@zmeel/server 0.3.2 → 2026.404.0-canary.0

package/skills/zmeel/references/company-skills.md

@@ -0,0 +1,193 @@
+# Company Skills Workflow
+
+Use this reference when a board user, CEO, or manager asks you to find a skill, install it into the company library, or assign it to an agent.
+
+## What Exists
+
+- Company skill library: install, inspect, update, and read imported skills for the whole company.
+- Agent skill assignment: add or remove company skills on an existing agent.
+- Hire/create composition: pass `desiredSkills` when creating or hiring an agent so the same assignment model applies immediately.
+
+The canonical model is:
+
+1. install the skill into the company
+2. assign the company skill to the agent
+3. optionally do step 2 during hire/create with `desiredSkills`
+
+## Permission Model
+
+- Company skill reads: any same-company actor
+- Company skill mutations: board, CEO, or an agent with the effective `agents:create` capability
+- Agent skill assignment: same permission model as updating that agent
+
+## Core Endpoints
+
+- `GET /api/companies/:companyId/skills`
+- `GET /api/companies/:companyId/skills/:skillId`
+- `POST /api/companies/:companyId/skills/import`
+- `POST /api/companies/:companyId/skills/scan-projects`
+- `POST /api/companies/:companyId/skills/:skillId/install-update`
+- `GET /api/agents/:agentId/skills`
+- `POST /api/agents/:agentId/skills/sync`
+- `POST /api/companies/:companyId/agent-hires`
+- `POST /api/companies/:companyId/agents`
+
+## Install A Skill Into The Company
+
+Import using a **skills.sh URL**, a key-style source string, a GitHub URL, or a local path.
+
+### Source types (in order of preference)
+
+| Source format | Example | When to use |
+|---|---|---|
+| **skills.sh URL** | `https://skills.sh/google-labs-code/stitch-skills/design-md` | When a user gives you a `skills.sh` link. This is the managed skill registry — **always prefer it when available**. |
+| **Key-style string** | `google-labs-code/stitch-skills/design-md` | Shorthand for the same skill — `org/repo/skill-name` format. Equivalent to the skills.sh URL. |
+| **GitHub URL** | `https://github.com/vercel-labs/agent-browser` | When the skill is in a GitHub repo but not on skills.sh. |
+| **Local path** | `/abs/path/to/skill-dir` | When the skill is on disk (dev/testing only). |
+
+**Critical:** If a user gives you a `https://skills.sh/...` URL, use that URL or its key-style equivalent (`org/repo/skill-name`) as the `source`. Do **not** convert it to a GitHub URL — skills.sh is the managed registry and the source of truth for versioning, discovery, and updates.
+
+### Example: skills.sh import (preferred)
+
+```sh
+curl -sS -X POST "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/skills/import" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "source": "https://skills.sh/google-labs-code/stitch-skills/design-md"
+  }'
+```
+
+Or equivalently using the key-style string:
+
+```sh
+curl -sS -X POST "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/skills/import" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "source": "google-labs-code/stitch-skills/design-md"
+  }'
+```
+
+### Example: GitHub import
+
+```sh
+curl -sS -X POST "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/skills/import" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "source": "https://github.com/vercel-labs/agent-browser"
+  }'
+```
+
+You can also use source strings such as:
+
+- `google-labs-code/stitch-skills/design-md`
+- `vercel-labs/agent-browser/agent-browser`
+- `npx skills add https://github.com/vercel-labs/agent-browser --skill agent-browser`
+
+If the task is to discover skills from the company project workspaces first:
+
+```sh
+curl -sS -X POST "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/skills/scan-projects" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{}'
+```
+
+## Inspect What Was Installed
+
+```sh
+curl -sS "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/skills" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+```
+
+Read the skill entry and its `SKILL.md`:
+
+```sh
+curl -sS "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/skills/<skill-id>" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+
+curl -sS "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/skills/<skill-id>/files?path=SKILL.md" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+```
+
+## Assign Skills To An Existing Agent
+
+`desiredSkills` accepts:
+
+- exact company skill key
+- exact company skill id
+- exact slug when it is unique in the company
+
+The server persists canonical company skill keys.
