctx.userFeatures,\n      isSuperAdmin: ctx.isSuperAdmin,\n      container: fresh,\n    },\n  )\n  // Exercise the actual handler via the same path the production confirm\n  // route uses. Without this, mutation tools whose handler crashes (e.g.\n  // missing `ctx.tool` for the API operation runner) would be reported as\n  // passing because `prepareMutation` never invokes the handler.\n  // `prepareMutation` already enforced `tenantId` is non-null above; cast\n  // here for the stricter `PendingActionExecuteContext` shape.\n  const confirmTenantId = ctx.tenantId as string\n  const confirmContainer = await createRequestContainer()\n  const confirmation = await executePendingActionConfirm({\n    action: pendingAction,\n    agent,\n    tool,\n    ctx: {\n      tenantId: confirmTenantId,\n      organizationId: ctx.organizationId,\n      userId,\n      container: confirmContainer,\n      userFeatures: ctx.userFeatures,\n      isSuperAdmin: ctx.isSuperAdmin,\n    },\n    emitEvent: async () => {},\n  })\n  if (!confirmation.ok) {\n    const error = (confirmation.executionResult as { error?: { message?: string } } | undefined)?.error\n    const cause = confirmation.cause\n    const causeMessage =\n      cause instanceof Error\n        ? cause.message\n        : typeof cause === 'string'\n          ? cause\n          : null\n    const message = error?.message ?? causeMessage ?? 'handler invocation failed'\n    throw new Error(message)\n  }\n  return {\n    status: 'pending-confirmation',\n    pendingActionId: pendingAction.id,\n    expiresAt: pendingAction.expiresAt.toISOString(),\n    uiPartType: (uiPart as { type?: string } | undefined)?.type ?? null,\n    handlerExecuted: true,\n  }\n}\n\nasync function resolveFixtureInput(\n  fixture: ToolFixture,\n  resolved: Map<string, AiToolDefinition>,\n  container: AwilixContainer,\n  ctx: McpToolContext,\n): Promise<{ ok: true; input: Record<string, unknown> } | { ok: false; reason: string }> {\n  if (fixture.input) return { ok: true, input: { ...fixture.input } }\n  if (!fixture.idFrom) {\n    return { ok: false, reason: 'fixture has neither input nor idFrom' }\n  }\n  const sourceTool = resolved.get(fixture.idFrom)\n  if (!sourceTool) {\n    return { ok: false, reason: `idFrom tool not found: ${fixture.idFrom}` }\n  }\n  const sourceFixture = getFixture(fixture.idFrom)\n  if (!sourceFixture?.input) {\n    return {\n      ok: false,\n      reason: `idFrom source ${fixture.idFrom} has no static input fixture`,\n    }\n  }\n  let listResult: unknown\n  try {\n    listResult = await executeReadTool(\n      sourceTool,\n      { ...sourceFixture.input },\n      container,\n      ctx,\n    )\n  } catch (error) {\n    return {\n      ok: false,\n      reason: `idFrom source ${fixture.idFrom} threw: ${\n        error instanceof Error ? error.message : String(error)\n      }`,\n    }\n  }\n  const records = extractRecords(listResult)\n  if (!records.length) {\n    return {\n      ok: false,\n      reason: `idFrom source ${fixture.idFrom} returned no records`,\n    }\n  }\n  const idField = 'id'\n  const id = (records[0] as Record<string, unknown>)[idField]\n  if (typeof id !== 'string' || !id) {\n    return {\n      ok: false,\n      reason: `idFrom source ${fixture.idFrom} first record has no string id`,\n    }\n  }\n  const bindAs = fixture.bindAs ?? 'id'\n  return {\n    ok: true,\n    input: { [bindAs]: id, ...(fixture.extra ?? {}) },\n  }\n}\n\nfunction extractRecords(value: unknown): unknown[] {\n  if (!value || typeof value !