npm - @resolveio/server-lib - Versions diffs - 22.1.23 → 22.1.25 - Mend

@resolveio/server-lib 22.1.23 → 22.1.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/collections/ai-terminal-conversation.collection.js +9 -2
package/collections/ai-terminal-conversation.collection.js.map +1 -1
package/collections/notification.collection.js.map +1 -1
package/managers/local-log.manager.js +12 -3
package/managers/local-log.manager.js.map +1 -1
package/methods/ai-terminal.js +370 -141
package/methods/ai-terminal.js.map +1 -1
package/models/ai-terminal-conversation.model.d.ts +1 -0
package/models/ai-terminal-conversation.model.js.map +1 -1
package/package.json +1 -3
package/publications/ai-terminal.js +67 -3
package/publications/ai-terminal.js.map +1 -1

package/methods/ai-terminal.js CHANGED Viewed

@@ -445,6 +445,7 @@ var AI_ASSISTANT_COLLECTION_GENERIC_TOKENS = new Set([
     'list',
     'show'
 ]);
+var AI_ASSISTANT_INVOICE_PERMISSION_PATTERN = /invoice/i;
 var AI_ASSISTANT_FIELD_TOKEN_SYNONYMS = {
     volume: ['quantity', 'qty', 'amount', 'gallons', 'gallon', 'liters', 'liter', 'litre'],
     quantity: ['volume', 'qty', 'amount', 'gallons', 'gallon'],
@@ -912,14 +913,20 @@ function loadAiTerminalMethods(methodManager) {
             }),
             function: function (payload) {
                 return __awaiter(this, void 0, void 0, function () {
-                    var now, doc, result;
+                    var idUser, now, doc, result;
                     var _a;
                     return __generator(this, function (_b) {
                         switch (_b.label) {
                             case 0:
+                                idUser = normalizeOptionalString((this === null || this === void 0 ? void 0 : this.id_user) || '');
+                                if (!idUser) {
+                                    throw new Error('Unauthorized.');
+                                }
                                 now = new Date();
-                                _a = {};
-                                return [4 /*yield*/, resolveClientIdFromConfig(payload.id_client, this === null || this === void 0 ? void 0 : this.id_user)];
+                                _a = {
+                                    id_user: idUser
+                                };
+                                return [4 /*yield*/, resolveClientIdFromConfig(payload.id_client, idUser)];
                             case 1:
                                 doc = (_a.id_client = _b.sent(),
                                     _a.id_app = normalizeOptionalString(payload.id_app),
@@ -956,10 +963,14 @@ function loadAiTerminalMethods(methodManager) {
             }),
             function: function (id_conversation, patch) {
                 return __awaiter(this, void 0, void 0, function () {
-                    var update;
+                    var idUser, update;
                     return __generator(this, function (_a) {
                         switch (_a.label) {
                             case 0:
+                                idUser = normalizeOptionalString((this === null || this === void 0 ? void 0 : this.id_user) || '');
+                                if (!idUser) {
+                                    throw new Error('Unauthorized.');
+                                }
                                 update = {
                                     updatedAt: new Date()
                                 };
@@ -981,7 +992,7 @@ function loadAiTerminalMethods(methodManager) {
                                 if (patch.metadata !== undefined) {
                                     update.metadata = patch.metadata || {};
                                 }
-                                return [4 /*yield*/, ai_terminal_conversation_collection_1.AiTerminalConversations.updateOne({ _id: id_conversation }, { $set: update })];
+                                return [4 /*yield*/, ai_terminal_conversation_collection_1.AiTerminalConversations.updateOne({ _id: id_conversation, id_user: idUser }, { $set: update })];
                             case 1:
                                 _a.sent();
                                 return [2 /*return*/, { id_conversation: id_conversation }];
@@ -998,13 +1009,25 @@ function loadAiTerminalMethods(methodManager) {
             }),
             function: function (id_conversation) {
                 return __awaiter(this, void 0, void 0, function () {
+                    var idUser, conversation;
                     return __generator(this, function (_a) {
                         switch (_a.label) {
-                            case 0: return [4 /*yield*/, ai_terminal_message_collection_1.AiTerminalMessages.deleteMany({ id_conversation: id_conversation })];
+                            case 0:
+                                idUser = normalizeOptionalString((this === null || this === void 0 ? void 0 : this.id_user) || '');
+                                if (!idUser) {
+                                    throw new Error('Unauthorized.');
+                                }
+                                return [4 /*yield*/, ai_terminal_conversation_collection_1.AiTerminalConversations.findById(id_conversation)];
                             case 1:
-                                _a.sent();
-                                return [4 /*yield*/, ai_terminal_conversation_collection_1.AiTerminalConversations.deleteOne({ _id: id_conversation })];
+                                conversation = _a.sent();
+                                if (!conversation || normalizeOptionalString(conversation.id_user) !== idUser) {
+                                    throw new Error('Conversation not found.');
+                                }
+                                return [4 /*yield*/, ai_terminal_message_collection_1.AiTerminalMessages.deleteMany({ id_conversation: id_conversation })];
                             case 2:
+                                _a.sent();
+                                return [4 /*yield*/, ai_terminal_conversation_collection_1.AiTerminalConversations.deleteOne({ _id: id_conversation, id_user: idUser })];
+                            case 3:
                                 _a.sent();
                                 return [2 /*return*/, { id_conversation: id_conversation }];
                         }
@@ -1033,10 +1056,20 @@ function loadAiTerminalMethods(methodManager) {
             }),
             function: function (id_conversation, file_name, content_base64, size, content_type) {
                 return __awaiter(this, void 0, void 0, function () {
-                    var limits, safeName, uploadRoot, targetDir, targetPath, dataBuffer, data;
+                    var idUser, conversation, limits, safeName, uploadRoot, targetDir, targetPath, dataBuffer, data;
                     return __generator(this, function (_a) {
                         switch (_a.label) {
                             case 0:
+                                idUser = normalizeOptionalString((this === null || this === void 0 ? void 0 : this.id_user) || '');
+                                if (!idUser) {
+                                    throw new Error('Unauthorized.');
+                                }
+                                return [4 /*yield*/, ai_terminal_conversation_collection_1.AiTerminalConversations.findById(id_conversation)];
+                            case 1:
+                                conversation = _a.sent();
+                                if (!conversation || normalizeOptionalString(conversation.id_user) !== idUser) {
+                                    throw new Error('Conversation not found.');
+                                }
                                 limits = resolveUploadLimits();
