bonecode 1.0.0

package/bone/output/session/src/routes/message.ts

@@ -0,0 +1,93 @@
+// Generated by BoneScript compiler. DO NOT EDIT.
+// Service: MessageService
+import { Router, Request, Response } from "express";
+import { v4 as uuid } from "uuid";
+import { query, queryOne, execute, pool } from "../db";
+import { eventBus } from "../events";
+import { requireAuth, AuthContext } from "../auth";
+import rateLimit from "express-rate-limit";
+import { auditLog } from "../audit";
+import { logger } from "../logger";
+import { counter } from "../metrics";
+import * as __algorithms from "../algorithms";
+const { shortestPath, topologicalSort, binarySearch, bipartiteMatching, roundRobin, weightedAverage, percentile, rankBy, consistentHash } = __algorithms as any;
+
+export const messagesRouter = Router();
+
+// Rate limiter from policy declaration
+const __routeRateLimit = rateLimit({ windowMs: 60000, max: 500, standardHeaders: true, legacyHeaders: false });
+
+// CREATE
+messagesRouter.post("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const id = uuid();
+    const { session_id, role, model_id, provider_id, tokens_input, tokens_output, cost_usd, error } = req.body;
+    const sql = `INSERT INTO messages (id, session_id, role, model_id, provider_id, tokens_input, tokens_output, cost_usd, error) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9) RETURNING *`;
+    const rows = await query(sql, [id, session_id, role, model_id, provider_id, tokens_input, tokens_output, cost_usd, error]);
+    counter("entity.created", { entity: "Message" });
+    res.status(201).json(rows[0]);
+  } catch (e: any) {
+    res.status(400).json({ error: { code: "CREATE_FAILED", message: e.message } });
+  }
+});
+
+// READ
+messagesRouter.get("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const row = await queryOne(`SELECT * FROM messages WHERE id = $1`, [req.params.id]);
+    if (!row) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.json(row);
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// LIST
+messagesRouter.get("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const page = parseInt(req.query.page as string) || 1;
+    const pageSize = Math.min(parseInt(req.query.page_size as string) || 50, 100);
+    const offset = (page - 1) * pageSize;
+    const rows = await query(`SELECT messages.*, row_to_json(session.*) as owner_session FROM messages LEFT JOIN sessions session ON messages.session_id = session.id ORDER BY messages.created_at DESC LIMIT $1 OFFSET $2`, [pageSize, offset]);
+    const [{ count }] = await query(`SELECT COUNT(*) as count FROM messages`);
+    res.json({ items: rows, total: parseInt(count), page, page_size: pageSize });
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// UPDATE
+messagesRouter.put("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  const fields = { ...req.body };
+  const sets = Object.keys(fields).map((k, i) => `${k} = $${i + 2}`).join(", ");
+  const values = Object.values(fields);
+  const sql = `UPDATE messages SET ${sets}, updated_at = NOW() WHERE id = $1 RETURNING *`;
+  const rows = await query(sql, [req.params.id, ...values]);
+  if (rows.length === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+  res.json(rows[0]);
+});
+
+// DELETE
+messagesRouter.delete("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const count = await execute(`DELETE FROM messages WHERE id = $1`, [req.params.id]);
+    if (count === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.status(204).send();
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// RELATION: parts (has_many Part)
+messagesRouter.get("/:id/parts", requireAuth, async (req: Request, res: Response) => {
+  try {
+    const page = parseInt(req.query.page as string) || 1;
+    const pageSize = Math.min(parseInt(req.query.page_size as string) || 50, 100);
+    const offset = (page - 1) * pageSize;
+    const rows = await query(`SELECT * FROM parts WHERE message_id = $1 ORDER BY created_at DESC LIMIT $2 OFFSET $3`, [req.params.id, pageSize, offset]);
+    const [{ count }] = await query(`SELECT COUNT(*) as count FROM parts WHERE message_id = $1`, [req.params.id]);
+    res.json({ items: rows, total: parseInt(count), page, page_size: pageSize });
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});

package/bone/output/session/src/routes/part.ts

@@ -0,0 +1,79 @@
+// Generated by BoneScript compiler. DO NOT EDIT.
