@peonai/swarm 0.1.0

package/.dockerignore

@@ -0,0 +1,6 @@
+node_modules
+.next
+data
+*.db
+.git
+.env

package/Dockerfile

@@ -0,0 +1,9 @@
+FROM node:24-alpine
+WORKDIR /app
+COPY package.json package-lock.json ./
+RUN npm ci --production=false
+COPY . .
+RUN npm run build
+ENV NODE_ENV=production PORT=3777
+EXPOSE 3777
+CMD ["npm", "start"]

package/README.md

@@ -0,0 +1,29 @@
+# Swarm AI
+
+Cross-agent user profile sync. Let every AI agent know your user without re-teaching.
+
+## Quick Start
+
+```bash
+npx swarm-ai
+# or
+npm install -g swarm-ai
+swarm-ai
+```
+
+Server runs on `http://localhost:3777`.
+
+## Features
+
+- User profile management (layered: identity, preferences, context)
+- Shared memory across agents
+- Agent persona management
+- MCP Server for agent integration
+- Skills for OpenClaw, Claude Code, Codex, Cursor, Gemini, OpenCode
+- SQLite (dev) / PostgreSQL (prod)
+- Web dashboard
+- Audit logging
+
+## Docs
+
+See [docs/REQUIREMENTS.md](docs/REQUIREMENTS.md) for full architecture.

package/app/api/health/route.ts

@@ -0,0 +1,2 @@
+import { NextResponse } from 'next/server';
+export function GET() { return NextResponse.json({ ok: true, version: '0.1.0' }); }

package/app/api/v1/admin/agents/[id]/route.ts

@@ -0,0 +1,12 @@
+export const dynamic = "force-dynamic";
+import { NextRequest, NextResponse } from 'next/server';
+import db from '@/lib/db';
+import { initSchema } from '@/lib/schema';
+import { withAdmin } from '@/lib/auth';
+
+export const DELETE = withAdmin(async (req, userId) => {
+  await initSchema();
+  const id = req.nextUrl.pathname.split('/').pop() ?? '';
+  await db.prepare('DELETE FROM agents WHERE id = ? AND user_id = ?').run(id, userId);
+  return NextResponse.json({ ok: true });
+});

package/app/api/v1/admin/agents/route.ts

@@ -0,0 +1,31 @@
+export const dynamic = "force-dynamic";
+import { NextResponse } from 'next/server';
+import db from '@/lib/db';
+import { initSchema } from '@/lib/schema';
+import { withAdmin } from '@/lib/auth';
+
+export const GET = withAdmin(async (_req, userId) => {
+  await initSchema();
+  const rows = await db.prepare('SELECT id, name, permissions, persona, created_at FROM agents WHERE user_id = ?').all(userId) as any[];
+  return NextResponse.json(rows.map(a => ({ ...a, persona: a.persona ? JSON.parse(a.persona) : null })));
+});
+
+export const POST = withAdmin(async (req, userId) => {
+  await initSchema();
+  const { id, name, permissions = 'read,write' } = await req.json();
+  const agentId = id || crypto.randomUUID().slice(0, 12);
+  const apiKey = `swarm_${crypto.randomUUID().replace(/-/g, '')}`;
+  await db.prepare('INSERT INTO agents (id, user_id, name, api_key, permissions) VALUES (?,?,?,?,?)').run(agentId, userId, name || agentId, apiKey, permissions);
+  return NextResponse.json({ id: agentId, apiKey, permissions });
+});
+
+export const PATCH = withAdmin(async (req, userId) => {
+  await initSchema();
+  const { id, persona, name } = await req.json();
+  if (!id) return NextResponse.json({ error: 'Missing agent id' }, { status: 400 });
+  if (persona !== undefined)
+    await db.prepare('UPDATE agents SET persona = ? WHERE id = ? AND user_id = ?').run(JSON.stringify(persona), id, userId);
+  if (name !== undefined)
+    await db.prepare('UPDATE agents SET name = ? WHERE id = ? AND user_id = ?').run(name, id, userId);
+  return NextResponse.json({ ok: true });
+});

