@treeseed/core 0.8.3 → 0.8.4

package/dist/api/agent-routes.js

@@ -1,327 +0,0 @@
-import { listRegisteredAgentHandlers as listCoreRegisteredAgentHandlers } from "../agents/registry.js";
-import { buildTaskContext, enqueueTaskFromSdk } from "../services/common.js";
-import { jsonError, requireScope } from "./http.js";
-async function listRegisteredHandlers() {
-  return listCoreRegisteredAgentHandlers();
-}
-async function safeListRegisteredHandlers() {
-  try {
-    return {
-      handlers: await listRegisteredHandlers(),
-      error: null
-    };
-  } catch (error) {
-    return {
-      handlers: [],
-      error: error instanceof Error ? error.message : String(error)
-    };
-  }
-}
-function withPrefix(prefix, path) {
-  return `${prefix}${path}`.replace(/\/{2,}/g, "/");
-}
-function actor(body, fallback) {
-  return String(body.actor ?? fallback);
-}
-function authorizeRequest(c, options) {
-  const routeUnauthorized = options.authorize?.(c);
-  if (routeUnauthorized) {
-    return routeUnauthorized;
-  }
-  if (options.scope) {
-    return requireScope(c, options.scope);
-  }
-  return null;
-}
-function registerAgentRoutes(app, options) {
-  const prefix = options.prefix ?? "/agent";
-  const defaultActor = options.defaultActor ?? "api";
-  app.get(withPrefix(prefix, "/healthz"), async (c) => {
-    const registration = await safeListRegisteredHandlers();
-    return c.json({
-      ok: true,
-      service: "treeseed-agent-api",
-      handlerCount: registration.handlers.length,
-      registrationError: registration.error
-    });
-  });
-  app.get(withPrefix(prefix, "/specs"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const payload = await options.sdk.listAgentSpecs({ enabled: true });
-    return c.json({
-      ok: true,
-      payload,
-      handlers: await listRegisteredHandlers()
-    });
-  });
-  app.post(withPrefix(prefix, "/workdays/start"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    return jsonError(c, 410, "Starting workdays through /agent/workdays/start is deprecated. Use project workday policy and workday requests instead.");
-  });
-  app.post(withPrefix(prefix, "/workdays/:id/close"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const result = await options.sdk.closeWorkDay({
-      id: c.req.param("id"),
-      state: body.state,
-      summary: body.summary ?? null,
-      actor: actor(body, defaultActor)
-    });
-    return result.payload ? c.json(result) : jsonError(c, 404, "Unknown work day.");
-  });
-  app.post(withPrefix(prefix, "/tasks"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const result = await options.sdk.createTask({
-      id: typeof body.id === "string" ? body.id : void 0,
-      workDayId: String(body.workDayId ?? ""),
-      agentId: String(body.agentId ?? ""),
-      type: String(body.type ?? ""),
-      state: typeof body.state === "string" ? body.state : "pending",
-      priority: body.priority === void 0 ? void 0 : Number(body.priority),
-      idempotencyKey: String(body.idempotencyKey ?? ""),
-      payload: body.payload ?? {},
-      payloadHash: typeof body.payloadHash === "string" ? body.payloadHash : null,
-      maxAttempts: body.maxAttempts === void 0 ? void 0 : Number(body.maxAttempts),
-      availableAt: typeof body.availableAt === "string" ? body.availableAt : void 0,
-      graphVersion: typeof body.graphVersion === "string" ? body.graphVersion : null,
-      parentTaskId: typeof body.parentTaskId === "string" ? body.parentTaskId : null,
-      actor: actor(body, defaultActor)
-    });
-    return c.json(result);
-  });
-  app.post(withPrefix(prefix, "/tasks/search"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const result = await options.sdk.searchTasks({
-      workDayId: typeof body.workDayId === "string" ? body.workDayId : void 0,