+// Service: PartService
+import { Router, Request, Response } from "express";
+import { v4 as uuid } from "uuid";
+import { query, queryOne, execute, pool } from "../db";
+import { eventBus } from "../events";
+import { requireAuth, AuthContext } from "../auth";
+import rateLimit from "express-rate-limit";
+import { auditLog } from "../audit";
+import { logger } from "../logger";
+import { counter } from "../metrics";
+import * as __algorithms from "../algorithms";
+const { shortestPath, topologicalSort, binarySearch, bipartiteMatching, roundRobin, weightedAverage, percentile, rankBy, consistentHash } = __algorithms as any;
+
+export const partsRouter = Router();
+
+// Rate limiter from policy declaration
+const __routeRateLimit = rateLimit({ windowMs: 60000, max: 500, standardHeaders: true, legacyHeaders: false });
+
+// CREATE
+partsRouter.post("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const id = uuid();
+    const { message_id, session_id, part_type, data, order_index } = req.body;
+    const sql = `INSERT INTO parts (id, message_id, session_id, part_type, data, order_index) VALUES ($1, $2, $3, $4, $5, $6) RETURNING *`;
+    const rows = await query(sql, [id, message_id, session_id, part_type, data, order_index]);
+    counter("entity.created", { entity: "Part" });
+    res.status(201).json(rows[0]);
+  } catch (e: any) {
+    res.status(400).json({ error: { code: "CREATE_FAILED", message: e.message } });
+  }
+});
+
+// READ
+partsRouter.get("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const row = await queryOne(`SELECT * FROM parts WHERE id = $1`, [req.params.id]);
+    if (!row) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.json(row);
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// LIST
+partsRouter.get("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const page = parseInt(req.query.page as string) || 1;
+    const pageSize = Math.min(parseInt(req.query.page_size as string) || 50, 100);
+    const offset = (page - 1) * pageSize;
+    const rows = await query(`SELECT parts.*, row_to_json(message.*) as owner_message FROM parts LEFT JOIN messages message ON parts.message_id = message.id ORDER BY parts.created_at DESC LIMIT $1 OFFSET $2`, [pageSize, offset]);
+    const [{ count }] = await query(`SELECT COUNT(*) as count FROM parts`);
+    res.json({ items: rows, total: parseInt(count), page, page_size: pageSize });
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// UPDATE
+partsRouter.put("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  const fields = { ...req.body };
+  const sets = Object.keys(fields).map((k, i) => `${k} = $${i + 2}`).join(", ");
+  const values = Object.values(fields);
+  const sql = `UPDATE parts SET ${sets}, updated_at = NOW() WHERE id = $1 RETURNING *`;
+  const rows = await query(sql, [req.params.id, ...values]);
+  if (rows.length === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+  res.json(rows[0]);
+});
+
+// DELETE
+partsRouter.delete("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const count = await execute(`DELETE FROM parts WHERE id = $1`, [req.params.id]);
+    if (count === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.status(204).send();
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});

package/bone/output/session/src/routes/permission.ts

@@ -0,0 +1,79 @@
+// Generated by BoneScript compiler. DO NOT EDIT.