package/app/api/v1/admin/audit/route.ts

@@ -0,0 +1,23 @@
+export const dynamic = 'force-dynamic';
+import { NextResponse } from 'next/server';
+import db from '@/lib/db';
+import { initSchema } from '@/lib/schema';
+import { withAdmin } from '@/lib/auth';
+
+export const GET = withAdmin(async (req, userId) => {
+  await initSchema();
+  const { searchParams } = req.nextUrl;
+  const limit = Number(searchParams.get('limit') || 50);
+  const action = searchParams.get('action');
+  const agent = searchParams.get('agent');
+
+  let sql = 'SELECT * FROM audit_log WHERE user_id = ?';
+  const params: any[] = [userId];
+  if (action) { sql += ' AND action = ?'; params.push(action); }
+  if (agent) { sql += ' AND agent_id = ?'; params.push(agent); }
+  sql += ' ORDER BY created_at DESC LIMIT ?';
+  params.push(limit);
+
+  const rows = await db.prepare(sql).all(...params);
+  return NextResponse.json(rows);
+});

package/app/api/v1/admin/cleanup/route.ts

@@ -0,0 +1,21 @@
+export const dynamic = 'force-dynamic';
+import { NextResponse } from 'next/server';
+import db, { isPg } from '@/lib/db';
+import { initSchema, logAudit, ensureDefaultUser } from '@/lib/schema';
+import { withAdmin } from '@/lib/auth';
+
+const NOW = isPg ? 'NOW()' : "datetime('now')";
+
+export const POST = withAdmin(async (_req, userId) => {
+  await initSchema();
+  const expired = await db.prepare(
+    `SELECT COUNT(*) as count FROM profiles WHERE expires_at IS NOT NULL AND expires_at < ${NOW}`
+  ).get() as any;
+
+  await db.prepare(
+    `DELETE FROM profiles WHERE expires_at IS NOT NULL AND expires_at < ${NOW}`
+  ).run();
+
+  await logAudit(userId, null, 'cleanup', 'profiles', undefined, `${expired?.count || 0} expired entries removed`);
+  return NextResponse.json({ ok: true, removed: expired?.count || 0 });
+});

package/app/api/v1/admin/export/route.ts

@@ -0,0 +1,15 @@
+export const dynamic = "force-dynamic";
+import { NextResponse } from 'next/server';
+import db from '@/lib/db';
+import { initSchema } from '@/lib/schema';
+import { withAdmin } from '@/lib/auth';
+
+export const GET = withAdmin(async (_req, userId) => {
+  await initSchema();
+  const profiles = await db.prepare('SELECT layer, key, value, confidence, source, tags, updated_at FROM profiles WHERE user_id = ?').all(userId);
+  const agents = await db.prepare('SELECT id, name, permissions, persona, created_at FROM agents WHERE user_id = ?').all(userId);
+  const memories = await db.prepare('SELECT key, content, source, tags, type, importance, entities, created_at FROM memories WHERE user_id = ?').all(userId);
+  return NextResponse.json({ exported_at: new Date().toISOString(), profiles, agents, memories }, {
+    headers: { 'Content-Disposition': 'attachment; filename="swarm-export.json"' },
+  });
+});

package/app/api/v1/admin/history/route.ts

@@ -0,0 +1,23 @@
+export const dynamic = 'force-dynamic';
+import { NextResponse } from 'next/server';
+import db from '@/lib/db';
+import { initSchema } from '@/lib/schema';
+import { withAdmin } from '@/lib/auth';
+
+export const GET = withAdmin(async (req, userId) => {
+  await initSchema();
+  const { searchParams } = req.nextUrl;
+  const limit = Number(searchParams.get('limit') || 50);
+  const layer = searchParams.get('layer');
+  const key = searchParams.get('key');
+
+  let sql = 'SELECT * FROM profile_history WHERE user_id = ?';
+  const params: any[] = [userId];
+  if (layer) { sql += ' AND layer = ?'; params.push(layer); }
+  if (key) { sql += ' AND key = ?'; params.push(key); }
+  sql += ' ORDER BY created_at DESC LIMIT ?';
+  params.push(limit);
+
+  const rows = await db.prepare(sql).all(...params);
+  return NextResponse.json(rows);
+});

