apteva 0.2.7 → 0.2.9

package/src/routes/api.ts

@@ -1,10 +1,12 @@
 import { spawn } from "bun";
 import { join } from "path";
 import { homedir } from "os";
-import { mkdirSync, existsSync } from "fs";
-import { agentProcesses, BINARY_PATH, getNextPort, getBinaryStatus, BIN_DIR, telemetryBroadcaster, type TelemetryEvent } from "../server";
-import { AgentDB, McpServerDB, TelemetryDB, generateId, type Agent, type AgentFeatures, type McpServer } from "../db";
+import { mkdirSync, existsSync, rmSync } from "fs";
+import { agentProcesses, agentsStarting, BINARY_PATH, getNextPort, getBinaryStatus, BIN_DIR, telemetryBroadcaster, type TelemetryEvent } from "../server";
+import { AgentDB, McpServerDB, TelemetryDB, UserDB, ProjectDB, generateId, type Agent, type AgentFeatures, type McpServer, type Project } from "../db";
 import { ProviderKeys, Onboarding, getProvidersWithStatus, PROVIDERS, type ProviderId } from "../providers";
+import { createUser, hashPassword, validatePassword } from "../auth";
+import type { AuthContext } from "../auth/middleware";
 import {
   binaryExists,
   checkForUpdates,
@@ -21,7 +23,14 @@ import {
   callMcpTool,
   getMcpProcess,
   getMcpProxyUrl,
+  getHttpMcpClient,
 } from "../mcp-client";
+import { openApiSpec } from "../openapi";
+import { getProvider, getProviderIds, registerProvider } from "../integrations";
+import { ComposioProvider } from "../integrations/composio";
+
+// Register integration providers
+registerProvider(ComposioProvider);
 
 // Data directory for agent instances (in ~/.apteva/agents/)
 const AGENTS_DATA_DIR = process.env.DATA_DIR
@@ -35,7 +44,13 @@ function json(data: unknown, status = 200): Response {
   });
 }
 
+const isDev = process.env.NODE_ENV !== "production";
+function debug(...args: unknown[]) {
+  if (isDev) console.log("[api]", ...args);
+}
+
 // Wait for agent to be healthy (with timeout)
+// Note: /health endpoint is whitelisted in agent, no auth needed
 async function waitForAgentHealth(port: number, maxAttempts = 30, delayMs = 200): Promise<boolean> {
   for (let i = 0; i < maxAttempts; i++) {
     try {
@@ -51,23 +66,58 @@ async function waitForAgentHealth(port: number, maxAttempts = 30, delayMs = 200)
   return false;
 }
 
+// Make authenticated request to agent
+async function agentFetch(
+  agentId: string,
+  port: number,
+  endpoint: string,
+  options: RequestInit = {}
+): Promise<Response> {
+  const apiKey = AgentDB.getApiKey(agentId);
+  const headers: Record<string, string> = {
+    ...(options.headers as Record<string, string> || {}),
+  };
+  if (apiKey) {
+    headers["X-API-Key"] = apiKey;
+  }
+  return fetch(`http://localhost:${port}${endpoint}`, {
+    ...options,
+    headers,
+  });
+}
+
 // Build agent config from apteva agent data
 // Note: POST /config expects flat structure WITHOUT "agent" wrapper
 function buildAgentConfig(agent: Agent, providerKey: string) {
   const features = agent.features;
 
   // Get MCP server details for the agent's selected servers
-  // All MCP servers are accessed via HTTP proxy (apteva manages the stdio processes)
-  const mcpServers = (agent.mcp_servers || [])
-    .map(id => McpServerDB.findById(id))
-    .filter((s): s is NonNullable<typeof s> => s !== null && s.status === "running" && s.port)
-    .map(s => ({
-      name: s.name,
-      type: "http" as const,
-      url: `http://localhost:${s.port}/mcp`,
-      headers: {},
-      enabled: true,
-    }));
+  const mcpServers: Array<{ name: string; type: "http"; url: string; headers: Record<string, string>; enabled: boolean }> = [];
+
+  for (const id of agent.mcp_servers || []) {
+    const server = McpServerDB.findById(id);
+    if (!server) continue;
+
+    if (server.type === "http" && server.url) {
+      // Remote HTTP server (Composio, Smithery, or custom)
+      mcpServers.push({
+        name: server.name,
+        type: "http",
+        url: server.url,
+        headers: server.headers || {},
+        enabled: true,
+      });
+    } else if (server.status === "running" && server.port) {
+      // Local MCP server (npm, github, custom)
+      mcpServers.push({
+        name: server.name,
+        type: "http",
+        url: `http://localhost:${server.port}/mcp`,
+        headers: {},
+        enabled: true,
+      });
+    }
+  }
 
   return {
     id: agent.id,
@@ -169,9 +219,10 @@ function buildAgentConfig(agent: Agent, providerKey: string) {
 }
 
 // Push config to running agent
-async function pushConfigToAgent(port: number, config: any): Promise<{ success: boolean; error?: string }> {
+// Push config to running agent (with authentication)
+async function pushConfigToAgent(agentId: string, port: number, config: any): Promise<{ success: boolean; error?: string }> {
   try {
-    const res = await fetch(`http://localhost:${port}/config`, {
+    const res = await agentFetch(agentId, port, "/config", {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify(config),
@@ -190,38 +241,85 @@ async function pushConfigToAgent(port: number, config: any): Promise<{ success:
 // Exported helper to start an agent process (used by API route and auto-restart)
 export async function startAgentProcess(
   agent: Agent,
-  options: { silent?: boolean } = {}
+  options: { silent?: boolean; cleanData?: boolean } = {}
 ): Promise<{ success: boolean; port?: number; error?: string }> {
-  const { silent = false } = options;
+  const { silent = false, cleanData = false } = options;
 
   // Check if binary exists
   if (!binaryExists(BIN_DIR)) {
     return { success: false, error: "Agent binary not available" };
   }
 
-  // Check if already running
+  // Check if already running (process map)
   if (agentProcesses.has(agent.id)) {
     return { success: false, error: "Agent already running" };
   }
 
+  // Check if already being started (race condition prevention)
+  if (agentsStarting.has(agent.id)) {
+    return { success: false, error: "Agent is already starting" };
+  }
+
+  // Mark as starting
+  agentsStarting.add(agent.id);
+
   // Get the API key for the agent's provider
   const providerKey = ProviderKeys.getDecrypted(agent.provider);
   if (!providerKey) {
+    agentsStarting.delete(agent.id);
     return { success: false, error: `No API key for provider: ${agent.provider}` };
   }
 
   // Get provider config for env var name
   const providerConfig = PROVIDERS[agent.provider as ProviderId];
   if (!providerConfig) {
+    agentsStarting.delete(agent.id);
     return { success: false, error: `Unknown provider: ${agent.provider}` };
   }
 
-  // Assign port
-  const port = getNextPort();
+  // Use agent's permanently assigned port
+  const port = agent.port;
+  if (!port) {
+    agentsStarting.delete(agent.id);
+    return { success: false, error: "Agent has no assigned port" };
+  }
+
+  // Get or create API key for the agent
+  const agentApiKey = AgentDB.ensureApiKey(agent.id);
+  if (!agentApiKey) {
+    agentsStarting.delete(agent.id);
+    return { success: false, error: "Failed to get/create agent API key" };
+  }
 
   try {
-    // Create data directory for this agent
+    // Check if something is already running on this port (orphaned process)
+    try {
+      const res = await fetch(`http://localhost:${port}/health`, { signal: AbortSignal.timeout(500) });
+      if (res.ok) {
+        // Something is running - try to shut it down
+        if (!silent) {
+          console.log(`  Port ${port} in use, stopping orphaned process...`);
+        }
+        try {
+          await fetch(`http://localhost:${port}/shutdown`, { method: "POST", signal: AbortSignal.timeout(1000) });
+          await new Promise(r => setTimeout(r, 500)); // Wait for shutdown
+        } catch {
+          // Shutdown failed - process might not support it
+        }
+      }
+    } catch {
+      // Port is free - good
+    }
+
+    // Handle data directory
     const agentDataDir = join(AGENTS_DATA_DIR, agent.id);
+    if (cleanData && existsSync(agentDataDir)) {
+      // Clean old data if requested
+      rmSync(agentDataDir, { recursive: true, force: true });
+      if (!silent) {
+        console.log(`  Cleaned old data directory`);
+      }
+    }
     if (!existsSync(agentDataDir)) {
       mkdirSync(agentDataDir, { recursive: true });
     }
@@ -232,11 +330,12 @@ export async function startAgentProcess(
       console.log(`  Data dir: ${agentDataDir}`);
     }
 