+// Service: PermissionService
+import { Router, Request, Response } from "express";
+import { v4 as uuid } from "uuid";
+import { query, queryOne, execute, pool } from "../db";
+import { eventBus } from "../events";
+import { requireAuth, AuthContext } from "../auth";
+import rateLimit from "express-rate-limit";
+import { auditLog } from "../audit";
+import { logger } from "../logger";
+import { counter } from "../metrics";
+import * as __algorithms from "../algorithms";
+const { shortestPath, topologicalSort, binarySearch, bipartiteMatching, roundRobin, weightedAverage, percentile, rankBy, consistentHash } = __algorithms as any;
+
+export const permissionsRouter = Router();
+
+// Rate limiter from policy declaration
+const __routeRateLimit = rateLimit({ windowMs: 60000, max: 500, standardHeaders: true, legacyHeaders: false });
+
+// CREATE
+permissionsRouter.post("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const id = uuid();
+    const { session_id, tool_name, pattern, decision, expires_at } = req.body;
+    const sql = `INSERT INTO permissions (id, session_id, tool_name, pattern, decision, expires_at) VALUES ($1, $2, $3, $4, $5, $6) RETURNING *`;
+    const rows = await query(sql, [id, session_id, tool_name, pattern, decision, expires_at]);
+    counter("entity.created", { entity: "Permission" });
+    res.status(201).json(rows[0]);
+  } catch (e: any) {
+    res.status(400).json({ error: { code: "CREATE_FAILED", message: e.message } });
+  }
+});
+
+// READ
+permissionsRouter.get("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const row = await queryOne(`SELECT * FROM permissions WHERE id = $1`, [req.params.id]);
+    if (!row) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.json(row);
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// LIST
+permissionsRouter.get("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const page = parseInt(req.query.page as string) || 1;
+    const pageSize = Math.min(parseInt(req.query.page_size as string) || 50, 100);
+    const offset = (page - 1) * pageSize;
+    const rows = await query(`SELECT * FROM permissions ORDER BY created_at DESC LIMIT $1 OFFSET $2`, [pageSize, offset]);
+    const [{ count }] = await query(`SELECT COUNT(*) as count FROM permissions`);
+    res.json({ items: rows, total: parseInt(count), page, page_size: pageSize });
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// UPDATE
+permissionsRouter.put("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  const fields = { ...req.body };
+  const sets = Object.keys(fields).map((k, i) => `${k} = $${i + 2}`).join(", ");
+  const values = Object.values(fields);
+  const sql = `UPDATE permissions SET ${sets}, updated_at = NOW() WHERE id = $1 RETURNING *`;
+  const rows = await query(sql, [req.params.id, ...values]);
+  if (rows.length === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+  res.json(rows[0]);
+});
+
+// DELETE
+permissionsRouter.delete("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const count = await execute(`DELETE FROM permissions WHERE id = $1`, [req.params.id]);
+    if (count === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.status(204).send();
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});

package/bone/output/session/src/routes/project.ts

@@ -0,0 +1,79 @@
+// Generated by BoneScript compiler. DO NOT EDIT.
+// Service: ProjectService
+import { Router, Request, Response } from "express";
+import { v4 as uuid } from "uuid";
+import { query, queryOne, execute, pool } from "../db";
+import { eventBus } from "../events";
+import { requireAuth, AuthContext } from "../auth";
+import rateLimit from "express-rate-limit";
+import { auditLog } from "../audit";
+import { logger } from "../logger";
+import { counter } from "../metrics";
+import * as __algorithms from "../algorithms";
+const { shortestPath, topologicalSort, binarySearch, bipartiteMatching, roundRobin, weightedAverage, percentile, rankBy, consistentHash } = __algorithms as any;
+
+export const projectsRouter = Router();
+
+// Rate limiter from policy declaration
+const __routeRateLimit = rateLimit({ windowMs: 60000, max: 500, standardHeaders: true, legacyHeaders: false });