+
+```sh
+curl -sS -X POST "$ZMEEL_API_URL/api/agents/<agent-id>/skills/sync" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "desiredSkills": [
+      "vercel-labs/agent-browser/agent-browser"
+    ]
+  }'
+```
+
+If you need the current state first:
+
+```sh
+curl -sS "$ZMEEL_API_URL/api/agents/<agent-id>/skills" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+```
+
+## Include Skills During Hire Or Create
+
+Use the same company skill keys or references in `desiredSkills` when hiring or creating an agent:
+
+```sh
+curl -sS -X POST "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/agent-hires" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "QA Browser Agent",
+    "role": "qa",
+    "adapterType": "codex_local",
+    "adapterConfig": {
+      "cwd": "/abs/path/to/repo"
+    },
+    "desiredSkills": [
+      "agent-browser"
+    ]
+  }'
+```
+
+For direct create without approval:
+
+```sh
+curl -sS -X POST "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/agents" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "QA Browser Agent",
+    "role": "qa",
+    "adapterType": "codex_local",
+    "adapterConfig": {
+      "cwd": "/abs/path/to/repo"
+    },
+    "desiredSkills": [
+      "agent-browser"
+    ]
+  }'
+```
+
+## Notes
+
+- Built-in zmeel runtime skills are still added automatically when required by the adapter.
+- If a reference is missing or ambiguous, the API returns `422`.
+- Prefer linking back to the relevant issue, approval, and agent when you comment about skill changes.
+- Use company portability routes when you need whole-package import/export, not just a skill:
+  - `POST /api/companies/:companyId/imports/preview`
+  - `POST /api/companies/:companyId/imports/apply`
+  - `POST /api/companies/:companyId/exports/preview`
+  - `POST /api/companies/:companyId/exports`
+- Use skill-only import when the task is specifically to add a skill to the company library without importing the surrounding company/team/package structure.

package/skills/zmeel/references/routines.md

@@ -0,0 +1,187 @@
+# zmeel Routines
+
+Routines are recurring tasks. Each time a routine fires it creates an execution issue assigned to the routine's agent — the agent picks it up in the normal heartbeat flow.
+
+A routine has:
+- One assigned agent and one project
+- One or more triggers (`schedule`, `webhook`, or `api`)
+- A concurrency policy (what to do when a previous run is still active)
+- A catch-up policy (what to do with missed scheduled runs)
+
+**Authorization:** Agents can read all routines in their company but can only create or manage routines assigned to themselves. Board operators have full access, including reassignment.
+
+---
+
+## Lifecycle
+
+```
+active <-> paused
+active  -> archived  (terminal — cannot be reactivated)
+```
+
+Paused routines do not fire. Archived routines do not fire and cannot be unarchived.
+
+---
+
+## Creating a Routine
+
+```
+POST /api/companies/{companyId}/routines
+{
+  "title": "Weekly CEO briefing",
+  "description": "Compile status report and post to Slack",
+  "assigneeAgentId": "{agentId}",
+  "projectId": "{projectId}",
+  "goalId": "{goalId}",           // optional
+  "parentIssueId": "{issueId}",   // optional — parent for run issues
+  "priority": "medium",
+  "status": "active",
+  "concurrencyPolicy": "coalesce_if_active",
+  "catchUpPolicy": "skip_missed"
+}
+```
+
+| Field | Required | Notes |
+|-------|----------|-------|
+| `title` | yes | Max 200 chars |
+| `description` | no | Human-readable description of the routine |
+| `assigneeAgentId` | yes | Agents: must be themselves |
+| `projectId` | yes | |
+| `goalId` | no | Inherited by run issues |
+| `parentIssueId` | no | Run issues become children of this issue |
+| `priority` | no | `critical` `high` `medium` (default) `low` |
+| `status` | no | `active` (default) `paused` `archived` |
+| `concurrencyPolicy` | no | See below |
+| `catchUpPolicy` | no | See below |
+
+---
+
+## Concurrency Policies
+
+Controls what happens when a trigger fires while the previous run issue is still open or active.