-    // Build environment with provider key
+    // Build environment with provider key and agent API key
     const env: Record<string, string> = {
       ...process.env as Record<string, string>,
       PORT: String(port),
       DATA_DIR: agentDataDir,
+      AGENT_API_KEY: agentApiKey,
       [providerConfig.envVar]: providerKey,
     };
 
@@ -247,7 +346,8 @@ export async function startAgentProcess(
       stderr: "ignore",
     });
 
-    agentProcesses.set(agent.id, proc);
+    // Store process with port for tracking
+    agentProcesses.set(agent.id, { proc, port });
 
     // Wait for agent to be healthy
     if (!silent) {
@@ -260,6 +360,7 @@ export async function startAgentProcess(
       }
       proc.kill();
       agentProcesses.delete(agent.id);
+      agentsStarting.delete(agent.id);
       return { success: false, error: "Health check timeout" };
     }
 
@@ -268,7 +369,7 @@ export async function startAgentProcess(
       console.log(`  Pushing configuration...`);
     }
     const config = buildAgentConfig(agent, providerKey);
-    const configResult = await pushConfigToAgent(port, config);
+    const configResult = await pushConfigToAgent(agent.id, port, config);
     if (!configResult.success) {
       if (!silent) {
         console.error(`  Failed to configure agent: ${configResult.error}`);
@@ -278,15 +379,17 @@ export async function startAgentProcess(
       console.log(`  Configuration applied successfully`);
     }
 
-    // Update status in database
-    AgentDB.setStatus(agent.id, "running", port);
+    // Update status in database (port is already set, just update status)
+    AgentDB.setStatus(agent.id, "running");
 
     if (!silent) {
       console.log(`Agent ${agent.name} started on port ${port} (pid: ${proc.pid})`);
     }
 
+    agentsStarting.delete(agent.id);
     return { success: true, port };
   } catch (err) {
+    agentsStarting.delete(agent.id);
     if (!silent) {
       console.error(`Failed to start agent: ${err}`);
     }
@@ -319,13 +422,43 @@ function toApiAgent(agent: Agent) {
     features: agent.features,
     mcpServers: agent.mcp_servers, // Keep IDs for backwards compatibility
     mcpServerDetails, // Include full details
+    projectId: agent.project_id,
     createdAt: agent.created_at,
     updatedAt: agent.updated_at,
   };
 }
 
-export async function handleApiRequest(req: Request, path: string): Promise<Response> {
+// Transform DB project to API response format
+function toApiProject(project: Project) {
+  return {
+    id: project.id,
+    name: project.name,
+    description: project.description,
+    color: project.color,
+    createdAt: project.created_at,
+    updatedAt: project.updated_at,
+  };
+}
+
+export async function handleApiRequest(req: Request, path: string, authContext?: AuthContext): Promise<Response> {
   const method = req.method;
+  const user = authContext?.user;
+
+  // GET /api/health - Health check endpoint (no auth required, handled before middleware in server.ts)
+  if (path === "/api/health" && method === "GET") {
+    const agentCount = AgentDB.count();
+    const runningAgents = AgentDB.findRunning().length;
+    return json({
+      status: "ok",
+      version: getAptevaVersion(),
+      agents: { total: agentCount, running: runningAgents },
+    });
+  }
+
+  // GET /api/openapi - OpenAPI spec (no auth required)
+  if (path === "/api/openapi" && method === "GET") {
+    return json(openApiSpec);
+  }
 
   // GET /api/agents - List all agents
   if (path === "/api/agents" && method === "GET") {
@@ -337,7 +470,7 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
   if (path === "/api/agents" && method === "POST") {
     try {
       const body = await req.json();
-      const { name, model, provider, systemPrompt, features } = body;
+      const { name, model, provider, systemPrompt, features, projectId } = body;
 
       if (!name) {
         return json({ error: "Name is required" }, 400);
@@ -354,6 +487,7 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
         system_prompt: systemPrompt || "You are a helpful assistant.",
         features: features || DEFAULT_FEATURES,
         mcp_servers: body.mcpServers || [],
+        project_id: projectId || null,
       });
 
       return json({ agent: toApiAgent(agent) }, 201);
@@ -390,6 +524,7 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
       if (body.systemPrompt !== undefined) updates.system_prompt = body.systemPrompt;
       if (body.features !== undefined) updates.features = body.features;
       if (body.mcpServers !== undefined) updates.mcp_servers = body.mcpServers;
+      if (body.projectId !== undefined) updates.project_id = body.projectId;
 
       const updated = AgentDB.update(agentMatch[1], updates);
 
@@ -398,7 +533,7 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
         const providerKey = ProviderKeys.getDecrypted(updated.provider);
         if (providerKey) {
           const config = buildAgentConfig(updated, providerKey);
-          const configResult = await pushConfigToAgent(updated.port, config);
+          const configResult = await pushConfigToAgent(updated.id, updated.port, config);
           if (!configResult.success) {
             console.error(`Failed to push config to running agent: ${configResult.error}`);
           }
@@ -413,25 +548,77 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
 
   // DELETE /api/agents/:id - Delete an agent
   if (agentMatch && method === "DELETE") {
-    const agent = AgentDB.findById(agentMatch[1]);
+    const agentId = agentMatch[1];
+    const agent = AgentDB.findById(agentId);
     if (!agent) {
       return json({ error: "Agent not found" }, 404);
     }
 
     // Stop the agent if running
-    const proc = agentProcesses.get(agentMatch[1]);
-    if (proc) {
-      proc.kill();
-      agentProcesses.delete(agentMatch[1]);
+    const agentProc = agentProcesses.get(agentId);
+    if (agentProc) {
+      agentProc.proc.kill();
+      agentProcesses.delete(agentId);
     }
 
     // Delete agent's telemetry data
-    TelemetryDB.deleteByAgent(agentMatch[1]);
+    TelemetryDB.deleteByAgent(agentId);
+
+    // Delete agent's data directory (contains threads, messages, etc.)
+    const agentDataDir = join(AGENTS_DATA_DIR, agentId);
+    if (existsSync(agentDataDir)) {
+      try {
+        rmSync(agentDataDir, { recursive: true, force: true });
+        console.log(`Deleted agent data directory: ${agentDataDir}`);
+      } catch (err) {
+        console.error(`Failed to delete agent data directory: ${err}`);
+      }
+    }
 
-    AgentDB.delete(agentMatch[1]);
+    AgentDB.delete(agentId);
     return json({ success: true });
   }
 