+
+// CREATE
+projectsRouter.post("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const id = uuid();
+    const { root_commit_hash, worktree, vcs, name, sandboxes } = req.body;
+    const sql = `INSERT INTO projects (id, root_commit_hash, worktree, vcs, name, sandboxes) VALUES ($1, $2, $3, $4, $5, $6) RETURNING *`;
+    const rows = await query(sql, [id, root_commit_hash, worktree, vcs, name, sandboxes]);
+    counter("entity.created", { entity: "Project" });
+    res.status(201).json(rows[0]);
+  } catch (e: any) {
+    res.status(400).json({ error: { code: "CREATE_FAILED", message: e.message } });
+  }
+});
+
+// READ
+projectsRouter.get("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const row = await queryOne(`SELECT * FROM projects WHERE id = $1`, [req.params.id]);
+    if (!row) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.json(row);
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// LIST
+projectsRouter.get("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const page = parseInt(req.query.page as string) || 1;
+    const pageSize = Math.min(parseInt(req.query.page_size as string) || 50, 100);
+    const offset = (page - 1) * pageSize;
+    const rows = await query(`SELECT * FROM projects ORDER BY created_at DESC LIMIT $1 OFFSET $2`, [pageSize, offset]);
+    const [{ count }] = await query(`SELECT COUNT(*) as count FROM projects`);
+    res.json({ items: rows, total: parseInt(count), page, page_size: pageSize });
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// UPDATE
+projectsRouter.put("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  const fields = { ...req.body };
+  const sets = Object.keys(fields).map((k, i) => `${k} = $${i + 2}`).join(", ");
+  const values = Object.values(fields);
+  const sql = `UPDATE projects SET ${sets}, updated_at = NOW() WHERE id = $1 RETURNING *`;
+  const rows = await query(sql, [req.params.id, ...values]);
+  if (rows.length === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+  res.json(rows[0]);
+});
+
+// DELETE
+projectsRouter.delete("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const count = await execute(`DELETE FROM projects WHERE id = $1`, [req.params.id]);
+    if (count === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.status(204).send();
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});

package/bone/output/session/src/routes/session.ts

@@ -0,0 +1,294 @@
+// Generated by BoneScript compiler. DO NOT EDIT.
+// Service: SessionService
+import { Router, Request, Response } from "express";
+import { v4 as uuid } from "uuid";
+import { query, queryOne, execute, pool } from "../db";
+import { eventBus } from "../events";
+import { requireAuth, AuthContext } from "../auth";
+import rateLimit from "express-rate-limit";
+import { auditLog } from "../audit";
+import { logger } from "../logger";
+import { counter } from "../metrics";
+import * as __algorithms from "../algorithms";
+const { shortestPath, topologicalSort, binarySearch, bipartiteMatching, roundRobin, weightedAverage, percentile, rankBy, consistentHash } = __algorithms as any;
+
+import { transitionSession, SESSION_INITIAL } from "../state_machines/session";
+
+export const sessionsRouter = Router();
+
+// Rate limiter from policy declaration
+const __routeRateLimit = rateLimit({ windowMs: 60000, max: 500, standardHeaders: true, legacyHeaders: false });
+
+// CREATE
+sessionsRouter.post("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const id = uuid();
+    const { slug, project_id, workspace_id, parent_id, directory, title, version, share_url, summary_additions, summary_deletions, summary_files, summary_diffs, revert_data, permission_ruleset } = req.body;
+    const state = SESSION_INITIAL;
+    const sql = `INSERT INTO sessions (id, slug, project_id, workspace_id, parent_id, directory, title, version, share_url, summary_additions, summary_deletions, summary_files, summary_diffs, revert_data, permission_ruleset, state) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16) RETURNING *`;
+    const rows = await query(sql, [id, slug, project_id, workspace_id, parent_id, directory, title, version, share_url, summary_additions, summary_deletions, summary_files, summary_diffs, revert_data, permission_ruleset, state]);