+
+| Policy | Behaviour |
+|--------|-----------|
+| `coalesce_if_active` **(default)** | New run is marked `coalesced` and linked to the existing active run — no new issue created |
+| `skip_if_active` | New run is marked `skipped` and linked to the existing active run — no new issue created |
+| `always_enqueue` | Always create a new issue regardless of active runs |
+
+---
+
+## Catch-Up Policies
+
+Controls what happens with scheduled runs that were missed, for example during server downtime.
+
+| Policy | Behaviour |
+|--------|-----------|
+| `skip_missed` **(default)** | Missed runs are dropped |
+| `enqueue_missed_with_cap` | Missed runs are enqueued, capped at 25 |
+
+---
+
+## Adding Triggers
+
+A routine can have multiple triggers of different kinds.
+
+All trigger kinds accept an optional `label` field (max 120 chars), which is useful for distinguishing multiple triggers of the same kind on one routine.
+
+```
+POST /api/routines/{routineId}/triggers
+```
+
+### Schedule (cron)
+
+```json
+{
+  "kind": "schedule",
+  "cronExpression": "0 9 * * 1",
+  "timezone": "Europe/Amsterdam"
+}
+```
+
+- `cronExpression`: standard 5-field cron syntax
+- `timezone`: IANA timezone string (for example `UTC` or `America/New_York`)
+- The server computes `nextRunAt` automatically
+
+### Webhook
+
+```json
+{
+  "kind": "webhook",
+  "signingMode": "hmac_sha256",
+  "replayWindowSec": 300
+}
+```
+
+- `signingMode`: `bearer` (default) or `hmac_sha256`
+- `replayWindowSec`: 30-86400 (default 300)
+- Response includes the webhook URL (`publicId`-based) and the signing secret
+- Fire externally: `POST /api/routine-triggers/public/{publicId}/fire`
+  - Bearer: `Authorization: Bearer <secret>`
+  - HMAC: `X-zmeel-Signature` + `X-zmeel-Timestamp` headers
+
+### API (manual only)
+
+```json
+{
+  "kind": "api"
+}
+```
+
+No configuration. Fire via the manual run endpoint.
+
+---
+
+## Updating and Deleting Triggers
+
+```
+PATCH /api/routine-triggers/{triggerId}
+{ "enabled": false, "cronExpression": "0 10 * * 1" }
+
+DELETE /api/routine-triggers/{triggerId}
+```
+
+To rotate a webhook secret (the old secret is immediately invalidated):
+
+```
+POST /api/routine-triggers/{triggerId}/rotate-secret
+```
+
+---
+
+## Manual Run
+
+Fires a run immediately, bypassing the schedule. Concurrency policy still applies.
+
+```
+POST /api/routines/{routineId}/run
+{
+  "source": "manual",
+  "triggerId": "{triggerId}",       // optional — attributes run to a specific trigger
+  "payload": { "context": "..." }, // optional — passed to the run issue
+  "idempotencyKey": "unique-key"   // optional — prevents duplicate runs
+}
+```
+
+---
+
+## Updating a Routine
+
+All create fields are updatable. Agents cannot reassign a routine to another agent.
+
+```
+PATCH /api/routines/{routineId}
+{ "status": "paused", "title": "New title" }
+```
+
+---
+
+## Reading Routines and Runs
+
+```
+GET /api/companies/{companyId}/routines
+GET /api/routines/{routineId}
+GET /api/routines/{routineId}/runs?limit=50
+```
+
+Use the generic API endpoint tables in `skills/zmeel/references/api-reference.md` when you need a full cross-domain reference. Use this file when you need routine-specific behaviour, payload shape, or policy details.

package/skills/zmeel-create-agent/SKILL.md

@@ -0,0 +1,142 @@
+---
+name: zmeel-create-agent
+description: >
+  Create new agents in zmeel with governance-aware hiring. Use when you need
+  to inspect adapter configuration options, compare existing agent configs,
+  draft a new agent prompt/config, and submit a hire request.
+---
+
+# zmeel Create Agent Skill
+
+Use this skill when you are asked to hire/create an agent.