+  // GET /api/agents/:id/api-key - Get the agent's API key (masked)
+  const apiKeyGetMatch = path.match(/^\/api\/agents\/([^/]+)\/api-key$/);
+  if (apiKeyGetMatch && method === "GET") {
+    const agent = AgentDB.findById(apiKeyGetMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    const apiKey = AgentDB.getApiKey(agent.id);
+    if (!apiKey) {
+      return json({ error: "No API key found for this agent" }, 404);
+    }
+
+    // Return masked key (show only first 8 chars)
+    const masked = apiKey.substring(0, 8) + "..." + apiKey.substring(apiKey.length - 4);
+    return json({
+      apiKey: masked,
+      hasKey: true,
+    });
+  }
+
+  // POST /api/agents/:id/api-key - Regenerate the agent's API key
+  if (apiKeyGetMatch && method === "POST") {
+    const agent = AgentDB.findById(apiKeyGetMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    const newKey = AgentDB.regenerateApiKey(agent.id);
+    if (!newKey) {
+      return json({ error: "Failed to regenerate API key" }, 500);
+    }
+
+    // Return the full new key (only time it's fully visible)
+    return json({
+      apiKey: newKey,
+      message: "API key regenerated. This is the only time the full key will be shown.",
+    });
+  }
+
   // POST /api/agents/:id/start - Start an agent
   const startMatch = path.match(/^\/api\/agents\/([^/]+)\/start$/);
   if (startMatch && method === "POST") {
@@ -457,10 +644,10 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
       return json({ error: "Agent not found" }, 404);
     }
 
-    const proc = agentProcesses.get(agent.id);
-    if (proc) {
-      console.log(`Stopping agent ${agent.name} (pid: ${proc.pid})...`);
-      proc.kill();
+    const agentProc = agentProcesses.get(agent.id);
+    if (agentProc) {
+      console.log(`Stopping agent ${agent.name} (pid: ${agentProc.proc.pid})...`);
+      agentProc.proc.kill();
       agentProcesses.delete(agent.id);
     }
 
@@ -483,59 +670,741 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
     try {
       const body = await req.json();
 