+    counter("entity.created", { entity: "Session" });
+    res.status(201).json(rows[0]);
+  } catch (e: any) {
+    res.status(400).json({ error: { code: "CREATE_FAILED", message: e.message } });
+  }
+});
+
+// READ
+sessionsRouter.get("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const row = await queryOne(`SELECT * FROM sessions WHERE id = $1`, [req.params.id]);
+    if (!row) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.json(row);
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// LIST
+sessionsRouter.get("/", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const page = parseInt(req.query.page as string) || 1;
+    const pageSize = Math.min(parseInt(req.query.page_size as string) || 50, 100);
+    const offset = (page - 1) * pageSize;
+    const rows = await query(`SELECT * FROM sessions ORDER BY created_at DESC LIMIT $1 OFFSET $2`, [pageSize, offset]);
+    const [{ count }] = await query(`SELECT COUNT(*) as count FROM sessions`);
+    res.json({ items: rows, total: parseInt(count), page, page_size: pageSize });
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// UPDATE
+sessionsRouter.put("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  const fields = { ...req.body };
+  // State machine enforcement
+  if (fields.state !== undefined) {
+    const current = await queryOne<{ state: string }>(`SELECT state FROM sessions WHERE id = $1`, [req.params.id]);
+    if (!current) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    // Find the trigger for this state transition
+    const trigger = `${current.state}_to_${fields.state}`;
+    const tr = transitionSession(current.state as any, trigger);
+    if (!tr.ok) return res.status(422).json({ error: { code: "INVALID_TRANSITION", message: `Cannot transition from ${current.state} to ${fields.state}` } });
+  }
+  const sets = Object.keys(fields).map((k, i) => `${k} = $${i + 2}`).join(", ");
+  const values = Object.values(fields);
+  const sql = `UPDATE sessions SET ${sets}, updated_at = NOW() WHERE id = $1 RETURNING *`;
+  const rows = await query(sql, [req.params.id, ...values]);
+  if (rows.length === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+  res.json(rows[0]);
+});
+
+// DELETE
+sessionsRouter.delete("/:id", __routeRateLimit, requireAuth, async (req: Request, res: Response) => {
+  try {
+    const count = await execute(`DELETE FROM sessions WHERE id = $1`, [req.params.id]);
+    if (count === 0) return res.status(404).json({ error: { code: "NOT_FOUND", message: "Not found" } });
+    res.status(204).send();
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// CAPABILITY: archive_session [transactional]
+sessionsRouter.post("/archive-session", __routeRateLimit, requireAuth, auditLog("archive_session", "Session"), async (req: Request, res: Response) => {
+  const auth: AuthContext = (req as any).auth;
+  const __client = await pool.connect();
+  try {
+    await __client.query("BEGIN");
+    // Fetch entities
+    const session = await queryOne(`SELECT * FROM sessions WHERE id = $1`, [req.body.session_id || req.params.id]);
+    if (!session) {
+      return res.status(404).json({ error: { code: "NOT_FOUND", message: "session not found" } });
+    }
+
+    // Preconditions
+    if (!([["active", "busy", "compacting"]].flat().includes(session?.state))) {
+      return res.status(422).json({ error: { code: "PRECONDITION_FAILED", message: "session.state in [\\\"active\\\", \\\"busy\\\", \\\"compacting\\\"]" } });
+    }
+
+    // Effects (applied in declaration order)
+    const __effect_0 = await query(`UPDATE sessions SET state = $1, updated_at = NOW() WHERE id = $2 RETURNING *`, ["archived", req.body.session_id || req.params.id]);
+    if (!__effect_0 || __effect_0.length === 0) {
+      throw new Error("Effect failed: session.state = \"archived\"");
+    }
+
+    // Emit events
+    await eventBus.publish("SessionStateChanged", { session_id: session?.id, timestamp: new Date().toISOString(), actor_id: auth.actor_id }, "SessionService", auth.trace_id, __client);
+
