agent-mp 0.5.21 → 0.5.23

package/dist/commands/repl.js

@@ -10,7 +10,7 @@ import { writeJson, ensureDir, readJson, listDir, fileExists } from '../utils/fs
 import { loadAuth, saveAuth, loadCliConfig, saveCliConfig, loadProjectConfig, resolveProjectDir } from '../utils/config.js';
 import { log } from '../utils/logger.js';
 import { AgentEngine, ExitError } from '../core/engine.js';
-import { qwenLogin, qwenAuthStatus, QWEN_AGENT_HOME, fetchQwenModels } from '../utils/qwen-auth.js';
+import { qwenAuthStatus, QWEN_AGENT_HOME, fetchQwenModels, loadApiKeyConfig, saveApiKeyConfig, fetchApiKeyModels, DEFAULT_API_BASE_URL } from '../utils/qwen-auth.js';
 import { renderWelcomePanel, renderHelpHint, renderSectionBox, renderMultiSectionBox } from '../ui/theme.js';
 import { FixedInput } from '../ui/input.js';
 import { newSession, saveSession } from '../utils/sessions.js';
@@ -256,55 +256,52 @@ function buildCmd(cliName, model) {
     const promptFlag = info.promptFlag ? ` ${info.promptFlag}` : '';
     return `${info.command} ${info.modelFlag} ${model}${extra}${promptFlag}`.trim();
 }
-async function cmdLogin(rl) {
-    console.log(chalk.bold.cyan('\n  Login\n'));
-    // If active provider is Qwen, use built-in OAuth device flow (no qwen CLI needed)
-    const auth = await loadAuth();
-    if (auth.activeProvider === 'qwen') {
-        console.log(chalk.dim(`  Credentials will be saved to: ${QWEN_AGENT_HOME}/\n`));
-        try {
-            const success = await qwenLogin();
-            if (!success)
-                return false;
-            const emailInput = await ask(rl, '  Your email (optional, for display): ');
-            auth.entries = auth.entries.filter((e) => e.provider !== 'qwen');
-            auth.entries.push({ provider: 'qwen', method: 'oauth', ...(emailInput.trim() ? { email: emailInput.trim() } : {}) });
-            await saveAuth(auth);
-            return true;
-        }
-        catch (err) {
-            console.log(chalk.red('  Login failed: ' + err.message));
-            return false;
-        }
+async function promptApiKeySetup(rl, askFn) {
+    const existing = await loadApiKeyConfig();
+    if (existing) {
+        console.log(chalk.dim(`  Current: ${existing.provider} / ${existing.model}`));
     }
-    // For other providers, use their CLI
-    console.log(chalk.dim('  Available providers:'));
-    for (const [id, cmd] of Object.entries(CLI_AUTH_COMMANDS)) {
-        const installed = isCliInstalled(id) ? chalk.green('✓') : chalk.red('✗');
-        console.log(chalk.dim(`    ${installed} ${id} - uses: ${cmd}`));
-    }
-    const provider = await ask(rl, '\n  Provider: ');
-    const authCmd = CLI_AUTH_COMMANDS[provider.trim()];
-    if (!authCmd) {
-        console.log(chalk.red(`  No auth command for: ${provider}`));
+    const apiKey = await askFn(`  API Key${existing ? ' [Enter to keep]' : ''}: `);
+    const resolvedKey = apiKey.trim() || existing?.api_key || '';
+    if (!resolvedKey) {
+        console.log(chalk.red('  API key is required.'));
         return false;
     }
-    console.log(chalk.blue(`  Running: ${authCmd}`));
-    console.log(chalk.dim('  (This will open your browser for login)\n'));
-    try {
-        execSync(authCmd, { stdio: 'inherit' });
-        const auth = await loadAuth();
-        auth.entries = auth.entries.filter((e) => e.provider !== provider.trim());
-        auth.entries.push({ provider: provider.trim(), method: 'oauth' });
-        auth.activeProvider = provider.trim();
-        await saveAuth(auth);
-        console.log(chalk.green(`  Auth recorded for ${provider}`));
-        return true;
+    console.log(chalk.dim('\n  Fetching available models...'));
+    const tempCfg = { provider: 'openai-compatible', api_key: resolvedKey, base_url: DEFAULT_API_BASE_URL, model: '' };
+    const models = await fetchApiKeyModels(tempCfg);
+    let chosenModel = existing?.model ?? 'qwen-plus';
+    if (models.length > 0) {
+        console.log(chalk.bold('\n  Available models:'));
+        models.forEach((m, i) => console.log(chalk.dim(`    ${i + 1}. ${m}`)));
+        const pick = await askFn(`\n  Model [${chosenModel}]: `);
+        const num = parseInt(pick.trim());
+        if (!isNaN(num) && num >= 1 && num <= models.length) {
+            chosenModel = models[num - 1];
+        }
+        else if (pick.trim()) {
+            chosenModel = pick.trim();
+        }
     }
-    catch {
-        console.log(chalk.red('  Login failed.'));
-        return false;
+    else {
+        console.log(chalk.yellow('  Could not fetch models — enter model name manually.'));
+        const pick = await askFn(`  Model [${chosenModel}]: `);
+        if (pick.trim())
+            chosenModel = pick.trim();
     }
+    const cfg = {
+        provider: existing?.provider ?? 'openai-compatible',
+        api_key: resolvedKey,
+        base_url: DEFAULT_API_BASE_URL,
+        model: chosenModel,
+    };
+    await saveApiKeyConfig(cfg);
+    console.log(chalk.green(`\n  ✓ API key saved — ${cfg.model}\n`));
+    return true;
+}
+async function cmdLogin(rl) {
+    console.log(chalk.bold.cyan('\n  Configure API Key\n'));
+    return promptApiKeySetup(rl, (q) => ask(rl, q));
 }
 async function cmdSetup(rl) {
     console.log(chalk.bold.cyan('\n  Setup Wizard\n'));
@@ -754,7 +751,7 @@ function cmdHelp(fi) {
         { key: '/explorer [task]', value: 'Run explorer (shortcut)' },
         { key: '/models', value: 'List models for all installed CLIs' },
         { key: '/models <cli>', value: 'List models for a specific CLI' },
-        { key: '/login', value: 'Login (Qwen OAuth or CLI auth)' },
+        { key: '/login', value: 'Configure API key' },
         { key: '/logout', value: 'Logout and clear credentials' },
         { key: '/auth-status', value: 'Show authentication status' },
         { key: '/usage', value: 'Check quota status for all role CLIs' },
@@ -809,101 +806,49 @@ export async function initCoordinator() {
     const auth = await loadAuth();
     const currentAuth = auth.activeProvider;
     let activeCli = installed.find((c) => c.name === currentAuth);
-    // Check if corporate credentials exist for qwen
-    const hasCorporateCreds = (() => {
-        if (currentAuth === 'qwen') {
-            const corporateCreds = path.join(QWEN_AGENT_HOME, 'oauth_creds.json');
-            try {
-                const stats = fsSync.statSync(corporateCreds);
-                return stats.isFile();
-            }
-            catch {
-                return false;
-            }
-        }
-        return true;
-    })();
-    // If no active provider OR no corporate credentials, show selector
-    if (!activeCli || !hasCorporateCreds) {
-        // No coordinator configured - show selector