-      // Proxy to the agent's /chat endpoint
-      const agentUrl = `http://localhost:${agent.port}/chat`;
-      const response = await fetch(agentUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-        },
-        body: JSON.stringify(body),
-      });
-
-      // Stream the response back
-      if (!response.ok) {
-        const errorText = await response.text();
-        return json({ error: `Agent error: ${errorText}` }, response.status);
+      // Proxy to the agent's /chat endpoint with authentication
+      const response = await agentFetch(agent.id, agent.port, "/chat", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+      });
+
+      // Stream the response back
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      // Return streaming response with proper headers
+      return new Response(response.body, {
+        status: 200,
+        headers: {
+          "Content-Type": response.headers.get("Content-Type") || "text/event-stream",
+          "Cache-Control": "no-cache",
+          "Connection": "keep-alive",
+        },
+      });
+    } catch (err) {
+      console.error(`Chat proxy error: ${err}`);
+      return json({ error: `Failed to proxy chat: ${err}` }, 500);
+    }
+  }
+
+  // ==================== THREAD & MESSAGE PROXY ====================
+
+  // GET /api/agents/:id/threads - List threads for an agent
+  const threadsListMatch = path.match(/^\/api\/agents\/([^/]+)\/threads$/);
+  if (threadsListMatch && method === "GET") {
+    const agent = AgentDB.findById(threadsListMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const response = await agentFetch(agent.id, agent.port, "/threads", {
+        method: "GET",
+        headers: { "Accept": "application/json" },
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      const data = await response.json();
+      return json(data);
+    } catch (err) {
+      console.error(`Threads list proxy error: ${err}`);
+      return json({ error: `Failed to fetch threads: ${err}` }, 500);
+    }
+  }
+
+  // POST /api/agents/:id/threads - Create a new thread
+  if (threadsListMatch && method === "POST") {
+    const agent = AgentDB.findById(threadsListMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const body = await req.json().catch(() => ({}));
+      const response = await agentFetch(agent.id, agent.port, "/threads", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      const data = await response.json();
+      return json(data, 201);
+    } catch (err) {
+      console.error(`Thread create proxy error: ${err}`);
+      return json({ error: `Failed to create thread: ${err}` }, 500);
+    }
+  }
+
+  // GET /api/agents/:id/threads/:threadId - Get a specific thread
+  const threadDetailMatch = path.match(/^\/api\/agents\/([^/]+)\/threads\/([^/]+)$/);
+  if (threadDetailMatch && method === "GET") {
+    const agent = AgentDB.findById(threadDetailMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const threadId = threadDetailMatch[2];
+      const response = await agentFetch(agent.id, agent.port, `/threads/${threadId}`, {
+        method: "GET",
+        headers: { "Accept": "application/json" },
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      const data = await response.json();
+      return json(data);
+    } catch (err) {
+      console.error(`Thread detail proxy error: ${err}`);
+      return json({ error: `Failed to fetch thread: ${err}` }, 500);
+    }
+  }
+
+  // DELETE /api/agents/:id/threads/:threadId - Delete a thread
+  if (threadDetailMatch && method === "DELETE") {
+    const agent = AgentDB.findById(threadDetailMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const threadId = threadDetailMatch[2];
+      const response = await agentFetch(agent.id, agent.port, `/threads/${threadId}`, {
+        method: "DELETE",
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      return json({ success: true });
+    } catch (err) {
+      console.error(`Thread delete proxy error: ${err}`);
+      return json({ error: `Failed to delete thread: ${err}` }, 500);
+    }
+  }
+
+  // GET /api/agents/:id/threads/:threadId/messages - Get messages in a thread
+  const threadMessagesMatch = path.match(/^\/api\/agents\/([^/]+)\/threads\/([^/]+)\/messages$/);
+  if (threadMessagesMatch && method === "GET") {
+    const agent = AgentDB.findById(threadMessagesMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const threadId = threadMessagesMatch[2];
+      const response = await agentFetch(agent.id, agent.port, `/threads/${threadId}/messages`, {
+        method: "GET",
+        headers: { "Accept": "application/json" },
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      const data = await response.json();
+      return json(data);
+    } catch (err) {
+      console.error(`Thread messages proxy error: ${err}`);
+      return json({ error: `Failed to fetch messages: ${err}` }, 500);
+    }
+  }
+
+  // ==================== MEMORY PROXY ====================
+
+  // GET /api/agents/:id/memories - List memories for an agent
+  const memoriesMatch = path.match(/^\/api\/agents\/([^/]+)\/memories$/);
+  if (memoriesMatch && method === "GET") {
+    const agent = AgentDB.findById(memoriesMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const url = new URL(req.url);
+      const threadId = url.searchParams.get("thread_id") || "";
+      const endpoint = `/memories${threadId ? `?thread_id=${threadId}` : ""}`;
+      const response = await agentFetch(agent.id, agent.port, endpoint, {
+        method: "GET",
+        headers: { "Accept": "application/json" },
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      const data = await response.json();
+      return json(data);
+    } catch (err) {
+      console.error(`Memories list proxy error: ${err}`);
+      return json({ error: `Failed to fetch memories: ${err}` }, 500);
+    }
+  }
+
+  // DELETE /api/agents/:id/memories - Clear all memories for an agent
+  if (memoriesMatch && method === "DELETE") {
+    const agent = AgentDB.findById(memoriesMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const response = await agentFetch(agent.id, agent.port, "/memories", { method: "DELETE" });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      return json({ success: true });
+    } catch (err) {
+      console.error(`Memories clear proxy error: ${err}`);
+      return json({ error: `Failed to clear memories: ${err}` }, 500);
+    }
+  }
+
+  // DELETE /api/agents/:id/memories/:memoryId - Delete a specific memory
+  const memoryDeleteMatch = path.match(/^\/api\/agents\/([^/]+)\/memories\/([^/]+)$/);
+  if (memoryDeleteMatch && method === "DELETE") {
+    const agent = AgentDB.findById(memoryDeleteMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const memoryId = memoryDeleteMatch[2];
+      const response = await agentFetch(agent.id, agent.port, `/memories/${memoryId}`, { method: "DELETE" });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      return json({ success: true });
+    } catch (err) {
+      console.error(`Memory delete proxy error: ${err}`);
+      return json({ error: `Failed to delete memory: ${err}` }, 500);
+    }
+  }
+
+  // ==================== FILES PROXY ====================
+
+  // GET /api/agents/:id/files - List files for an agent
+  const filesMatch = path.match(/^\/api\/agents\/([^/]+)\/files$/);
+  if (filesMatch && method === "GET") {
+    const agent = AgentDB.findById(filesMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const url = new URL(req.url);
+      const params = new URLSearchParams();
+      if (url.searchParams.get("thread_id")) params.set("thread_id", url.searchParams.get("thread_id")!);
+      if (url.searchParams.get("limit")) params.set("limit", url.searchParams.get("limit")!);
+
+      const endpoint = `/files${params.toString() ? `?${params}` : ""}`;
+      const response = await agentFetch(agent.id, agent.port, endpoint, {
+        method: "GET",
+        headers: { "Accept": "application/json" },
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      const data = await response.json();
+      return json(data);
+    } catch (err) {
+      console.error(`Files list proxy error: ${err}`);
+      return json({ error: `Failed to fetch files: ${err}` }, 500);
+    }
+  }
+
+  // GET /api/agents/:id/files/:fileId - Get a specific file
+  const fileGetMatch = path.match(/^\/api\/agents\/([^/]+)\/files\/([^/]+)$/);
+  if (fileGetMatch && method === "GET") {
+    const agent = AgentDB.findById(fileGetMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const fileId = fileGetMatch[2];
+      const response = await agentFetch(agent.id, agent.port, `/files/${fileId}`, {
+        method: "GET",
+        headers: { "Accept": "application/json" },
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      const data = await response.json();
+      return json(data);
+    } catch (err) {
+      console.error(`File get proxy error: ${err}`);
+      return json({ error: `Failed to fetch file: ${err}` }, 500);
+    }
+  }
+
+  // DELETE /api/agents/:id/files/:fileId - Delete a specific file
+  if (fileGetMatch && method === "DELETE") {
+    const agent = AgentDB.findById(fileGetMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const fileId = fileGetMatch[2];
+      const response = await agentFetch(agent.id, agent.port, `/files/${fileId}`, {
+        method: "DELETE",
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      return json({ success: true });
+    } catch (err) {
+      console.error(`File delete proxy error: ${err}`);
+      return json({ error: `Failed to delete file: ${err}` }, 500);
+    }
+  }
+
+  // GET /api/agents/:id/files/:fileId/download - Download a file
+  const fileDownloadMatch = path.match(/^\/api\/agents\/([^/]+)\/files\/([^/]+)\/download$/);
+  if (fileDownloadMatch && method === "GET") {
+    const agent = AgentDB.findById(fileDownloadMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const fileId = fileDownloadMatch[2];
+      const response = await agentFetch(agent.id, agent.port, `/files/${fileId}/download`);
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      // Pass through the file response
+      return new Response(response.body, {
+        status: response.status,
+        headers: {
+          "Content-Type": response.headers.get("Content-Type") || "application/octet-stream",
+          "Content-Disposition": response.headers.get("Content-Disposition") || "attachment",
+          "Content-Length": response.headers.get("Content-Length") || "",
+        },
+      });
+    } catch (err) {
+      console.error(`File download proxy error: ${err}`);
+      return json({ error: `Failed to download file: ${err}` }, 500);
+    }
+  }
+
+  // ==================== DISCOVERY/PEERS PROXY ====================
+
+  // GET /api/agents/:id/peers - Get discovered peer agents
+  const peersMatch = path.match(/^\/api\/agents\/([^/]+)\/peers$/);
+  if (peersMatch && method === "GET") {
+    const agent = AgentDB.findById(peersMatch[1]);
+    if (!agent) {
+      return json({ error: "Agent not found" }, 404);
+    }
+
+    if (agent.status !== "running" || !agent.port) {
+      return json({ error: "Agent is not running" }, 400);
+    }
+
+    try {
+      const response = await agentFetch(agent.id, agent.port, "/discovery/agents", {
+        method: "GET",
+        headers: { "Accept": "application/json" },
+      });
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        return json({ error: `Agent error: ${errorText}` }, response.status);
+      }
+
+      const data = await response.json();
+      return json(data);
+    } catch (err) {
+      console.error(`Peers list proxy error: ${err}`);
+      return json({ error: `Failed to fetch peers: ${err}` }, 500);
+    }
+  }
+
+  // GET /api/providers - List supported providers and models with key status
+  if (path === "/api/providers" && method === "GET") {
+    const providers = getProvidersWithStatus();
+    return json({ providers });
+  }
+
+  // ==================== ONBOARDING ====================
+
+  // GET /api/onboarding/status - Check onboarding status
+  if (path === "/api/onboarding/status" && method === "GET") {
+    return json(Onboarding.getStatus());
+  }
+
+  // POST /api/onboarding/complete - Mark onboarding as complete
+  if (path === "/api/onboarding/complete" && method === "POST") {
+    Onboarding.complete();
+    return json({ success: true });
+  }
+
+  // POST /api/onboarding/reset - Reset onboarding (for testing)
+  if (path === "/api/onboarding/reset" && method === "POST") {
+    Onboarding.reset();
+    return json({ success: true });
+  }
+
+  // POST /api/onboarding/user - Create first user during onboarding
+  // This endpoint only works when no users exist (enforced by middleware)
+  if (path === "/api/onboarding/user" && method === "POST") {
+    debug("POST /api/onboarding/user");
+    // Double-check no users exist
+    if (UserDB.hasUsers()) {
+      debug("Users already exist");
+      return json({ error: "Users already exist" }, 403);
+    }
+
+    try {
+      const body = await req.json();
+      debug("Onboarding body:", JSON.stringify(body));
+      const { username, password, email } = body;
+
+      if (!username || !password) {
+        debug("Missing username or password");
+        return json({ error: "Username and password are required" }, 400);
+      }
+
+      // Create first user as admin
+      debug("Creating user:", username);
+      const result = await createUser({
+        username,
+        password,
+        email: email || undefined, // Optional, for password recovery
+        role: "admin",
+      });
+      debug("Create user result:", result.success, result.error);
+
+      if (!result.success) {
+        return json({ error: result.error }, 400);
+      }
+
+      return json({
+        success: true,
+        user: {
+          id: result.user!.id,
+          username: result.user!.username,
+          role: result.user!.role,
+        },
+      }, 201);
+    } catch (e) {
+      debug("Onboarding error:", e);
+      return json({ error: "Invalid request body" }, 400);
+    }
+  }
+
+  // ==================== USER MANAGEMENT (Admin only) ====================
+
+  // GET /api/users - List all users
+  if (path === "/api/users" && method === "GET") {
+    const users = UserDB.findAll().map(u => ({
+      id: u.id,
+      username: u.username,
+      email: u.email,
+      role: u.role,
+      createdAt: u.created_at,
+      lastLoginAt: u.last_login_at,
+    }));
+    return json({ users });
+  }
+
+  // POST /api/users - Create a new user
+  if (path === "/api/users" && method === "POST") {
+    try {
+      const body = await req.json();
+      const { username, password, email, role } = body;
+
+      if (!username || !password) {
+        return json({ error: "Username and password are required" }, 400);
+      }
+
+      const result = await createUser({
+        username,
+        password,
+        email: email || undefined,
+        role: role || "user",
+      });
+
+      if (!result.success) {
+        return json({ error: result.error }, 400);
+      }
+
+      return json({
+        user: {
+          id: result.user!.id,
+          username: result.user!.username,
+          email: result.user!.email,
+          role: result.user!.role,
+          createdAt: result.user!.created_at,
+        },
+      }, 201);
+    } catch (e) {
+      return json({ error: "Invalid request body" }, 400);
+    }
+  }
+
+  // GET /api/users/:id - Get a specific user
+  const userMatch = path.match(/^\/api\/users\/([^/]+)$/);
+  if (userMatch && method === "GET") {
+    const targetUser = UserDB.findById(userMatch[1]);
+    if (!targetUser) {
+      return json({ error: "User not found" }, 404);
+    }
+    return json({
+      user: {
+        id: targetUser.id,
+        username: targetUser.username,
+        email: targetUser.email,
+        role: targetUser.role,
+        createdAt: targetUser.created_at,
+        lastLoginAt: targetUser.last_login_at,
+      },
+    });
+  }
+
+  // PUT /api/users/:id - Update a user
+  if (userMatch && method === "PUT") {
+    const targetUser = UserDB.findById(userMatch[1]);
+    if (!targetUser) {
+      return json({ error: "User not found" }, 404);
+    }
+
+    try {
+      const body = await req.json();
+      const updates: Parameters<typeof UserDB.update>[1] = {};
+
+      if (body.email !== undefined) updates.email = body.email;
+      if (body.role !== undefined) {
+        // Prevent removing last admin
+        if (targetUser.role === "admin" && body.role !== "admin") {
+          if (UserDB.countAdmins() <= 1) {
+            return json({ error: "Cannot remove the last admin" }, 400);
+          }
+        }
+        updates.role = body.role;
+      }
+      if (body.password !== undefined) {
+        const validation = validatePassword(body.password);
+        if (!validation.valid) {
+          return json({ error: validation.errors.join(". ") }, 400);
+        }
+        updates.password_hash = await hashPassword(body.password);
+      }
+
+      const updated = UserDB.update(userMatch[1], updates);
+      return json({
+        user: updated ? {
+          id: updated.id,
+          username: updated.username,
+          email: updated.email,
+          role: updated.role,
+          createdAt: updated.created_at,
+          lastLoginAt: updated.last_login_at,
+        } : null,
+      });
+    } catch (e) {
+      return json({ error: "Invalid request body" }, 400);
+    }
+  }
+
+  // DELETE /api/users/:id - Delete a user
+  if (userMatch && method === "DELETE") {
+    const targetUser = UserDB.findById(userMatch[1]);
+    if (!targetUser) {
+      return json({ error: "User not found" }, 404);
+    }
+
+    // Prevent deleting yourself
+    if (user && targetUser.id === user.id) {
+      return json({ error: "Cannot delete your own account" }, 400);
+    }
+
+    // Prevent deleting last admin
+    if (targetUser.role === "admin" && UserDB.countAdmins() <= 1) {
+      return json({ error: "Cannot delete the last admin" }, 400);
+    }
+
+    UserDB.delete(userMatch[1]);
+    return json({ success: true });
+  }
+
+  // ==================== PROJECTS ====================
+
+  // GET /api/projects - List all projects
+  if (path === "/api/projects" && method === "GET") {
+    const projects = ProjectDB.findAll();
+    const agentCounts = ProjectDB.getAgentCounts();
+    return json({
+      projects: projects.map(p => ({
+        ...toApiProject(p),
+        agentCount: agentCounts.get(p.id) || 0,
+      })),
+      unassignedCount: agentCounts.get(null) || 0,
+    });
+  }
+
+  // POST /api/projects - Create a new project
+  if (path === "/api/projects" && method === "POST") {
+    try {
+      const body = await req.json();
+      const { name, description, color } = body;
+
+      if (!name) {
+        return json({ error: "Name is required" }, 400);
       }
 