+    res.json({ ok: true, action: "archive_session", entity: session });
+    await __client.query("COMMIT");
+  } catch (e: any) {
+    await __client.query("ROLLBACK");
+    res.status(400).json({ error: { code: "CAPABILITY_FAILED", message: e.message } });
+  } finally {
+    __client.release();
+  }
+});
+
+// CAPABILITY: delete_session [transactional]
+sessionsRouter.post("/delete-session", __routeRateLimit, requireAuth, auditLog("delete_session", "Session"), async (req: Request, res: Response) => {
+  const auth: AuthContext = (req as any).auth;
+  const __client = await pool.connect();
+  try {
+    await __client.query("BEGIN");
+    // Fetch entities
+    const session = await queryOne(`SELECT * FROM sessions WHERE id = $1`, [req.body.session_id || req.params.id]);
+    if (!session) {
+      return res.status(404).json({ error: { code: "NOT_FOUND", message: "session not found" } });
+    }
+
+    // Preconditions
+    if (!(session?.state !== "deleted")) {
+      return res.status(422).json({ error: { code: "PRECONDITION_FAILED", message: "session.state != \\\"deleted\\\"" } });
+    }
+
+    // Effects (applied in declaration order)
+    const __effect_0 = await query(`UPDATE sessions SET state = $1, updated_at = NOW() WHERE id = $2 RETURNING *`, ["deleted", req.body.session_id || req.params.id]);
+    if (!__effect_0 || __effect_0.length === 0) {
+      throw new Error("Effect failed: session.state = \"deleted\"");
+    }
+
+    // Emit events
+    await eventBus.publish("SessionStateChanged", { session_id: session?.id, timestamp: new Date().toISOString(), actor_id: auth.actor_id }, "SessionService", auth.trace_id, __client);
+
+    res.json({ ok: true, action: "delete_session", entity: session });
+    await __client.query("COMMIT");
+  } catch (e: any) {
+    await __client.query("ROLLBACK");
+    res.status(400).json({ error: { code: "CAPABILITY_FAILED", message: e.message } });
+  } finally {
+    __client.release();
+  }
+});
+
+// CAPABILITY: add_message [transactional]
+sessionsRouter.post("/add-message", __routeRateLimit, requireAuth, auditLog("add_message", "Session"), async (req: Request, res: Response) => {
+  const auth: AuthContext = (req as any).auth;
+  const __client = await pool.connect();
+  try {
+    await __client.query("BEGIN");
+    const { role, data } = req.body;
+
+    // Fetch entities
+    const session = await queryOne(`SELECT * FROM sessions WHERE id = $1`, [req.body.session_id || req.params.id]);
+    if (!session) {
+      return res.status(404).json({ error: { code: "NOT_FOUND", message: "session not found" } });
+    }
+
+    // Preconditions
+    if (!([["active", "busy"]].flat().includes(session?.state))) {
+      return res.status(422).json({ error: { code: "PRECONDITION_FAILED", message: "session.state in [\\\"active\\\", \\\"busy\\\"]" } });
+    }
+    if (!([["user", "assistant", "system", "tool"]].flat().includes(role))) {
+      return res.status(422).json({ error: { code: "PRECONDITION_FAILED", message: "role in [\\\"user\\\", \\\"assistant\\\", \\\"system\\\", \\\"tool\\\"]" } });
+    }
+
+    // Emit events
+    await eventBus.publish("MessageAdded", { session_id: session?.id, timestamp: new Date().toISOString(), actor_id: auth.actor_id }, "SessionService", auth.trace_id, __client);
+
+    res.json({ ok: true, action: "add_message", entity: session });
+    await __client.query("COMMIT");
+  } catch (e: any) {
+    await __client.query("ROLLBACK");
+    res.status(400).json({ error: { code: "CAPABILITY_FAILED", message: e.message } });
+  } finally {
+    __client.release();
+  }
+});
+
+// CAPABILITY: update_part
+sessionsRouter.post("/update-part", __routeRateLimit, requireAuth, auditLog("update_part", "Session"), async (req: Request, res: Response) => {
+  const auth: AuthContext = (req as any).auth;
+  try {
+    // sync: realtime — execute then broadcast to WebSocket channel
+    const { message_id, part_id, data } = req.body;
+
+    // Fetch entities
+    const session = await queryOne(`SELECT * FROM sessions WHERE id = $1`, [req.body.session_id || req.params.id]);
+    if (!session) {
+      return res.status(404).json({ error: { code: "NOT_FOUND", message: "session not found" } });