                                 if (size > limits.maxFileBytes) {
                                     throw new Error("File exceeds ".concat(limits.maxFileMb, "MB limit."));
@@ -1045,7 +1078,7 @@ function loadAiTerminalMethods(methodManager) {
                                 uploadRoot = resolveUploadRoot();
                                 targetDir = path.join(uploadRoot, id_conversation);
                                 return [4 /*yield*/, fs_1.promises.mkdir(targetDir, { recursive: true })];
-                            case 1:
+                            case 2:
                                 _a.sent();
                                 targetPath = path.join(targetDir, safeName);
                                 dataBuffer = Buffer.from(content_base64, 'base64');
@@ -1056,7 +1089,7 @@ function loadAiTerminalMethods(methodManager) {
                                     }
                                 }
                                 return [4 /*yield*/, fs_1.promises.writeFile(targetPath, data)];
-                            case 2:
+                            case 3:
                                 _a.sent();
                                 return [2 /*return*/, {
                                         id_file: (0, common_1.objectIdHexString)(),
@@ -1264,6 +1297,9 @@ function executeAiTerminalRun(payload, context) {
                     if (!message) {
                         throw new Error('Message is required.');
                     }
+                    if (!(context === null || context === void 0 ? void 0 : context.id_user)) {
+                        throw new Error('Unauthorized.');
+                    }
                     requestId = normalizeOptionalString(input.request_id);
                     identityGuardrail = evaluateAssistantIdentityDisclosureGuardrail(message);
                     if (!(identityGuardrail === null || identityGuardrail === void 0 ? void 0 : identityGuardrail.blocked)) return [3 /*break*/, 5];
@@ -1718,7 +1754,7 @@ function executeAiAssistantCodexRun(payload, context) {
                     insertResult = _d.sent();
                     assistantMessageId = (insertResult === null || insertResult === void 0 ? void 0 : insertResult._id) || (insertResult === null || insertResult === void 0 ? void 0 : insertResult.insertedId);
                     enqueueAssistantCodexRun(function () { return __awaiter(_this, void 0, void 0, function () {
-                        var runStart, steps, recordStep, progressTracker, streamProgress, assistantContent, toolResult, assistantDebug, directiveSource, requestClassification, dataQuestion, lastDirective, heuristicDirectivePrecomputed, usedDeterministicHeuristicFastPath, requestedTimeGrain, requestedBreakdownDimensions, enforceDatedDirective, enforceGroupedDirective, datedDirectiveRetryUsed, datedDirectiveResolved, toolResponseDebug, toolError, termHints, collectionHints, fieldHints, methodHints, publicationHints, collectionTokenization, collectionRanking, collectionSelection, collectionOverride, collectionNames, plannerEnabled, plannerUsed, plannerSkipReason, plannerOutput, plannerRaw, timingBreakdown, codexUsage, accumulateCodexUsage, contextRoute, contextMode, hintSeed, termExpansion, hintText, baseTokens, expandedTokens, baseWeights, expandedWeights, dbName, db, surfaceHints, _a, allowedRoutes, rankedAllowedRoutes, routeHints, rankedCollectionHints, rankedCollections, hintCollections, assistantContext, hasDeterministicHeuristicFastPath, prompt_1, workspaceRoot, codexConfig, runOptions, plannerRunOptions, shouldRunPlanner, plannerPrompt, plannerStart, _b, preferListDirective, directiveStyleHint, directivePromptMode, responseText, directiveText, directive, heuristicDirectiveFastPath, directivePrompt, directiveStart, forcedDirective, _c, initialStart, extractedDirective, error_2, directivePrompt, forcedStart, forcedDirective, _d, strictDirectivePrompt, strictStart, strictDirectiveText, strictDirective, strictDirectiveIsDated, shouldUseStrictDirective, _e, guardDirectivePrompt, guardStart, guardDirectiveText, guardDirective, _f, groupedDirectivePrompt, groupedStart, groupedDirectiveText, groupedDirective, _g, heuristicDirective, requestedCollection, allowCollectionOverride, cleanedResponseText, effectiveDirective, toolRequest, toolStart, toolResponse, _h, toolPayload, skipFollowupCodex, followupPrompt, followupStart, followupText, _j, error_3, error_4, finishedAt, finalNow, finishedAt, codexMs, draftingMs, finalMetadata, finalUsage, usageClientId, usageError_1, finalAssistantDoc, setPayload;
+                        var runStart, steps, recordStep, progressTracker, streamProgress, assistantContent, toolResult, assistantDebug, directiveSource, requestClassification, dataQuestion, lastDirective, heuristicDirectivePrecomputed, usedDeterministicHeuristicFastPath, requestedTimeGrain, requestedBreakdownDimensions, enforceDatedDirective, enforceGroupedDirective, datedDirectiveRetryUsed, datedDirectiveResolved, toolResponseDebug, toolError, termHints, collectionHints, fieldHints, methodHints, publicationHints, collectionTokenization, collectionRanking, collectionSelection, collectionOverride, collectionNames, plannerEnabled, plannerUsed, plannerSkipReason, plannerOutput, plannerRaw, timingBreakdown, codexUsage, accumulateCodexUsage, contextRoute, contextMode, hintSeed, termExpansion, hintText, baseTokens, expandedTokens, baseWeights, expandedWeights, dbName, db, surfaceHints, _a, allowedRoutes, rankedAllowedRoutes, routeHints, rankedCollectionHints, rankedCollections, hintCollections, assistantContext, hasDeterministicHeuristicFastPath, prompt_1, workspaceRoot, codexConfig, runOptions, plannerRunOptions, shouldRunPlanner, plannerPrompt, plannerStart, _b, preferListDirective, directiveStyleHint, directivePromptMode, responseText, directiveText, directive, heuristicDirectiveFastPath, directivePrompt, directiveStart, forcedDirective, _c, initialStart, extractedDirective, error_2, directivePrompt, forcedStart, forcedDirective, _d, strictDirectivePrompt, strictStart, strictDirectiveText, strictDirective, strictDirectiveIsDated, shouldUseStrictDirective, _e, guardDirectivePrompt, guardStart, guardDirectiveText, guardDirective, _f, groupedDirectivePrompt, groupedStart, groupedDirectiveText, groupedDirective, _g, heuristicDirective, requestedCollection, allowCollectionOverride, cleanedResponseText, deniedModuleByIntent, permissionLabel, effectiveDirective, toolRequest, toolStart, toolResponse, _h, toolPayload, skipFollowupCodex, followupPrompt, followupStart, followupText, _j, error_3, error_4, finishedAt, finalNow, finishedAt, codexMs, draftingMs, finalMetadata, finalUsage, usageClientId, usageError_1, finalAssistantDoc, setPayload;
                         var _k, _l, _m, _o, _p, _q, _r, _s, _t, _u, _v, _w, _x, _y, _z, _0, _1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12;
                         return __generator(this, function (_13) {
                             switch (_13.label) {
@@ -1816,7 +1852,7 @@ function executeAiAssistantCodexRun(payload, context) {
                                     });
                                     _13.label = 1;
                                 case 1:
-                                    _13.trys.push([1, 52, 53, 54]);
+                                    _13.trys.push([1, 53, 54, 55]);
                                     hintSeed = [message, contextRoute].filter(Boolean).join(' ');
                                     termExpansion = expandAssistantTermSynonyms(hintSeed);
                                     hintText = termExpansion.expanded || hintSeed;
@@ -2329,7 +2365,22 @@ function executeAiAssistantCodexRun(payload, context) {
                                     if (cleanedResponseText) {