-        const qwenInstalled = installed.find((c) => c.name === 'qwen');
-        if (!qwenInstalled) {
-            console.log(chalk.red('  Qwen CLI not found. Install with: npm install -g @qwen-code/qwen-code'));
+    // ── Fast-path: API key configured ────────────────────────────────────────
+    const apiKeyCfg = await loadApiKeyConfig();
+    if (apiKeyCfg?.api_key) {
+        const cliCfg = await loadCliConfig();
+        const model = cliCfg.coordinatorModel || apiKeyCfg.model;
+        gCoordinatorCmd = `qwen-direct -m ${model}`;
+        console.log(chalk.green(`  ✓ Auth: ${apiKeyCfg.provider} / ${model}\n`));
+        const syntheticCli = {
+            name: apiKeyCfg.provider,
+            info: { command: 'qwen-direct', modelFlag: '-m', promptFlag: '-p', description: 'API key' },
+            path: 'qwen-direct',
+        };
+        return { coordinatorCmd: gCoordinatorCmd, activeCli: syntheticCli, installed, rl };
+    }
+    // ── No API key — prompt to configure one ─────────────────────────────────
+    console.log(chalk.yellow('\n  No auth configured.'));
+    console.log(chalk.dim('  Configure an API key to continue.\n'));
+    const doSetup = await new Promise((resolve) => {
+        rl.question('  Set up API key now? (y/N): ', (a) => resolve(a.trim().toLowerCase() === 'y'));
+    });
+    if (doSetup) {
+        const askFn = (q) => new Promise((resolve) => rl.question(q, resolve));
+        const ok = await promptApiKeySetup(rl, askFn);
+        if (!ok) {
             rl.close();
             return null;
         }
-        // Show selector (even if only one option)
-        const selectedName = await selectOption(rl, 'Select AI service for coordinator:', ['qwen']);
-        activeCli = qwenInstalled;
-        auth.activeProvider = 'qwen';
-        auth.entries = auth.entries.filter((e) => e.provider !== 'qwen');
-        auth.entries.push({ provider: 'qwen', method: 'oauth' });
-        await saveAuth(auth);
-    }
-    // If activeCli is already set, skip selection and use existing coordinator
-    console.log(chalk.dim(`\n  Checking ${activeCli.name} auth...`));
-    let authResult = await checkCliAuth(activeCli.name);
-    if (!authResult.ok) {
-        console.log(chalk.yellow(`  ${activeCli.name} session not found.`));
-        console.log(chalk.blue(`  Opening browser for ${activeCli.name} login...`));
-        console.log(chalk.dim('  (Use your corporate account)\n'));
-        const authCmd = CLI_AUTH_COMMANDS[activeCli.name];
-        if (authCmd) {
-            try {
-                // For qwen, do corporate login flow
-                if (activeCli.name === 'qwen') {
-                    const personalCreds = path.join(os.homedir(), '.qwen', 'oauth_creds.json');
-                    const corporateCreds = path.join(QWEN_AGENT_HOME, 'oauth_creds.json');
-                    let personalBackup = null;
-                    if (await fileExists(personalCreds)) {
-                        personalBackup = await fs.readFile(personalCreds, 'utf-8');
-                        await fs.unlink(personalCreds);
-                    }
-                    await fs.unlink(corporateCreds).catch(() => { });
-                    execSync('qwen auth qwen-oauth', { stdio: 'inherit' });
-                    if (await fileExists(personalCreds)) {
-                        const newCreds = await fs.readFile(personalCreds, 'utf-8');
-                        await fs.writeFile(corporateCreds, newCreds);
-                    }
-                    if (personalBackup) {
-                        await fs.writeFile(personalCreds, personalBackup);
-                    }
-                    authResult = await checkCliAuth(activeCli.name);
-                }
-                else {
-                    execSync(authCmd, { stdio: 'inherit' });
-                    authResult = await checkCliAuth(activeCli.name);
-                }
-                if (authResult.ok) {
-                    console.log(chalk.green(`  ${activeCli.name} authenticated successfully\n`));
-                }
-                else {
-                    console.log(chalk.red(`  ${activeCli.name} auth failed. Try /login.\n`));
-                }
-            }
-            catch {
-                console.log(chalk.yellow(`  Login interrupted. Type /login to retry.\n`));
-            }
+        const saved = await loadApiKeyConfig();
+        if (!saved) {
+            rl.close();
+            return null;
         }
+        gCoordinatorCmd = `qwen-direct -m ${saved.model}`;
+        const syntheticCli = {
+            name: saved.provider,
+            info: { command: 'qwen-direct', modelFlag: '-m', promptFlag: '-p', description: 'API key' },
+            path: 'qwen-direct',
+        };
+        return { coordinatorCmd: gCoordinatorCmd, activeCli: syntheticCli, installed, rl };
     }
-    else {
-        const emailStr = authResult.email ? chalk.dim(` (${authResult.email})`) : '';
-        console.log(chalk.green(`  ${activeCli.name} session active${emailStr}\n`));
-    }
-    // Save email to auth store if we have it
-    if (authResult.email) {
-        const auth2 = await loadAuth();
-        const entry = auth2.entries.find((e) => e.provider === activeCli.name);
-        if (entry)
-            entry.email = authResult.email;
-        await saveAuth(auth2);
-    }
-    // Build coordinator command using the ACTIVE CLI (not orchestrator)
-    // The coordinator converses naturally using whatever CLI is active (qwen, claude, etc.)
-    const cliCfg = await loadCliConfig();
-    const activeModel = cliCfg.coordinatorModel || detectModels(activeCli.name)[0] || 'default';
-    gCoordinatorCmd = buildCmd(activeCli.name, activeModel);
-    return { coordinatorCmd: gCoordinatorCmd, activeCli, installed, rl };
+    console.log(chalk.dim('  Run: agent-mp setup api-key'));
+    rl.close();
+    return null;
 }
 /** REPL mode — interactive loop */
 export async function runRepl(resumeSession) {
@@ -1108,8 +1053,9 @@ export async function runRepl(resumeSession) {
                 await withRl(async (rl) => { await cmdLogin(rl); });
                 break;
             case 'logout': {
-                const credsPath = path.join(QWEN_AGENT_HOME, 'oauth_creds.json');
-                await fs.unlink(credsPath).catch(() => { });
+                const { getApiKeyConfigPath } = await import('../utils/qwen-auth.js');
+                await fs.unlink(path.join(QWEN_AGENT_HOME, 'oauth_creds.json')).catch(() => { });
+                await fs.unlink(await getApiKeyConfigPath()).catch(() => { });
                 const authStore = await loadAuth();
                 authStore.entries = [];
                 delete authStore.activeProvider;

