@tt-a1i/hive 1.7.0 → 2.0.2

package/dist/src/server/routes-team-recall.js

@@ -0,0 +1,119 @@
+import { RECALL_QUERY_MAX_CHARS } from '../shared/team-recall.js';
+import { BadRequestError } from './http-errors.js';
+import { readJsonBody, route, sendJson } from './route-helpers.js';
+import { authenticateCliAgent, requireCommandForRole } from './team-authz.js';
+const DEFAULT_RECALL_LIMIT = 10;
+const requireNonEmptyString = (value, field) => {
+    if (typeof value !== 'string' || value.trim().length === 0) {
+        throw new BadRequestError(`Missing ${field}`);
+    }
+    const trimmed = value.trim();
+    if (field === 'query' && [...trimmed].length > RECALL_QUERY_MAX_CHARS) {
+        throw new BadRequestError(`query must be ${RECALL_QUERY_MAX_CHARS} characters or fewer`);
+    }
+    return trimmed;
+};
+const optionalNonNegativeInteger = (value, field) => {
+    if (value === undefined)
+        return undefined;
+    if (!Number.isInteger(value) || Number(value) < 0) {
+        throw new BadRequestError(`${field} must be a non-negative integer`);
+    }
+    return Number(value);
+};
+const serializeContext = (item) => ({
+    created_at: item.createdAt,
+    from_agent_id: item.fromAgentId,
+    source_sequence: item.sourceSequence,
+    text: item.text,
+    to_agent_id: item.toAgentId,
+    type: item.type,
+    worker_id: item.workerId,
+});
+const serializeRecallResult = (result) => ({
+    context: result.context.map(serializeContext),
+    created_at: result.createdAt,
+    dispatch_id: result.dispatchId,
+    dispatch_status: result.dispatchStatus,
+    from_agent_id: result.fromAgentId,
+    index_name: result.indexName,
+    memory_confidence: result.memoryConfidence ?? null,
+    memory_id: result.memoryId ?? null,
+    memory_kind: result.memoryKind ?? null,
+    memory_status: result.memoryStatus ?? null,
+    memory_tags: result.memoryTags ?? [],
+    message_type: result.messageType,
+    report_text: result.reportText,
+    score: result.score,
+    source_sequence: result.sourceSequence,
+    source_type: result.sourceType,
+    text: result.text,
+    to_agent_id: result.toAgentId,
+    worker_id: result.workerId,
+});
+const memoryToRecallResult = (memory) => ({
+    context: memory.sources.map((source) => ({
+        createdAt: source.createdAt,
+        fromAgentId: source.actorAgentIdSnapshot,
+        sourceSequence: source.sourceSequence ?? 0,
+        text: source.excerpt ?? '',
+        toAgentId: null,
+        type: source.sourceType,
+        workerId: source.actorAgentIdSnapshot ?? '',
+    })),
+    createdAt: memory.updatedAt,
+    dispatchId: null,
+    dispatchStatus: null,
+    fromAgentId: null,
+    indexName: memory.indexName,
+    memoryConfidence: memory.confidence,
+    memoryId: memory.id,
+    memoryKind: memory.kind,
+    memoryStatus: memory.status,
+    memoryTags: memory.tags,
+    messageType: null,
+    reportText: null,
+    score: memory.score,
+    sourceSequence: 0,
+    sourceType: 'memory',
+    text: memory.body,
+    toAgentId: null,
+    workerId: null,
+});
+export const teamRecallRoutes = [
+    route('POST', '/api/team/recall', async ({ request, response, store }) => {
+        const body = await readJsonBody(request);
+        const projectId = requireNonEmptyString(body.project_id, 'project_id');
+        const fromAgentId = requireNonEmptyString(body.from_agent_id, 'from_agent_id');
+        const query = requireNonEmptyString(body.query, 'query');
+        const token = typeof body.token === 'string' ? body.token : undefined;
+        const agent = authenticateCliAgent({
+            fromAgentId,
+            getAgent: store.getAgent,
+            token,
+            validateToken: store.validateAgentToken,
+            workspaceId: projectId,
+        });
+        requireCommandForRole(agent, 'recall');
+        const limit = optionalNonNegativeInteger(body.limit, 'limit');
+        const window = optionalNonNegativeInteger(body.window, 'window');
+        const recallResults = store.recallMessages(projectId, query, {
+            ...(limit !== undefined ? { limit } : {}),
+            ...(window !== undefined ? { window } : {}),
+        });
+        const memoryResults = store
+            .searchMemoryEntries(projectId, query, {
+            ...(limit !== undefined ? { limit } : {}),
+            statuses: ['active'],
+        })
+            .map(memoryToRecallResult);
+        const combined = [...recallResults, ...memoryResults]
+            .sort((a, b) => a.score - b.score || b.createdAt - a.createdAt)
+            .slice(0, limit ?? DEFAULT_RECALL_LIMIT);
+        sendJson(response, 200, {
+            ok: true,
+            query,
+            results: combined.map(serializeRecallResult),
+        });
+    }),
+];