-      agentId: typeof body.agentId === "string" ? body.agentId : void 0,
-      state: Array.isArray(body.state) || typeof body.state === "string" ? body.state : void 0,
-      limit: body.limit === void 0 ? void 0 : Number(body.limit)
-    });
-    return c.json(result);
-  });
-  app.post(withPrefix(prefix, "/tasks/:id/claim"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const result = await options.sdk.claimTask({
-      id: c.req.param("id"),
-      workerId: String(body.workerId ?? "worker"),
-      leaseSeconds: Number(body.leaseSeconds ?? 120),
-      actor: actor(body, defaultActor)
-    });
-    return result.payload ? c.json(result) : jsonError(c, 404, "Unknown task.");
-  });
-  app.post(withPrefix(prefix, "/tasks/:id/progress"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const result = await options.sdk.recordTaskProgress({
-      id: c.req.param("id"),
-      workerId: typeof body.workerId === "string" ? body.workerId : null,
-      state: typeof body.state === "string" ? body.state : void 0,
-      appendEvent: body.appendEvent,
-      patch: body.patch,
-      actor: actor(body, defaultActor)
-    });
-    return result.payload ? c.json(result) : jsonError(c, 404, "Unknown task.");
-  });
-  app.post(withPrefix(prefix, "/tasks/:id/complete"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const result = await options.sdk.completeTask({
-      id: c.req.param("id"),
-      output: body.output ?? null,
-      outputRef: typeof body.outputRef === "string" ? body.outputRef : null,
-      summary: body.summary ?? null,
-      actor: actor(body, defaultActor)
-    });
-    return result.payload ? c.json(result) : jsonError(c, 404, "Unknown task.");
-  });
-  app.post(withPrefix(prefix, "/tasks/:id/fail"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const result = await options.sdk.failTask({
-      id: c.req.param("id"),
-      errorCode: typeof body.errorCode === "string" ? body.errorCode : null,
-      errorMessage: String(body.errorMessage ?? "Task failed"),
-      retryable: Boolean(body.retryable),
-      nextVisibleAt: typeof body.nextVisibleAt === "string" ? body.nextVisibleAt : null,
-      actor: actor(body, defaultActor)
-    });
-    return result.payload ? c.json(result) : jsonError(c, 404, "Unknown task.");
-  });
-  app.post(withPrefix(prefix, "/tasks/:id/requeue"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    try {
-      return c.json(await enqueueTaskFromSdk(options.sdk, {
-        taskId: c.req.param("id"),
-        queueName: typeof body.queueName === "string" ? body.queueName : void 0,
-        deliveryDelaySeconds: body.delaySeconds === void 0 ? void 0 : Number(body.delaySeconds),
-        actor: actor(body, defaultActor)
-      }));
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      return jsonError(c, /Unknown task/.test(message) ? 404 : /Queue producer/.test(message) ? 501 : 500, message);
-    }
-  });
-  app.post(withPrefix(prefix, "/tasks/:id/followups"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const current = await options.sdk.get({ model: "task", id: c.req.param("id") });
-    if (!current.payload) {
-      return jsonError(c, 404, "Unknown task.");
-    }
-    const currentTask = current.payload;
-    const followups = Array.isArray(body.followups) ? body.followups : [];
-    const created = [];
-    for (const followup of followups) {
-      created.push(await options.sdk.createTask({
-        workDayId: String(followup.workDayId ?? currentTask.workDayId ?? ""),
-        agentId: String(followup.agentId ?? currentTask.agentId ?? ""),
-        type: String(followup.type ?? "followup"),
-        priority: followup.priority === void 0 ? void 0 : Number(followup.priority),
-        idempotencyKey: String(followup.idempotencyKey ?? `${c.req.param("id")}:${created.length}`),
-        payload: followup.payload ?? {},