                                         assistantContent = sanitizeAssistantResponse(cleanedResponseText);
                                     }
-                                    if (!((directive === null || directive === void 0 ? void 0 : directive.payload) && AI_ASSISTANT_TOOL_MAX_STEPS > 0)) return [3 /*break*/, 50];
+                                    deniedModuleByIntent = resolveAssistantIntentDeniedModule({
+                                        user: user,
+                                        isSuperAdmin: isSuperAdmin,
+                                        message: message
+                                    });
+                                    if (!deniedModuleByIntent) return [3 /*break*/, 38];
+                                    permissionLabel = formatAssistantModulePermissionLabel(deniedModuleByIntent);
+                                    progressTracker.push('Grabbing Data');
+                                    recordStep('Grabbing Data: denied', {
+                                        reason: "".concat(deniedModuleByIntent, "_permission_required")
+                                    });
+                                    assistantContent = "I couldn't run that request because this account does not have ".concat(permissionLabel, " permission.");
+                                    toolError = new Error('AI assistant report builder bridge: Access denied.');
+                                    return [3 /*break*/, 52];
+                                case 38:
+                                    if (!((directive === null || directive === void 0 ? void 0 : directive.payload) && AI_ASSISTANT_TOOL_MAX_STEPS > 0)) return [3 /*break*/, 51];
                                     effectiveDirective = collectionOverride
                                         ? __assign(__assign({}, directive), { payload: __assign(__assign({}, (directive.payload || {})), { collection: collectionOverride.to }) }) : directive;
                                     toolRequest = buildAssistantToolRequest(effectiveDirective, input);
@@ -2339,20 +2390,20 @@ function executeAiAssistantCodexRun(payload, context) {
                                         collection: normalizeOptionalString(toolRequest === null || toolRequest === void 0 ? void 0 : toolRequest.collection) || undefined,
                                         permissionView: normalizeOptionalString(toolRequest === null || toolRequest === void 0 ? void 0 : toolRequest.permissionView) || undefined
                                     });
-                                    _13.label = 38;
-                                case 38:
-                                    _13.trys.push([38, 48, , 49]);
+                                    _13.label = 39;
+                                case 39:
+                                    _13.trys.push([39, 49, , 50]);
                                     toolStart = Date.now();
-                                    if (!(effectiveDirective.type === 'aggregate')) return [3 /*break*/, 40];
+                                    if (!(effectiveDirective.type === 'aggregate')) return [3 /*break*/, 41];
                                     return [4 /*yield*/, executeAiAssistantReportBuilderAggregate(toolRequest, context)];
-                                case 39:
+                                case 40:
                                     _h = _13.sent();
-                                    return [3 /*break*/, 42];
-                                case 40: return [4 /*yield*/, executeAiAssistantReportBuilderRead(toolRequest, context)];
-                                case 41:
-                                    _h = _13.sent();
-                                    _13.label = 42;
+                                    return [3 /*break*/, 43];
+                                case 41: return [4 /*yield*/, executeAiAssistantReportBuilderRead(toolRequest, context)];
                                 case 42:
+                                    _h = _13.sent();
+                                    _13.label = 43;
+                                case 43:
                                     toolResponse = _h;
                                     timingBreakdown.toolMs = Date.now() - toolStart;
                                     toolResponseDebug = (toolResponse === null || toolResponse === void 0 ? void 0 : toolResponse.debug) && typeof toolResponse.debug === 'object'
@@ -2368,54 +2419,54 @@ function executeAiAssistantCodexRun(payload, context) {
                                     progressTracker.push('Drafting response');
                                     skipFollowupCodex = usedDeterministicHeuristicFastPath
                                         || isAssistantDeterministicHeuristicDirective(effectiveDirective);
-                                    if (!skipFollowupCodex) return [3 /*break*/, 43];
+                                    if (!skipFollowupCodex) return [3 /*break*/, 44];
                                     recordStep('Drafting response: deterministic summary', {
                                         reason: normalizeOptionalString(effectiveDirective.rawLine) || 'deterministic_heuristic'
                                     });
                                     assistantContent = buildAssistantToolFallbackResponse(toolPayload.result);
                                     assistantContent = applyAssistantDisplayTableToResponse(assistantContent, toolPayload.result.output.display);
-                                    return [3 /*break*/, 47];
-                                case 43:
+                                    return [3 /*break*/, 48];
+                                case 44:
                                     recordStep('Drafting response');
                                     followupPrompt = buildAssistantCodexToolFollowupPrompt(message, attachmentData.promptText, historyLines.join('\n'), assistantContext, toolPayload.prompt);
-                                    _13.label = 44;
-                                case 44:
-                                    _13.trys.push([44, 46, , 47]);
+                                    _13.label = 45;
+                                case 45:
+                                    _13.trys.push([45, 47, , 48]);
                                     followupStart = Date.now();
                                     return [4 /*yield*/, runCodexInWorkerThread(followupPrompt, runOptions, codexConfig, streamProgress)];
-                                case 45:
+                                case 46:
                                     followupText = _13.sent();
                                     accumulateCodexUsage(followupPrompt, followupText);
                                     timingBreakdown.followupMs = Date.now() - followupStart;
                                     assistantContent = sanitizeAssistantResponse(followupText);
                                     assistantContent = applyAssistantDisplayTableToResponse(assistantContent, toolPayload.result.output.display);
-                                    return [3 /*break*/, 47];
-                                case 46:
+                                    return [3 /*break*/, 48];
+                                case 47:
                                     _j = _13.sent();
                                     assistantContent = buildAssistantToolFallbackResponse(toolPayload.result);
                                     assistantContent = applyAssistantDisplayTableToResponse(assistantContent, toolPayload.result.output.display);
-                                    return [3 /*break*/, 47];
-                                case 47: return [3 /*break*/, 49];
-                                case 48:
+                                    return [3 /*break*/, 48];
+                                case 48: return [3 /*break*/, 50];
+                                case 49:
                                     error_3 = _13.sent();
                                     assistantContent = buildAssistantToolErrorMessage(error_3);
                                     toolError = error_3;
-                                    return [3 /*break*/, 49];
-                                case 49: return [3 /*break*/, 51];
-                                case 50:
+                                    return [3 /*break*/, 50];
+                                case 50: return [3 /*break*/, 52];
+                                case 51:
                                     progressTracker.push('Drafting response');
                                     recordStep('Drafting response');
-                                    _13.label = 51;
-                                case 51: return [3 /*break*/, 54];
-                                case 52:
+                                    _13.label = 52;
+                                case 52: return [3 /*break*/, 55];
+                                case 53:
                                     error_4 = _13.sent();
                                     assistantContent = buildAssistantCodexErrorMessage(error_4);
                                     recordStep('Error', { message: normalizeOptionalString(error_4 === null || error_4 === void 0 ? void 0 : error_4.message) || 'Unknown error' });
-                                    return [3 /*break*/, 54];
-                                case 53:
+                                    return [3 /*break*/, 55];
+                                case 54:
                                     progressTracker.stop();
                                     return [7 /*endfinally*/];
-                                case 54:
+                                case 55:
                                     if (!assistantContent) {
                                         assistantContent = buildAssistantCodexErrorMessage(null);
                                     }
@@ -2515,14 +2566,14 @@ function executeAiAssistantCodexRun(payload, context) {
                                         output_tokens: codexUsage.output_tokens,
                                         total_tokens: codexUsage.total_tokens
                                     } : null;
-                                    if (!finalUsage) return [3 /*break*/, 59];
+                                    if (!finalUsage) return [3 /*break*/, 60];
                                     return [4 /*yield*/, resolveClientId(conversation, input.id_client, context === null || context === void 0 ? void 0 : context.id_user)];
-                                case 55:
-                                    usageClientId = _13.sent();
-                                    if (!usageClientId) return [3 /*break*/, 59];
-                                    _13.label = 56;
                                 case 56:
-                                    _13.trys.push([56, 58, , 59]);
+                                    usageClientId = _13.sent();
+                                    if (!usageClientId) return [3 /*break*/, 60];
+                                    _13.label = 57;
+                                case 57:
+                                    _13.trys.push([57, 59, , 60]);
                                     return [4 /*yield*/, (0, openai_usage_ledger_manager_1.recordOpenAIUsage)({
                                             id_client: usageClientId,
                                             model: finalUsage.model,
@@ -2533,16 +2584,16 @@ function executeAiAssistantCodexRun(payload, context) {
                                             id_request: requestId || undefined,
                                             id_conversation: conversation._id
                                         })];
-                                case 57:
-                                    _13.sent();
-                                    return [3 /*break*/, 59];
                                 case 58:
+                                    _13.sent();
+                                    return [3 /*break*/, 60];
+                                case 59:
                                     usageError_1 = _13.sent();
                                     console.error(new Date(), 'Failed to record codex usage', usageError_1);
-                                    return [3 /*break*/, 59];
-                                case 59:
+                                    return [3 /*break*/, 60];
+                                case 60:
                                     finalAssistantDoc = __assign(__assign(__assign(__assign({}, assistantDoc), { _id: assistantMessageId, content: assistantContent, metadata: finalMetadata }), (finalUsage ? { usage: finalUsage } : {})), { updatedAt: finalNow });
-                                    if (!assistantMessageId) return [3 /*break*/, 61];
+                                    if (!assistantMessageId) return [3 /*break*/, 62];
                                     setPayload = {
                                         content: assistantContent,
                                         metadata: finalMetadata,
@@ -2552,18 +2603,18 @@ function executeAiAssistantCodexRun(payload, context) {
                                         setPayload.usage = finalUsage;
                                     }
                                     return [4 /*yield*/, updateAssistantMessageWithFallback(assistantMessageId, setPayload)];
-                                case 60:
+                                case 61:
                                     _13.sent();
-                                    _13.label = 61;
-                                case 61: return [4 /*yield*/, touchConversation(conversation._id, finalNow, assistantMessageId ? String(assistantMessageId) : undefined)];
-                                case 62:
+                                    _13.label = 62;
+                                case 62: return [4 /*yield*/, touchConversation(conversation._id, finalNow, assistantMessageId ? String(assistantMessageId) : undefined)];
+                                case 63:
                                     _13.sent();
-                                    if (!(input.delete_files_after_run !== false)) return [3 /*break*/, 64];
+                                    if (!(input.delete_files_after_run !== false)) return [3 /*break*/, 65];
                                     return [4 /*yield*/, cleanupAttachments(attachmentData.attachments)];
-                                case 63:
+                                case 64:
                                     _13.sent();
-                                    _13.label = 64;
-                                case 64: return [2 /*return*/, finalAssistantDoc];
+                                    _13.label = 65;
+                                case 65: return [2 /*return*/, finalAssistantDoc];
                             }
                         });
                     }); });
@@ -9669,7 +9720,7 @@ function isDisplayObjectLike(value) {
 }
 function ensureAssistantReadAccess(context, permissionView, collection) {
     return __awaiter(this, void 0, void 0, function () {
-        var idUser, user, isSuperAdmin, canViewDebug, normalizedCollection, normalizedPermission, requiresInvoiceAccess, hasInvoiceAccess, hasViewAccess;
+        var idUser, user, isSuperAdmin, canViewDebug, normalizedCollection, normalizedPermission, permissionModule, collectionModule, requestedModule, requiresInvoiceAccess, hasInvoiceAccess, hasViewAccess, hasModuleAccess;