package/dist/commands/setup.js

@@ -371,4 +371,59 @@ export function setupCommand(program) {
     addRoleCommand(setup, 'explorer', 'explorer', 'Configure explorer role only');
     addRoleCommand(setup, 'proposer', 'proposer', 'Configure proposer role only (deliberation)');
     addRoleCommand(setup, 'critic', 'critic', 'Configure critic role only (deliberation)');
+    // ── API key setup ─────────────────────────────────────────────────────────
+    setup
+        .command('api-key')
+        .description('Configure API key authentication (OpenAI-compatible, e.g. DashScope)')
+        .action(async () => {
+        const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+        const { saveApiKeyConfig, loadApiKeyConfig, fetchApiKeyModels, DEFAULT_API_BASE_URL } = await import('../utils/qwen-auth.js');
+        const existing = await loadApiKeyConfig();
+        console.log(chalk.bold.cyan('\n  API Key Setup — OpenAI-compatible\n'));
+        if (existing) {
+            console.log(chalk.yellow(`  Current: ${existing.provider} / ${existing.model}`));
+            console.log('');
+        }
+        const apiKey = await ask(rl, `  API Key${existing ? ' [Enter to keep]' : ''}: `);
+        const resolvedKey = apiKey.trim() || existing?.api_key || '';
+        if (!resolvedKey) {
+            console.log(chalk.red('  API key is required.'));
+            rl.close();
+            return;
+        }
+        // Fetch available models with the provided key
+        console.log(chalk.dim('\n  Fetching available models...'));
+        const tempCfg = { provider: 'openai-compatible', api_key: resolvedKey, base_url: DEFAULT_API_BASE_URL, model: '' };
+        const models = await fetchApiKeyModels(tempCfg);
+        let chosenModel = existing?.model ?? 'qwen-plus';
+        if (models.length > 0) {
+            console.log(chalk.bold('\n  Available models:'));
+            models.forEach((m, i) => console.log(chalk.dim(`    ${i + 1}. ${m}`)));
+            const pick = await ask(rl, `\n  Model [${chosenModel}]: `);
+            const num = parseInt(pick.trim());
+            if (!isNaN(num) && num >= 1 && num <= models.length) {
+                chosenModel = models[num - 1];
+            }
+            else if (pick.trim()) {
+                chosenModel = pick.trim();
+            }
+        }
+        else {
+            const pick = await ask(rl, `  Model [${chosenModel}]: `);
+            if (pick.trim())
+                chosenModel = pick.trim();
+        }
+        const cfg = {
+            provider: existing?.provider ?? 'openai-compatible',
+            api_key: resolvedKey,
+            base_url: DEFAULT_API_BASE_URL,
+            model: chosenModel,
+        };
+        await saveApiKeyConfig(cfg);
+        console.log(chalk.green('\n  ✓ API key saved'));
+        console.log(chalk.dim(`  Model:    ${cfg.model}`));
+        console.log(chalk.dim(`  Base URL: ${cfg.base_url}`));
+        console.log('');
+        rl.close();
+    });
 }

package/dist/core/engine.js

@@ -620,9 +620,16 @@ INSTRUCCIONES:
         const ROLE_BINARIES = new Set(['agent-orch', 'agent-impl', 'agent-rev', 'agent-explorer']);
         const tryRoleBinaryCreds = async (cliName, model) => {
             const credsPath = path.join(os.homedir(), `.${cliName}`, 'oauth_creds.json');
-            if (!(await fileExists(credsPath))) {
-                log.warn(`${cliName} has no credentials — run: ${cliName} --login`);
-                return null;
+            const hasOAuthCreds = await fileExists(credsPath);
+            if (!hasOAuthCreds) {
+                // No role OAuth creds — try global API key config before giving up
+                const { loadApiKeyConfig } = await import('../utils/qwen-auth.js');
+                const apiKeyCfg = await loadApiKeyConfig();
+                if (!apiKeyCfg) {
+                    log.warn(`${cliName} has no credentials — run: agent-mp setup api-key  or  ${cliName} --login`);
+                    return null;
+                }
+                // Fall through: callQwenAPIFromCreds will use the API key config
             }
             const sp = this._startSpinner(`${cliName}  ${model}`);
             let lineBuf = '';
@@ -1334,204 +1341,254 @@ ESTRUCTURA DE LOS 3 NIVELES
 ================================================================
 