-        graphVersion: typeof followup.graphVersion === "string" ? followup.graphVersion : null,
-        parentTaskId: c.req.param("id"),
-        actor: actor(followup, defaultActor)
-      }));
-    }
-    return c.json({ ok: true, payload: created.map((entry) => entry.payload) });
-  });
-  app.post(withPrefix(prefix, "/queue/enqueue"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    try {
-      return c.json(await enqueueTaskFromSdk(options.sdk, {
-        taskId: String(body.taskId ?? ""),
-        queueName: typeof body.queueName === "string" ? body.queueName : void 0,
-        deliveryDelaySeconds: body.deliveryDelaySeconds === void 0 ? void 0 : Number(body.deliveryDelaySeconds),
-        actor: actor(body, defaultActor)
-      }));
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      return jsonError(c, /Unknown task/.test(message) ? 404 : /Queue push client/.test(message) ? 501 : 500, message);
-    }
-  });
-  app.post(withPrefix(prefix, "/reports"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const result = await options.sdk.createReport({
-      id: typeof body.id === "string" ? body.id : void 0,
-      workDayId: String(body.workDayId ?? ""),
-      kind: String(body.kind ?? "workday_summary"),
-      body: body.body ?? {},
-      renderedRef: typeof body.renderedRef === "string" ? body.renderedRef : null,
-      sentAt: typeof body.sentAt === "string" ? body.sentAt : null,
-      actor: actor(body, defaultActor)
-    });
-    return c.json(result);
-  });
-  app.post(withPrefix(prefix, "/context/resolve-task"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    return c.json({
-      ok: true,
-      payload: await buildTaskContext(options.sdk, String(body.taskId ?? ""))
-    });
-  });
-  app.post(withPrefix(prefix, "/graph/search"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const query = String(body.query ?? "");
-    const scope = String(body.scope ?? "sections");
-    const payload = scope === "files" ? await options.sdk.searchFiles(query, body.options) : scope === "entities" ? await options.sdk.searchEntities(query, body.options) : await options.sdk.searchSections(query, body.options);
-    return c.json({ ok: true, payload });
-  });
-  app.post(withPrefix(prefix, "/graph/subgraph"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const payload = await options.sdk.getSubgraph(
-      Array.isArray(body.seedIds) ? body.seedIds.map(String) : [],
-      body.options
-    );
-    return c.json({ ok: true, payload });
-  });
-  app.post(withPrefix(prefix, "/graph/query"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const payload = await options.sdk.queryGraph(body);
-    if (typeof body.workDayId === "string" && body.workDayId) {
-      await options.sdk.create({
-        model: "graph_run",
-        data: {
-          workDayId: body.workDayId,
-          corpusHash: String(body.corpusHash ?? "query-graph"),
-          graphVersion: String(body.graphVersion ?? ""),
-          queryJson: JSON.stringify(body),
-          seedIdsJson: JSON.stringify(payload.seedIds),
-          selectedNodeIdsJson: JSON.stringify(payload.nodes.map((entry) => entry.node.id)),
-          statsJson: JSON.stringify({ nodeCount: payload.nodes.length, edgeCount: payload.edges.length })
-        },
-        actor: actor(body, defaultActor)
-      });
-    }
-    return c.json({ ok: true, payload });
-  });
-  app.post(withPrefix(prefix, "/graph/context-pack"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const payload = await options.sdk.buildContextPack(body);
-    if (typeof body.workDayId === "string" && body.workDayId) {
-      await options.sdk.create({
-        model: "graph_run",
-        data: {
-          workDayId: body.workDayId,
-          corpusHash: String(body.corpusHash ?? "context-pack"),
-          graphVersion: String(body.graphVersion ?? ""),