         var _a;
         return __generator(this, function (_b) {
             switch (_b.label) {
@@ -9694,10 +9745,17 @@ function ensureAssistantReadAccess(context, permissionView, collection) {
                     if (!normalizedPermission) {
                         throw new Error('AI assistant report builder bridge: Permission scope required.');
                     }
-                    requiresInvoiceAccess = normalizedCollection ? requiresInvoicePermission(normalizedCollection) : false;
+                    permissionModule = resolveAssistantPrimaryModuleFromText(normalizedPermission);
+                    collectionModule = permissionModule ? null : resolveAssistantPrimaryModuleFromText(normalizedCollection);
+                    requestedModule = permissionModule || collectionModule;
+                    requiresInvoiceAccess = (normalizedCollection ? requiresInvoicePermission(normalizedCollection) : false)
+                        || AI_ASSISTANT_INVOICE_PERMISSION_PATTERN.test(normalizedPermission);
                     hasInvoiceAccess = requiresInvoiceAccess && userHasInvoiceAccess(user);
                     hasViewAccess = userHasViewPermission(user, normalizedPermission);
-                    if (!hasViewAccess && !hasInvoiceAccess) {
+                    hasModuleAccess = requestedModule
+                        ? userHasAssistantChangeModuleAccess(user, requestedModule)
+                        : false;
+                    if (!hasViewAccess && !hasInvoiceAccess && !hasModuleAccess) {
                         throw new Error('AI assistant report builder bridge: Access denied.');
                     }
                     if (requiresInvoiceAccess && !hasInvoiceAccess) {
@@ -16281,27 +16339,166 @@ function fetchAssistantProbeDocs(params) {
     })
         .toArray();
 }
-function userHasViewPermission(user, view) {
-    var _a, _b, _c;
-    if (!user || !view) {
+var AI_ASSISTANT_PERMISSION_ACTION_TOKENS = new Set([
+    'list',
+    'detail',
+    'new',
+    'edit',
+    'delete',
+    'create',
+    'dashboard',
+    'report',
+    'reports',
+    'calendar',
+    'board',
+    'timeline',
+    'settings',
+    'setting',
+    'view'
+]);
+function tokenizeAssistantPermissionScope(value) {
+    var normalizedRoute = normalizeRouteMatchKey(value);
+    if (!normalizedRoute) {
+        return [];
+    }
+    var rawTokens = normalizedRoute
+        .split(/[^a-z0-9]+/g)
+        .map(function (token) { return token.trim(); })
+        .filter(Boolean);
+    var tokens = [];
+    rawTokens.forEach(function (token) {
+        normalizeCollectionToken(token).forEach(function (normalized) {
+            if (!normalized) {
+                return;
+            }
+            tokens.push(normalized);
+        });
+    });
+    return Array.from(new Set(tokens));
+}
+function splitAssistantPermissionTokenSets(value) {
+    var tokens = tokenizeAssistantPermissionScope(value);
+    var actionTokens = new Set();
+    var domainTokens = new Set();
+    tokens.forEach(function (token) {
+        if (AI_ASSISTANT_PERMISSION_ACTION_TOKENS.has(token)) {
+            actionTokens.add(token);
+            return;
+        }
+        domainTokens.add(token);
+    });
+    return {
+        tokens: new Set(tokens),
+        domainTokens: domainTokens,
+        actionTokens: actionTokens
+    };
+}
+function isAssistantTokenSetSubset(subset, superset) {
+    var e_43, _a;
+    if (!subset.size) {
         return false;
     }
-    if ((_a = user.roles) === null || _a === void 0 ? void 0 : _a.super_admin) {
+    try {
+        for (var subset_1 = __values(subset), subset_1_1 = subset_1.next(); !subset_1_1.done; subset_1_1 = subset_1.next()) {
+            var token = subset_1_1.value;
+            if (!superset.has(token)) {
+                return false;
+            }
+        }
+    }
+    catch (e_43_1) { e_43 = { error: e_43_1 }; }
+    finally {
+        try {
+            if (subset_1_1 && !subset_1_1.done && (_a = subset_1.return)) _a.call(subset_1);
+        }
+        finally { if (e_43) throw e_43.error; }
+    }
+    return true;
+}
+function buildAssistantPermissionRegex(value) {
+    var tokens = tokenizeAssistantPermissionScope(value);
+    if (!tokens.length) {
+        return null;
+    }
+    var _a = __read(tokens), first = _a[0], rest = _a.slice(1);
+    var pattern = "(?:^|[^a-z0-9])".concat(escapeRegexValue(first), "s?");
+    rest.forEach(function (token) {
+        pattern += "(?:[^a-z0-9]+".concat(escapeRegexValue(token), "s?)");
+    });
+    pattern += '(?:$|[^a-z0-9])';
+    return new RegExp(pattern, 'i');
+}
+function isAssistantViewPermissionMatch(grantedPermission, requestedView) {
+    var grantedRoute = normalizeRouteMatchKey(grantedPermission);
+    var requestedRoute = normalizeRouteMatchKey(requestedView);
+    if (!grantedRoute || !requestedRoute) {
+        return false;
+    }
+    if (grantedRoute === requestedRoute
+        || grantedRoute.startsWith("".concat(requestedRoute, "/"))
+        || requestedRoute.startsWith("".concat(grantedRoute, "/"))) {
         return true;
     }
-    var groups = Array.isArray((_b = user.roles) === null || _b === void 0 ? void 0 : _b.groups) ? user.roles.groups : [];
-    var miscs = Array.isArray((_c = user.roles) === null || _c === void 0 ? void 0 : _c.miscs) ? user.roles.miscs : [];
-    if (groups.some(function (group) { return Array.isArray(group.views) && group.views.some(function (v) { return v.startsWith(view); }); })) {
+    var grantedTokens = splitAssistantPermissionTokenSets(grantedRoute);
+    var requestedTokens = splitAssistantPermissionTokenSets(requestedRoute);
+    if (!grantedTokens.tokens.size || !requestedTokens.tokens.size) {
+        return false;
+    }
+    if (grantedTokens.actionTokens.size && requestedTokens.actionTokens.size) {
+        var hasSharedAction = Array.from(requestedTokens.actionTokens)
+            .some(function (token) { return grantedTokens.actionTokens.has(token); });
+        if (!hasSharedAction) {
+            return false;
+        }
+    }
+    if (!grantedTokens.domainTokens.size || !requestedTokens.domainTokens.size) {
+        return false;
+    }
+    if (isAssistantTokenSetSubset(requestedTokens.domainTokens, grantedTokens.domainTokens)) {
+        return true;
+    }
+    if (requestedTokens.domainTokens.size > 1
+        && grantedTokens.domainTokens.size > 1
+        && isAssistantTokenSetSubset(grantedTokens.domainTokens, requestedTokens.domainTokens)) {
         return true;
     }
-    if (miscs.some(function (v) { return v.startsWith(view); })) {
+    var sharedTokenCount = 0;
+    requestedTokens.tokens.forEach(function (token) {
+        if (grantedTokens.tokens.has(token)) {
+            sharedTokenCount += 1;
+        }
+    });
+    var requestedCoverage = requestedTokens.tokens.size
+        ? sharedTokenCount / requestedTokens.tokens.size
+        : 0;
+    if (sharedTokenCount >= 2 && requestedCoverage >= 0.8) {
         return true;
     }
-    if (groups.some(function (group) { return group.name === view; })) {
+    var requestedRegex = buildAssistantPermissionRegex(requestedRoute);
+    if (requestedRegex && requestedRegex.test(grantedRoute)) {
+        return true;
+    }
+    var grantedRegex = buildAssistantPermissionRegex(grantedRoute);
+    if (grantedRegex && grantedRegex.test(requestedRoute)) {
         return true;
     }
     return false;
 }
+function userHasViewPermission(user, view) {
+    var _a, _b;
+    if (!user || !view) {
+        return false;
+    }
+    if ((_a = user.roles) === null || _a === void 0 ? void 0 : _a.super_admin) {
+        return true;
+    }
+    var permissions = collectUserViewPermissions(user);
+    if (permissions.some(function (permission) { return isAssistantViewPermissionMatch(permission, view); })) {