 ────────────────────────────────────────────────────────────────
-NIVEL 0 — architecture.md (raiz de .agent/context/)
-Indice global. Objetivo: 50-150 lineas. Concreto.
 ────────────────────────────────────────────────────────────────
-Secciones obligatorias:
+NIVEL 0 — architecture.md  (raiz de .agent/context/)
+Objetivo: 80-150 lineas. Panorama global real, no generico.
+────────────────────────────────────────────────────────────────
 
-# ${this.config.project} — Arquitectura Global (NIVEL 0)
+# [Nombre del proyecto] — Arquitectura Global (NIVEL 0)
 
-> Indice de servicios y relaciones. Lectura escalonada:
+> Lectura escalonada:
 >   NIVEL 0: este archivo
 >   NIVEL 1: .agent/context/[componente]/architecture.md
 >   NIVEL 2: .agent/context/[componente]/modules/[modulo].md
 
 ## 1. Overview funcional
-2-4 lineas en lenguaje simple: que es el sistema, para quien sirve, que problema resuelve.
+2-4 lineas. Que es el sistema, para quien sirve, que problema resuelve.
+Si hay multiples componentes con roles distintos, nombrarlos y contrastarlos en el overview:
+ej. "X es la API de ingesta (escritura, batch), Y es la API de gestion (CRUD, portal Nexus)."
 
 ## 2. Componentes del proyecto
-| Componente | Tipo | Stack + version | Puerto | Proposito (negocio) | Entry point |
-|------------|------|-----------------|--------|---------------------|-------------|
-(una fila por componente, con datos REALES)
+| Componente | Stack (version exacta) | Puerto | Rol principal | Consumers tipicos |
+|---|---|---|---|---|
+(datos REALES del manifest. "Consumers tipicos" = quien llama a este componente: frontend, proceso batch, sistema externo)
 
 ## 3. Relaciones entre componentes
-| Origen | Destino | Tipo (HTTP / Import / DB / Queue / CORS) | Proposito |
-|--------|---------|------------------------------------------|-----------|
-(una fila por cada relacion confirmada)
+| Origen | Destino | Tipo | Proposito |
+|---|---|---|---|
+(incluir URLs/hosts reales si aparecen en .env o config: ej. "http://57.151.96.13:8000/v1/validate")
 
 ## 4. Diagrama de arquitectura
-\`\`\`
-[Frontend Web] ──HTTP──> [API Auth :8081]
-       │                        │
-       │                        v
-       └──HTTP──> [API Core :8080] ──> [MongoDB]
+Usar box-drawing (┌─┐│└┘┬┴├┤) y flechas (→ ──> ▼ ▲). Mostrar puertos REALES.
+Incluir endpoints clave inline en los componentes cuando se conocen.
+\`\`\`text
+┌─────────────────────┐         ┌──────────────────────┐
+│ componente-a :8083  │         │ componente-b :8084    │
+│ POST /api/sales     │         │ GET /api/nexus/combos │
+│ POST /api/stock     │────────>│ PUT /api/nexus/...    │
+└──────────┬──────────┘         └──────────────────────┘
+           │                               │
+           ▼                               ▼
+    ┌──────────────┐              ┌──────────────┐
+    │  SQL Server  │              │  Auth Service│
+    │  :31434      │              │  :8000       │
+    └──────────────┘              └──────────────┘
 \`\`\`
 
-## 5. Flujos end-to-end principales (3-5)
-Mappings funcional → tecnico, paso a paso. Ejemplo:
-- **"Un usuario crea un pedido"**: WebApp → POST /orders (API Core) → valida JWT contra API Auth → guarda en MongoDB → devuelve 201 con el pedido.
+## 5. Flujos end-to-end principales
+Concretos, con componentes, endpoints y acciones reales. 2-5 flujos.
+- **"Nombre del flujo":** Actor → POST /endpoint (componente-a) → valida JWT con auth-service → escribe en SQL Server → responde 201.
 
-## 6. Prerequisitos para levantar el proyecto
-Versiones REALES leidas de los manifests (no rangos genericos).
+## 6. Prerequisitos para levantar
+Solo lo que es real: acceso de red a hosts externos, herramientas requeridas. Sin generalidades.
 
-## 7. Comandos globales de desarrollo
+## 7. Comandos de desarrollo
 | Comando | Descripcion | Directorio |
-
-## 8. Decisiones de arquitectura globales (opcional, solo si hay)
+|---|---|---|
+(comandos reales del Makefile, run.sh, package.json scripts, mvnw, etc.)
 
 ────────────────────────────────────────────────────────────────
 NIVEL 1 — [componente]/architecture.md
-Detalle del componente. Objetivo: 80-200 lineas. Crear UNO POR CADA componente NO trivial.
+Objetivo: 120-250 lineas. Un archivo por cada componente no trivial.
 ────────────────────────────────────────────────────────────────
-Secciones obligatorias:
 
 # [componente] — Arquitectura (NIVEL 1)
 
 ## Que hace
-2-3 lineas en lenguaje simple, sin tecnicismos.
+Parrafo 1: describe el rol del componente en lenguaje de negocio + quien lo consume.
+Parrafo 2 (si hay componentes hermanos): contrasta con ellos. ej. "A diferencia de X que solo escribe en bulk, esta API expone CRUD con paginacion y filtros para el portal."
 
 ## Casos de uso principales
-3-6 bullets en formato negocio:
-- "Permite al usuario X..."
-- "El sistema usa este servicio para Y..."
+Tabla con: Caso de uso | Actor (quien lo dispara) | Descripcion + endpoint si se conoce.
+| Caso de uso | Actor | Descripcion |
+|---|---|---|
+| Ingesta de ventas | Proceso batch BAT | POST /api/sales — upsert bulk de ventas finales |
+| Consulta de productos | Portal Nexus | GET /api/products?eanCode=XXX |
 
 ## Stack tecnico
 | Item | Valor |
-|------|-------|
-| Lenguaje | TypeScript 5.3 |
-| Framework | NestJS 11.0.1 |
-| ORM | Mongoose 9.3.3 |
-| Auth | Passport JWT |
-(datos reales del manifest)
+|---|---|
+| Lenguaje | Java 21 (Temurin LTS) |
+| Framework | Spring Boot 3.5.6 |
+| ORM | Spring Data JPA + Hibernate |
+| Seguridad | Spring Security 6 + JJWT |
+(versiones REALES del manifest. Si hay librerias clave como POI, MapStruct, HikariCP: incluirlas)
 