package/app/api/v1/admin/profile/route.ts

@@ -0,0 +1,23 @@
+export const dynamic = "force-dynamic";
+import { NextRequest, NextResponse } from 'next/server';
+import db, { isPg } from '@/lib/db';
+import { initSchema } from '@/lib/schema';
+import { withAdmin } from '@/lib/auth';
+
+const NOW = isPg ? 'NOW()' : "datetime('now')";
+
+export const GET = withAdmin(async (_req, userId) => {
+  await initSchema();
+  const rows = await db.prepare('SELECT * FROM profiles WHERE user_id = ? ORDER BY layer, key').all(userId) as any[];
+  return NextResponse.json(rows.map((r: any) => ({ ...r, value: JSON.parse(r.value) })));
+});
+
+export const PUT = withAdmin(async (req, userId) => {
+  await initSchema();
+  const { entries } = await req.json();
+  const sql = `INSERT INTO profiles (user_id, layer, key, value, source, updated_at)
+    VALUES (?, ?, ?, ?, 'admin', ${NOW})
+    ON CONFLICT(user_id, layer, key) DO UPDATE SET value=${isPg ? 'EXCLUDED' : 'excluded'}.value, source='admin', updated_at=${NOW}`;
+  for (const e of entries) await db.prepare(sql).run(userId, e.layer, e.key, JSON.stringify(e.value));
+  return NextResponse.json({ ok: true });
+});

package/app/api/v1/admin/settings/route.ts

@@ -0,0 +1,44 @@
+export const dynamic = 'force-dynamic';
+import { NextResponse } from 'next/server';
+import { withAdmin } from '@/lib/auth';
+import { getEmbeddingConfig } from '@/lib/embedding';
+import { writeFileSync, readFileSync, existsSync } from 'fs';
+import { join } from 'path';
+
+const ENV_PATH = join(process.cwd(), '.env.local');
+
+function readEnv(): Record<string, string> {
+  if (!existsSync(ENV_PATH)) return {};
+  const lines = readFileSync(ENV_PATH, 'utf8').split('\n');
+  const env: Record<string, string> = {};
+  for (const l of lines) {
+    const m = l.match(/^([^=]+)=(.*)$/);
+    if (m) env[m[1]] = m[2];
+  }
+  return env;
+}
+
+function writeEnv(env: Record<string, string>) {
+  writeFileSync(ENV_PATH, Object.entries(env).map(([k, v]) => `${k}=${v}`).join('\n') + '\n');
+}
+
+export const GET = withAdmin(async () => {
+  return NextResponse.json({
+    embedding: getEmbeddingConfig(),
+    adminToken: process.env.SWARM_ADMIN_TOKEN || 'swarm-admin-dev',
+    port: process.env.PORT || '3777',
+  });
+});
+
+export const PATCH = withAdmin(async (req) => {
+  const { embedding } = await req.json();
+  if (!embedding) return NextResponse.json({ error: 'Missing embedding' }, { status: 400 });
+
+  const env = readEnv();
+  if (embedding.url !== undefined) env.EMBED_URL = embedding.url;
+  if (embedding.key !== undefined) env.EMBED_KEY = embedding.key;
+  if (embedding.model !== undefined) env.EMBED_MODEL = embedding.model;
+  writeEnv(env);
+
+  return NextResponse.json({ ok: true, note: 'Restart server to apply changes' });
+});

package/app/api/v1/auth/route.ts

@@ -0,0 +1,5 @@
+import { NextResponse } from 'next/server';
+
+export async function POST() {
+  return NextResponse.json({ error: 'Auth disabled' }, { status: 410 });
+}