+        return true;
+    }
+    var groups = Array.isArray((_b = user.roles) === null || _b === void 0 ? void 0 : _b.groups) ? user.roles.groups : [];
+    return groups.some(function (group) { return isAssistantViewPermissionMatch(normalizeOptionalString(group === null || group === void 0 ? void 0 : group.name), view); });
+}
 function collectUserViewPermissions(user) {
     var _a, _b;
     if (!user) {
@@ -16338,7 +16535,7 @@ function userHasViewTokenPermission(user, tokenRegex) {
     return permissions.some(function (view) { return tokenRegex.test(view); });
 }
 function userHasInvoiceAccess(user) {
-    return userHasViewTokenPermission(user, /invoice/i);
+    return userHasViewTokenPermission(user, AI_ASSISTANT_INVOICE_PERMISSION_PATTERN);
 }
 function resolveAssistantUserAccessTier(user) {
     var _a, _b;
@@ -16353,7 +16550,29 @@ function requiresInvoicePermission(collection) {
     if (!normalized) {
         return false;
     }
-    return normalized.includes('invoice');
+    return AI_ASSISTANT_INVOICE_PERMISSION_PATTERN.test(normalized);
+}
+function resolveAssistantPrimaryModuleFromText(text) {
+    var modules = resolveAssistantChangeModulesFromText(text)
+        .filter(function (module) { return module !== 'general' && module !== 'internal'; });
+    return modules.length ? modules[0] : null;
+}
+function formatAssistantModulePermissionLabel(module) {
+    var normalized = normalizeOptionalString(module).replace(/[_-]+/g, ' ').trim();
+    return normalized || 'module';
+}
+function resolveAssistantIntentDeniedModule(params) {
+    if (!(params === null || params === void 0 ? void 0 : params.user) || (params === null || params === void 0 ? void 0 : params.isSuperAdmin)) {
+        return null;
+    }
+    var requestedModule = resolveAssistantPrimaryModuleFromText((params === null || params === void 0 ? void 0 : params.message) || '');
+    if (!requestedModule) {
+        return null;
+    }
+    if (userHasAssistantChangeModuleAccess(params.user, requestedModule)) {
+        return null;
+    }
+    return requestedModule;
 }
 function redactSensitiveFields(value) {
     if (Array.isArray(value)) {
@@ -16566,8 +16785,8 @@ function applyCodexStreamStatusHandler(runOptions, streamStatusHandler) {
 }
 function waitForCodexWorkerMessage(worker, streamStatusHandler) {
     return __awaiter(this, void 0, void 0, function () {
-        var _a, _b, _c, _d, message, payload, status_1, e_43_1;
-        var _e, e_43, _f, _g;
+        var _a, _b, _c, _d, message, payload, status_1, e_44_1;
+        var _e, e_44, _f, _g;
         return __generator(this, function (_h) {
             switch (_h.label) {
                 case 0:
@@ -16594,8 +16813,8 @@ function waitForCodexWorkerMessage(worker, streamStatusHandler) {
                     return [3 /*break*/, 1];
                 case 4: return [3 /*break*/, 11];
                 case 5:
-                    e_43_1 = _h.sent();
-                    e_43 = { error: e_43_1 };
+                    e_44_1 = _h.sent();
+                    e_44 = { error: e_44_1 };
                     return [3 /*break*/, 11];
                 case 6:
                     _h.trys.push([6, , 9, 10]);
@@ -16606,7 +16825,7 @@ function waitForCodexWorkerMessage(worker, streamStatusHandler) {
                     _h.label = 8;
                 case 8: return [3 /*break*/, 10];
                 case 9:
-                    if (e_43) throw e_43.error;
+                    if (e_44) throw e_44.error;
                     return [7 /*endfinally*/];
                 case 10: return [7 /*endfinally*/];
                 case 11: throw new CodexWorkerBootstrapError('Codex worker exited before completing.');
@@ -16950,8 +17169,8 @@ function buildAssistantWorkspaceRootCandidates(params) {
 }
 function resolveAssistantWorkspaceRoot() {
     return __awaiter(this, void 0, void 0, function () {
-        var candidates, firstExisting, firstNestedGitRoot, candidates_8, candidates_8_1, candidate, _a, gitRoot, nestedGitRoots, e_44_1;
-        var e_44, _b;
+        var candidates, firstExisting, firstNestedGitRoot, candidates_8, candidates_8_1, candidate, _a, gitRoot, nestedGitRoots, e_45_1;
+        var e_45, _b;
         return __generator(this, function (_c) {
             switch (_c.label) {
                 case 0:
@@ -16998,14 +17217,14 @@ function resolveAssistantWorkspaceRoot() {
                     return [3 /*break*/, 2];
                 case 8: return [3 /*break*/, 11];
                 case 9:
-                    e_44_1 = _c.sent();
-                    e_44 = { error: e_44_1 };
+                    e_45_1 = _c.sent();
+                    e_45 = { error: e_45_1 };
                     return [3 /*break*/, 11];
                 case 10:
                     try {
                         if (candidates_8_1 && !candidates_8_1.done && (_b = candidates_8.return)) _b.call(candidates_8);
                     }
-                    finally { if (e_44) throw e_44.error; }
+                    finally { if (e_45) throw e_45.error; }
                     return [7 /*endfinally*/];
                 case 11:
                     if (firstNestedGitRoot) {
@@ -17408,7 +17627,7 @@ var AI_ASSISTANT_BREAKDOWN_DIMENSION_STOPWORDS = new Set([
     'by'
 ]);
 function normalizeAssistantBreakdownDimension(value) {
-    var e_45, _a;
+    var e_46, _a;
     var normalized = normalizeOptionalString(value)
         .toLowerCase()
         .replace(/[^a-z0-9_\s-]+/g, ' ')
@@ -17440,12 +17659,12 @@ function normalizeAssistantBreakdownDimension(value) {
             }
         }
     }
-    catch (e_45_1) { e_45 = { error: e_45_1 }; }
+    catch (e_46_1) { e_46 = { error: e_46_1 }; }
     finally {
         try {
             if (tokens_1_1 && !tokens_1_1.done && (_a = tokens_1.return)) _a.call(tokens_1);
         }
-        finally { if (e_45) throw e_45.error; }
+        finally { if (e_46) throw e_46.error; }
     }
     if (!kept.length) {
         return '';
@@ -17643,7 +17862,7 @@ function resolveAssistantPlannerEnabled() {
     return raw === undefined ? true : raw === true;
 }
 function resolveAssistantPlannerKnownRoutes(user, isSuperAdmin) {
-    var e_46, _a;
+    var e_47, _a;
     var _b;
     if (isSuperAdmin === void 0) { isSuperAdmin = false; }
     var routes = ((_b = resolveio_server_app_1.ResolveIOServer.getClientRoutes) === null || _b === void 0 ? void 0 : _b.call(resolveio_server_app_1.ResolveIOServer)) || [];
@@ -17657,12 +17876,12 @@ function resolveAssistantPlannerKnownRoutes(user, isSuperAdmin) {
             }
         }
     }
-    catch (e_46_1) { e_46 = { error: e_46_1 }; }
+    catch (e_47_1) { e_47 = { error: e_47_1 }; }
     finally {
         try {
             if (routes_1_1 && !routes_1_1.done && (_a = routes_1.return)) _a.call(routes_1);
         }
-        finally { if (e_46) throw e_46.error; }
+        finally { if (e_47) throw e_47.error; }
     }
     var normalizedRoutes = Array.from(unique);
     var allowedRoutes = collectAssistantAllowedRoutesForUser(user, normalizedRoutes, isSuperAdmin);
@@ -17901,7 +18120,7 @@ function normalizeRouteMatchKey(value) {
     return normalizeRouteKey(value).toLowerCase();
 }
 function buildClientRouteIndex() {
-    var e_47, _a;
+    var e_48, _a;
     var _b;
     var routes = ((_b = resolveio_server_app_1.ResolveIOServer.getClientRoutes) === null || _b === void 0 ? void 0 : _b.call(resolveio_server_app_1.ResolveIOServer)) || [];
     var set = new Set();
@@ -17920,12 +18139,12 @@ function buildClientRouteIndex() {
             }
         }
     }
-    catch (e_47_1) { e_47 = { error: e_47_1 }; }
+    catch (e_48_1) { e_48 = { error: e_48_1 }; }
     finally {
         try {
             if (routes_2_1 && !routes_2_1.done && (_a = routes_2.return)) _a.call(routes_2);