+    }
+
+    // Preconditions
+    if (!([["active", "busy"]].flat().includes(session?.state))) {
+      return res.status(422).json({ error: { code: "PRECONDITION_FAILED", message: "session.state in [\\\"active\\\", \\\"busy\\\"]" } });
+    }
+
+    // Emit events
+    await eventBus.publish("PartUpdated", { session_id: session?.id, timestamp: new Date().toISOString(), actor_id: auth.actor_id }, "SessionService", auth.trace_id);
+
+    res.json({ ok: true, action: "update_part", entity: session });
+    // Broadcast to WebSocket subscribers after successful execution
+    const { broadcastToChannel: _broadcast } = require("../websocket") as any;
+    if (typeof _broadcast === "function") {
+      _broadcast("SessionService", { type: "update_part", payload: req.body, actor: auth.actor_id });
+    }
+  } catch (e: any) {
+    res.status(400).json({ error: { code: "CAPABILITY_FAILED", message: e.message } });
+  }
+});
+
+// CAPABILITY: compact_session [transactional]
+sessionsRouter.post("/compact-session", __routeRateLimit, requireAuth, auditLog("compact_session", "Session"), async (req: Request, res: Response) => {
+  const auth: AuthContext = (req as any).auth;
+  const __client = await pool.connect();
+  try {
+    await __client.query("BEGIN");
+    // Fetch entities
+    const session = await queryOne(`SELECT * FROM sessions WHERE id = $1`, [req.body.session_id || req.params.id]);
+    if (!session) {
+      return res.status(404).json({ error: { code: "NOT_FOUND", message: "session not found" } });
+    }
+
+    // Preconditions
+    if (!(session?.state === "active")) {
+      return res.status(422).json({ error: { code: "PRECONDITION_FAILED", message: "session.state == \\\"active\\\"" } });
+    }
+
+    // Effects (applied in declaration order)
+    const __effect_0 = await query(`UPDATE sessions SET state = $1, updated_at = NOW() WHERE id = $2 RETURNING *`, ["compacting", req.body.session_id || req.params.id]);
+    if (!__effect_0 || __effect_0.length === 0) {
+      throw new Error("Effect failed: session.state = \"compacting\"");
+    }
+
+    // Emit events
+    await eventBus.publish("SessionStateChanged", { session_id: session?.id, timestamp: new Date().toISOString(), actor_id: auth.actor_id }, "SessionService", auth.trace_id, __client);
+
+    res.json({ ok: true, action: "compact_session", entity: session });
+    await __client.query("COMMIT");
+  } catch (e: any) {
+    await __client.query("ROLLBACK");
+    res.status(400).json({ error: { code: "CAPABILITY_FAILED", message: e.message } });
+  } finally {
+    __client.release();
+  }
+});
+
+// RELATION: messages (has_many Message)
+sessionsRouter.get("/:id/messages", requireAuth, async (req: Request, res: Response) => {
+  try {
+    const page = parseInt(req.query.page as string) || 1;
+    const pageSize = Math.min(parseInt(req.query.page_size as string) || 50, 100);
+    const offset = (page - 1) * pageSize;
+    const rows = await query(`SELECT * FROM messages WHERE session_id = $1 ORDER BY created_at DESC LIMIT $2 OFFSET $3`, [req.params.id, pageSize, offset]);
+    const [{ count }] = await query(`SELECT COUNT(*) as count FROM messages WHERE session_id = $1`, [req.params.id]);
+    res.json({ items: rows, total: parseInt(count), page, page_size: pageSize });
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});
+
+// RELATION: tool_calls (has_many ToolCall)
+sessionsRouter.get("/:id/tool_calls", requireAuth, async (req: Request, res: Response) => {
+  try {
+    const page = parseInt(req.query.page as string) || 1;
+    const pageSize = Math.min(parseInt(req.query.page_size as string) || 50, 100);
+    const offset = (page - 1) * pageSize;
+    const rows = await query(`SELECT * FROM tool_calls WHERE session_id = $1 ORDER BY created_at DESC LIMIT $2 OFFSET $3`, [req.params.id, pageSize, offset]);
+    const [{ count }] = await query(`SELECT COUNT(*) as count FROM tool_calls WHERE session_id = $1`, [req.params.id]);
+    res.json({ items: rows, total: parseInt(count), page, page_size: pageSize });
+  } catch (e: any) {
+    res.status(500).json({ error: { code: "DB_ERROR", message: e.message } });
+  }
+});