package/app/api/v1/memory/route.ts

@@ -0,0 +1,105 @@
+export const dynamic = "force-dynamic";
+import { NextResponse } from 'next/server';
+import db, { isPg } from '@/lib/db';
+import { initSchema, logAudit } from '@/lib/schema';
+import { withAuthOrAdmin } from '@/lib/auth';
+import { embed, cosine } from '@/lib/embedding';
+
+export const GET = withAuthOrAdmin(async (req, agent) => {
+  await initSchema();
+  const { searchParams } = req.nextUrl;
+  const q = searchParams.get('q');
+  const tag = searchParams.get('tag');
+  const type = searchParams.get('type');
+  const entity = searchParams.get('entity');
+  const since = searchParams.get('since');
+  const limit = Number(searchParams.get('limit') || 50);
+
+  const mode = searchParams.get('mode'); // 'semantic' | null (default: fts)
+
+  // Semantic search mode
+  if (q && mode === 'semantic') {
+    const qVec = await embed(q);
+    const all = await db.prepare('SELECT * FROM memories WHERE user_id = ? AND embedding IS NOT NULL ORDER BY created_at DESC')
+      .all(agent.userId) as any[];
+    const scored = all.map(m => ({ ...m, score: cosine(qVec, JSON.parse(m.embedding)) }))
+      .sort((a, b) => b.score - a.score).slice(0, limit);
+    return NextResponse.json(scored.map(r => ({
+      ...r, embedding: undefined,
+      tags: r.tags?.split(',').filter(Boolean) || [],
+      entities: r.entities?.split(',').filter(Boolean) || [],
+    })));
+  }
+
+  let sql: string, params: any[];
+
+  if (q) {
+    const hasCJK = /[\u4e00-\u9fff\u3040-\u309f\u30a0-\u30ff]/.test(q);
+    if (isPg) {
+      sql = hasCJK
+        ? `SELECT * FROM memories WHERE user_id = ? AND content LIKE ? ORDER BY created_at DESC LIMIT ?`
+        : `SELECT *, ts_rank(to_tsvector('english', content), plainto_tsquery('english', ?)) AS rank
+           FROM memories WHERE user_id = ? AND to_tsvector('english', content) @@ plainto_tsquery('english', ?)
+           ORDER BY rank DESC LIMIT ?`;
+      params = hasCJK ? [agent.userId, `%${q}%`, limit] : [q, agent.userId, q, limit];
+    } else {
+      if (hasCJK) {
+        sql = `SELECT * FROM memories WHERE user_id = ? AND content LIKE ? ORDER BY created_at DESC LIMIT ?`;
+        params = [agent.userId, `%${q}%`, limit];
+      } else {
+        sql = `SELECT m.*, rank FROM memories m JOIN memories_fts ON memories_fts.rowid = m.id
+          WHERE m.user_id = ? AND memories_fts MATCH ? ORDER BY rank LIMIT ?`;
+        params = [agent.userId, q, limit];
+      }
+    }
+  } else {
+    sql = 'SELECT * FROM memories WHERE user_id = ?';
+    params = [agent.userId];
+    if (tag) { sql += ' AND tags LIKE ?'; params.push(`%${tag}%`); }
+    if (type) { sql += ' AND type = ?'; params.push(type); }
+    if (entity) { sql += ' AND entities LIKE ?'; params.push(`%${entity}%`); }
+    if (since) { sql += ' AND created_at >= ?'; params.push(since); }
+    sql += ' ORDER BY created_at DESC LIMIT ?';
+    params.push(limit);
+  }
+
+  const rows = await db.prepare(sql).all(...params) as any[];
+  return NextResponse.json(rows.map(r => ({
+    ...r,
+    tags: r.tags?.split(',').filter(Boolean) || [],
+    entities: r.entities?.split(',').filter(Boolean) || [],
+  })));
+});
+
+export const POST = withAuthOrAdmin(async (req, agent) => {
+  await initSchema();
+  if (!agent.permissions.includes('write')) return NextResponse.json({ error: 'No write permission' }, { status: 403 });
+  const { key, content, tags, type, importance, entities } = await req.json();
+  if (!content) return NextResponse.json({ error: 'Missing content' }, { status: 400 });
+
+  const tagsStr = Array.isArray(tags) ? tags.join(',') : tags || null;
+  const entStr = Array.isArray(entities) ? entities.join(',') : entities || null;
+
+  await db.prepare(`INSERT INTO memories (user_id, key, content, source, tags, type, importance, entities, embedding)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`)
+    .run(agent.userId, key || null, content, agent.id, tagsStr, type || 'observation', importance ?? 0.5, entStr, null);
+
+  // Background embed — don't block response
+  embed(content).then(async vec => {
+    const rows = await db.prepare('SELECT id FROM memories WHERE user_id = ? AND content = ? ORDER BY id DESC LIMIT 1').all(agent.userId, content) as any[];
+    if (rows[0]) await db.prepare('UPDATE memories SET embedding = ? WHERE id = ?').run(JSON.stringify(vec), rows[0].id);
+  }).catch(() => {});
+
+  await logAudit(agent.userId, agent.id, 'memory.write', 'memory', key || undefined, content.slice(0, 100));
+  return NextResponse.json({ ok: true });
+});
+
+export const DELETE = withAuthOrAdmin(async (req, agent) => {
+  await initSchema();
+  if (!agent.permissions.includes('write')) return NextResponse.json({ error: 'No write permission' }, { status: 403 });
+  const { id } = await req.json();
+  if (!id) return NextResponse.json({ error: 'Missing id' }, { status: 400 });
+  await db.prepare('DELETE FROM memories WHERE id = ? AND user_id = ?').run(id, agent.userId);
+  await logAudit(agent.userId, agent.id, 'memory.delete', 'memory', String(id));
+  return NextResponse.json({ ok: true });
+});