-      // Return streaming response with proper headers
-      return new Response(response.body, {
-        status: 200,
-        headers: {
-          "Content-Type": response.headers.get("Content-Type") || "text/event-stream",
-          "Cache-Control": "no-cache",
-          "Connection": "keep-alive",
-        },
+      const project = ProjectDB.create({
+        name,
+        description: description || null,
+        color: color || "#6366f1",
       });
-    } catch (err) {
-      console.error(`Chat proxy error: ${err}`);
-      return json({ error: `Failed to proxy chat: ${err}` }, 500);
+
+      return json({ project: toApiProject(project) }, 201);
+    } catch (e) {
+      console.error("Create project error:", e);
+      return json({ error: "Invalid request body" }, 400);
     }
   }
 
-  // GET /api/providers - List supported providers and models with key status
-  if (path === "/api/providers" && method === "GET") {
-    const providers = getProvidersWithStatus();
-    return json({ providers });
+  // GET /api/projects/:id - Get a specific project
+  const projectMatch = path.match(/^\/api\/projects\/([^/]+)$/);
+  if (projectMatch && method === "GET") {
+    const project = ProjectDB.findById(projectMatch[1]);
+    if (!project) {
+      return json({ error: "Project not found" }, 404);
+    }
+    const agents = AgentDB.findByProject(project.id);
+    return json({
+      project: toApiProject(project),
+      agents: agents.map(toApiAgent),
+    });
   }
 
-  // ==================== ONBOARDING ====================
+  // PUT /api/projects/:id - Update a project
+  if (projectMatch && method === "PUT") {
+    const project = ProjectDB.findById(projectMatch[1]);
+    if (!project) {
+      return json({ error: "Project not found" }, 404);
+    }
 
-  // GET /api/onboarding/status - Check onboarding status
-  if (path === "/api/onboarding/status" && method === "GET") {
-    return json(Onboarding.getStatus());
-  }
+    try {
+      const body = await req.json();
+      const updates: Partial<Project> = {};
 
-  // POST /api/onboarding/complete - Mark onboarding as complete
-  if (path === "/api/onboarding/complete" && method === "POST") {
-    Onboarding.complete();
-    return json({ success: true });
+      if (body.name !== undefined) updates.name = body.name;
+      if (body.description !== undefined) updates.description = body.description;
+      if (body.color !== undefined) updates.color = body.color;
+
+      const updated = ProjectDB.update(projectMatch[1], updates);
+      return json({ project: updated ? toApiProject(updated) : null });
+    } catch (e) {
+      return json({ error: "Invalid request body" }, 400);
+    }
   }
 
-  // POST /api/onboarding/reset - Reset onboarding (for testing)
-  if (path === "/api/onboarding/reset" && method === "POST") {
-    Onboarding.reset();
+  // DELETE /api/projects/:id - Delete a project
+  if (projectMatch && method === "DELETE") {
+    const project = ProjectDB.findById(projectMatch[1]);
+    if (!project) {
+      return json({ error: "Project not found" }, 404);
+    }
+
+    ProjectDB.delete(projectMatch[1]);
     return json({ success: true });
   }
 
@@ -625,13 +1494,19 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
 
   // POST /api/version/update - Download/install latest agent binary
   if (path === "/api/version/update" && method === "POST") {
-    // Check if any agents are running
+    // Get all running agents to restart later
     const runningAgents = AgentDB.findAll().filter(a => a.status === "running");
-    if (runningAgents.length > 0) {
-      return json(
-        { success: false, error: "Cannot update while agents are running. Stop all agents first." },
-        { status: 400 }
-      );
+    const agentsToRestart = runningAgents.map(a => a.id);
+
+    // Stop all running agents
+    for (const agent of runningAgents) {
+      const agentProc = agentProcesses.get(agent.id);
+      if (agentProc) {
+        console.log(`Stopping agent ${agent.name} for update...`);
+        agentProc.proc.kill();
+        agentProcesses.delete(agent.id);
+      }
+      AgentDB.setStatus(agent.id, "stopped");
     }
 
     // Try npm install first, fall back to direct download
@@ -641,10 +1516,31 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
       result = await downloadLatestBinary(BIN_DIR);
     }
 