 ## Puerto y URLs
-- **Puerto:** 8085 (de PORT en .env)
-- **Swagger / docs:** http://localhost:8085/api/docs (si aplica)
-- **Health check:** GET /health (si existe)
-
-## Estructura interna (arbol real)
-Listar DIRECTORIOS clave + los archivos que leiste (los CONTROLLER/ROUTER y SCHEMA/MODEL del prefetch).
+| Recurso | URL |
+|---|---|
+| API base | http://localhost:8084 |
+| Swagger / docs | http://localhost:8084/swagger-ui/index.html |
+| Perfil activo | development (application-development.properties) |
+
+## Estructura de capas / paquetes
+Arbol con los archivos y directorios REALES que leiste. Usar → para anotar inline que hace cada clase o directorio.
+\`\`\`text
+paquete.raiz/
+├── controller/        → endpoints REST, delegan a service, responden ApiResponse<T>
+│   ├── ClientController     → CRUD /api/clients
+│   ├── SaleController       → POST /api/sales, /api/sales/interim-sales
+│   └── ExportController     → GET /api/export/combos (genera .xlsx)
+├── service/           → interfaces de logica de negocio
+│   └── impl/          → implementaciones (@Transactional aqui)
+├── repository/        → Spring Data JPA Repositories
+├── domain/            → Entidades JPA (@Entity)
+│   ├── Client, InterimClient  → clientes finales y en staging
+│   ├── Sale, InterimSale      → ventas finales y en staging
+│   └── compositekeys/         → @IdClass para PKs compuestas
+├── dto/               → contratos de API (Request/Response DTOs)
+├── mapper/            → MapStruct: Entity ↔ DTO
+├── security/          → filtros JWT, validacion, handler 401
+└── configuration/     → CORS, Swagger, SecurityConfig
 \`\`\`
-src/
-├── main.ts                      # entry point, configura CORS y swagger
-├── auth/
-│   ├── auth.controller.ts       # endpoints /auth/login, /auth/refresh
-│   └── auth.service.ts          # logica de validacion JWT
-├── leads/
-│   ├── leads.controller.ts      # endpoints /leads
-│   └── lead.schema.ts           # modelo Lead { name, email, status }
-└── ...
+(Adaptar a la estructura real del proyecto: puede ser src/, app/, pkg/, etc.)
+
+## Endpoints reales
+SOLO los que se leyeron en los CONTROLLER/ROUTER files. Incluir columna Auth si se conoce.
+| Metodo | Ruta | Auth | Funcion |
+|---|---|---|---|
+| GET | /api/clients | JWT | Lista clientes (paginado, filtrable) |
+| POST | /api/sales | JWT | Upsert bulk de ventas finales |
+| GET | /api/export/combos | JWT/Azure | Descarga Excel con combos |
+(querystring params relevantes en la ruta, ej. ?eanCode= , ?page=&size= )
+
+## Formato de respuesta (si hay wrapper estandar)
+Si el codigo muestra un wrapper comun para todas las respuestas, documentarlo:
+\`\`\`json
+{
+  "status": 200,
+  "message": "Operacion exitosa",
+  "data": [...],
+  "pagination": { "page": 1, "size": 15, "totalElements": 120, "totalPages": 8 }
+}
 \`\`\`
-Para Java, usar el arbol de packages: src/main/java/.../controller/, .../domain/, .../service/, etc.
-Si no se leyo el codigo fuente, mencionar solo los directorios visibles en la estructura de archivos.
+Si no hay wrapper, omitir esta seccion.
 
 ## Modulos internos
-IMPORTANTE: nombrar cada modulo por su FEATURE (clients, sales, products), no por su capa (web, data, service).
-Los modulos surgen de los controllers que se leyeron: un controller → un modulo.
-| Modulo | Proposito (negocio) | Doc tecnica |
-|--------|---------------------|-------------|
-| auth | Login y validacion de tokens | modules/auth.md |
-| leads | Listado y consulta de negocios | modules/leads.md |
-
-## Endpoints principales
-| Metodo | Ruta | Modulo | Que hace (lenguaje simple) |
-|--------|------|--------|----------------------------|
-| GET | /leads | leads | Lista negocios filtrables |
-| GET | /leads/:id | leads | Detalle de un negocio |
-(SOLO endpoints reales extraidos de los controllers — metodo HTTP, ruta, y descripcion en 1 linea)
-
-## Variables de entorno
-| Variable | Default | Proposito |
-|----------|---------|-----------|
-| PORT | 8085 | Puerto del servicio |
-| MONGODB_URI | mongodb://... | Conexion principal |
-
-## Integraciones con otros servicios / sistemas
-| Servicio externo | Tipo (HTTP/DB/Queue) | Proposito |
+| Modulo | Proposito | Doc tecnica |
+|---|---|---|
+| seguridad | Autenticacion JWT/Azure, roles, filtro HTTP | modules/security.md |
+| acceso-datos | JPA, Specifications, pool, entidades | modules/data-access.md |
+| api-web | Controladores, DTOs, validacion, exportacion | modules/web-api.md |
+(Agrupar por responsabilidad tecnica real, no inventar modulos)
+
+## Variables de configuracion clave
+| Propiedad / Variable | Valor actual | Proposito |
+|---|---|---|
+| server.port | 8084 | Puerto de la API |
+| spring.datasource.url | jdbc:sqlserver://... | Conexion SQL Server |
+| auth.url | http://57.151.96.13:8000/v1/validate | Servicio externo de validacion JWT |
+(Valores REALES del archivo de config/env leido. Si no se leyo el archivo, omitir la tabla)
 
 ## Como levantar
-- **Instalar deps:** \`npm install\`
-- **Servicios necesarios:** MongoDB corriendo, security-api accesible
-- **Comando para iniciar:** \`npm run start:dev\`
-
-## Comandos disponibles
-| Comando | Que hace |
+Comando principal primero. Luego paso a paso si existe.
+\`\`\`bash
+./run.sh        # compila y levanta todo en uno (si existe)
+\`\`\`
+O paso a paso:
+\`\`\`bash
+source ./scripts/env.sh
+npm install && npm run dev
+\`\`\`
 
