chapterhouse 0.6.0 → 0.7.0

package/dist/api/agent-edit-access.js

@@ -0,0 +1,11 @@
+import { ForbiddenError } from "./errors.js";
+export function assertAgentEditAccess(options, user) {
+    if (!options.entraAuthEnabled) {
+        return;
+    }
+    if (user?.role === "team-lead") {
+        return;
+    }
+    throw new ForbiddenError("Admin access required");
+}
+//# sourceMappingURL=agent-edit-access.js.map

package/dist/api/agents.api.test.js

@@ -0,0 +1,48 @@
+import assert from "node:assert/strict";
+import test from "node:test";
+import { createAgentFile, isBuiltinAgent, parseAgentMd } from "../copilot/agents.js";
+test("isBuiltinAgent returns true for shipped agent slugs", () => {
+    assert.equal(isBuiltinAgent("chapterhouse"), true);
+    assert.equal(isBuiltinAgent("coder"), true);
+    assert.equal(isBuiltinAgent("designer"), true);
+    assert.equal(isBuiltinAgent("general-purpose"), true);
+    assert.equal(isBuiltinAgent("custom-helper"), false);
+});
+test("parseAgentMd parses block-style YAML arrays", () => {
+    const agent = parseAgentMd([
+        "---",
+        "name: Designer",
+        "description: Handles UI flows",
+        "model: claude-sonnet-4.6",
+        "skills:",
+        "  - frontend-design",
+        "  - ux-copy",
+        "tools:",
+        "  - read",
+        "  - write",
+        "---",
+        "",
+        "You are Designer.",
+    ].join("\n"), "designer");
+    assert.ok(agent, "agent charter should parse");
+    assert.deepEqual(agent.skills, ["frontend-design", "ux-copy"]);
+    assert.deepEqual(agent.tools, ["read", "write"]);
+});
+test("slug validation regex rejects traversal-like agent slugs", () => {
+    const error = createAgentFile("..%2F..%2F", "Traversal", "Should fail validation", "claude-sonnet-4.6", "You are not valid.");
+    assert.equal(error, "Invalid slug '..%2F..%2F': must be kebab-case (a-z0-9 with hyphens).");
+});
+test("parseAgentMd returns null for invalid frontmatter", () => {
+    const agent = parseAgentMd([
+        "---",
+        "name: Designer",
+        "description: Handles UI flows",
+        "model: claude-sonnet-4.6",
+        "skills: [frontend-design",
+        "---",
+        "",
+        "You are Designer.",
+    ].join("\n"), "designer");
+    assert.equal(agent, null);
+});
+//# sourceMappingURL=agents.api.test.js.map

package/dist/api/server.js

@@ -1,18 +1,19 @@
 import cors from "cors";
 import express from "express";
 import helmet from "helmet";
-import { existsSync } from "fs";
-import { join, dirname } from "path";
+import { existsSync, readFileSync, statSync, writeFileSync } from "fs";
+import { join, dirname, resolve, sep } from "path";
 import { fileURLToPath } from "url";
 import { z } from "zod";
-import { sendToOrchestrator, interruptCurrentTurn, enqueueForSse, getAgentInfo, cancelCurrentMessage, interruptSessionTurn, getLastRouteResult, getCurrentSessionKey } from "../copilot/orchestrator.js";
+import { sendToOrchestrator, interruptCurrentTurn, enqueueForSse, cancelCurrentMessage, interruptSessionTurn, getLastRouteResult, getCurrentSessionKey, getPersistentAgentSessionState, reloadPersistentAgent } from "../copilot/orchestrator.js";
 import { agentEventBus } from "../copilot/agent-event-bus.js";
-import { ensureDefaultAgents, getAgentRegistry, loadAgents } from "../copilot/agents.js";
+import { ensureDefaultAgents, getAgent, getAgentRegistry, isBuiltinAgent, loadAgents, notifyAgentSaved, parseAgentMd, parseAgentMdOrThrow, serializeAgentMd, setAgentSaveRuntimeHooks, SLUG_REGEX, } from "../copilot/agents.js";
 import { config, persistModel } from "../config.js";
 import { ModeContext } from "../mode-context.js";
 import { getRouterConfig, updateRouterConfig } from "../copilot/router.js";
 import { searchIndex, parseIndex } from "../wiki/index-manager.js";
 import { createAuthMiddleware, getBootstrapAuthResponse } from "./auth.js";
+import { assertAgentEditAccess } from "./agent-edit-access.js";
 import { createConcurrentConnectionLimiter, createFixedWindowRateLimiter } from "./rate-limit.js";
 import { createTeamRouter } from "./team.js";
 import { writePage, deletePage, pageExists, listPages, ensureWikiStructure, assertPagePath, } from "../wiki/fs.js";
@@ -23,7 +24,7 @@ import { readWikiPage, teamWikiSync } from "../wiki/team-sync.js";