-    if (result.success) {
-      return json({ success: true, version: result.version });
+    if (!result.success) {
+      return json({ success: false, error: result.error }, 500);
+    }
+
+    // Restart agents that were running
+    const restartResults: { id: string; name: string; success: boolean; error?: string }[] = [];
+    for (const agentId of agentsToRestart) {
+      const agent = AgentDB.findById(agentId);
+      if (agent) {
+        console.log(`Restarting agent ${agent.name} after update...`);
+        const startResult = await startAgentProcess(agent);
+        restartResults.push({
+          id: agent.id,
+          name: agent.name,
+          success: startResult.success,
+          error: startResult.error,
+        });
+      }
     }
-    return json({ success: false, error: result.error }, { status: 500 });
+
+    return json({
+      success: true,
+      version: result.version,
+      restarted: restartResults,
+    });
   }
 
   // GET /api/health - Health check
@@ -669,10 +1565,10 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
 
   // ==================== TASKS ====================
 
-  // Helper to fetch from a running agent
-  async function fetchFromAgent(port: number, endpoint: string): Promise<any> {
+  // Helper to fetch from a running agent (with authentication)
+  async function fetchFromAgent(agentId: string, port: number, endpoint: string): Promise<any> {
     try {
-      const response = await fetch(`http://localhost:${port}${endpoint}`, {
+      const response = await agentFetch(agentId, port, endpoint, {
         headers: { "Accept": "application/json" },
       });
       if (response.ok) {
@@ -693,7 +1589,7 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
     const allTasks: any[] = [];
 
     for (const agent of runningAgents) {
-      const data = await fetchFromAgent(agent.port!, `/tasks?status=${status}`);
+      const data = await fetchFromAgent(agent.id, agent.port!, `/tasks?status=${status}`);
       if (data?.tasks) {
         // Add agent info to each task
         for (const task of data.tasks) {
@@ -729,7 +1625,7 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
     const url = new URL(req.url);
     const status = url.searchParams.get("status") || "all";
 
-    const data = await fetchFromAgent(agent.port, `/tasks?status=${status}`);
+    const data = await fetchFromAgent(agent.id, agent.port, `/tasks?status=${status}`);
     if (!data) {
       return json({ error: "Failed to fetch tasks from agent" }, 500);
     }
@@ -748,7 +1644,7 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
     let runningTasks = 0;
 
     for (const agent of runningAgents) {
-      const data = await fetchFromAgent(agent.port!, "/tasks?status=all");
+      const data = await fetchFromAgent(agent.id, agent.port!, "/tasks?status=all");
       if (data?.tasks) {
         totalTasks += data.tasks.length;
         for (const task of data.tasks) {
@@ -833,20 +1729,39 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
       }
       const data = await res.json();
 
-      // Transform to simpler format
-      const servers = (data.servers || []).map((item: any) => {
-        const s = item.server;
-        const pkg = s.packages?.find((p: any) => p.registryType === "npm");
-        return {
-          name: s.name,
-          description: s.description,
-          version: s.version,
-          repository: s.repository?.url,
-          npmPackage: pkg?.identifier,
-          transport: pkg?.transport?.type || "stdio",
-          envVars: pkg?.environmentVariables || [],
-        };
-      }).filter((s: any) => s.npmPackage); // Only show npm packages for now
+      // Transform to simpler format - dedupe by name
+      const seen = new Set<string>();
+      const servers = (data.servers || [])
+        .map((item: any) => {
+          const s = item.server;
+          const pkg = s.packages?.find((p: any) => p.registryType === "npm");
+          const remote = s.remotes?.[0];
+
+          // Extract a short display name from the full name
+          // e.g., "ai.smithery/smithery-ai-github" -> "github"
+          // e.g., "io.github.user/my-server" -> "my-server"
+          const fullName = s.name || "";
+          const shortName = fullName.split("/").pop()?.replace(/-mcp$/, "").replace(/^mcp-/, "") || fullName;
+
+          return {
+            id: fullName, // Use full name as unique ID
+            name: shortName,
+            fullName: fullName,
+            description: s.description,
+            version: s.version,
+            repository: s.repository?.url,
+            npmPackage: pkg?.identifier || null,
+            remoteUrl: remote?.url || null,
+            transport: pkg?.transport?.type || (remote ? "http" : "stdio"),
+          };
+        })
+        .filter((s: any) => {
+          // Dedupe by fullName
+          if (seen.has(s.fullName)) return false;
+          seen.add(s.fullName);
+          // Only show servers with npm package or remote URL
+          return s.npmPackage || s.remoteUrl;
+        });
 
       return json({ servers });
     } catch (e) {
@@ -854,11 +1769,410 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
     }
   }
 