         }
-        finally { if (e_47) throw e_47.error; }
+        finally { if (e_48) throw e_48.error; }
     }
     return { set: set, map: map, size: routes.length };
 }
@@ -18091,16 +18310,15 @@ function collectAssistantAllowedRoutesForUser(user, allRoutes, isSuperAdmin) {
         seen.add(normalized);
         allowed.push(normalized);
     };
-    var allRouteEntries = normalizedRoutes.map(function (route) { return ({ route: route, routeKey: route.toLowerCase() }); });
+    var allRouteEntries = normalizedRoutes.map(function (route) { return ({ route: route }); });
     views.forEach(function (view) {
-        var viewKey = view.toLowerCase();
-        var canonical = normalizedRoutes.find(function (route) { return route.toLowerCase() === viewKey; });
+        var canonical = normalizedRoutes.find(function (route) { return normalizeRouteMatchKey(route) === normalizeRouteMatchKey(view); });
         if (canonical) {
             push(canonical);
         }
         var matched = false;
         allRouteEntries.forEach(function (entry) {
-            if (entry.routeKey === viewKey || entry.routeKey.startsWith("".concat(viewKey, "/"))) {
+            if (isAssistantViewPermissionMatch(view, entry.route)) {
                 push(entry.route);
                 matched = true;
             }
@@ -18565,7 +18783,7 @@ function userHasAssistantChangeModuleAccess(user, module) {
         case 'delivery':
             return userHasViewTokenPermission(user, /delivery|route|dispatch|work[-_/ ]?order|bol|pso|sales[-_/ ]?order|truck[-_/ ]?treat(?:ing)?|treater|specialty|batch[-_/ ]?(?:treat(?:ing)?|job)|continuous|ats|automated[-_/ ]?treatment[-_/ ]?system|isotank|chemical[-_/ ]?trailer|vac[-_/ ]?truck|asset|treatment[-_/ ]?plan|treatments?/i);
         case 'blend':
-            return userHasViewTokenPermission(user, /blend|chemical|mix/i);
+            return userHasViewTokenPermission(user, /blend|mix/i);
         case 'chemical':
             return userHasViewTokenPermission(user, /chemical|blend|product|item|inventory/i);
         case 'job':
@@ -18705,8 +18923,8 @@ function shouldSkipAssistantGitDiscoveryDirectory(name) {
 }
 function resolveAssistantWorkspaceGitRoots(workspaceRoot) {
     return __awaiter(this, void 0, void 0, function () {
-        var roots, seen, push, _a, configuredRoots, configuredRoots_1, configuredRoots_1_1, configuredRoot, _b, e_48_1, queue, queued, enqueue, next, entries, _c, entries_1, entries_1_1, entry, childName, candidate, gitPath, _d, e_49_1;
-        var e_48, _e, e_49, _f;
+        var roots, seen, push, _a, configuredRoots, configuredRoots_1, configuredRoots_1_1, configuredRoot, _b, e_49_1, queue, queued, enqueue, next, entries, _c, entries_1, entries_1_1, entry, childName, candidate, gitPath, _d, e_50_1;
+        var e_49, _e, e_50, _f;
         var _g;
         return __generator(this, function (_h) {
             switch (_h.label) {
@@ -18751,14 +18969,14 @@ function resolveAssistantWorkspaceGitRoots(workspaceRoot) {
                     return [3 /*break*/, 3];
                 case 6: return [3 /*break*/, 9];
                 case 7:
-                    e_48_1 = _h.sent();
-                    e_48 = { error: e_48_1 };
+                    e_49_1 = _h.sent();
+                    e_49 = { error: e_49_1 };
                     return [3 /*break*/, 9];
                 case 8:
                     try {
                         if (configuredRoots_1_1 && !configuredRoots_1_1.done && (_e = configuredRoots_1.return)) _e.call(configuredRoots_1);
                     }
-                    finally { if (e_48) throw e_48.error; }
+                    finally { if (e_49) throw e_49.error; }
                     return [7 /*endfinally*/];
                 case 9:
                     queue = [];
@@ -18798,7 +19016,7 @@ function resolveAssistantWorkspaceGitRoots(workspaceRoot) {
                     return [3 /*break*/, 14];
                 case 14:
                     _h.trys.push([14, 21, 22, 23]);
-                    entries_1 = (e_49 = void 0, __values(entries)), entries_1_1 = entries_1.next();
+                    entries_1 = (e_50 = void 0, __values(entries)), entries_1_1 = entries_1.next();
                     _h.label = 15;
                 case 15:
                     if (!!entries_1_1.done) return [3 /*break*/, 20];
@@ -18837,14 +19055,14 @@ function resolveAssistantWorkspaceGitRoots(workspaceRoot) {
                     return [3 /*break*/, 15];
                 case 20: return [3 /*break*/, 23];
                 case 21:
-                    e_49_1 = _h.sent();
-                    e_49 = { error: e_49_1 };
+                    e_50_1 = _h.sent();
+                    e_50 = { error: e_50_1 };
                     return [3 /*break*/, 23];
                 case 22:
                     try {
                         if (entries_1_1 && !entries_1_1.done && (_f = entries_1.return)) _f.call(entries_1);
                     }
-                    finally { if (e_49) throw e_49.error; }
+                    finally { if (e_50) throw e_50.error; }
                     return [7 /*endfinally*/];
                 case 23: return [3 /*break*/, 10];
                 case 24: return [2 /*return*/, roots];
@@ -19147,8 +19365,8 @@ function syncAssistantGitMirror(repoUrl) {
 }
 function resolveAssistantChangeHistoryGitRoots(workspaceRoot) {
     return __awaiter(this, void 0, void 0, function () {
-        var roots, repoUrls, mirroredRoots, repoUrls_1, repoUrls_1_1, repoUrl, mirrorRoot, e_50_1;
-        var e_50, _a;
+        var roots, repoUrls, mirroredRoots, repoUrls_1, repoUrls_1_1, repoUrl, mirrorRoot, e_51_1;
+        var e_51, _a;
         return __generator(this, function (_b) {
             switch (_b.label) {
                 case 0: return [4 /*yield*/, resolveAssistantWorkspaceGitRoots(workspaceRoot)];
@@ -19182,14 +19400,14 @@ function resolveAssistantChangeHistoryGitRoots(workspaceRoot) {
                     return [3 /*break*/, 3];
                 case 6: return [3 /*break*/, 9];
                 case 7:
-                    e_50_1 = _b.sent();
-                    e_50 = { error: e_50_1 };
+                    e_51_1 = _b.sent();
+                    e_51 = { error: e_51_1 };
                     return [3 /*break*/, 9];
                 case 8:
                     try {
                         if (repoUrls_1_1 && !repoUrls_1_1.done && (_a = repoUrls_1.return)) _a.call(repoUrls_1);
                     }
-                    finally { if (e_50) throw e_50.error; }
+                    finally { if (e_51) throw e_51.error; }
                     return [7 /*endfinally*/];
                 case 9: return [2 /*return*/, mirroredRoots];
             }
@@ -19198,8 +19416,8 @@ function resolveAssistantChangeHistoryGitRoots(workspaceRoot) {
 }
 function resolveAssistantChangeHistoryFastPathResponse(params) {
     return __awaiter(this, void 0, void 0, function () {
-        var workspaceRoot, _a, gitRoots, featureKeywords, sawExecutionError, bestFallback, gitRoots_1, gitRoots_1_1, gitRoot, _b, branch, _c, _d, limit, historyDepth, rawHistory, commits, summary, hasKeywordMatches, _e, e_51_1;
-        var e_51, _f;
+        var workspaceRoot, _a, gitRoots, featureKeywords, sawExecutionError, bestFallback, gitRoots_1, gitRoots_1_1, gitRoot, _b, branch, _c, _d, limit, historyDepth, rawHistory, commits, summary, hasKeywordMatches, _e, e_52_1;
+        var e_52, _f;
         return __generator(this, function (_g) {
             switch (_g.label) {
                 case 0:
@@ -19321,14 +19539,14 @@ function resolveAssistantChangeHistoryFastPathResponse(params) {
                     return [3 /*break*/, 7];
                 case 20: return [3 /*break*/, 23];