package/app/api/v1/persona/[agentId]/route.ts

@@ -0,0 +1,13 @@
+export const dynamic = "force-dynamic";
+import { NextRequest, NextResponse } from 'next/server';
+import db from '@/lib/db';
+import { initSchema } from '@/lib/schema';
+import { withAuth } from '@/lib/auth';
+
+export const GET = withAuth(async (req: NextRequest & { agentId?: string }, agent) => {
+  await initSchema();
+  const agentId = req.nextUrl.pathname.split('/').pop() ?? '';
+  const row = await db.prepare('SELECT id, name, persona FROM agents WHERE id = ? AND user_id = ?').get(agentId, agent.userId) as any;
+  if (!row) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+  return NextResponse.json({ ...row, persona: row.persona ? JSON.parse(row.persona) : null });
+});

package/app/api/v1/persona/me/route.ts

@@ -0,0 +1,12 @@
+export const dynamic = "force-dynamic";
+import { NextResponse } from 'next/server';
+import db from '@/lib/db';
+import { initSchema } from '@/lib/schema';
+import { withAuth } from '@/lib/auth';
+
+export const GET = withAuth(async (_req, agent) => {
+  await initSchema();
+  const row = await db.prepare('SELECT id, name, persona, permissions FROM agents WHERE id = ?').get(agent.id) as any;
+  if (!row) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+  return NextResponse.json({ ...row, persona: row.persona ? JSON.parse(row.persona) : null });
+});