package/dist/src/server/routes-team.js

@@ -26,6 +26,26 @@ const requireNonEmptyString = (value, field) => {
     return value;
 };
 const getArtifacts = (value) => Array.isArray(value) ? value.filter((item) => typeof item === 'string') : [];
+const REPORT_STATUSES = new Set(['success', 'failed']);
+const getReportStatus = (value) => {
+    if (value === undefined)
+        return undefined;
+    if (typeof value !== 'string' || !REPORT_STATUSES.has(value)) {
+        throw new BadRequestError('Invalid status; expected success or failed');
+    }
+    return value;
+};
+const resolveSpawnLaunchConfig = (store, cli) => {
+    if (cli === undefined || cli === null || cli === '') {
+        return (resolveCommandPresetLaunchConfig(store.settings, 'claude') ?? { command: 'claude', args: [] });
+    }
+    const cliId = requireNonEmptyString(cli, 'cli');
+    const launchConfig = resolveCommandPresetLaunchConfig(store.settings, cliId);
+    if (!launchConfig) {
+        throw new BadRequestError(`Unsupported cli '${cliId}'`);
+    }
+    return launchConfig;
+};
 export const teamRoutes = [
     route('POST', '/api/team/send', async ({ request, response, store }) => {
         const body = await readJsonBody(request);
@@ -42,14 +62,13 @@ export const teamRoutes = [
         });
         requireCommandForRole(agent, 'send');
         const dispatch = await store.dispatchTaskByWorkerName(projectId, to, text, {
+            autoStartWorker: false,
             fromAgentId,
             hivePort: String(request.socket.localPort ?? ''),
         });
-        /* `restarted_worker` makes the silent auto-wake transparent — when
-           the worker had no active run at dispatch time, ensureWorkerRun
-           spawned a fresh PTY for it. The orchestrator's CLI prints a
-           stderr notice on this flag so the agent can explain the wake-up
-           to the user instead of being out of sync with worker state. */
+        /* The user-facing team send route queues work for stopped workers without
+           auto-starting them; internal workflow dispatches may still surface
+           restarted_worker when they intentionally wake a worker. */
         sendJson(response, 202, {
             dispatch_id: dispatch.id,
             ok: true,
@@ -72,8 +91,7 @@ export const teamRoutes = [
         const name = typeof body.name === 'string' && body.name.trim().length > 0
             ? body.name.trim()
             : `${role}-${randomUUID()}`;
-        const launchConfig = (body.cli ? resolveCommandPresetLaunchConfig(store.settings, body.cli) : undefined) ??
-            { command: body.cli ?? 'claude', args: [] };
+        const launchConfig = resolveSpawnLaunchConfig(store, body.cli);
         // M11: default is persistent (acts like a normal member); --ephemeral
         // opts into auto-dismiss-after-first-report (mirrors workflow workers,
         // but orchestrator-spawned). Existing M1-D cascade-on-orchestrator-exit
@@ -289,16 +307,18 @@ export const teamRoutes = [
             requireActiveRun: true,
             text: resultText,
         };
-        if (typeof body.status === 'string') {
+        const status = getReportStatus(body.status);
+        if (status !== undefined) {
             const result = store.reportTask(projectId, fromAgentId, {
                 ...reportInput,
-                status: body.status,
+                status,
             });
             sendJson(response, 202, {
                 dispatch_id: result.dispatch?.id ?? null,
                 forward_error: result.forwardError,
                 forwarded: result.forwarded,
                 ok: true,
+                ...(result.pendingWarning ? { pending_warning: result.pendingWarning } : {}),
             });
             return;
         }
@@ -309,6 +329,7 @@ export const teamRoutes = [
                 forward_error: result.forwardError,
                 forwarded: result.forwarded,
                 ok: true,
+                ...(result.pendingWarning ? { pending_warning: result.pendingWarning } : {}),
             });
             return;
         }
@@ -336,6 +357,7 @@ export const teamRoutes = [
             forward_error: result.forwardError,
             forwarded: result.forwarded,
             ok: true,
+            ...(result.pendingWarning ? { pending_warning: result.pendingWarning } : {}),
         });
         return;
     }),