 import { withWikiWrite } from "../wiki/lock.js";
 import { listSkills, removeSkill } from "../copilot/skills.js";
 import { restartDaemon } from "../daemon.js";
-import { API_TOKEN_PATH } from "../paths.js";
+import { AGENTS_DIR, API_TOKEN_PATH } from "../paths.js";
 import { getCurrentRunId, getDb, getSessionMessages, getTaskEvents } from "../store/db.js";
 import { getTaskLogEvents, subscribeTaskLog } from "../copilot/task-event-log.js";
 import { subscribeSession, getSessionEventsFromDb, getSessionMaxSeqFromDb, oldestSessionSeq, } from "../copilot/turn-event-log.js";
@@ -78,6 +79,22 @@ const autoRequestSchema = z.object({
 const wikiWriteSchema = z.object({
     content: z.string({ error: "Missing 'content' string in request body" }),
 }).strict();
+const agentPatchSchema = z.object({
+    name: requiredString("name must be a non-empty string").optional(),
+    description: requiredString("description must be a non-empty string").optional(),
+    model: requiredString("model must be a non-empty string").optional(),
+    systemPrompt: z.string().optional(),
+}).passthrough().superRefine((value, ctx) => {
+    for (const key of ["slug", "scope", "tools", "skills"]) {
+        if (Object.prototype.hasOwnProperty.call(value, key)) {
+            ctx.addIssue({
+                code: "custom",
+                path: [key],
+                message: `'${key}' is read-only`,
+            });
+        }
+    }
+});
 const projectCreateSchema = z.object({
     slug: requiredString("Missing 'slug' in request body")
         .regex(/^[a-z0-9][a-z0-9-]*$/, "Project slug must be a lowercase slug"),
@@ -284,6 +301,18 @@ Create your first page via the wiki UI or by editing files under \`pages/\`.
 const sseClients = new Map();
 const pendingSseMessages = [];
 let connectionCounter = 0;
+function broadcastSsePayload(payload) {
+    for (const [, res] of sseClients) {
+        res.write(formatSseData(payload));
+    }
+}
+setAgentSaveRuntimeHooks({
+    getPersistentSessionState: getPersistentAgentSessionState,
+    reloadPersistentSession: reloadPersistentAgent,
+    emitAgentReloadEvent: (event) => {
+        broadcastSsePayload(event);
+    },
+});
 // ---------------------------------------------------------------------------
 // Bootstrap — hands the API token to the same-origin SPA on first load.
 // Loopback-only by IP / Origin check.
@@ -316,18 +345,145 @@ const handleHealth = (_req, res) => {
 };
 app.get("/status", handleHealth);
 app.get("/health", handleHealth);
+function getLoadedAgents() {
+    let agents = getAgentRegistry();
+    if (agents.length === 0) {
+        ensureDefaultAgents();
+        agents = loadAgents();
+    }
+    return agents;
+}
+function getAgentLastEdited(slug) {
+    try {
+        return statSync(join(AGENTS_DIR, `${slug}.agent.md`)).mtime.toISOString();
+    }
+    catch {
+        return null;
+    }
+}
 // ---------------------------------------------------------------------------
 // Workers / agents
 // ---------------------------------------------------------------------------
 app.get("/api/agents", (_req, res) => {
-    res.json(getAgentInfo());
+    const agents = getLoadedAgents()
+        .map((agent) => ({
+        name: agent.name,
+        slug: agent.slug,
+        description: agent.description,
+        model: agent.model,
+        scope: agent.scope ?? null,
+        type: isBuiltinAgent(agent.slug) ? "builtin" : "custom",
+        lastEdited: getAgentLastEdited(agent.slug),
+    }))
+        .sort((left, right) => {
+        if (left.type !== right.type) {
+            return left.type === "builtin" ? -1 : 1;
+        }
+        return left.name.localeCompare(right.name);
+    });
+    res.json(agents);
 });
-app.get("/api/channels", (_req, res) => {
-    let agents = getAgentRegistry();
-    if (agents.length === 0) {
-        ensureDefaultAgents();
-        agents = loadAgents();
+app.get("/api/agents/:slug", (req, res, next) => {
+    const slugParam = req.params.slug;
+    const slug = Array.isArray(slugParam) ? slugParam[0] : slugParam;
+    if (slug === "stream") {
+        next();
+        return;
     }
+    if (!SLUG_REGEX.test(slug)) {
+        res.status(400).json({ error: "Invalid slug" });
+        return;
+    }
+    getLoadedAgents();
+    const filePath = join(AGENTS_DIR, `${slug}.agent.md`);