package/app/api/v1/profile/observe/route.ts

@@ -0,0 +1,34 @@
+export const dynamic = "force-dynamic";
+import { NextResponse } from 'next/server';
+import db, { isPg } from '@/lib/db';
+import { initSchema, logAudit } from '@/lib/schema';
+import { withAuth } from '@/lib/auth';
+
+const NOW_SQL = isPg ? 'NOW()' : "datetime('now')";
+
+export const POST = withAuth(async (req, agent) => {
+  await initSchema();
+  if (!agent.permissions.includes('write')) return NextResponse.json({ error: 'No write permission' }, { status: 403 });
+  const { observations } = await req.json();
+  if (!Array.isArray(observations)) return NextResponse.json({ error: 'Missing observations array' }, { status: 400 });
+
+  const upsertSql = `INSERT INTO profiles (user_id, layer, key, value, confidence, source, tags, expires_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ${NOW_SQL})
+    ON CONFLICT(user_id, layer, key) DO UPDATE SET
+      value = CASE WHEN ${isPg ? 'EXCLUDED' : 'excluded'}.confidence > profiles.confidence THEN ${isPg ? 'EXCLUDED' : 'excluded'}.value ELSE profiles.value END,
+      confidence = ${isPg ? `GREATEST(profiles.confidence, EXCLUDED.confidence)` : `MAX(profiles.confidence, excluded.confidence)`},
+      source = CASE WHEN ${isPg ? 'EXCLUDED' : 'excluded'}.confidence > profiles.confidence THEN ${isPg ? 'EXCLUDED' : 'excluded'}.source ELSE profiles.source END,
+      tags = COALESCE(${isPg ? 'EXCLUDED' : 'excluded'}.tags, profiles.tags),
+      expires_at = COALESCE(${isPg ? 'EXCLUDED' : 'excluded'}.expires_at, profiles.expires_at),
+      updated_at = ${NOW_SQL}`;
+
+  for (const obs of observations) {
+    const tags = Array.isArray(obs.tags) ? obs.tags.join(',') : obs.tags || null;
+    const defaultExpiry = (obs.layer || 'context') === 'context' && !obs.expiresAt
+      ? new Date(Date.now() + 86400000).toISOString() : null;
+    await db.prepare(upsertSql).run(agent.userId, obs.layer || 'context', obs.key, JSON.stringify(obs.value),
+      obs.confidence ?? 0.5, agent.id, tags, obs.expiresAt || defaultExpiry);
+  }
+  await logAudit(agent.userId, agent.id, 'profile.observe', 'profile', undefined, `${observations.length} observations`);
+  return NextResponse.json({ ok: true, count: observations.length });
+});