package/dist/src/server/routes-ui.js

@@ -1,6 +1,16 @@
+import { ForbiddenError } from './http-errors.js';
 import { route, sendJson } from './route-helpers.js';
 export const uiRoutes = [
-    route('GET', '/api/ui/session', ({ response, store }) => {
+    route('GET', '/api/ui/session', ({ request, response, store }) => {
+        // HARDEN (defense in depth, layer 3): this route mints the master
+        // hive_ui_token cookie, the single credential for every /api/* route + WS
+        // upgrade. The bridge whitelist already hard-denies /api/ui/session, but if
+        // that ever regresses, a tunnel-tagged request must STILL never mint a
+        // cookie for a remote device. The tunnel is authorized by the per-boot
+        // secret, so it has zero need for the UI cookie — refuse it outright.
+        if (store.authorizeRemoteTunnelRequest(request)) {
+            throw new ForbiddenError('UI session cookie is not available over the remote tunnel');
+        }
         response.setHeader('set-cookie', `hive_ui_token=${store.getUiToken()}; Path=/; HttpOnly; SameSite=Strict`);
         sendJson(response, 200, { ok: true });
     }),

package/dist/src/server/routes-workflow-schedules.js

@@ -8,7 +8,7 @@ import { serializeWorkflowSchedule } from './workflow-http-serializers.js';
 // no human create route here.
 export const workflowScheduleRoutes = [
     route('GET', '/api/workspaces/:workspaceId/workflow-schedules', ({ params, request, response, store }) => {
-        requireUiTokenFromRequest(request, store.validateUiToken);
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
         const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
         if (!workspaceId)
             return;
@@ -17,7 +17,7 @@ export const workflowScheduleRoutes = [
         });
     }),
     route('PATCH', '/api/workflow-schedules/:scheduleId', async ({ params, request, response, store }) => {
-        requireUiTokenFromRequest(request, store.validateUiToken);
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
         const scheduleId = getRequiredParam(response, params, 'scheduleId', 'Missing scheduleId');
         if (!scheduleId)
             return;
@@ -43,7 +43,7 @@ export const workflowScheduleRoutes = [
         });
     }),
     route('DELETE', '/api/workflow-schedules/:scheduleId', ({ params, request, response, store }) => {
-        requireUiTokenFromRequest(request, store.validateUiToken);
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
         const scheduleId = getRequiredParam(response, params, 'scheduleId', 'Missing scheduleId');
         if (!scheduleId)
             return;