-          queryJson: JSON.stringify(body),
-          seedIdsJson: JSON.stringify(payload.seedIds),
-          selectedNodeIdsJson: JSON.stringify(payload.includedNodeIds),
-          statsJson: JSON.stringify({
-            nodeCount: payload.nodes.length,
-            edgeCount: payload.edges.length,
-            totalTokenEstimate: payload.totalTokenEstimate
-          })
-        },
-        actor: actor(body, defaultActor)
-      });
-    }
-    return c.json({ ok: true, payload });
-  });
-  app.post(withPrefix(prefix, "/graph/parse-dsl"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    const payload = await options.sdk.parseGraphDsl(String(body.source ?? body.query ?? ""));
-    return c.json({ ok: true, payload });
-  });
-  app.get(withPrefix(prefix, "/graph/node/:id"), async (c) => {
-    const unauthorized = authorizeRequest(c, options);
-    if (unauthorized) return unauthorized;
-    const payload = await options.sdk.getGraphNode(c.req.param("id"));
-    return payload ? c.json({ ok: true, payload }) : jsonError(c, 404, "Unknown graph node.");
-  });
-}
-export {
-  registerAgentRoutes
-};

package/dist/api/app.d.ts

@@ -1,5 +0,0 @@
-import { Hono } from 'hono';
-import type { ApiServerOptions, AppVariables } from './types.ts';
-export declare function createTreeseedApiApp(options?: ApiServerOptions): Hono<{
-    Variables: AppVariables;
-}, import("hono/types").BlankSchema, "/">;

package/dist/api/app.js

@@ -1,361 +0,0 @@
-import crypto from "node:crypto";
-import { AgentSdk, TREESEED_REMOTE_CONTRACT_HEADER, TREESEED_REMOTE_CONTRACT_VERSION } from "@treeseed/sdk";
-import { Hono } from "hono";
-import { registerAgentRoutes } from "./agent-routes.js";
-import { resolveApiConfig } from "./config.js";
-import { bearerTokenFromRequest, jsonError, requirePermission, requireScope } from "./http.js";
-import { registerOperationRoutes } from "./operations-routes.js";
-import { resolveApiRuntimeProviders } from "./providers.js";
-import { registerProjectRoutes } from "./project-routes.js";
-import { registerSdkRoutes } from "./sdk-routes.js";
-import { loadTemplateCatalog } from "./templates.js";
-function mergeApiOptions(options) {
-  const baseConfig = resolveApiConfig();
-  return {
-    config: {
-      ...baseConfig,
-      ...options.config ?? {},
-      providers: {
-        ...baseConfig.providers,
-        ...options.config?.providers ?? {},
-        agents: {
-          ...baseConfig.providers.agents,
-          ...options.config?.providers?.agents ?? {}
-        }
-      }
-    },
-    surfaces: {
-      auth: true,
-      templates: true,
-      sdk: true,
-      agent: true,
-      operations: true,
-      project: true,
-      ...options.surfaces ?? {}
-    },
-    scopes: {
-      authMe: "auth:me",
-      sdk: "sdk",
-      agent: "agent",
-      operations: "operations",
-      ...options.scopes ?? {}
-    }
-  };
-}
-function normalizePrefix(prefix) {
-  if (!prefix?.trim()) return "";
-  const normalized = prefix.trim().replace(/\/+$/u, "");
-  return normalized.startsWith("/") ? normalized : `/${normalized}`;
-}
-function principalScopes(permissions) {
-  const scopes = /* @__PURE__ */ new Set(["auth:me"]);
-  if (permissions.includes("*:*:*") || permissions.includes("sdk:execute:global")) scopes.add("sdk");
-  if (permissions.includes("*:*:*") || permissions.includes("agent:execute:global")) scopes.add("agent");
-  if (permissions.includes("*:*:*") || permissions.includes("operations:execute:global")) scopes.add("operations");
-  return [...scopes];
-}
-function buildProjectApiPrincipal(config) {
-  return {
-    id: `project:${config.projectId}`,
-    displayName: config.projectApiLabel,
-    roles: ["project_api"],
-    permissions: [...config.projectApiPermissions],
-    scopes: principalScopes(config.projectApiPermissions),