== 'object') return []\n  const candidate = value as Record<string, unknown>\n  for (const key of ['records', 'items', 'people', 'companies', 'deals', 'results', 'data']) {\n    const arr = candidate[key]\n    if (Array.isArray(arr)) return arr\n  }\n  return []\n}\n\nexport interface RunToolTestsOptions {\n  tenantId?: string | null\n  organizationId?: string | null\n  userId?: string | null\n  moduleFilter?: string | null\n  includeMutations?: boolean\n}\n\nexport async function runToolTests(\n  options: RunToolTestsOptions = {},\n): Promise<ToolTestReport> {\n  const includeMutations = options.includeMutations ?? true\n  const container = await createRequestContainer()\n  let tenantId: string | null = options.tenantId ?? null\n  let organizationId: string | null = options.organizationId ?? null\n  let userId: string | null = options.userId ?? null\n  if (!tenantId) {\n    const picked = await pickDefaultTenant(container)\n    if (picked) {\n      tenantId = picked.tenantId\n      organizationId = picked.organizationId\n      userId = userId ?? picked.userId\n    }\n  }\n  const ctx = buildSuperAdminContext(container, tenantId, organizationId, userId)\n  const grouped = await loadGeneratedTools()\n\n  const flat: { moduleId: string; tool: AiToolDefinition }[] = []\n  for (const group of grouped) {\n    if (options.moduleFilter && group.moduleId !== options.moduleFilter) continue\n    for (const tool of group.tools) flat.push({ moduleId: group.moduleId, tool })\n  }\n  const resolved = new Map<string, AiToolDefinition>()\n  for (const { tool } of flat) resolved.set(tool.name, tool)\n\n  const records: ToolTestRecord[] = []\n  for (const { moduleId, tool } of flat) {\n    const start = Date.now()\n    const isMutation = tool.isMutation === true\n    const fixture = getFixture(tool.name)\n    if (!fixture) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'skip',\n        durationMs: Date.now() - start,\n        reason: 'no fixture',\n      })\n      continue\n    }\n    if (fixture.skip) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'skip',\n        durationMs: Date.now() - start,\n        reason: fixture.note ?? 'skip-by-fixture',\n      })\n      continue\n    }\n    if (isMutation && !includeMutations) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'skip',\n        durationMs: Date.now() - start,\n        reason: 'mutations excluded',\n      })\n      continue\n    }\n    const inputResult = await resolveFixtureInput(fixture, resolved, container, ctx)\n    if (!inputResult.ok) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'skip',\n        durationMs: Date.now() - start,\n        reason: inputResult.reason,\n      })\n      continue\n    }\n    try {\n      const result = isMutation\n        ? await executeMutationTool(tool, inputResult.input, container, ctx)\n        : await executeReadTool(tool, inputResult.input, container, ctx)\n      // Result must be JSON-serializable.\n      JSON.stringify(result)\n      // Mutation tools must return a pending-confirmation envelope.\n      if (\n        isMutation &&\n        (typeof result !== 'object' ||\n          result === null ||\n          (result as Record<string, unknown>).status !