+    const resolvedAgentsDir = resolve(AGENTS_DIR);
+    const resolvedFilePath = resolve(filePath);
+    if (!(resolvedFilePath === resolvedAgentsDir || resolvedFilePath.startsWith(`${resolvedAgentsDir}${sep}`))) {
+        res.status(403).json({ error: "Access denied" });
+        return;
+    }
+    let content;
+    try {
+        content = readFileSync(filePath, "utf-8");
+    }
+    catch {
+        res.status(404).json({ error: `Agent '${slug}' not found` });
+        return;
+    }
+    const agent = parseAgentMd(content, slug);
+    if (!agent) {
+        res.status(500).json({ error: `Agent '${slug}' could not be parsed` });
+        return;
+    }
+    const builtin = isBuiltinAgent(slug);
+    res.json({
+        name: agent.name,
+        slug: agent.slug,
+        description: agent.description,
+        model: agent.model,
+        scope: agent.scope ?? null,
+        persistent: agent.persistent ?? false,
+        skills: agent.skills ?? [],
+        type: builtin ? "builtin" : "custom",
+        editable: !builtin,
+        systemPrompt: agent.systemMessage,
+    });
+});
+app.patch("/api/agents/:slug", async (req, res) => {
+    const slugParam = req.params.slug;
+    const slug = Array.isArray(slugParam) ? slugParam[0] : slugParam;
+    if (!SLUG_REGEX.test(slug)) {
+        throw new BadRequestError("Invalid slug");
+    }
+    if (modeContext.isTeam() && req.user?.role !== "team-lead") {
+        throw new ForbiddenError("Forbidden");
+    }
+    const patch = parseRequest(agentPatchSchema, req.body ?? {});
+    const filePath = join(AGENTS_DIR, `${slug}.agent.md`);
+    const resolvedAgentsDir = resolve(AGENTS_DIR);
+    const resolvedFilePath = resolve(filePath);
+    if (!(resolvedFilePath === resolvedAgentsDir || resolvedFilePath.startsWith(`${resolvedAgentsDir}${sep}`))) {
+        throw new ForbiddenError("Access denied");
+    }
+    assertAgentEditAccess({ entraAuthEnabled: config.entraAuthEnabled }, req.user);
+    if (isBuiltinAgent(slug)) {
+        throw new ForbiddenError("Built-in agents are read-only");
+    }
+    if (!existsSync(filePath)) {
+        throw new NotFoundError("Agent not found");
+    }
+    try {
+        const current = parseAgentMdOrThrow(readFileSync(filePath, "utf-8"), slug);
+        const updated = {
+            ...current,
+            name: patch.name ?? current.name,
+            description: patch.description ?? current.description,
+            model: patch.model ?? current.model,
+            systemMessage: patch.systemPrompt ?? current.systemMessage,
+        };
+        const nextContent = serializeAgentMd(updated);
+        writeFileSync(filePath, nextContent, "utf-8");
+        await notifyAgentSaved(slug, updated);
+        res.json({
+            name: updated.name,
+            slug: updated.slug,
+            description: updated.description,
+            model: updated.model,
+            scope: updated.scope ?? null,
+            persistent: updated.persistent ?? false,
+            skills: updated.skills ?? [],
+            type: "custom",
+            editable: true,
+            systemPrompt: updated.systemMessage,
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new BadRequestError(`Invalid content: ${message}`);
+    }
+});
+app.get("/api/channels", (_req, res) => {
+    const agents = getLoadedAgents();
     const persistentAgentChannels = agents
         .filter((agent) => agent.persistent)
         .map((agent) => ({
@@ -650,6 +806,21 @@ app.post("/api/cancel", async (_req, res) => {
     }
     res.json({ status: "ok", cancelled });
 });
+app.post("/api/agents/:slug/reload-confirm", async (req, res) => {
+    const slugParam = Array.isArray(req.params.slug) ? req.params.slug[0] : req.params.slug;
+    const slug = slugParam?.trim() || "";
+    const agent = getAgent(slug);
+    if (!agent?.persistent) {
+        throw new NotFoundError("Agent not found");
+    }
+    const sessionKey = `agent:${agent.slug}`;
+    await interruptSessionTurn(sessionKey);
+    const reloadResult = await reloadPersistentAgent(agent.slug);
+    if (reloadResult === "reloaded") {
+        broadcastSsePayload({ type: "agent_reloaded", slug: agent.slug, reason: "confirmed_restart" });
+    }
+    res.json({ status: "ok" });
+});
 // Cancel the active turn for one session key without touching other channels.