package/dist/src/server/routes-workflows.js

@@ -8,7 +8,7 @@ import { serializeWorkflowDispatch, serializeWorkflowRun } from './workflow-http
 // start-by-path, template-install, or source-editor route.
 export const workflowRoutes = [
     route('GET', '/api/workspaces/:workspaceId/workflows/runs', ({ params, request, response, store }) => {
-        requireUiTokenFromRequest(request, store.validateUiToken);
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
         const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
         if (!workspaceId)
             return;
@@ -17,7 +17,7 @@ export const workflowRoutes = [
         });
     }),
     route('GET', '/api/workflows/runs/:runId', ({ params, request, response, store }) => {
-        requireUiTokenFromRequest(request, store.validateUiToken);
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
         const runId = getRequiredParam(response, params, 'runId', 'Missing runId');
         if (!runId)
             return;
@@ -29,7 +29,7 @@ export const workflowRoutes = [
         sendJson(response, 200, { run: serializeWorkflowRun(run) });
     }),
     route('POST', '/api/workflows/runs/:runId/stop', ({ params, request, response, store }) => {
-        requireUiTokenFromRequest(request, store.validateUiToken);
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
         const runId = getRequiredParam(response, params, 'runId', 'Missing runId');
         if (!runId)
             return;
@@ -45,7 +45,7 @@ export const workflowRoutes = [
         });
     }),
     route('GET', '/api/workflows/runs/:runId/dispatches', ({ params, request, response, store }) => {
-        requireUiTokenFromRequest(request, store.validateUiToken);
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
         const runId = getRequiredParam(response, params, 'runId', 'Missing runId');
         if (!runId)
             return;
@@ -70,7 +70,7 @@ export const workflowRoutes = [
     /* TIER 2 #3 — narrator lane. Drawer polls this alongside dispatches.
        Same auth path; same 404 semantics. */
     route('GET', '/api/workflows/runs/:runId/logs', ({ params, request, response, store }) => {
-        requireUiTokenFromRequest(request, store.validateUiToken);
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
         const runId = getRequiredParam(response, params, 'runId', 'Missing runId');
         if (!runId)
             return;

package/dist/src/server/routes-workspace-memory-dreams.d.ts

@@ -0,0 +1,2 @@
+import type { RouteDefinition } from './route-types.js';
+export declare const workspaceMemoryDreamRoutes: RouteDefinition[];