-    metadata: {
-      projectId: config.projectId
-    }
-  };
-}
-function matchesProjectApiKey(token, projectApiKey) {
-  if (!projectApiKey) return false;
-  const left = Buffer.from(token);
-  const right = Buffer.from(projectApiKey);
-  return left.length === right.length && crypto.timingSafeEqual(left, right);
-}
-function createTreeseedApiApp(options = {}) {
-  const resolved = mergeApiOptions(options);
-  const runtimeProviders = resolveApiRuntimeProviders(resolved.config, options.runtimeProviders);
-  const sharedSdk = options.sdk ?? new AgentSdk({ repoRoot: resolved.config.repoRoot });
-  const app = new Hono();
-  const internalPrefix = normalizePrefix(options.internalPrefix);
-  app.use("*", async (c, next) => {
-    c.set("requestId", crypto.randomUUID());
-    c.set("config", resolved.config);
-    c.set("principal", null);
-    c.set("actingUser", null);
-    c.set("credential", null);
-    c.set("actorType", "anonymous");
-    c.set("permissionGrants", []);
-    c.header(TREESEED_REMOTE_CONTRACT_HEADER, String(TREESEED_REMOTE_CONTRACT_VERSION));
-    await next();
-  });
-  app.use("*", async (c, next) => {
-    const serviceId = c.req.header("x-treeseed-service-id");
-    const serviceSecret = c.req.header("x-treeseed-service-secret");
-    if (serviceId && serviceSecret) {
-      const result = await runtimeProviders.auth.authenticateServiceCredential(serviceId, serviceSecret);
-      if (!result) {
-        return jsonError(c, 401, "Invalid internal service credential.");
-      }
-      c.set("principal", result.principal);
-      c.set("credential", result.credential);
-      c.set("actorType", "service");
-      c.set("permissionGrants", result.principal.permissions);
-    }
-    await next();
-  });
-  app.use("*", async (c, next) => {
-    const token = bearerTokenFromRequest(c.req.raw);
-    if (token) {
-      if (matchesProjectApiKey(token, resolved.config.projectApiKey)) {
-        const principal = buildProjectApiPrincipal(resolved.config);
-        c.set("principal", principal);
-        c.set("credential", {
-          type: "project_api_key",
-          id: resolved.config.projectId,
-          label: resolved.config.projectApiLabel
-        });
-        c.set("actorType", "project");
-        c.set("permissionGrants", principal.permissions);
-        await next();
-        return;
-      }
-      const result = await runtimeProviders.auth.authenticateBearerToken(token);
-      if (result) {
-        c.set("principal", result.principal);
-        c.set("credential", result.credential);
-        c.set("actorType", result.credential.type === "service_token" ? "service" : "user");
-        c.set("permissionGrants", result.principal.permissions);
-      }
-    }
-    await next();
-  });
-  app.use("*", async (c, next) => {
-    const assertion = c.req.header("x-treeseed-user-assertion");
-    if (c.get("actorType") === "service" && assertion) {
-      const claims = runtimeProviders.auth.verifyTrustedUserAssertion(assertion);
-      if (!claims) {
-        return jsonError(c, 401, "Invalid trusted user assertion.");
-      }
-      const exchange = await runtimeProviders.auth.exchangeTrustedUserAssertion(claims);
-      c.set("actingUser", exchange.principal);
-      c.set("principal", exchange.principal);
-      c.set("actorType", "user");
-      c.set("permissionGrants", exchange.principal.permissions);
-    }
-    await next();
-  });
-  app.get("/healthz", (c) => c.json({
-    ok: true,
-    service: resolved.config.name,
-    status: "ok",
-    requestId: c.get("requestId")
-  }));
-  app.get("/readyz", (c) => c.json({
-    ok: true,
-    ready: true,
-    providers: runtimeProviders.selections,
-    surfaces: resolved.surfaces
-  }));
-  if (resolved.surfaces.templates) {
-    app.get("/templates", (c) => c.json(loadTemplateCatalog(resolved.config)));