+  // ============ Generic Integration Providers ============
+  // These endpoints work with any registered provider (composio, smithery, etc.)
+
+  // GET /api/integrations/providers - List available integration providers
+  if (path === "/api/integrations/providers" && method === "GET") {
+    const providerIds = getProviderIds();
+    const providers = providerIds.map(id => {
+      const provider = getProvider(id);
+      const hasKey = !!ProviderKeys.getDecrypted(id);
+      return {
+        id,
+        name: provider?.name || id,
+        connected: hasKey,
+      };
+    });
+    return json({ providers });
+  }
+
+  // GET /api/integrations/:provider/apps - List available apps from a provider
+  const appsMatch = path.match(/^\/api\/integrations\/([^/]+)\/apps$/);
+  if (appsMatch && method === "GET") {
+    const providerId = appsMatch[1];
+    const provider = getProvider(providerId);
+    if (!provider) {
+      return json({ error: `Unknown provider: ${providerId}` }, 404);
+    }
+
+    const apiKey = ProviderKeys.getDecrypted(providerId);
+    if (!apiKey) {
+      return json({ error: `${provider.name} API key not configured`, apps: [] }, 200);
+    }
+
+    try {
+      const apps = await provider.listApps(apiKey);
+      return json({ apps });
+    } catch (e) {
+      console.error(`Failed to list apps from ${providerId}:`, e);
+      return json({ error: "Failed to fetch apps" }, 500);
+    }
+  }
+
+  // GET /api/integrations/:provider/connected - List user's connected accounts
+  const connectedMatch = path.match(/^\/api\/integrations\/([^/]+)\/connected$/);
+  if (connectedMatch && method === "GET") {
+    const providerId = connectedMatch[1];
+    const provider = getProvider(providerId);
+    if (!provider) {
+      return json({ error: `Unknown provider: ${providerId}` }, 404);
+    }
+
+    const apiKey = ProviderKeys.getDecrypted(providerId);
+    if (!apiKey) {
+      return json({ error: `${provider.name} API key not configured`, accounts: [] }, 200);
+    }
+
+    // Use Apteva user ID as the entity ID for the provider
+    const userId = user?.id || "default";
+
+    try {
+      const accounts = await provider.listConnectedAccounts(apiKey, userId);
+      return json({ accounts });
+    } catch (e) {
+      console.error(`Failed to list connected accounts from ${providerId}:`, e);
+      return json({ error: "Failed to fetch connected accounts" }, 500);
+    }
+  }
+
+  // POST /api/integrations/:provider/connect - Initiate connection (OAuth or API Key)
+  const connectMatch = path.match(/^\/api\/integrations\/([^/]+)\/connect$/);
+  if (connectMatch && method === "POST") {
+    const providerId = connectMatch[1];
+    const provider = getProvider(providerId);
+    if (!provider) {
+      return json({ error: `Unknown provider: ${providerId}` }, 404);
+    }
+
+    const apiKey = ProviderKeys.getDecrypted(providerId);
+    if (!apiKey) {
+      return json({ error: `${provider.name} API key not configured` }, 401);
+    }
+
+    try {
+      const body = await req.json();
+      const { appSlug, redirectUrl, credentials } = body;
+
+      if (!appSlug) {
+        return json({ error: "appSlug is required" }, 400);
+      }
+
+      // Use Apteva user ID as the entity ID
+      const userId = user?.id || "default";
+
+      // Default redirect URL back to our integrations page
+      const callbackUrl = redirectUrl || `http://localhost:${process.env.PORT || 4280}/mcp?tab=hosted&connected=${appSlug}`;
+
+      const result = await provider.initiateConnection(apiKey, userId, appSlug, callbackUrl, credentials);
+      return json(result);
+    } catch (e) {
+      console.error(`Failed to initiate connection for ${providerId}:`, e);
+      return json({ error: `Failed to initiate connection: ${e}` }, 500);
+    }
+  }
+
+  // GET /api/integrations/:provider/connection/:id - Check connection status
+  const connectionStatusMatch = path.match(/^\/api\/integrations\/([^/]+)\/connection\/([^/]+)$/);
+  if (connectionStatusMatch && method === "GET") {
+    const providerId = connectionStatusMatch[1];
+    const connectionId = connectionStatusMatch[2];
+    const provider = getProvider(providerId);
+    if (!provider) {
+      return json({ error: `Unknown provider: ${providerId}` }, 404);
+    }
+
+    const apiKey = ProviderKeys.getDecrypted(providerId);
+    if (!apiKey) {
+      return json({ error: `${provider.name} API key not configured` }, 401);
+    }
+
+    try {
+      const connection = await provider.getConnectionStatus(apiKey, connectionId);
+      if (!connection) {
+        return json({ error: "Connection not found" }, 404);
+      }
+      return json({ connection });
+    } catch (e) {
+      console.error(`Failed to get connection status:`, e);
+      return json({ error: "Failed to get connection status" }, 500);
+    }
+  }
+
+  // DELETE /api/integrations/:provider/connection/:id - Disconnect/revoke
+  const disconnectMatch = path.match(/^\/api\/integrations\/([^/]+)\/connection\/([^/]+)$/);
+  if (disconnectMatch && method === "DELETE") {
+    const providerId = disconnectMatch[1];
+    const connectionId = disconnectMatch[2];
+    const provider = getProvider(providerId);
+    if (!provider) {
+      return json({ error: `Unknown provider: ${providerId}` }, 404);
+    }
+
+    const apiKey = ProviderKeys.getDecrypted(providerId);
+    if (!apiKey) {
+      return json({ error: `${provider.name} API key not configured` }, 401);
+    }
+
+    try {
+      const success = await provider.disconnect(apiKey, connectionId);
+      return json({ success });
+    } catch (e) {
+      console.error(`Failed to disconnect:`, e);
+      return json({ error: "Failed to disconnect" }, 500);
+    }
+  }
+
+  // ============ Composio-Specific Routes (MCP Configs) ============
+
+  // GET /api/integrations/composio/configs - List Composio MCP configs
+  if (path === "/api/integrations/composio/configs" && method === "GET") {
+    const apiKey = ProviderKeys.getDecrypted("composio");
+    if (!apiKey) {
+      return json({ error: "Composio API key not configured", configs: [] }, 200);
+    }
+
+    try {
+      const res = await fetch("https://backend.composio.dev/api/v3/mcp/servers?limit=50", {
+        headers: {
+          "x-api-key": apiKey,
+          "Content-Type": "application/json",
+        },
+      });
+
+      if (!res.ok) {
+        const text = await res.text();
+        console.error("Composio API error:", res.status, text);
+        return json({ error: "Failed to fetch Composio configs" }, 500);
+      }
+
+      const data = await res.json();
+
+      // Transform to our format (no user_id in URLs - that's provided when adding)
+      const configs = (data.items || data.servers || []).map((item: any) => ({
+        id: item.id,
+        name: item.name || item.id,
+        toolkits: item.toolkits || item.apps || [],
+        toolsCount: item.toolsCount || item.tools?.length || 0,
+        createdAt: item.createdAt || item.created_at,
+      }));
+
+      return json({ configs });
+    } catch (e) {
+      console.error("Composio fetch error:", e);
+      return json({ error: "Failed to connect to Composio" }, 500);
+    }
+  }
+
+  // GET /api/integrations/composio/configs/:id - Get single Composio config details
+  const composioConfigMatch = path.match(/^\/api\/integrations\/composio\/configs\/([^/]+)$/);
+  if (composioConfigMatch && method === "GET") {
+    const configId = composioConfigMatch[1];
+    const apiKey = ProviderKeys.getDecrypted("composio");
+    if (!apiKey) {
+      return json({ error: "Composio API key not configured" }, 401);
+    }
+
+    try {
+      const res = await fetch(`https://backend.composio.dev/api/v3/mcp/${configId}`, {
+        headers: {
+          "x-api-key": apiKey,
+          "Content-Type": "application/json",
+        },
+      });
+
+      if (!res.ok) {
+        return json({ error: "Config not found" }, 404);
+      }
+
+      const data = await res.json();
+      return json({
+        config: {
+          id: data.id,
+          name: data.name || data.id,
+          toolkits: data.toolkits || data.apps || [],
+          tools: data.tools || [],
+        },
+      });
+    } catch (e) {
+      return json({ error: "Failed to fetch config" }, 500);
+    }
+  }
+
+  // POST /api/integrations/composio/configs/:id/add - Add a Composio config as an MCP server
+  // Fetches the mcp_url directly from Composio API
+  const composioAddMatch = path.match(/^\/api\/integrations\/composio\/configs\/([^/]+)\/add$/);
+  if (composioAddMatch && method === "POST") {
+    const configId = composioAddMatch[1];
+    const apiKey = ProviderKeys.getDecrypted("composio");
+    if (!apiKey) {
+      return json({ error: "Composio API key not configured" }, 401);
+    }
+
+    try {
+      // Fetch config details from Composio to get the name and mcp_url
+      const res = await fetch(`https://backend.composio.dev/api/v3/mcp/${configId}`, {
+        headers: {
+          "x-api-key": apiKey,
+          "Content-Type": "application/json",
+        },
+      });
+
+      if (!res.ok) {
+        const errText = await res.text();
+        console.error("Failed to fetch Composio MCP config:", errText);
+        return json({ error: "Failed to fetch MCP config from Composio" }, 400);
+      }
+
+      const data = await res.json();
+      const configName = data.name || `composio-${configId.slice(0, 8)}`;
+      const mcpUrl = data.mcp_url;
+      const authConfigIds = data.auth_config_ids || [];
+      const serverInstanceCount = data.server_instance_count || 0;
+
+      if (!mcpUrl) {
+        return json({ error: "MCP config does not have a URL" }, 400);
+      }
+
+      // Get user_id from connected accounts for this auth config
+      const { createMcpServerInstance, getUserIdForAuthConfig } = await import("../integrations/composio");
+      let userId: string | null = null;
+
+      if (authConfigIds.length > 0) {
+        userId = await getUserIdForAuthConfig(apiKey, authConfigIds[0]);
+
+        // Create server instance if none exists
+        if (serverInstanceCount === 0 && userId) {
+          const instance = await createMcpServerInstance(apiKey, configId, userId);
+          if (instance) {
+            console.log(`Created server instance for user ${userId} on server ${configId}`);
+          }
+        }
+      }
+
+      // Append user_id to mcp_url for authentication
+      const mcpUrlWithUser = userId
+        ? `${mcpUrl}?user_id=${encodeURIComponent(userId)}`
+        : mcpUrl;
+
+      // Check if already exists (match by config ID in URL)
+      const existing = McpServerDB.findAll().find(
+        s => s.source === "composio" && s.url?.includes(configId)
+      );
+      if (existing) {
+        return json({ server: existing, message: "Server already exists" });
+      }
+
+      // Create the MCP server entry with user_id in URL
+      const server = McpServerDB.create({
+        id: generateId(),
+        name: configName,
+        type: "http",
+        package: null,
+        command: null,
+        args: null,
+        env: {},
+        url: mcpUrlWithUser,
+        headers: { "x-api-key": apiKey },
+        source: "composio",
+      });
+
+      return json({ server, message: "Server added successfully" });
+    } catch (e) {
+      console.error("Failed to add Composio config:", e);
+      return json({ error: "Failed to add Composio config" }, 500);
+    }
+  }
+
+  // POST /api/integrations/composio/configs - Create a new MCP config from connected app
+  if (path === "/api/integrations/composio/configs" && method === "POST") {
+    const apiKey = ProviderKeys.getDecrypted("composio");
+    if (!apiKey) {
+      return json({ error: "Composio API key not configured" }, 401);
+    }
+
+    try {
+      const body = await req.json();
+      const { name, toolkitSlug, authConfigId } = body;
+
+      if (!name || !toolkitSlug) {
+        return json({ error: "name and toolkitSlug are required" }, 400);
+      }
+
+      // If authConfigId not provided, find it from the toolkit
+      let configId = authConfigId;
+      if (!configId) {
+        const { getAuthConfigForToolkit } = await import("../integrations/composio");
+        configId = await getAuthConfigForToolkit(apiKey, toolkitSlug);
+        if (!configId) {
+          return json({ error: `No auth config found for ${toolkitSlug}. Make sure you have connected this app first.` }, 400);
+        }
+      }
+
+      // Create MCP server in Composio
+      const { createMcpServer, createMcpServerInstance, getUserIdForAuthConfig } = await import("../integrations/composio");
+      const mcpServer = await createMcpServer(apiKey, name, [configId]);
+
+      if (!mcpServer) {
+        return json({ error: "Failed to create MCP config" }, 500);
+      }
+
+      // Create server instance for the user who has the connected account
+      const userId = await getUserIdForAuthConfig(apiKey, configId);
+      if (userId) {
+        const instance = await createMcpServerInstance(apiKey, mcpServer.id, userId);
+        if (!instance) {
+          console.warn(`Created MCP server but failed to create instance for user ${userId}`);
+        }
+      }
+
+      // Append user_id to mcp_url for authentication
+      const mcpUrlWithUser = userId
+        ? `${mcpServer.mcpUrl}?user_id=${encodeURIComponent(userId)}`
+        : mcpServer.mcpUrl;
+
+      return json({
+        config: {
+          id: mcpServer.id,
+          name: mcpServer.name,
+          toolkits: mcpServer.toolkits,
+          mcpUrl: mcpUrlWithUser,
+          allowedTools: mcpServer.allowedTools,
+          userId,
+        },
+      }, 201);
+    } catch (e: any) {
+      console.error("Failed to create Composio MCP config:", e);
+      return json({ error: e.message || "Failed to create MCP config" }, 500);
+    }
+  }
+
+  // DELETE /api/integrations/composio/configs/:id - Delete a Composio MCP config
+  if (composioConfigMatch && method === "DELETE") {
+    const configId = composioConfigMatch[1];
+    const apiKey = ProviderKeys.getDecrypted("composio");
+    if (!apiKey) {
+      return json({ error: "Composio API key not configured" }, 401);
+    }
+
+    try {
+      const { deleteMcpServer } = await import("../integrations/composio");
+      const success = await deleteMcpServer(apiKey, configId);
+      if (!success) {
+        return json({ error: "Failed to delete MCP config" }, 500);
+      }
+      return json({ success: true });
+    } catch (e) {
+      console.error("Failed to delete Composio config:", e);
+      return json({ error: "Failed to delete MCP config" }, 500);
+    }
+  }
+
   // POST /api/mcp/servers - Create/install a new MCP server
   if (path === "/api/mcp/servers" && method === "POST") {
     try {
       const body = await req.json();
-      const { name, type, package: pkg, command, args, env } = body;
+      const { name, type, package: pkg, command, args, env, url, headers, source } = body;
 