package/dist/src/server/routes-workspace-memory-dreams.js

@@ -0,0 +1,105 @@
+import { BadRequestError, ConflictError } from './http-errors.js';
+import { getRequiredParam, readJsonBody, route, sendJson } from './route-helpers.js';
+import { serializeDreamRun } from './team-memory-dream-http-serializers.js';
+import { DreamRunAlreadyRunningError, DreamRunNotFoundError, DreamRunRevertDataError, DreamRunRevertStatusError, DreamWorkspaceMissingError, } from './team-memory-dream-store.js';
+import { readWorkspaceMemoryDreamEnabled, readWorkspaceMemoryEnabled, workspaceMemoryDreamEnabledKey, workspaceMemoryEnabledKey, } from './team-memory-feature.js';
+import { requireUiTokenFromRequest } from './ui-auth-helpers.js';
+const DREAM_RUN_LIST_MAX_LIMIT = 50;
+const requireWorkspace = (response, store, workspaceId) => {
+    if (store.listWorkspaces().some((workspace) => workspace.id === workspaceId))
+        return true;
+    sendJson(response, 404, { error: `Workspace not found: ${workspaceId}` });
+    return false;
+};
+const requireDreamEnabled = (store, workspaceId) => {
+    const memoryEnabled = readWorkspaceMemoryEnabled(store.settings.getAppState(workspaceMemoryEnabledKey(workspaceId))?.value);
+    const dreamEnabled = readWorkspaceMemoryDreamEnabled(store.settings.getAppState(workspaceMemoryDreamEnabledKey(workspaceId))?.value);
+    if (!memoryEnabled)
+        throw new ConflictError('Workspace memory is disabled');
+    if (!dreamEnabled)
+        throw new ConflictError('Workspace memory dream is disabled');
+};
+const hasRequestBody = (request) => {
+    const rawContentLength = request.headers['content-length'];
+    const contentLength = Array.isArray(rawContentLength) ? rawContentLength[0] : rawContentLength;
+    return contentLength !== undefined && Number(contentLength) > 0;
+};
+const parseLimit = (value) => {
+    if (value === null)
+        return 20;
+    if (!/^(0|[1-9][0-9]*)$/.test(value)) {
+        throw new BadRequestError('limit must be a non-negative integer');
+    }
+    return Math.min(Number(value), DREAM_RUN_LIST_MAX_LIMIT);
+};
+export const workspaceMemoryDreamRoutes = [
+    route('GET', '/api/ui/workspaces/:workspaceId/memory/dream-runs', ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        if (!workspaceId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        const url = new URL(request.url ?? '/', 'http://127.0.0.1');
+        const runs = store.listMemoryDreamRuns(workspaceId, parseLimit(url.searchParams.get('limit')));
+        sendJson(response, 200, { ok: true, runs: runs.map(serializeDreamRun) });
+    }),
+    route('POST', '/api/ui/workspaces/:workspaceId/memory/dream-runs', async ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        if (!workspaceId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        requireDreamEnabled(store, workspaceId);
+        if (hasRequestBody(request))
+            await readJsonBody(request);
+        try {
+            const run = await store.runMemoryDream(workspaceId);
+            sendJson(response, 200, { ok: true, run: serializeDreamRun(run) });
+        }
+        catch (error) {
+            if (error instanceof DreamRunAlreadyRunningError) {
+                sendJson(response, 409, { error: 'Workspace already has a running dream run' });
+                return;
+            }
+            if (error instanceof DreamWorkspaceMissingError) {
+                sendJson(response, 404, { error: `Workspace not found: ${error.workspaceId}` });
+                return;
+            }
+            throw error;
+        }
+    }),
+    route('POST', '/api/ui/workspaces/:workspaceId/memory/dream-runs/:runId/revert', async ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        const runId = getRequiredParam(response, params, 'runId', 'Missing runId');
+        if (!workspaceId || !runId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        if (hasRequestBody(request))
+            await readJsonBody(request);
+        try {
+            const run = store.revertMemoryDream(workspaceId, runId);
+            sendJson(response, 200, { ok: true, run: serializeDreamRun(run) });
+        }
+        catch (error) {
+            if (error instanceof DreamRunNotFoundError) {
+                sendJson(response, 404, { error: `Dream run not found: ${error.runId}` });
+                return;
+            }
+            if (error instanceof DreamRunRevertDataError) {
+                sendJson(response, 409, { error: 'Dream run cannot be reverted from stored data' });
+                return;
+            }
+            if (error instanceof DreamRunRevertStatusError) {
+                sendJson(response, 409, {
+                    error: `Dream run has status ${error.actualStatus}; expected ${error.expectedStatus}`,
+                });
+                return;
+            }
+            throw error;
+        }
+    }),
+];

package/dist/src/server/routes-workspace-memory.d.ts

@@ -0,0 +1,2 @@
+import type { RouteDefinition } from './route-types.js';
+export declare const workspaceMemoryRoutes: RouteDefinition[];