== 'pending-confirmation')\n      ) {\n        records.push({\n          module: moduleId,\n          tool: tool.name,\n          isMutation,\n          status: 'fail',\n          durationMs: Date.now() - start,\n          reason: 'mutation tool did not route through prepareMutation (no pending-confirmation envelope)',\n          resultPreview: clipPreview(result),\n        })\n        continue\n      }\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'pass',\n        durationMs: Date.now() - start,\n        resultPreview: clipPreview(result),\n      })\n    } catch (error) {\n      records.push({\n        module: moduleId,\n        tool: tool.name,\n        isMutation,\n        status: 'fail',\n        durationMs: Date.now() - start,\n        reason: error instanceof Error ? error.message : String(error),\n      })\n    }\n  }\n  const passed = records.filter((r) => r.status === 'pass').length\n  const failed = records.filter((r) => r.status === 'fail').length\n  const skipped = records.filter((r) => r.status === 'skip').length\n  return {\n    tenantId,\n    organizationId,\n    total: records.length,\n    passed,\n    failed,\n    skipped,\n    records,\n  }\n}\n"],
+  "mappings": "AAgBA,OAAO,UAAU;AACjB,OAAO,QAAQ;AACf,SAAS,eAAe,qBAAqB;AAE7C,SAAS,8BAA8B;AAGvC,SAAS,kBAAoC;AAC7C,SAAS,uBAAuB;AAChC,SAAS,mCAAmC;AA6B5C,SAAS,iBAAiB,OAA2C;AACnE,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO;AAChD,QAAM,YAAY;AAClB,SACE,OAAO,UAAU,SAAS,YAC1B,OAAO,UAAU,gBAAgB,YACjC,UAAU,gBAAgB,UAC1B,OAAO,UAAU,YAAY;AAEjC;AASA,SAAS,2BAA0C;AACjD,QAAM,QAAQ,MAAM;AAClB,QAAI;AACF,aAAO,cAAc,YAAY,GAAG;AAAA,IACtC,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF,GAAG;AACH,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,SAAS,KAAK,QAAQ,IAAI;AAC9B,WAAS,IAAI,GAAG,IAAI,IAAI,KAAK;AAC3B,UAAM,YAAY,KAAK,KAAK,QAAQ,QAAQ,WAAW,YAAY,aAAa,uBAAuB;AACvG,QAAI,GAAG,WAAW,SAAS,EAAG,QAAO;AACrC,UAAM,OAAO,KAAK,QAAQ,MAAM;AAChC,QAAI,SAAS,OAAQ;AACrB,aAAS;AAAA,EACX;AAEA,QAAM,UAAU,KAAK,QAAQ,QAAQ,IAAI,GAAG,QAAQ,WAAW,YAAY,aAAa,uBAAuB;AAC/G,MAAI,GAAG,WAAW,OAAO,EAAG,QAAO;AACnC,QAAM,gBAAgB,KAAK,QAAQ,QAAQ,IAAI,GAAG,YAAY,aAAa,uBAAuB;AAClG,MAAI,GAAG,WAAW,aAAa,EAAG,QAAO;AACzC,SAAO;AACT;AASA,eAAe,0BAA0B,QAA2C;AAClF,QAAM,SAAS,OAAO,QAAQ,SAAS,MAAM;AAE7C,QAAM,UAAU,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,MAAM,CAAC,CAAC;AAC/D,QAAM,WAAW,GAAG,WAAW,MAAM;AACrC,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,MAAM,6BAA6B,MAAM,EAAE;AAAA,EACvD;AACA,QAAM,WAAW,GAAG,WAAW,MAAM;AACrC,QAAM,eACJ,CAAC,YAAY,GAAG,SAAS,MAAM,EAAE,UAAU,GAAG,SAAS,MAAM,EAAE;AACjE,MAAI,cAAc;AAChB,UAAM,UAAU,MAAM,OAAO,SAAS;AAOtC,UAAM,WAAW,GAAG,aAAa,QAAQ,OAAO;AAEhD,UAAM,iBAAiB,SAAS;AAAA,MAC9B;AAAA,MACA,CAAC,QAAQ,OAAe;AACtB,cAAM,SAAS,KAAK,KAAK,SAAS,EAAE;AACpC,cAAM,YAAY,GAAG,WAAW,MAAM,IAClC,SACA,GAAG,WAAW,SAAS,KAAK,IAC1B,SAAS,QACT;AACN,eAAO,QAAQ,KAAK,UAAU,cAAc,SAAS,EAAE,IAAI,CAAC;AAAA,MAC9D;AAAA,IACF,EAAE;AAAA,MACA;AAAA,MACA,CAAC,QAAQ,OAAe;AACtB,cAAM,SAAS,KAAK,KAAK,SAAS,EAAE;AACpC,cAAM,YAAY,GAAG,WAAW,MAAM,IAClC,SACA,GAAG,WAAW,SAAS,KAAK,IAC1B,SAAS,QACT;AACN,eAAO,UAAU,KAAK,UAAU,cAAc,SAAS,EAAE,IAAI,CAAC;AAAA,MAChE;AAAA,IACF;AACA,UAAM,SAAS,MAAM,QAAQ,UAAU,gBAAgB;AAAA,MACrD,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,WAAW;AAAA,MACX,YAAY;AAAA,IACd,CAAC;AACD,OAAG,cAAc,QAAQ,OAAO,IAAI;AAAA,EACtC;AACA,SAAQ,MAAM,OAAO,cAAc,MAAM,EAAE;AAC7C;AAQA,eAAe,kCAAkC,cAAqC;AACpF,QAAM,SAAS,KAAK,KAAK,cAAc,yBAAyB;AAChE,MAAI,CAAC,GAAG,WAAW,MAAM,EAAG;AAC5B,MAAI;AACF,UAAM,MAAO,MAAM,0BAA0B,MAAM;AACnD,UAAM,YAAa,IAAgC;AACnD,QAAI,CAAC,MAAM,QAAQ,SAAS,GAAG;AAC7B,cAAQ,KAAK,yEAAyE;AACtF;AAAA,IACF;AACA,UAAM,WAAW,MAAM,OAAO,uCAAuC;AACrE,aAAS;AAAA,MACP;AAAA,IACF;AACA,QAAI,QAAQ,IAAI,uBAAuB,KAAK;AAC1C,cAAQ;AAAA,QACN,iCAAiC,UAAU,MAAM,uDAAuD,SAAS,qBAAqB,EAAE,MAAM;AAAA,MAChJ;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,YAAQ;AAAA,MACN;AAAA,MACA,iBAAiB,QAAQ,MAAM,UAAU;AAAA,IAC3C;AAAA,EACF;AACF;AAEA,eAAe,qBAAiF;AAC9F,