       if (!name) {
         return json({ error: "Name is required" }, 400);
@@ -872,6 +2186,9 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
         command: command || null,
         args: args || null,
         env: env || {},
+        url: url || null,
+        headers: headers || {},
+        source: source || null,
       });
 
       return json({ server }, 201);
@@ -974,7 +2291,7 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
     }
 
     // Get a port for the HTTP proxy
-    const port = getNextPort();
+    const port = await getNextPort();
 
     console.log(`Starting MCP server ${server.name}...`);
     console.log(`  Command: ${cmd.join(" ")}`);
@@ -1021,7 +2338,24 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
       return json({ error: "MCP server not found" }, 404);
     }
 
-    // Check if process is running
+    // HTTP servers use remote HTTP transport
+    if (server.type === "http" && server.url) {
+      try {
+        const httpClient = getHttpMcpClient(server.url, server.headers || {});
+        const serverInfo = await httpClient.initialize();
+        const tools = await httpClient.listTools();
+
+        return json({
+          serverInfo,
+          tools,
+        });
+      } catch (err) {
+        console.error(`Failed to list HTTP MCP tools: ${err}`);
+        return json({ error: `Failed to communicate with MCP server: ${err}` }, 500);
+      }
+    }
+
+    // Stdio servers require a running process
     const mcpProcess = getMcpProcess(server.id);
     if (!mcpProcess) {
       return json({ error: "MCP server is not running" }, 400);
@@ -1049,14 +2383,30 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
       return json({ error: "MCP server not found" }, 404);
     }
 
-    // Check if process is running
+    const toolName = decodeURIComponent(mcpToolCallMatch[2]);
+
+    // HTTP servers use remote HTTP transport
+    if (server.type === "http" && server.url) {
+      try {
+        const body = await req.json();
+        const args = body.arguments || {};
+
+        const httpClient = getHttpMcpClient(server.url, server.headers || {});
+        const result = await httpClient.callTool(toolName, args);
+
+        return json({ result });
+      } catch (err) {
+        console.error(`Failed to call HTTP MCP tool: ${err}`);
+        return json({ error: `Failed to call tool: ${err}` }, 500);
+      }
+    }
+
+    // Stdio servers require a running process
     const mcpProcess = getMcpProcess(server.id);
     if (!mcpProcess) {
       return json({ error: "MCP server is not running" }, 400);
     }
 
-    const toolName = decodeURIComponent(mcpToolCallMatch[2]);
-
     try {
       const body = await req.json();
       const args = body.arguments || {};
@@ -1156,8 +2506,10 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
   // GET /api/telemetry/events - Query telemetry events
   if (path === "/api/telemetry/events" && method === "GET") {
     const url = new URL(req.url);
+    const projectIdParam = url.searchParams.get("project_id");
     const events = TelemetryDB.query({
       agent_id: url.searchParams.get("agent_id") || undefined,
+      project_id: projectIdParam === "null" ? null : projectIdParam || undefined,
       category: url.searchParams.get("category") || undefined,
       level: url.searchParams.get("level") || undefined,
       trace_id: url.searchParams.get("trace_id") || undefined,
@@ -1172,8 +2524,10 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
   // GET /api/telemetry/usage - Get usage statistics
   if (path === "/api/telemetry/usage" && method === "GET") {
     const url = new URL(req.url);
+    const projectIdParam = url.searchParams.get("project_id");
     const usage = TelemetryDB.getUsage({
       agent_id: url.searchParams.get("agent_id") || undefined,
+      project_id: projectIdParam === "null" ? null : projectIdParam || undefined,
       since: url.searchParams.get("since") || undefined,
       until: url.searchParams.get("until") || undefined,
       group_by: (url.searchParams.get("group_by") as "agent" | "day") || undefined,
@@ -1185,7 +2539,11 @@ export async function handleApiRequest(req: Request, path: string): Promise<Resp
   if (path === "/api/telemetry/stats" && method === "GET") {
     const url = new URL(req.url);
     const agentId = url.searchParams.get("agent_id") || undefined;
-    const stats = TelemetryDB.getStats(agentId);
+    const projectIdParam = url.searchParams.get("project_id");
+    const stats = TelemetryDB.getStats({
+      agentId,
+      projectId: projectIdParam === "null" ? null : projectIdParam || undefined,
+    });
     return json({ stats });
   }