 app.post("/api/session/:sessionKey/interrupt", async (req, res) => {
     const sessionKey = Array.isArray(req.params.sessionKey)

package/dist/api/server.test.js

@@ -124,6 +124,22 @@ function readProjectRegistryRows(testRoot) {
         db.close();
     }
 }
+function getAgentFilePath(testRoot, slug) {
+    return join(testRoot, ".chapterhouse", "agents", `${slug}.agent.md`);
+}
+function writeAgentFile(testRoot, slug, content) {
+    mkdirSync(join(testRoot, ".chapterhouse", "agents"), { recursive: true });
+    writeFileSync(getAgentFilePath(testRoot, slug), content, "utf-8");
+}
+function markBundledAgent(testRoot, slug, hash = "bundled-hash") {
+    const db = new Database(getProjectDbPath(testRoot));
+    try {
+        db.prepare(`INSERT OR REPLACE INTO max_state (key, value) VALUES (?, ?)`).run(`bundled_agent_hash:${slug}.agent.md`, hash);
+    }
+    finally {
+        db.close();
+    }
+}
 function setMemoryActiveScope(testRoot, slug) {
     const db = new Database(getProjectDbPath(testRoot));
     try {
@@ -192,6 +208,15 @@ async function withStartedServer(run, extraEnv = {}, timeoutMs = DEFAULT_API_SER
         rmSync(testRoot, { recursive: true, force: true });
     }
 }
+test("agent edits require a team lead when Entra auth is enabled", async () => {
+    const accessModule = await import("./agent-edit-access.js");
+    assert.equal(typeof accessModule.assertAgentEditAccess, "function", "assertAgentEditAccess should be exported");
+    const assertAgentEditAccess = accessModule.assertAgentEditAccess;
+    assert.doesNotThrow(() => assertAgentEditAccess({ entraAuthEnabled: false }, { role: "engineer" }));
+    assert.throws(() => assertAgentEditAccess({ entraAuthEnabled: true }, { role: "engineer" }), /Admin access required/);
+    assert.throws(() => assertAgentEditAccess({ entraAuthEnabled: true }), /Admin access required/);
+    assert.doesNotThrow(() => assertAgentEditAccess({ entraAuthEnabled: true }, { role: "team-lead" }));
+});
 test("server routes expose bootstrap and public config without auth", async () => {
     await withStartedServer(async ({ baseUrl }) => {
         const bootstrap = await fetch(`${baseUrl}/api/bootstrap`);
@@ -222,6 +247,312 @@ test("server channels route returns chapterhouse plus persistent agents in chann
         ]);
     });
 });
+test("server agents routes return source-aware charter summaries and details", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader, testRoot }) => {
+        writeAgentFile(testRoot, "alpha-custom", [
+            "---",
+            "name: Alpha Custom",
+            "description: First custom charter",
+            "model: gpt-5.4",
+            "scope: frontend",
+            "skills:",
+            "  - ui-copy",
+            "  - wireframes",
+            "---",
+            "",
+            "You are Alpha Custom.",
+        ].join("\n"));
+        writeAgentFile(testRoot, "zulu-custom", [
+            "---",
+            "name: Zulu Custom",
+            "description: Last custom charter",
+            "model: claude-sonnet-4.6",
+            "persistent: true",
+            "---",
+            "",
+            "You are Zulu Custom.",
+        ].join("\n"));
+        markBundledAgent(testRoot, "designer");
+        const listResponse = await fetch(`${baseUrl}/api/agents`, {
+            headers: { authorization: authHeader },
+        });
+        assert.equal(listResponse.status, 200);
+        const agents = await listResponse.json();
+        const firstCustomIndex = agents.findIndex((agent) => agent.type === "custom");
+        assert.notEqual(firstCustomIndex, -1);
+        assert.ok(agents.slice(0, firstCustomIndex).every((agent) => agent.type === "builtin"));
+        const customAgents = agents.filter((agent) => agent.type === "custom");
+        assert.deepEqual(customAgents.map((agent) => agent.name), ["Alpha Custom", "Zulu Custom"]);
+        const designer = agents.find((agent) => agent.slug === "designer");
+        assert.ok(designer);
+        assert.equal(designer.type, "builtin");
+        assert.equal(typeof designer.lastEdited, "string");
+        const alpha = agents.find((agent) => agent.slug === "alpha-custom");
+        assert.deepEqual(alpha, {
+            name: "Alpha Custom",