QAAM,SAAS,yBAAyB;AACxC,MAAI,CAAC,QAAQ;AACX,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,kCAAkC,KAAK,QAAQ,MAAM,CAAC;AAC5D,QAAM,MAAM,MAAM,0BAA0B,MAAM;AAClD,QAAM,UAAU,IAAI,0BAA0B,IAAI,uBAAuB,CAAC;AAC1E,QAAM,SAA4D,CAAC;AACnE,aAAW,SAAS,SAAS;AAC3B,QAAI,CAAC,SAAS,OAAO,MAAM,aAAa,SAAU;AAClD,UAAM,QAAQ,MAAM,QAAQ,MAAM,KAAK,IACnC,MAAM,MAAM,OAAO,gBAAgB,IACnC,CAAC;AACL,WAAO,KAAK,EAAE,UAAU,MAAM,UAAU,MAAM,CAAC;AAAA,EACjD;AACA,SAAO;AACT;AAEA,eAAsB,kBACpB,WAC4F;AAC5F,MAAI;AACF,UAAM,KAAK,UAAU,QAIlB,IAAI;AAKP,UAAM,OAAO,GAAG,cAAc;AAC9B,UAAM,aAAa,MAAM,KAAK;AAAA,MAC5B;AAAA,IACF;AACA,UAAM,WACJ,MAAM,QAAQ,UAAU,KAAK,WAAW,CAAC,IACrC,OAAQ,WAAW,CAAC,EAA8B,EAAE,IACpD;AACN,QAAI,CAAC,SAAU,QAAO;AACtB,UAAM,UAAU,MAAM,KAAK;AAAA,MACzB;AAAA,MACA,CAAC,QAAQ;AAAA,IACX;AACA,UAAM,iBACJ,MAAM,QAAQ,OAAO,KAAK,QAAQ,CAAC,IAC/B,OAAQ,QAAQ,CAAC,EAA8B,EAAE,IACjD;AACN,UAAM,WAAW,MAAM,KAAK;AAAA,MAC1B;AAAA,MACA,CAAC,QAAQ;AAAA,IACX;AACA,UAAM,SACJ,MAAM,QAAQ,QAAQ,KAAK,SAAS,CAAC,IACjC,OAAQ,SAAS,CAAC,EAA8B,EAAE,IAClD;AACN,WAAO,EAAE,UAAU,gBAAgB,OAAO;AAAA,EAC5C,SAAS,OAAO;AACd,QAAI,QAAQ,IAAI,uBAAuB,KAAK;AAC1C,cAAQ,KAAK,gDAAgD,KAAK;AAAA,IACpE;AACA,WAAO;AAAA,EACT;AACF;AAEA,SAAS,uBACP,WACA,UACA,gBACA,QACgB;AAChB,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,cAAc,CAAC,GAAG;AAAA,IAClB,cAAc;AAAA,EAChB;AACF;AAEA,SAAS,YAAY,OAAyB;AAC5C,MAAI;AACF,UAAM,OAAO,KAAK,UAAU,KAAK;AACjC,QAAI,KAAK,UAAU,IAAK,QAAO;AAC/B,WAAO,GAAG,KAAK,MAAM,GAAG,GAAG,CAAC,qBAAgB,KAAK,MAAM;AAAA,EACzD,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,SAAS,kBAAkB,MAA2C;AAIpE,QAAM,SAAgC;AACtC,SAAO;AAAA,IACL,IAAI,YAAY,KAAK,IAAI;AAAA,IACzB,UAAU,KAAK,KAAK,MAAM,GAAG,EAAE,CAAC,KAAK;AAAA,IACrC,OAAO;AAAA,IACP,aAAa;AAAA,IACb,cAAc;AAAA,IACd,cAAc,CAAC,KAAK,IAAI;AAAA,IACxB,UAAU;AAAA,IACV,gBAAgB;AAAA,EAClB;AACF;AAEA,eAAe,gBACb,MACA,MACA,WACA,KACkB;AAGlB,QAAM,QAAQ,MAAM,uBAAuB;AAC3C,QAAM,WAA2B,EAAE,GAAG,KAAK,WAAW,OAAO,KAAK;AAClE,OAAK;AACL,SAAO,KAAK,QAAQ,MAAe,QAAQ;AAC7C;AAEA,eAAe,oBACb,MACA,MACA,WACA,KACkB;AAKlB,QAAM,QAAQ,MAAM,uBAAuB;AAC3C,QAAM,QAAQ,kBAAkB,IAAI;AACpC,QAAM,SAAS,IAAI,UAAU;AAC7B,QAAM,EAAE,QAAQ,cAAc,IAAI,MAAM;AAAA,IACtC;AAAA,MACE;AAAA,MACA;AAAA,MACA,cAAc;AAAA,MACd,gBAAgB;AAAA,MAChB,wBAAwB;AAAA,IAC1B;AAAA,IACA;AAAA,MACE,UAAU,IAAI;AAAA,MACd,gBAAgB,IAAI;AAAA,MACpB;AAAA,MACA,UAAU,IAAI;AAAA,MACd,cAAc,IAAI;AAAA,MAClB,WAAW;AAAA,IACb;AAAA,EACF;AAOA,QAAM,kBAAkB,IAAI;AAC5B,QAAM,mBAAmB,MAAM,uBAAuB;AACtD,QAAM,eAAe,MAAM,4BAA4B;AAAA,IACrD,QAAQ;AAAA,IACR;AAAA,IACA;AAAA,IACA,KAAK;AAAA,MACH,UAAU;AAAA,MACV,gBAAgB,IAAI;AAAA,MACpB;AAAA,MACA,WAAW;AAAA,MACX,cAAc,IAAI;AAAA,MAClB,cAAc,IAAI;AAAA,IACpB;AAAA,IACA,WAAW,YAAY;AAAA,IAAC;AAAA,EAC1B,CAAC;AACD,MAAI,CAAC,aAAa,IAAI;AACpB,UAAM,QAAS,aAAa,iBAAkE;AAC9F,UAAM,QAAQ,aAAa;AAC3B,UAAM,eACJ,iBAAiB,QACb,MAAM,UACN,OAAO,UAAU,WACf,QACA;AACR,UAAM,UAAU,OAAO,WAAW,gBAAgB;AAClD,UAAM,IAAI,MAAM,OAAO;AAAA,EACzB;AACA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,iBAAiB,cAAc;AAAA,IAC/B,WAAW,cAAc,UAAU,YAAY;AAAA,IAC/C,YAAa,QAA0C,QAAQ;AAAA,IAC/D,iBAAiB;AAAA,EACnB;AACF;AAEA,eAAe,oBACb,SACA,UACA,WACA,KACuF;AACvF,MAAI,QAAQ,MAAO,QAAO,EAAE,IAAI,MAAM,OAAO,EAAE,GAAG,QAAQ,MAAM,EAAE;AAClE,MAAI,CAAC,QAAQ,QAAQ;AACnB,WAAO,EAAE,IAAI,OAAO,QAAQ,uCAAuC;AAAA,EACrE;AACA,QAAM,aAAa,SAAS,IAAI,QAAQ,MAAM;AAC9C,MAAI,CAAC,YAAY;AACf,WAAO,EAAE,IAAI,OAAO,QAAQ,0BAA0B,QAAQ,MAAM,GAAG;AAAA,EACzE;AACA,QAAM,gBAAgB,WAAW,QAAQ,MAAM;AAC/C,MAAI,CAAC,eAAe,OAAO;AACzB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,iBAAiB,QAAQ,MAAM;AAAA,IACzC;AAAA,EACF;AACA,MAAI;AACJ,MAAI;AACF,iBAAa,MAAM;AAAA,MACjB;AAAA,MACA,EAAE,GAAG,cAAc,MAAM;AAAA,MACzB;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