-## Decisiones tecnicas relevantes
-(solo si hay decisiones notables; si no, omitir esta seccion)
+## Testing (si hay tests en el proyecto)
+Frameworks, comando para correr, cobertura minima si se menciona en el manifest o config.
+\`\`\`bash
+npm test               # todos los tests
+npm test -- --watch    # modo watch
+\`\`\`
 
 ────────────────────────────────────────────────────────────────
 NIVEL 2 — [componente]/modules/[modulo].md
-Detalle de un modulo interno. Objetivo: 40-120 lineas. Crear UNO POR cada modulo significativo.
+Objetivo: 50-120 lineas. Un archivo por modulo significativo.
 ────────────────────────────────────────────────────────────────
-Secciones obligatorias:
 
-# Modulo: [nombre] — [componente]
+# Modulo: [Nombre] — [componente]
 
 ## Funcion (lenguaje simple)
-1-2 lineas: "Permite al usuario gestionar X" / "El sistema usa este modulo para Y".
+1-2 lineas: "Protege todos los endpoints /api/**. Cada request debe llevar un token JWT valido."
 
 ## Funcion (tecnica)
-1-2 lineas: como esta implementado a alto nivel.
-
-## Flujos / casos de uso (1-3)
-Escenarios paso a paso. Ejemplo:
-- **Crear un pedido:** Cliente → POST /orders → middleware valida JWT → service.create() → guarda en DB → responde 201
-
-## Endpoints / interfaces publicas (si aplica)
-| Metodo | Ruta | Body | Respuesta |
-|--------|------|------|-----------|
-
-## Modelos / schemas relevantes
-\`\`\`typescript
-// shape REAL extraido del archivo de schema/model
-{
-  _id: ObjectId,
-  name: string,
-  createdAt: Date,
-  ...
-}
+1-2 lineas: como esta implementado. ej. "Filtro OncePerRequestFilter que extrae el JWT del header Authorization, lo valida contra el servicio externo auth.url, y si es valido establece el SecurityContext."
+
+## Flujo principal (diagrama ASCII)
+Para modulos de seguridad, acceso a datos, o cualquiera con logica de decision/secuencia:
+mostrar el flujo con ASCII art y nombres REALES de clases/metodos.
+\`\`\`text
+HTTP Request
+    │
+    ▼
+AuthFilter (OncePerRequestFilter)
+    │
+    ├── X-User-Source == "Azure"?
+    │       ▼ SI
+    │   AzureHeaderValidator → construye usuario virtual desde headers
+    │
+    └── NO
+        ▼
+    JwtValidator → POST http://auth-service/validate → carga usuario de BD
+    │
+    ▼
+SecurityContextHolder.setAuthentication(...)
+    │
+    ▼
+@PreAuthorize("hasAnyAuthority('ROLE_A','ROLE_B')") en el controller
 \`\`\`
 
-## Reglas de negocio
-- Validaciones: ...
-- Condiciones especiales: ...
-- Excepciones: ...
+## Entidades / modelos relevantes (si aplica)
+Para modulos de acceso a datos: tabla de entidades con su proposito y notas.
+| Entidad | Proposito | Notas |
+|---|---|---|
+| Client | Clientes finales | Clave compuesta: ClientId |
+| InterimClient | Clientes en staging | Tabla intermedia antes de procesar |
+
+## Reglas del modulo
+- Rutas protegidas: /api/** → autenticacion obligatoria
+- Rutas publicas: OPTIONS /**, /swagger-ui/**, /*
+- Sin sesion: STATELESS — sin cookies
+- ddl-auto=validate → el schema nunca se auto-modifica
 
 ## Archivos clave
-OBLIGATORIO: listar los archivos FUENTE reales que encontraste en los pre-fetched data.
-NO poner solo el manifest. Si no hay fuentes leidas para este modulo, omitir la seccion.
-| Archivo (ruta relativa al componente) | Rol |
-|---------------------------------------|-----|
-| src/main/java/.../ClientController.java | Expone endpoints REST /clients |
-| src/main/java/.../Client.java | Entidad JPA mapeada a tabla CLIENTS |
-| src/main/java/.../ClientRepository.java | Acceso a datos via JPA |
-| src/clients/clients.controller.ts | Endpoints /clients (Node.js) |
-| src/clients/clients.service.ts | Logica de negocio (Node.js) |
+Rutas RELATIVAS al directorio raiz del componente (no rutas absolutas, no solo el manifest).
+| Archivo | Rol |
+|---|---|
+| security/AuthFilter.java | Filtro principal — intercepta y valida cada request |
+| security/JwtValidator.java | Extrae username del JWT, verifica firma y expiracion |
+| configuration/SecurityConfig.java | Define SecurityFilterChain, rutas publicas/protegidas |
+| application-development.properties | auth.url, security.token.secret, security.token.expiration |
 
 ## Dependencias
-- **Internas (mismo componente):** auth, common
-- **Externas:** mongoose, class-validator
-- **Cross-component:** llama a security-api via HTTP para validar JWT
+- Librerias clave con version si se conoce: io.jsonwebtoken:jjwt:0.9.1, spring-boot-starter-security
+- Cross-component si corresponde: "llama a http://auth-service:8000/v1/validate para validar tokens"
 
 ================================================================
 CALIBRACION DE DETALLE
 ================================================================
-- NIVEL 0: 50-150 lineas (no menos, no mas)
-- NIVEL 1: 80-200 lineas por componente
-- NIVEL 2: 40-120 lineas por modulo
-- Si te queda corto → leiste pocos archivos, no agregues relleno — simplemente genera con lo que hay
-- Si te queda largo → estas repitiendo o agregando relleno, recorta
+- NIVEL 0: 80-150 lineas
+- NIVEL 1: 120-250 lineas por componente
+- NIVEL 2: 50-120 lineas por modulo
+- Si te queda corto → incluir mas endpoints reales, mas clases en el arbol, mas config values
+- Si te queda largo → estas repitiendo entre niveles o agregando relleno; recorta
 