package/dist/src/server/routes-workspace-memory.js

@@ -0,0 +1,215 @@
+import { MEMORY_QUERY_MAX_CHARS, MEMORY_SEARCH_MAX_LIMIT } from '../shared/team-memory.js';
+import { BadRequestError } from './http-errors.js';
+import { getRequiredParam, readJsonBody, route, sendJson } from './route-helpers.js';
+import { readWorkspaceMemoryDreamEnabled, readWorkspaceMemoryEnabled, serializeWorkspaceMemoryDreamEnabled, serializeWorkspaceMemoryEnabled, workspaceMemoryDreamEnabledKey, workspaceMemoryEnabledKey, } from './team-memory-feature.js';
+import { serializeMemoryEntry, serializeMemoryInjection } from './team-memory-http-serializers.js';
+import { MemoryEntryNotFoundError, MemoryEntryStatusError, } from './team-memory-store.js';
+import { requireUiTokenFromRequest } from './ui-auth-helpers.js';
+const MEMORY_STATUSES = ['active', 'candidate', 'archived', 'rejected'];
+const parseLimit = (value) => {
+    if (value === null)
+        return MEMORY_SEARCH_MAX_LIMIT;
+    if (!/^(0|[1-9][0-9]*)$/.test(value)) {
+        throw new BadRequestError('limit must be a non-negative integer');
+    }
+    return Math.min(Number(value), MEMORY_SEARCH_MAX_LIMIT);
+};
+const parseStatuses = (value) => {
+    if (value === null)
+        return ['active'];
+    if (value === 'all')
+        return MEMORY_STATUSES;
+    if (MEMORY_STATUSES.includes(value))
+        return [value];
+    throw new BadRequestError('status must be active, candidate, archived, rejected, or all');
+};
+const parseQuery = (value) => {
+    const query = value?.trim() ?? '';
+    if ([...query].length > MEMORY_QUERY_MAX_CHARS) {
+        throw new BadRequestError(`query must be ${MEMORY_QUERY_MAX_CHARS} characters or fewer`);
+    }
+    return query;
+};
+const requireBoolean = (value, field) => {
+    if (typeof value !== 'boolean')
+        throw new BadRequestError(`${field} must be a boolean`);
+    return value;
+};
+const sendMemoryMutationError = (response, error) => {
+    if (error instanceof MemoryEntryNotFoundError) {
+        sendJson(response, 404, { error: `Memory entry not found: ${error.memoryId}` });
+        return true;
+    }
+    if (error instanceof MemoryEntryStatusError) {
+        sendJson(response, 409, {
+            error: `Memory entry has status ${error.actualStatus}; expected ${Array.isArray(error.expectedStatus)
+                ? error.expectedStatus.join(' or ')
+                : error.expectedStatus}`,
+        });
+        return true;
+    }
+    return false;
+};
+const getMemoryId = (response, params) => getRequiredParam(response, params, 'memoryId', 'Missing memoryId');
+const requireWorkspace = (response, store, workspaceId) => {
+    if (store.listWorkspaces().some((workspace) => workspace.id === workspaceId))
+        return true;
+    sendJson(response, 404, { error: `Workspace not found: ${workspaceId}` });
+    return false;
+};
+export const workspaceMemoryRoutes = [
+    route('GET', '/api/ui/workspaces/:workspaceId/memory', ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        if (!workspaceId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        const url = new URL(request.url ?? '/', 'http://127.0.0.1');
+        const statuses = parseStatuses(url.searchParams.get('status'));
+        const limit = parseLimit(url.searchParams.get('limit'));
+        const query = parseQuery(url.searchParams.get('query'));
+        const memories = query
+            ? store.searchMemoryEntries(workspaceId, query, {
+                includeDisabled: true,
+                limit,
+                statuses,
+            })
+            : store.listMemoryEntries(workspaceId, { limit, statuses });
+        sendJson(response, 200, { memories: memories.map(serializeMemoryEntry), ok: true });
+    }),
+    route('GET', '/api/ui/workspaces/:workspaceId/memory/injections', ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        if (!workspaceId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        const url = new URL(request.url ?? '/', 'http://127.0.0.1');
+        const dispatchId = url.searchParams.get('dispatch_id')?.trim();
+        if (!dispatchId)
+            throw new BadRequestError('Missing dispatch_id');
+        sendJson(response, 200, {
+            injections: store
+                .listMemoryInjectionsForDispatch(workspaceId, dispatchId)
+                .map(serializeMemoryInjection),
+            ok: true,
+        });
+    }),
+    route('GET', '/api/ui/workspaces/:workspaceId/memory/settings', ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        if (!workspaceId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        sendJson(response, 200, {