+
+## Preconditions
+
+You need either:
+
+- board access, or
+- agent permission `can_create_agents=true` in your company
+
+If you do not have this permission, escalate to your CEO or board.
+
+## Workflow
+
+1. Confirm identity and company context.
+
+```sh
+curl -sS "$ZMEEL_API_URL/api/agents/me" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+```
+
+2. Discover available adapter configuration docs for this zmeel instance.
+
+```sh
+curl -sS "$ZMEEL_API_URL/llms/agent-configuration.txt" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+```
+
+3. Read adapter-specific docs (example: `claude_local`).
+
+```sh
+curl -sS "$ZMEEL_API_URL/llms/agent-configuration/claude_local.txt" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+```
+
+4. Compare existing agent configurations in your company.
+
+```sh
+curl -sS "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/agent-configurations" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+```
+
+5. Discover allowed agent icons and pick one that matches the role.
+
+```sh
+curl -sS "$ZMEEL_API_URL/llms/agent-icons.txt" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+```
+
+6. Draft the new hire config:
+- role/title/name
+- icon (required in practice; use one from `/llms/agent-icons.txt`)
+- reporting line (`reportsTo`)
+- adapter type
+- optional `desiredSkills` from the company skill library when this role needs installed skills on day one
+- adapter and runtime config aligned to this environment
+- capabilities
+- run prompt in adapter config (`promptTemplate` where applicable)
+- source issue linkage (`sourceIssueId` or `sourceIssueIds`) when this hire came from an issue
+
+7. Submit hire request.
+
+```sh
+curl -sS -X POST "$ZMEEL_API_URL/api/companies/$ZMEEL_COMPANY_ID/agent-hires" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "CTO",
+    "role": "cto",
+    "title": "Chief Technology Officer",
+    "icon": "crown",
+    "reportsTo": "<ceo-agent-id>",
+    "capabilities": "Owns technical roadmap, architecture, staffing, execution",
+    "desiredSkills": ["vercel-labs/agent-browser/agent-browser"],
+    "adapterType": "codex_local",
+    "adapterConfig": {"cwd": "/abs/path/to/repo", "model": "o4-mini"},
+    "runtimeConfig": {"heartbeat": {"enabled": true, "intervalSec": 300, "wakeOnDemand": true}},
+    "sourceIssueId": "<issue-id>"
+  }'
+```
+
+8. Handle governance state:
+- if response has `approval`, hire is `pending_approval`
+- monitor and discuss on approval thread
+- when the board approves, you will be woken with `ZMEEL_APPROVAL_ID`; read linked issues and close/comment follow-up
+
+```sh
+curl -sS "$ZMEEL_API_URL/api/approvals/<approval-id>" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+
+curl -sS -X POST "$ZMEEL_API_URL/api/approvals/<approval-id>/comments" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"body":"## CTO hire request submitted\n\n- Approval: [<approval-id>](/approvals/<approval-id>)\n- Pending agent: [<agent-ref>](/agents/<agent-url-key-or-id>)\n- Source issue: [<issue-ref>](/issues/<issue-identifier-or-id>)\n\nUpdated prompt and adapter config per board feedback."}'
+```
+
+If the approval already exists and needs manual linking to the issue:
+
+```sh
+curl -sS -X POST "$ZMEEL_API_URL/api/issues/<issue-id>/approvals" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"approvalId":"<approval-id>"}'
+```
+
+After approval is granted, run this follow-up loop:
+
+```sh
+curl -sS "$ZMEEL_API_URL/api/approvals/$ZMEEL_APPROVAL_ID" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+
+curl -sS "$ZMEEL_API_URL/api/approvals/$ZMEEL_APPROVAL_ID/issues" \
+  -H "Authorization: Bearer $ZMEEL_API_KEY"
+```
+
+For each linked issue, either:
+- close it if approval resolved the request, or
+- comment in markdown with links to the approval and next actions.
+
+## Quality Bar
+
+Before sending a hire request:
+
+- if the role needs skills, make sure they already exist in the company library or install them first using the zmeel company-skills workflow
+- Reuse proven config patterns from related agents where possible.