                 case 21:
-                    e_51_1 = _g.sent();
-                    e_51 = { error: e_51_1 };
+                    e_52_1 = _g.sent();
+                    e_52 = { error: e_52_1 };
                     return [3 /*break*/, 23];
                 case 22:
                     try {
                         if (gitRoots_1_1 && !gitRoots_1_1.done && (_f = gitRoots_1.return)) _f.call(gitRoots_1);
                     }
-                    finally { if (e_51) throw e_51.error; }
+                    finally { if (e_52) throw e_52.error; }
                     return [7 /*endfinally*/];
                 case 23:
                     if (bestFallback) {
@@ -19509,7 +19727,7 @@ function sanitizeAssistantResponse(value) {
     return normalizeAssistantRoutes(normalizedCurrency);
 }
 function evaluateAssistantGuardrails(message) {
-    var e_52, _a;
+    var e_53, _a;
     var normalized = String(message || '').toLowerCase();
     var identityGuardrail = evaluateAssistantIdentityDisclosureGuardrail(normalized);
     if (identityGuardrail === null || identityGuardrail === void 0 ? void 0 : identityGuardrail.blocked) {
@@ -19559,12 +19777,12 @@ function evaluateAssistantGuardrails(message) {
             }
         }
     }
-    catch (e_52_1) { e_52 = { error: e_52_1 }; }
+    catch (e_53_1) { e_53 = { error: e_53_1 }; }
     finally {
         try {
             if (patterns_2_1 && !patterns_2_1.done && (_a = patterns_2.return)) _a.call(patterns_2);
         }
-        finally { if (e_52) throw e_52.error; }
+        finally { if (e_53) throw e_53.error; }
     }
     return null;
 }
@@ -19679,7 +19897,7 @@ function tokenizeArithmeticExpression(expression) {
     return tokens;
 }
 function evaluateArithmeticExpression(expression) {
-    var e_53, _a, e_54, _b;
+    var e_54, _a, e_55, _b;
     var tokens = tokenizeArithmeticExpression(expression);
     if (!tokens || !tokens.length) {
         return null;
@@ -19736,12 +19954,12 @@ function evaluateArithmeticExpression(expression) {
             prevToken = token;
         }
     }
-    catch (e_53_1) { e_53 = { error: e_53_1 }; }
+    catch (e_54_1) { e_54 = { error: e_54_1 }; }
     finally {
         try {
             if (tokens_2_1 && !tokens_2_1.done && (_a = tokens_2.return)) _a.call(tokens_2);
         }
-        finally { if (e_53) throw e_53.error; }
+        finally { if (e_54) throw e_54.error; }
     }
     while (ops.length) {
         var op = ops.pop();
@@ -19781,12 +19999,12 @@ function evaluateArithmeticExpression(expression) {
             stack.push(Number(token));
         }
     }
-    catch (e_54_1) { e_54 = { error: e_54_1 }; }
+    catch (e_55_1) { e_55 = { error: e_55_1 }; }
     finally {
         try {
             if (output_1_1 && !output_1_1.done && (_b = output_1.return)) _b.call(output_1);
         }
-        finally { if (e_54) throw e_54.error; }
+        finally { if (e_55) throw e_55.error; }
     }
     if (stack.length !== 1 || Number.isNaN(stack[0])) {
         return null;
@@ -19970,8 +20188,8 @@ function handleCodexUpload(id_conversation, file_name, content_base64, size, con
 }
 function readAttachmentContents(attachments) {
     return __awaiter(this, void 0, void 0, function () {
-        var limits, totalBytes, totalChars, chunks, cleaned, attachments_1, attachments_1_1, attachment, localPath, safe, stat, ext, name_1, type, readable, content, _a, e_55_1;
-        var e_55, _b;
+        var limits, totalBytes, totalChars, chunks, cleaned, attachments_1, attachments_1_1, attachment, localPath, safe, stat, ext, name_1, type, readable, content, _a, e_56_1;
+        var e_56, _b;
         return __generator(this, function (_c) {
             switch (_c.label) {
                 case 0:
@@ -20050,14 +20268,14 @@ function readAttachmentContents(attachments) {
                     return [3 /*break*/, 2];
                 case 10: return [3 /*break*/, 13];
                 case 11:
-                    e_55_1 = _c.sent();
-                    e_55 = { error: e_55_1 };
+                    e_56_1 = _c.sent();
+                    e_56 = { error: e_56_1 };
                     return [3 /*break*/, 13];
                 case 12:
                     try {
                         if (attachments_1_1 && !attachments_1_1.done && (_b = attachments_1.return)) _b.call(attachments_1);
                     }
-                    finally { if (e_55) throw e_55.error; }
+                    finally { if (e_56) throw e_56.error; }
                     return [7 /*endfinally*/];
                 case 13: return [2 /*return*/, {
                         promptText: chunks.length ? "\n\nAttachments:\n".concat(chunks.join('\n\n')) : '',
@@ -20153,25 +20371,36 @@ function resolveClientIdFromConfig(explicit, contextUserId) {
 }
 function ensureConversation(input, mode, contextUserId) {
     return __awaiter(this, void 0, void 0, function () {
-        var idConversation, existing, now, resolvedClientId, doc, result;
+        var idUser, idConversation, existing, existingUserId, now, resolvedClientId, doc, result;
         return __generator(this, function (_a) {
             switch (_a.label) {
                 case 0:
+                    idUser = normalizeOptionalString(contextUserId);
+                    if (!idUser) {
+                        throw new Error('Unauthorized.');
+                    }
                     idConversation = normalizeOptionalString(input.id_conversation);
                     if (!idConversation) return [3 /*break*/, 2];
                     return [4 /*yield*/, ai_terminal_conversation_collection_1.AiTerminalConversations.findById(idConversation)];
                 case 1:
                     existing = _a.sent();
                     if (existing) {
-                        return [2 /*return*/, existing];
+                        existingUserId = normalizeOptionalString(existing.id_user);
+                        if (existingUserId && existingUserId === idUser) {
+                            return [2 /*return*/, existing];
+                        }
+                        if (existingUserId && existingUserId !== idUser) {
+                            throw new Error('Conversation access denied.');
+                        }
                     }
                     _a.label = 2;
                 case 2:
                     now = new Date();
-                    return [4 /*yield*/, resolveClientIdFromConfig(input.id_client, contextUserId)];
+                    return [4 /*yield*/, resolveClientIdFromConfig(input.id_client, idUser)];
                 case 3:
                     resolvedClientId = _a.sent();
                     doc = {
+                        id_user: idUser,
                         id_client: resolvedClientId,
                         id_app: normalizeOptionalString(input.id_app),
                         title: 'New Conversation',
@@ -20381,7 +20610,7 @@ function estimateUsage(messages, responseText, model) {
     };
 }
 function evaluateGuardrails(message) {
-    var e_56, _a;
+    var e_57, _a;
     var normalized = String(message || '').toLowerCase();
     var identityGuardrail = evaluateAssistantIdentityDisclosureGuardrail(normalized);
     if (identityGuardrail === null || identityGuardrail === void 0 ? void 0 : identityGuardrail.blocked) {
@@ -20407,12 +20636,12 @@ function evaluateGuardrails(message) {
             }
         }
     }
-    catch (e_56_1) { e_56 = { error: e_56_1 }; }
+    catch (e_57_1) { e_57 = { error: e_57_1 }; }
     finally {
         try {
             if (patterns_3_1 && !patterns_3_1.done && (_a = patterns_3.return)) _a.call(patterns_3);
         }
-        finally { if (e_56) throw e_56.error; }
+        finally { if (e_57) throw e_57.error; }
     }
     return null;
 }