package/app/api/v1/profile/route.ts

@@ -0,0 +1,72 @@
+export const dynamic = "force-dynamic";
+import { NextRequest, NextResponse } from 'next/server';
+import db, { isPg } from '@/lib/db';
+import { initSchema, logAudit, logProfileHistory } from '@/lib/schema';
+import { withAuth } from '@/lib/auth';
+
+const NOW = isPg ? 'NOW()' : "datetime('now')";
+
+export const GET = withAuth(async (req, agent) => {
+  await initSchema();
+  const layer = req.nextUrl.searchParams.get('layer');
+  const tag = req.nextUrl.searchParams.get('tag');
+
+  let sql = 'SELECT layer, key, value, confidence, source, tags, expires_at, updated_at FROM profiles WHERE user_id = ?';
+  const params: any[] = [agent.userId];
+  sql += ` AND (expires_at IS NULL OR expires_at > ${NOW})`;
+  if (layer) { sql += ' AND layer = ?'; params.push(layer); }
+  if (tag) { sql += ' AND tags LIKE ?'; params.push(`%${tag}%`); }
+  sql += ' ORDER BY layer, key';
+
+  const rows = await db.prepare(sql).all(...params) as any[];
+  const profile: Record<string, Record<string, any>> = {};
+  for (const r of rows) {
+    if (!profile[r.layer]) profile[r.layer] = {};
+    profile[r.layer][r.key] = {
+      value: JSON.parse(r.value), confidence: r.confidence,
+      source: r.source, tags: r.tags?.split(',').filter(Boolean) || [],
+      expiresAt: r.expires_at, updatedAt: r.updated_at,
+    };
+  }
+  return NextResponse.json(profile);
+});
+
+export const PATCH = withAuth(async (req, agent) => {
+  await initSchema();
+  if (!agent.permissions.includes('write')) return NextResponse.json({ error: 'No write permission' }, { status: 403 });
+  const { layer, entries } = await req.json();
+  if (!layer || !entries) return NextResponse.json({ error: 'Missing layer or entries' }, { status: 400 });
+
+  const upsertSql = isPg
+    ? `INSERT INTO profiles (user_id, layer, key, value, confidence, source, tags, expires_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, NOW())
+       ON CONFLICT(user_id, layer, key) DO UPDATE SET value=EXCLUDED.value, confidence=EXCLUDED.confidence,
+       source=EXCLUDED.source, tags=EXCLUDED.tags, expires_at=EXCLUDED.expires_at, updated_at=NOW()`
+    : `INSERT INTO profiles (user_id, layer, key, value, confidence, source, tags, expires_at, updated_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, datetime('now'))
+       ON CONFLICT(user_id, layer, key) DO UPDATE SET value=excluded.value, confidence=excluded.confidence,
+       source=excluded.source, tags=excluded.tags, expires_at=excluded.expires_at, updated_at=excluded.updated_at`;
+
+  for (const [key, val] of Object.entries(entries)) {
+    const v = typeof val === 'object' && val !== null && 'value' in (val as any) ? (val as any) : { value: val };
+    const tags = Array.isArray(v.tags) ? v.tags.join(',') : v.tags || null;
+    // Get old value for history
+    const old = await db.prepare('SELECT value FROM profiles WHERE user_id = ? AND layer = ? AND key = ?').get(agent.userId, layer, key) as any;
+    await db.prepare(upsertSql).run(agent.userId, layer, key, JSON.stringify(v.value), v.confidence ?? 1.0, agent.id, tags, v.expiresAt || null);
+    await logProfileHistory(agent.userId, layer, key, old?.value || null, JSON.stringify(v.value), agent.id);
+  }
+  await logAudit(agent.userId, agent.id, 'profile.update', 'profile', layer, `${Object.keys(entries).length} entries`);
+  return NextResponse.json({ ok: true });
+});
+
+export const DELETE = withAuth(async (req, agent) => {
+  await initSchema();
+  if (!agent.permissions.includes('write')) return NextResponse.json({ error: 'No write permission' }, { status: 403 });
+  const { layer, key } = await req.json();
+  if (!layer || !key) return NextResponse.json({ error: 'Missing layer or key' }, { status: 400 });
+  const old = await db.prepare('SELECT value FROM profiles WHERE user_id = ? AND layer = ? AND key = ?').get(agent.userId, layer, key) as any;
+  await db.prepare('DELETE FROM profiles WHERE user_id = ? AND layer = ? AND key = ?').run(agent.userId, layer, key);
+  if (old) await logProfileHistory(agent.userId, layer, key, old.value, '(deleted)', agent.id);
+  await logAudit(agent.userId, agent.id, 'profile.delete', 'profile', `${layer}.${key}`);
+  return NextResponse.json({ ok: true });
+});