-    app.get("/search/templates", (c) => c.json(loadTemplateCatalog(resolved.config)));
-    app.get("/templates/:id", (c) => {
-      const catalog = loadTemplateCatalog(resolved.config);
-      const item = catalog.items.find((entry) => entry.id === c.req.param("id"));
-      return item ? c.json({ ok: true, payload: item }) : jsonError(c, 404, `Unknown template "${c.req.param("id")}".`);
-    });
-  }
-  if (resolved.surfaces.auth) {
-    app.post("/auth/device/start", async (c) => {
-      const body = await c.req.json().catch(() => ({}));
-      return c.json(await runtimeProviders.auth.startDeviceFlow(body));
-    });
-    app.post("/auth/device/poll", async (c) => {
-      const body = await c.req.json().catch(() => ({}));
-      const response = await runtimeProviders.auth.pollDeviceFlow(body);
-      return c.json(response, { status: response.ok ? 200 : response.status === "expired" ? 410 : 400 });
-    });
-    app.post("/auth/device/approve", async (c) => {
-      const body = await c.req.json().catch(() => ({}));
-      try {
-        return c.json(await runtimeProviders.auth.approveDeviceFlow(body));
-      } catch (error) {
-        return jsonError(c, 400, error instanceof Error ? error.message : String(error));
-      }
-    });
-    app.post("/auth/token/refresh", async (c) => {
-      const body = await c.req.json().catch(() => ({}));
-      try {
-        return c.json(await runtimeProviders.auth.refreshAccessToken(body));
-      } catch (error) {
-        return jsonError(c, 401, error instanceof Error ? error.message : String(error));
-      }
-    });
-    app.get("/auth/me", (c) => {
-      const unauthorized = requireScope(c, resolved.scopes.authMe);
-      if (unauthorized) return unauthorized;
-      return c.json({
-        ok: true,
-        payload: c.get("principal")
-      });
-    });
-    app.post("/auth/pat", async (c) => {
-      const unauthorized = requirePermission(c, "api_tokens:create:self");
-      if (unauthorized) return unauthorized;
-      const principal = c.get("principal");
-      const body = await c.req.json().catch(() => ({}));
-      if (!body.name?.trim() || !principal) {
-        return jsonError(c, 400, "Token name is required.");
-      }
-      return c.json({
-        ok: true,
-        payload: await runtimeProviders.auth.createPersonalAccessToken(principal.id, {
-          name: body.name.trim(),
-          scopes: body.scopes,
-          expiresAt: body.expiresAt ?? null
-        })
-      });
-    });
-    app.get("/auth/pat", async (c) => {
-      const unauthorized = requirePermission(c, "api_tokens:read:self");
-      if (unauthorized) return unauthorized;
-      const principal = c.get("principal");
-      if (!principal) return jsonError(c, 401, "Authentication required.");
-      return c.json({
-        ok: true,
-        payload: await runtimeProviders.auth.listPersonalAccessTokens(principal.id)
-      });
-    });
-    app.delete("/auth/pat/:id", async (c) => {
-      const unauthorized = requirePermission(c, "api_tokens:delete:self");
-      if (unauthorized) return unauthorized;
-      const principal = c.get("principal");
-      if (!principal) return jsonError(c, 401, "Authentication required.");
-      await runtimeProviders.auth.revokePersonalAccessToken(principal.id, c.req.param("id"));
-      return c.json({ ok: true });
-    });
-    app.post("/auth/admin/users", async (c) => {
-      const unauthorized = requirePermission(c, "users:manage:global");
-      if (unauthorized) return unauthorized;
-      if (!runtimeProviders.auth.createUser) {
-        return jsonError(c, 501, "User management is unavailable for this auth provider.");
-      }
-      const body = await c.req.json().catch(() => ({}));
-      return c.json({
-        ok: true,
-        payload: await runtimeProviders.auth.createUser({