,OAAO;AACd,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,iBAAiB,QAAQ,MAAM,WACrC,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CACvD;AAAA,IACF;AAAA,EACF;AACA,QAAM,UAAU,eAAe,UAAU;AACzC,MAAI,CAAC,QAAQ,QAAQ;AACnB,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,iBAAiB,QAAQ,MAAM;AAAA,IACzC;AAAA,EACF;AACA,QAAM,UAAU;AAChB,QAAM,KAAM,QAAQ,CAAC,EAA8B,OAAO;AAC1D,MAAI,OAAO,OAAO,YAAY,CAAC,IAAI;AACjC,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,iBAAiB,QAAQ,MAAM;AAAA,IACzC;AAAA,EACF;AACA,QAAM,SAAS,QAAQ,UAAU;AACjC,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,OAAO,EAAE,CAAC,MAAM,GAAG,IAAI,GAAI,QAAQ,SAAS,CAAC,EAAG;AAAA,EAClD;AACF;AAEA,SAAS,eAAe,OAA2B;AACjD,MAAI,CAAC,SAAS,OAAO,UAAU,SAAU,QAAO,CAAC;AACjD,QAAM,YAAY;AAClB,aAAW,OAAO,CAAC,WAAW,SAAS,UAAU,aAAa,SAAS,WAAW,MAAM,GAAG;AACzF,UAAM,MAAM,UAAU,GAAG;AACzB,QAAI,MAAM,QAAQ,GAAG,EAAG,QAAO;AAAA,EACjC;AACA,SAAO,CAAC;AACV;AAUA,eAAsB,aACpB,UAA+B,CAAC,GACP;AACzB,QAAM,mBAAmB,QAAQ,oBAAoB;AACrD,QAAM,YAAY,MAAM,uBAAuB;AAC/C,MAAI,WAA0B,QAAQ,YAAY;AAClD,MAAI,iBAAgC,QAAQ,kBAAkB;AAC9D,MAAI,SAAwB,QAAQ,UAAU;AAC9C,MAAI,CAAC,UAAU;AACb,UAAM,SAAS,MAAM,kBAAkB,SAAS;AAChD,QAAI,QAAQ;AACV,iBAAW,OAAO;AAClB,uBAAiB,OAAO;AACxB,eAAS,UAAU,OAAO;AAAA,IAC5B;AAAA,EACF;AACA,QAAM,MAAM,uBAAuB,WAAW,UAAU,gBAAgB,MAAM;AAC9E,QAAM,UAAU,MAAM,mBAAmB;AAEzC,QAAM,OAAuD,CAAC;AAC9D,aAAW,SAAS,SAAS;AAC3B,QAAI,QAAQ,gBAAgB,MAAM,aAAa,QAAQ,aAAc;AACrE,eAAW,QAAQ,MAAM,MAAO,MAAK,KAAK,EAAE,UAAU,MAAM,UAAU,KAAK,CAAC;AAAA,EAC9E;AACA,QAAM,WAAW,oBAAI,IAA8B;AACnD,aAAW,EAAE,KAAK,KAAK,KAAM,UAAS,IAAI,KAAK,MAAM,IAAI;AAEzD,QAAM,UAA4B,CAAC;AACnC,aAAW,EAAE,UAAU,KAAK,KAAK,MAAM;AACrC,UAAM,QAAQ,KAAK,IAAI;AACvB,UAAM,aAAa,KAAK,eAAe;AACvC,UAAM,UAAU,WAAW,KAAK,IAAI;AACpC,QAAI,CAAC,SAAS;AACZ,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ;AAAA,MACV,CAAC;AACD;AAAA,IACF;AACA,QAAI,QAAQ,MAAM;AAChB,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ,QAAQ,QAAQ;AAAA,MAC1B,CAAC;AACD;AAAA,IACF;AACA,QAAI,cAAc,CAAC,kBAAkB;AACnC,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ;AAAA,MACV,CAAC;AACD;AAAA,IACF;AACA,UAAM,cAAc,MAAM,oBAAoB,SAAS,UAAU,WAAW,GAAG;AAC/E,QAAI,CAAC,YAAY,IAAI;AACnB,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ,YAAY;AAAA,MACtB,CAAC;AACD;AAAA,IACF;AACA,QAAI;AACF,YAAM,SAAS,aACX,MAAM,oBAAoB,MAAM,YAAY,OAAO,WAAW,GAAG,IACjE,MAAM,gBAAgB,MAAM,YAAY,OAAO,WAAW,GAAG;AAEjE,WAAK,UAAU,MAAM;AAErB,UACE,eACC,OAAO,WAAW,YACjB,WAAW,QACV,OAAmC,WAAW,yBACjD;AACA,gBAAQ,KAAK;AAAA,UACX,QAAQ;AAAA,UACR,MAAM,KAAK;AAAA,UACX;AAAA,UACA,QAAQ;AAAA,UACR,YAAY,KAAK,IAAI,IAAI;AAAA,UACzB,QAAQ;AAAA,UACR,eAAe,YAAY,MAAM;AAAA,QACnC,CAAC;AACD;AAAA,MACF;AACA,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,eAAe,YAAY,MAAM;AAAA,MACnC,CAAC;AAAA,IACH,SAAS,OAAO;AACd,cAAQ,KAAK;AAAA,QACX,QAAQ;AAAA,QACR,MAAM,KAAK;AAAA,QACX;AAAA,QACA,QAAQ;AAAA,QACR,YAAY,KAAK,IAAI,IAAI;AAAA,QACzB,QAAQ,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,MAC/D,CAAC;AAAA,IACH;AAAA,EACF;AACA,QAAM,SAAS,QAAQ,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AAC1D,QAAM,SAAS,QAAQ,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AAC1D,QAAM,UAAU,QAAQ,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM,EAAE;AAC3D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,OAAO,QAAQ;AAAA,IACf;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;",
   "names": []
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@open-mercato/ai-assistant",
-  "version": "0.6.4-develop.4382.1.6b4f656b77",
+  "version": "0.6.4",
   "type": "module",
   "engines": {
     "node": ">=22.0.0"
@@ -87,9 +87,9 @@
   "dependencies": {
     "@ai-sdk/anthropic": "^3.0.81",