 ================================================================
 QUE NO HACER
 ================================================================
 - NO usar "Inferido", "Probablemente", "(asumido)", "(quizas)", "parece"
 - NO repetir lo mismo entre niveles sin agregar valor (cada nivel zoomea mas)
-- NO dejar tablas vacias ni con placeholders tipo "..."
-- NO mezclar lenguaje tecnico puro: SIEMPRE empezar funcional, despues tecnico
-- NO documentar componentes triviales (scripts, docs, configs sueltas) con su propia carpeta — mencionalos en NIVEL 0 y listo
-- NO inventar endpoints, env vars, puertos o schemas que no leiste
+- NO dejar tablas vacias ni con placeholders tipo "..." o "ver manifest"
+- NO escribir overview que podria aplicar a cualquier proyecto (tiene que ser especifico de ESTE proyecto)
+- NO documentar componentes triviales (scripts sueltos, configs simples) con carpeta propia — mencionalos en NIVEL 0 y listo
+- NO inventar endpoints, env vars, puertos, hosts, clases o schemas que no leiste en los archivos reales
 
 ================================================================
 FORMATO DE SALIDA — OBLIGATORIO

package/dist/index.js

@@ -61,8 +61,8 @@ REPL commands (type inside the session):
   /run orch <task>   Run only orchestrator
   /run impl <id>     Run only implementor
   /run rev <id>      Run only reviewer
-  /login             Login (OAuth)
-  /logout            Logout and clear credentials
+  /login             Configure API key
+  /logout            Clear API key and credentials
   /models [cli]      List available models
   /tasks             List all tasks
   /clear             Clear screen
@@ -100,25 +100,32 @@ if (nativeRole) {
         console.log(chalk.dim(`  Version: ${PKG_NAME} --version\n`));
         process.exit(0);
     }
-    // --login: OAuth login for this role's account
+    // --login: configure API key for this role
     if (args.includes('--login') || args.includes('login')) {
-        const { qwenLogin, fetchQwenModels } = await import('./utils/qwen-auth.js');
-        const { loadCliConfig, saveCliConfig } = await import('./utils/config.js');
-        const ok = await qwenLogin();
-        if (ok) {
-            // Fetch and cache available models so /setup can show them
-            const models = await fetchQwenModels();
-            if (models.length) {
-                const cliConfig = await loadCliConfig();
-                cliConfig.availableModels = models;
-                if (!cliConfig.coordinatorModel)
-                    cliConfig.coordinatorModel = models[0];
-                await saveCliConfig(cliConfig);
-                console.log(chalk.green(`  ✓ Models cached: ${models.slice(0, 3).join(', ')}${models.length > 3 ? '...' : ''}`));
-                console.log(chalk.dim(`  Default model: ${cliConfig.coordinatorModel}`));
-            }
+        const { saveApiKeyConfig, loadApiKeyConfig, DEFAULT_API_BASE_URL } = await import('./utils/qwen-auth.js');
+        const rl = (await import('readline')).createInterface({ input: process.stdin, output: process.stdout });
+        const ask = (q) => new Promise((res) => rl.question(q, res));
+        const existing = await loadApiKeyConfig();
+        console.log(chalk.bold.cyan(`\n  ${PKG_NAME} — API Key Setup\n`));
+        if (existing) {
+            console.log(chalk.dim(`  Current: ${existing.provider} / ${existing.model}`));
+        }
+        const apiKey = await ask(`  API Key${existing ? ' [Enter to keep]' : ''}: `);
+        const model = await ask(`  Model [${existing?.model ?? 'qwen-plus'}]: `);
+        rl.close();
+        const cfg = {
+            provider: existing?.provider ?? 'openai-compatible',
+            api_key: apiKey.trim() || existing?.api_key || '',
+            base_url: DEFAULT_API_BASE_URL,
+            model: model.trim() || existing?.model || 'qwen-plus',
+        };
+        if (!cfg.api_key) {
+            console.log(chalk.red('  API key is required.'));
+            process.exit(1);
         }
-        process.exit(ok ? 0 : 1);
+        await saveApiKeyConfig(cfg);
+        console.log(chalk.green(`\n  ✓ API key saved — ${cfg.provider} / ${cfg.model}\n`));
+        process.exit(0);
     }
     // --status: show auth status
     if (args.includes('--status') || args.includes('status')) {

package/dist/utils/qwen-auth.d.ts

@@ -1,3 +1,14 @@
+export declare const DEFAULT_API_BASE_URL = "https://dashscope-intl.aliyuncs.com/compatible-mode/v1";
+export interface ApiKeyConfig {
+    provider: string;
+    api_key: string;
+    base_url: string;
+    model: string;
+}
+export declare function getApiKeyConfigPath(): Promise<string>;
+export declare function loadApiKeyConfig(): Promise<ApiKeyConfig | null>;
+export declare function saveApiKeyConfig(cfg: ApiKeyConfig): Promise<void>;
+export declare function fetchApiKeyModels(cfg?: ApiKeyConfig | null): Promise<string[]>;
 /** Exported as const for backward compat */
 export declare const QWEN_AGENT_HOME: string;
 /** Dynamic getter (recommended for runtime changes) */
@@ -14,17 +25,16 @@ export declare function qwenLogin(): Promise<boolean>;
 export declare function qwenAuthStatus(): Promise<{
     authenticated: boolean;
     email?: string;
+    method?: string;
 }>;
 export declare function fetchQwenModels(): Promise<string[]>;
 export declare function getQwenAccessToken(): Promise<string | null>;
 /**
- * Call Qwen REST API directly using OAuth credentials stored locally.
- * No dependency on any qwen CLI binary.
+ * Call Qwen REST API directly. Tries API key first, falls back to OAuth.
  */
 export declare function callQwenAPI(prompt: string, model?: string, onData?: (chunk: string) => void): Promise<string>;
 /**
- * Call Qwen API using credentials stored at a specific path (for role binaries).
- * Calls the Qwen REST API directly — no dependency on any qwen CLI binary.
+ * Call Qwen API using role-specific OAuth creds or global API key config.
  */
 export declare function callQwenAPIFromCreds(prompt: string, model: string, credsPath: string, onData?: (chunk: string) => void): Promise<string>;
 /** Check quota status by making a minimal test API call */