-          email: body.email ?? null,
-          displayName: body.displayName ?? null,
-          metadata: typeof body.metadata === "object" && body.metadata ? body.metadata : {}
-        })
-      });
-    });
-    app.post("/auth/admin/users/:userId/roles", async (c) => {
-      const unauthorized = requirePermission(c, "roles:manage:global");
-      if (unauthorized) return unauthorized;
-      if (!runtimeProviders.auth.setUserRoles) {
-        return jsonError(c, 501, "Role management is unavailable for this auth provider.");
-      }
-      const body = await c.req.json().catch(() => ({}));
-      const roles = Array.isArray(body.roles) ? body.roles.map(String) : [];
-      return c.json({
-        ok: true,
-        payload: await runtimeProviders.auth.setUserRoles(c.req.param("userId"), roles)
-      });
-    });
-  }
-  app.post("/internal/auth/web/sync-user", async (c) => {
-    if (c.get("actorType") !== "service") {
-      return jsonError(c, 401, "Trusted service authentication required.");
-    }
-    const unauthorized = requirePermission(c, "services:impersonate:global");
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    return c.json({
-      ok: true,
-      payload: await runtimeProviders.auth.syncUserIdentity(body)
-    });
-  });
-  app.post("/internal/auth/web/exchange", async (c) => {
-    if (c.get("actorType") !== "service") {
-      return jsonError(c, 401, "Trusted service authentication required.");
-    }
-    const unauthorized = requirePermission(c, "services:impersonate:global");
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    return c.json(await runtimeProviders.auth.exchangeTrustedUserAssertion(body));
-  });
-  app.post("/internal/auth/service/token", async (c) => {
-    const unauthorized = requirePermission(c, "services:manage:global");
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    if (!body.serviceId?.trim() || !body.name?.trim()) {
-      return jsonError(c, 400, "serviceId and name are required.");
-    }
-    return c.json({
-      ok: true,
-      payload: await runtimeProviders.auth.createServiceToken({
-        serviceId: body.serviceId.trim(),
-        name: body.name.trim(),
-        roles: body.roles,
-        permissions: body.permissions
-      })
-    });
-  });
-  app.post("/internal/auth/service/rotate", async (c) => {
-    const unauthorized = requirePermission(c, "services:manage:global");
-    if (unauthorized) return unauthorized;
-    const body = await c.req.json().catch(() => ({}));
-    if (!body.serviceId?.trim()) {
-      return jsonError(c, 400, "serviceId is required.");
-    }
-    return c.json({
-      ok: true,
-      payload: await runtimeProviders.auth.rotateServiceToken(body.serviceId.trim())
-    });
-  });
-  if (resolved.surfaces.sdk) {
-    registerSdkRoutes(app, {
-      config: resolved.config,
-      sharedSdk,
-      scope: resolved.scopes.sdk,
-      prefix: internalPrefix
-    });
-  }
-  if (resolved.surfaces.agent) {
-    registerAgentRoutes(app, {
-      sdk: sharedSdk,
-      prefix: `${internalPrefix}/agent`,
-      scope: resolved.scopes.agent,
-      projectId: resolved.config.projectId,
-      defaultActor: "api"
-    });
-  }
-  if (resolved.surfaces.operations) {
-    registerOperationRoutes(app, {
-      config: resolved.config,
-      scope: resolved.scopes.operations,
-      prefix: internalPrefix,
-      sdk: sharedSdk,
-      executeOperation: options.workflowExecutor
-    });
-  }
-  if (resolved.surfaces.project) {
-    registerProjectRoutes(app, {
-      config: resolved.config,
-      sharedSdk
-    });
-  }
-  options.extendApp?.(app, {
-    resolved,
-    runtimeProviders,
-    sharedSdk,
-    internalPrefix
-  });
-  app.notFound((c) => jsonError(c, 404, "Not found."));
-  return app;
-}
-export {
-  createTreeseedApiApp
-};