     "@ai-sdk/google": "^3.0.80",
-    "@ai-sdk/openai": "^3.0.67",
+    "@ai-sdk/openai": "^3.0.68",
     "@modelcontextprotocol/sdk": "^1.29.0",
-    "ai": "^6.0.194",
+    "ai": "^6.0.197",
     "cmdk": "^1.0.0",
     "framer-motion": "^12.40.0",
     "isolated-vm": "^7.0.0",
@@ -98,17 +98,17 @@
     "zod-to-json-schema": "^3.25.2"
   },
   "peerDependencies": {
-    "@open-mercato/shared": "0.6.4-develop.4382.1.6b4f656b77",
-    "@open-mercato/ui": "0.6.4-develop.4382.1.6b4f656b77",
+    "@open-mercato/shared": "0.6.4",
+    "@open-mercato/ui": "0.6.4",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "zod": ">=3.23.0"
   },
   "devDependencies": {
-    "@open-mercato/cli": "0.6.4-develop.4382.1.6b4f656b77",
-    "@open-mercato/shared": "0.6.4-develop.4382.1.6b4f656b77",
-    "@open-mercato/ui": "0.6.4-develop.4382.1.6b4f656b77",
-    "@types/react": "^19.2.16",
+    "@open-mercato/cli": "0.6.4",
+    "@open-mercato/shared": "0.6.4",
+    "@open-mercato/ui": "0.6.4",
+    "@types/react": "^19.2.17",
     "@types/react-dom": "^19.2.3",
     "react": "19.2.7",
     "react-dom": "19.2.7",
@@ -122,6 +122,5 @@
     "type": "git",
     "url": "https://github.com/open-mercato/open-mercato",
     "directory": "packages/ai-assistant"
-  },
-  "stableVersion": "0.6.3"
+  }
 }

package/src/modules/ai_assistant/__integration__/TC-AI-ACTIONS-PENDING-004-confirm-cancel-mutations.spec.ts ADDED Viewed

@@ -0,0 +1,209 @@
+import { test, expect, request as playwrightRequest } from '@playwright/test';
+import { randomUUID } from 'node:crypto';
+import { apiRequest, getAuthToken } from '@open-mercato/core/helpers/integration/api';
+import {
+  createRoleFixture,
+  deleteRoleIfExists,
+  createUserFixture,
+  deleteUserIfExists,
+  setUserAclVisibility,
+} from '@open-mercato/core/helpers/integration/authFixtures';
+import { deleteUserAclInDb } from '@open-mercato/core/helpers/integration/dbFixtures';
+import { getTokenScope, readJsonSafe } from '@open-mercato/core/helpers/integration/generalFixtures';
+import {
+  seedPendingActionInDb,
+  deletePendingActionInDb,
+  type SeedPendingActionInput,
+} from './helpers/aiAssistantFixtures';
+/**
+ * TC-AI-ACTIONS-PENDING-004 — Pending action confirm/cancel (mutation-approval gate).
+ * Source: GitHub issue #2495.
+ *
+ * Surfaces under test:
+ *   - /api/ai_assistant/ai/actions/{id}            (GET)
+ *   - /api/ai_assistant/ai/actions/{id}/confirm     (POST)
+ *   - /api/ai_assistant/ai/actions/{id}/cancel       (POST)
+ *
+ * Contract notes verified against the route handlers:
+ *   - there is NO public route to CREATE a pending action (it is born only from
+ *     the internal `prepareMutation` path), so rows are seeded directly via SQL.
+ *   - GET strips `normalizedInput`, `createdByUserId`, `idempotencyKey`,
+ *     `tenantId`, `organizationId` from the client serialization.
+ *   - confirm/cancel are idempotent at the route layer; an already-terminal row
+ *     short-circuits (200) rather than throwing.
+ *   - cancelling an expired row -> 409 `expired`; confirming a cancelled row ->
+ *     409 `invalid_status`; unknown id -> 404 `pending_action_not_found`.
+ *   - all three require `ai_assistant.view`.
+ *
+ * The confirm HAPPY path is exercised via the terminal short-circuit (a seeded
+ * `confirmed` row) so the test stays deterministic and provider-free — driving a
+ * real `pending -> confirmed` transition would execute a live tool mutation that
+ * depends on the agent/tool registry and an LLM-proposed payload.