package/dist/utils/qwen-auth.js

@@ -2,7 +2,71 @@ import * as fs from 'fs/promises';
 import * as path from 'path';
 import * as crypto from 'crypto';
 import open from 'open';
+import OpenAI from 'openai';
 import { AGENT_HOME } from './config.js';
+// ── API Key (OpenAI-compatible) ───────────────────────────────────────────────
+export const DEFAULT_API_BASE_URL = 'https://dashscope-intl.aliyuncs.com/compatible-mode/v1';
+export async function getApiKeyConfigPath() {
+    await fs.mkdir(AGENT_HOME, { recursive: true });
+    return path.join(AGENT_HOME, 'api_key.json');
+}
+export async function loadApiKeyConfig() {
+    try {
+        const content = await fs.readFile(await getApiKeyConfigPath(), 'utf-8');
+        const cfg = JSON.parse(content);
+        if (!cfg.api_key || !cfg.base_url)
+            return null;
+        return cfg;
+    }
+    catch {
+        return null;
+    }
+}
+export async function saveApiKeyConfig(cfg) {
+    await fs.writeFile(await getApiKeyConfigPath(), JSON.stringify(cfg, null, 2), 'utf-8');
+}
+export async function fetchApiKeyModels(cfg) {
+    const resolved = cfg ?? await loadApiKeyConfig();
+    if (!resolved?.api_key)
+        return [];
+    try {
+        const client = new OpenAI({ apiKey: resolved.api_key, baseURL: resolved.base_url });
+        const list = await client.models.list();
+        return list.data.map((m) => m.id).sort();
+    }
+    catch {
+        return [];
+    }
+}
+async function callWithApiKey(cfg, prompt, model, onData) {
+    const useModel = (model && model !== 'coder-model') ? model : cfg.model;
+    const client = new OpenAI({
+        apiKey: cfg.api_key,
+        baseURL: cfg.base_url,
+    });
+    if (!onData) {
+        const completion = await client.chat.completions.create({
+            model: useModel,
+            messages: [{ role: 'user', content: prompt }],
+        });
+        return completion.choices[0]?.message?.content ?? '';
+    }
+    let fullText = '';
+    const stream = await client.chat.completions.create({
+        model: useModel,
+        messages: [{ role: 'user', content: prompt }],
+        stream: true,
+    });
+    for await (const chunk of stream) {
+        const delta = chunk.choices[0]?.delta?.content ?? '';
+        if (delta) {
+            fullText += delta;
+            onData(delta);
+        }
+    }
+    return fullText;
+}
+// ── OAuth ─────────────────────────────────────────────────────────────────────
 const QWEN_OAUTH_BASE_URL = 'https://chat.qwen.ai';
 const QWEN_OAUTH_DEVICE_CODE_ENDPOINT = `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/device/code`;
 const QWEN_OAUTH_TOKEN_ENDPOINT = `${QWEN_OAUTH_BASE_URL}/api/v1/oauth2/token`;
@@ -223,13 +287,16 @@ async function pollForToken(deviceCode, codeVerifier, interval, expiresIn) {
     return null;
 }
 export async function qwenAuthStatus() {
+    const apiKeyCfg = await loadApiKeyConfig();
+    if (apiKeyCfg?.api_key) {
+        return { authenticated: true, method: 'apikey', email: `${apiKeyCfg.provider} / ${apiKeyCfg.model}` };
+    }
     const token = await loadToken();
     if (!token)
         return { authenticated: false };
-    // Verify token is not expired (loadToken already refreshes if close to expiry)
     if (token.expiresAt > 0 && token.expiresAt < Date.now())
         return { authenticated: false };
-    return { authenticated: true };
+    return { authenticated: true, method: 'oauth' };
 }
 export async function fetchQwenModels() {
     const token = await loadToken();
@@ -335,19 +402,21 @@ async function callQwenAPIWithToken(token, prompt, model, onData) {
     return fullText;
 }
 /**
- * Call Qwen REST API directly using OAuth credentials stored locally.
- * No dependency on any qwen CLI binary.
+ * Call Qwen REST API directly. Tries API key first, falls back to OAuth.
  */
 export async function callQwenAPI(prompt, model = 'coder-model', onData) {
+    const apiKeyCfg = await loadApiKeyConfig();
+    if (apiKeyCfg) {
+        return callWithApiKey(apiKeyCfg, prompt, model, onData);
+    }
     let token = await loadToken();
     if (!token) {
-        throw new Error('QWEN_AUTH_EXPIRED: No hay token de Qwen. Ejecutá --login primero.');
+        throw new Error('No auth configured. Run: agent-mp --login  or  agent-mp setup api-key');
     }
     try {
         return await callQwenAPIWithToken(token, prompt, model, onData);
     }
     catch (err) {
-        // Quota errors: refresh won't help, propagate immediately
         if (err.message?.startsWith('QWEN_QUOTA_EXCEEDED'))
             throw err;
         if (!err.message?.startsWith('QWEN_AUTH_EXPIRED'))
@@ -363,10 +432,14 @@ export async function callQwenAPI(prompt, model = 'coder-model', onData) {
     }
 }
 /**
- * Call Qwen API using credentials stored at a specific path (for role binaries).
- * Calls the Qwen REST API directly — no dependency on any qwen CLI binary.
+ * Call Qwen API using role-specific OAuth creds or global API key config.
  */
 export async function callQwenAPIFromCreds(prompt, model, credsPath, onData) {
+    // Prefer global API key config over role-specific OAuth creds
+    const apiKeyCfg = await loadApiKeyConfig();
+    if (apiKeyCfg) {
+        return callWithApiKey(apiKeyCfg, prompt, model, onData);
+    }
     const cliName = path.basename(path.dirname(credsPath)).replace(/^\./, '');
     let raw;
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-mp",
-  "version": "0.5.21",
+  "version": "0.5.23",
   "description": "Deterministic multi-agent CLI orchestrator — plan, code, review",
   "type": "module",
   "main": "./dist/index.js",