package/app/api/v1/reflect/route.ts

@@ -0,0 +1,96 @@
+export const dynamic = 'force-dynamic';
+import { NextResponse } from 'next/server';
+import db, { isPg } from '@/lib/db';
+import { initSchema, logAudit } from '@/lib/schema';
+import { withAuth } from '@/lib/auth';
+
+const LLM_URL = process.env.LLM_URL || process.env.EMBED_URL?.replace('/embeddings', '/chat/completions') || '';
+const LLM_KEY = process.env.LLM_KEY || process.env.EMBED_KEY || '';
+const LLM_MODEL = process.env.LLM_MODEL || 'gpt-4o-mini';
+
+const SYSTEM_PROMPT = `You are a profile extraction engine. Given a list of user memories/observations, extract structured profile updates.
+
+Output ONLY a JSON array of objects with: {"layer", "key", "value", "confidence"}
+- layer: "identity" | "work" | "preferences" | "communication" | custom
+- key: snake_case identifier (e.g. "preferred_language", "tech_stack")
+- value: extracted value (string, array, or object)
+- confidence: 0.0-1.0 based on how certain the information is
+
+Rules:
+- Merge related memories into single profile entries
+- Use high confidence (0.8-1.0) for explicit statements, low (0.3-0.5) for inferences
+- Skip trivial or transient information
+- Output valid JSON array only, no markdown`;
+
+async function llmExtract(memories: any[]): Promise<{ layer: string; key: string; value: any; confidence: number }[]> {
+  if (!LLM_URL || !LLM_KEY) return [];
+  const content = memories.map((m, i) => `[${i + 1}] (${m.type || 'observation'}) ${m.content}`).join('\n');
+  const res = await fetch(LLM_URL, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${LLM_KEY}` },
+    body: JSON.stringify({ model: LLM_MODEL, messages: [
+      { role: 'system', content: SYSTEM_PROMPT },
+      { role: 'user', content },
+    ], temperature: 0.1 }),
+  });
+  if (!res.ok) throw new Error(`LLM API ${res.status}`);
+  const data = await res.json();
+  const text = data.choices?.[0]?.message?.content || '[]';
+  // Extract JSON from possible markdown fence
+  const match = text.match(/\[[\s\S]*\]/);
+  return match ? JSON.parse(match[0]) : [];
+}
+
+export const POST = withAuth(async (req, agent) => {
+  await initSchema();
+  if (!agent.permissions.includes('write')) return NextResponse.json({ error: 'No write permission' }, { status: 403 });
+
+  const { since, limit: maxMemories } = await req.json().catch(() => ({}));
+  const sinceDate = since || new Date(Date.now() - 7 * 86400000).toISOString();
+  const lim = maxMemories || 100;
+
+  const memories = await db.prepare(
+    'SELECT * FROM memories WHERE user_id = ? AND created_at >= ? ORDER BY created_at DESC LIMIT ?'
+  ).all(agent.userId, sinceDate, lim) as any[];
+
+  if (memories.length === 0) return NextResponse.json({ reflected: 0, updates: [] });
+
+  let updates: { layer: string; key: string; value: any; confidence: number }[];
+  let method: string;
+
+  try {
+    updates = await llmExtract(memories);
+    method = 'llm';
+  } catch {
+    // Fallback: rule-based
+    updates = [];
+    for (const m of memories) {
+      const tags = m.tags?.split(',') || [];
+      if (m.type === 'preference' || tags.includes('preference'))
+        updates.push({ layer: 'preferences', key: m.key || `pref_${m.id}`, value: m.content, confidence: 0.6 });
+      if (m.type === 'fact' || tags.includes('fact'))
+        updates.push({ layer: 'identity', key: m.key || `fact_${m.id}`, value: m.content, confidence: 0.7 });
+    }
+    method = 'rules';
+  }
+
+  // Deduplicate
+  const deduped = new Map<string, typeof updates[0]>();
+  for (const u of updates) deduped.set(`${u.layer}:${u.key}`, u);
+  const final = [...deduped.values()];
+
+  const NOW = isPg ? 'NOW()' : "datetime('now')";
+  const EXCL = isPg ? 'EXCLUDED' : 'excluded';
+  for (const u of final) {
+    await db.prepare(`INSERT INTO profiles (user_id, layer, key, value, confidence, source, updated_at)
+      VALUES (?, ?, ?, ?, ?, 'reflect', ${NOW})
+      ON CONFLICT(user_id, layer, key) DO UPDATE SET
+        value = CASE WHEN ${EXCL}.confidence > profiles.confidence THEN ${EXCL}.value ELSE profiles.value END,
+        confidence = CASE WHEN ${EXCL}.confidence > profiles.confidence THEN ${EXCL}.confidence ELSE profiles.confidence END,
+        source = 'reflect', updated_at = ${NOW}`)
+      .run(agent.userId, u.layer, u.key, JSON.stringify(u.value), u.confidence ?? 0.6);
+  }
+
+  await logAudit(agent.userId, agent.id, 'reflect', 'profile', undefined, `${final.length} updates from ${memories.length} memories (${method})`);
+  return NextResponse.json({ reflected: memories.length, updates: final.map(u => ({ layer: u.layer, key: u.key })), method });
+});