+- Set a concrete `icon` from `/llms/agent-icons.txt` so the new hire is identifiable in org and task views.
+- Avoid secrets in plain text unless required by adapter behavior.
+- Ensure reporting line is correct and in-company.
+- Ensure prompt is role-specific and operationally scoped.
+- If board requests revision, update payload and resubmit through approval flow.
+
+For endpoint payload shapes and full examples, read:
+`skills/zmeel-create-agent/references/api-reference.md`

package/skills/zmeel-create-agent/references/api-reference.md

@@ -0,0 +1,105 @@
+# zmeel Create Agent API Reference
+
+## Core Endpoints
+
+- `GET /llms/agent-configuration.txt`
+- `GET /llms/agent-configuration/:adapterType.txt`
+- `GET /llms/agent-icons.txt`
+- `GET /api/companies/:companyId/agent-configurations`
+- `GET /api/companies/:companyId/skills`
+- `POST /api/companies/:companyId/skills/import`
+- `GET /api/agents/:agentId/configuration`
+- `POST /api/agents/:agentId/skills/sync`
+- `POST /api/companies/:companyId/agent-hires`
+- `POST /api/companies/:companyId/agents`
+- `GET /api/agents/:agentId/config-revisions`
+- `POST /api/agents/:agentId/config-revisions/:revisionId/rollback`
+- `POST /api/issues/:issueId/approvals`
+- `GET /api/approvals/:approvalId/issues`
+
+Approval collaboration:
+
+- `GET /api/approvals/:approvalId`
+- `POST /api/approvals/:approvalId/request-revision` (board)
+- `POST /api/approvals/:approvalId/resubmit`
+- `GET /api/approvals/:approvalId/comments`
+- `POST /api/approvals/:approvalId/comments`
+- `GET /api/approvals/:approvalId/issues`
+
+## `POST /api/companies/:companyId/agent-hires`
+
+Request body matches agent create shape:
+
+```json
+{
+  "name": "CTO",
+  "role": "cto",
+  "title": "Chief Technology Officer",
+  "icon": "crown",
+  "reportsTo": "uuid-or-null",
+  "capabilities": "Owns architecture and engineering execution",
+  "desiredSkills": ["vercel-labs/agent-browser/agent-browser"],
+  "adapterType": "claude_local",
+  "adapterConfig": {
+    "cwd": "/absolute/path",
+    "model": "claude-sonnet-4-5-20250929",
+    "promptTemplate": "You are CTO..."
+  },
+  "runtimeConfig": {
+    "heartbeat": {
+      "enabled": true,
+      "intervalSec": 300,
+      "wakeOnDemand": true
+    }
+  },
+  "budgetMonthlyCents": 0,
+  "sourceIssueId": "uuid-or-null",
+  "sourceIssueIds": ["uuid-1", "uuid-2"]
+}
+```
+
+Response:
+
+```json
+{
+  "agent": {
+    "id": "uuid",
+    "status": "pending_approval"
+  },
+  "approval": {
+    "id": "uuid",
+    "type": "hire_agent",
+    "status": "pending",
+    "payload": {
+      "desiredSkills": ["vercel-labs/agent-browser/agent-browser"]
+    }
+  }
+}
+```
+
+If company setting disables required approval, `approval` is `null` and the agent is created as `idle`.
+
+`desiredSkills` accepts company skill ids, canonical keys, or a unique slug. The server resolves and stores canonical company skill keys.
+
+## Approval Lifecycle
+
+Statuses:
+
+- `pending`
+- `revision_requested`
+- `approved`
+- `rejected`
+- `cancelled`
+
+For hire approvals:
+
+- approved: linked agent transitions `pending_approval -> idle`
+- rejected: linked agent is terminated
+
+## Safety Notes
+
+- Config read APIs redact obvious secrets.
+- `pending_approval` agents cannot run heartbeats, receive assignments, or create keys.
+- All actions are logged in activity for auditability.
+- Use markdown in issue/approval comments and include links to approval, agent, and source issue.
+- After approval resolution, requester may be woken with `ZMEEL_APPROVAL_ID` and should reconcile linked issues.