+ */
+const ACTIONS = '/api/ai_assistant/ai/actions';
+interface SerializedPendingAction {
+  id: string;
+  agentId: string;
+  toolName: string;
+  status: string;
+  createdAt: string;
+  expiresAt: string;
+  executionResult: unknown;
+  normalizedInput?: unknown;
+  createdByUserId?: unknown;
+  idempotencyKey?: unknown;
+  tenantId?: unknown;
+  organizationId?: unknown;
+}
+test.describe('TC-AI-ACTIONS-PENDING-004: Pending action confirm/cancel', () => {
+  test('GET serialization, cancel + confirm idempotency, and state-machine guards', async ({ request }) => {
+    test.slow();
+    const adminToken = await getAuthToken(request, 'admin');
+    const { tenantId, organizationId, userId: adminId } = getTokenScope(adminToken);
+    const seededIds: string[] = [];
+    const seed = async (overrides: Partial<SeedPendingActionInput>) => {
+      const row = await seedPendingActionInDb({
+        tenantId,
+        organizationId: organizationId || null,
+        createdByUserId: adminId,
+        ...overrides,
+      });
+      seededIds.push(row.id);
+      return row;
+    };
+    try {
+      // GET returns the client serialization with privileged fields stripped.
+      const pending = await seed({ status: 'pending' });
+      const getRes = await apiRequest(request, 'GET', `${ACTIONS}/${pending.id}`, { token: adminToken });
+      expect(getRes.status()).toBe(200);
+      const body = await readJsonSafe<SerializedPendingAction>(getRes);
+      expect(body?.id).toBe(pending.id);
+      expect(body?.status).toBe('pending');
+      expect(typeof body?.agentId).toBe('string');
+      expect(typeof body?.expiresAt).toBe('string');
+      expect(body?.normalizedInput, 'normalizedInput is stripped').toBeUndefined();
+      expect(body?.createdByUserId, 'createdByUserId is stripped').toBeUndefined();
+      expect(body?.idempotencyKey, 'idempotencyKey is stripped').toBeUndefined();
+      expect(body?.tenantId, 'tenantId is stripped').toBeUndefined();
+      expect(body?.organizationId, 'organizationId is stripped').toBeUndefined();
+      // Cancel happy path + idempotency.
+      const cancelable = await seed({ status: 'pending' });
+      const cancel = await apiRequest(request, 'POST', `${ACTIONS}/${cancelable.id}/cancel`, {
+        token: adminToken,
+        data: { reason: 'user_rejected' },
+      });
+      expect(cancel.status()).toBe(200);
+      const cancelBody = await readJsonSafe<{ ok: boolean; pendingAction: SerializedPendingAction }>(cancel);
+      expect(cancelBody?.ok).toBe(true);
+      expect(cancelBody?.pendingAction.status).toBe('cancelled');
+      const cancelAgain = await apiRequest(request, 'POST', `${ACTIONS}/${cancelable.id}/cancel`, {
+        token: adminToken,
+        data: {},
+      });
+      expect(cancelAgain.status(), 'cancel is idempotent').toBe(200);
+      expect((await readJsonSafe<{ pendingAction: SerializedPendingAction }>(cancelAgain))?.pendingAction.status).toBe(
+        'cancelled',
+      );
+      // Confirm happy path via the terminal short-circuit (seeded confirmed row).
+      const confirmed = await seed({ status: 'confirmed', executionResult: { recordId: 'seeded-record' } });
+      const confirm = await apiRequest(request, 'POST', `${ACTIONS}/${confirmed.id}/confirm`, {
+        token: adminToken,
+        data: {},
+      });
+      expect(confirm.status()).toBe(200);
+      const confirmBody = await readJsonSafe<{ ok: boolean; pendingAction: SerializedPendingAction; mutationResult: unknown }>(
+        confirm,
+      );
+      expect(confirmBody?.ok).toBe(true);
+      expect(confirmBody?.pendingAction.status).toBe('confirmed');
+      expect(confirmBody?.mutationResult).toEqual({ recordId: 'seeded-record' });
+      // Confirming a cancelled row -> 409 invalid_status.
+      const cancelledRow = await seed({ status: 'cancelled' });
+      const confirmCancelled = await apiRequest(request, 'POST', `${ACTIONS}/${cancelledRow.id}/confirm`, {
+        token: adminToken,
+        data: {},
+      });
+      expect(confirmCancelled.status()).toBe(409);
+      expect((await readJsonSafe<{ code?: string }>(confirmCancelled))?.code).toBe('invalid_status');
+      // Cancelling an expired row -> 409 expired.
+      const expiredRow = await seed({ status: 'pending', expiresInMinutes: -10 });
+      const cancelExpired = await apiRequest(request, 'POST', `${ACTIONS}/${expiredRow.id}/cancel`, {
+        token: adminToken,
+        data: {},
+      });
+      expect(cancelExpired.status()).toBe(409);
+      expect((await readJsonSafe<{ code?: string }>(cancelExpired))?.code).toBe('expired');
+      // Unknown id -> 404; over-long id -> 400 validation_error.