+            dream_enabled: readWorkspaceMemoryDreamEnabled(store.settings.getAppState(workspaceMemoryDreamEnabledKey(workspaceId))?.value),
+            enabled: readWorkspaceMemoryEnabled(store.settings.getAppState(workspaceMemoryEnabledKey(workspaceId))?.value),
+            ok: true,
+        });
+    }),
+    route('PUT', '/api/ui/workspaces/:workspaceId/memory/settings', async ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        if (!workspaceId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        const body = await readJsonBody(request);
+        if (body.enabled !== undefined) {
+            store.settings.setAppState(workspaceMemoryEnabledKey(workspaceId), serializeWorkspaceMemoryEnabled(requireBoolean(body.enabled, 'enabled')));
+        }
+        if (body.dream_enabled !== undefined) {
+            store.settings.setAppState(workspaceMemoryDreamEnabledKey(workspaceId), serializeWorkspaceMemoryDreamEnabled(requireBoolean(body.dream_enabled, 'dream_enabled')));
+        }
+        sendJson(response, 200, {
+            dream_enabled: readWorkspaceMemoryDreamEnabled(store.settings.getAppState(workspaceMemoryDreamEnabledKey(workspaceId))?.value),
+            enabled: readWorkspaceMemoryEnabled(store.settings.getAppState(workspaceMemoryEnabledKey(workspaceId))?.value),
+            ok: true,
+        });
+    }),
+    route('PATCH', '/api/ui/workspaces/:workspaceId/memory/:memoryId', async ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        const memoryId = getMemoryId(response, params);
+        if (!workspaceId || !memoryId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        const body = await readJsonBody(request);
+        try {
+            let memory = store.getMemoryEntry(workspaceId, memoryId);
+            if (!memory)
+                throw new MemoryEntryNotFoundError(memoryId, workspaceId);
+            if (body.pinned !== undefined) {
+                memory = store.setMemoryPinned(workspaceId, memoryId, requireBoolean(body.pinned, 'pinned'));
+            }
+            if (body.disabled !== undefined) {
+                memory = store.setMemoryDisabled(workspaceId, memoryId, requireBoolean(body.disabled, 'disabled'));
+            }
+            sendJson(response, 200, { memory: serializeMemoryEntry(memory), ok: true });
+        }
+        catch (error) {
+            if (!sendMemoryMutationError(response, error))
+                throw error;
+        }
+    }),
+    route('POST', '/api/ui/workspaces/:workspaceId/memory/:memoryId/approve', ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        const memoryId = getMemoryId(response, params);
+        if (!workspaceId || !memoryId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        try {
+            sendJson(response, 200, {
+                memory: serializeMemoryEntry(store.approveMemoryCandidate(workspaceId, memoryId)),
+                ok: true,
+            });
+        }
+        catch (error) {
+            if (!sendMemoryMutationError(response, error))
+                throw error;
+        }
+    }),
+    route('POST', '/api/ui/workspaces/:workspaceId/memory/:memoryId/reject', ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        const memoryId = getMemoryId(response, params);
+        if (!workspaceId || !memoryId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        try {
+            sendJson(response, 200, {
+                memory: serializeMemoryEntry(store.rejectMemoryCandidate(workspaceId, memoryId)),
+                ok: true,
+            });
+        }
+        catch (error) {
+            if (!sendMemoryMutationError(response, error))
+                throw error;
+        }
+    }),
+    route('POST', '/api/ui/workspaces/:workspaceId/memory/:memoryId/archive', ({ params, request, response, store }) => {
+        requireUiTokenFromRequest(request, store.validateUiToken, store.authorizeRemoteTunnelRequest);
+        const workspaceId = getRequiredParam(response, params, 'workspaceId', 'Missing workspaceId');
+        const memoryId = getMemoryId(response, params);
+        if (!workspaceId || !memoryId)
+            return;
+        if (!requireWorkspace(response, store, workspaceId))
+            return;
+        try {
+            sendJson(response, 200, {
+                memory: serializeMemoryEntry(store.archiveMemoryEntry(workspaceId, memoryId)),
+                ok: true,
+            });
+        }
+        catch (error) {
+            if (!sendMemoryMutationError(response, error))
+                throw error;
+        }
+    }),
+];