+      const notFound = await apiRequest(request, 'GET', `${ACTIONS}/${randomUUID()}`, { token: adminToken });
+      expect(notFound.status()).toBe(404);
+      expect((await readJsonSafe<{ code?: string }>(notFound))?.code).toBe('pending_action_not_found');
+      const tooLong = await apiRequest(request, 'GET', `${ACTIONS}/${'a'.repeat(200)}`, { token: adminToken });
+      expect(tooLong.status()).toBe(400);
+      expect((await readJsonSafe<{ code?: string }>(tooLong))?.code).toBe('validation_error');
+    } finally {
+      for (const id of seededIds) {
+        await deletePendingActionInDb(id).catch(() => undefined);
+      }
+    }
+  });
+  test('auth gates: unauthenticated 401 and missing ai_assistant.view 403', async ({ request, baseURL }) => {
+    test.slow();
+    const adminToken = await getAuthToken(request, 'admin');
+    const { tenantId, organizationId, userId: adminId } = getTokenScope(adminToken);
+    const stamp = randomUUID().slice(0, 8);
+    const password = 'Secret123!';
+    let seededId: string | null = null;
+    let roleId: string | null = null;
+    let userId: string | null = null;
+    try {
+      const row = await seedPendingActionInDb({
+        tenantId,
+        organizationId: organizationId || null,
+        createdByUserId: adminId,
+        status: 'pending',
+      });
+      seededId = row.id;
+      // Unauthenticated GET -> 401 (fresh context, no session cookie).
+      const anon = await playwrightRequest.newContext({ baseURL });
+      try {
+        const res = await anon.fetch(`${ACTIONS}/${seededId}`, { method: 'GET' });
+        expect(res.status()).toBe(401);
+      } finally {
+        await anon.dispose();
+      }
+      // Authenticated user lacking ai_assistant.view -> 403.
+      roleId = await createRoleFixture(request, adminToken, { name: `IT Pending Role ${stamp}` });
+      userId = await createUserFixture(request, adminToken, {
+        email: `it-pending-${stamp}@example.com`,
+        password,
+        organizationId,
+        roles: [roleId],
+      });
+      await setUserAclVisibility(request, adminToken, { userId, features: [], organizations: null });
+      const viewlessToken = await getAuthToken(request, `it-pending-${stamp}@example.com`, password);
+      const denied = await apiRequest(request, 'GET', `${ACTIONS}/${seededId}`, { token: viewlessToken });
+      expect(denied.status(), 'caller without ai_assistant.view is 403').toBe(403);
+    } finally {
+      await deletePendingActionInDb(seededId).catch(() => undefined);
+      await deleteUserAclInDb(userId ?? '').catch(() => undefined);
+      await deleteUserIfExists(request, adminToken, userId);
+      await deleteRoleIfExists(request, adminToken, roleId);
+    }
+  });
+});

package/src/modules/ai_assistant/__integration__/TC-AI-AGENT-LOOP-001-006.spec.ts CHANGED Viewed

@@ -372,10 +372,7 @@ test.describe('TC-AI-AGENT-LOOP-001–006: agentic loop controls', () => {
       test.setTimeout(60_000);
       await login(page, 'superadmin');
-      let capturedAgentsPayload: typeof agentsPayload | null = null;
       await page.route('**/api/ai_assistant/ai/agents', async (route) => {
-        capturedAgentsPayload = agentsPayload;
         await route.fulfill({
           status: 200,
           contentType: 'application/json',
@@ -383,31 +380,22 @@ test.describe('TC-AI-AGENT-LOOP-001–006: agentic loop controls', () => {
         });
       });
-      // The agents request fires from a post-hydration `useQuery`, not from
-      // navigation, so the route handler that sets `capturedAgentsPayload` runs
-      // after `goto` resolves. Await the response deterministically instead of
-      // asserting the captured payload immediately (which races hydration).
-      const agentsResponsePromise = page.waitForResponse(
-        (response) =>
-          response.url().includes('/api/ai_assistant/ai/agents') &&
-          response.request().method() === 'GET',
-      );
-      await page.goto(playgroundPath, { waitUntil: 'domcontentloaded' });
-      await agentsResponsePromise;
+      const capturedAgentsPayload = await page.evaluate(async () => {
+        const response = await fetch('/api/ai_assistant/ai/agents');
+        return (await response.json()) as typeof agentsPayload;
+      });
       // Verify that the mocked payload carrying executionEngine was served.
       // This asserts the agents API contract for Phase 5:
       // - tool-loop-agent entries include `executionEngine: 'tool-loop-agent'`
       // - stream-text entries either omit it or set `executionEngine: 'stream-text'`
-      expect(capturedAgentsPayload).not.toBeNull();
-      const toolLoopEntry = capturedAgentsPayload!.agents.find(
+      const toolLoopEntry = capturedAgentsPayload.agents.find(
         (a: (typeof agentsPayload)['agents'][number]) => a.id === 'catalog.tool_loop_assistant',
       );
       expect(toolLoopEntry).toBeDefined();
       expect(toolLoopEntry?.executionEngine).toBe('tool-loop-agent');
-      const streamTextEntry = capturedAgentsPayload!.agents.find(
+      const streamTextEntry = capturedAgentsPayload.agents.find(
         (a: (typeof agentsPayload)['agents'][number]) => a.id === 'customers.account_assistant',
       );
       expect(streamTextEntry).toBeDefined();