+            slug: "alpha-custom",
+            description: "First custom charter",
+            model: "gpt-5.4",
+            scope: "frontend",
+            type: "custom",
+            lastEdited: alpha?.lastEdited ?? null,
+        });
+        assert.equal(typeof alpha?.lastEdited, "string");
+        const detailResponse = await fetch(`${baseUrl}/api/agents/${encodeURIComponent("alpha-custom")}`, {
+            headers: { authorization: authHeader },
+        });
+        assert.equal(detailResponse.status, 200);
+        assert.deepEqual(await detailResponse.json(), {
+            name: "Alpha Custom",
+            slug: "alpha-custom",
+            description: "First custom charter",
+            model: "gpt-5.4",
+            scope: "frontend",
+            persistent: false,
+            skills: ["ui-copy", "wireframes"],
+            type: "custom",
+            editable: true,
+            systemPrompt: "You are Alpha Custom.",
+        });
+        const builtinDetailResponse = await fetch(`${baseUrl}/api/agents/${encodeURIComponent("designer")}`, {
+            headers: { authorization: authHeader },
+        });
+        assert.equal(builtinDetailResponse.status, 200);
+        const builtinDetail = await builtinDetailResponse.json();
+        assert.equal(builtinDetail.slug, "designer");
+        assert.equal(builtinDetail.type, "builtin");
+        assert.equal(builtinDetail.editable, false);
+        assert.equal(typeof builtinDetail.systemPrompt, "string");
+        assert.ok(builtinDetail.systemPrompt.length > 0);
+        const missingResponse = await fetch(`${baseUrl}/api/agents/${encodeURIComponent("missing-agent")}`, {
+            headers: { authorization: authHeader },
+        });
+        assert.equal(missingResponse.status, 404);
+        assert.deepEqual(await missingResponse.json(), { error: "Agent 'missing-agent' not found" });
+    });
+});
+test("server rejects invalid agent slugs before reading agent files", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader, testRoot }) => {
+        writeFileSync(join(testRoot, "some-path.agent.md"), [
+            "---",
+            "name: Escaped Agent",
+            "description: Should never be readable",
+            "model: gpt-5.4",
+            "---",
+            "",
+            "You should not see this.",
+        ].join("\n"), "utf-8");
+        const response = await fetch(`${baseUrl}/api/agents/..%2F..%2Fsome-path`, {
+            headers: { authorization: authHeader },
+        });
+        assert.equal(response.status, 400);
+        assert.deepEqual(await response.json(), { error: "Invalid slug" });
+    });
+});
+test("server patches a custom agent file and reloads the persistent agent registry", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader, testRoot }) => {
+        writeAgentFile(testRoot, "scribe", [
+            "---",
+            "name: Scribe",
+            "description: Drafts release notes",
+            "model: claude-sonnet-4.6",
+            "persistent: true",
+            "scope: docs",
+            "skills:",
+            "  - writing",
+            "tools:",
+            "  - bash",
+            "---",
+            "",
+            "Original system prompt.",
+        ].join("\n"));
+        const before = await fetch(`${baseUrl}/api/channels`, {
+            headers: { authorization: authHeader },
+        });
+        assert.equal(before.status, 200);
+        const response = await fetch(`${baseUrl}/api/agents/scribe`, {
+            method: "PATCH",
+            headers: {
+                authorization: authHeader,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({
+                name: "Scribe Prime",
+                description: "Publishes saved agent edits",
+                systemPrompt: "# Updated Prompt\n\nShip it.",
+            }),
+        });
+        assert.equal(response.status, 200);
+        assert.deepEqual(await response.json(), {
+            name: "Scribe Prime",
+            slug: "scribe",
+            description: "Publishes saved agent edits",
+            model: "claude-sonnet-4.6",
+            scope: "docs",
+            persistent: true,
+            skills: ["writing"],
+            type: "custom",
+            editable: true,
+            systemPrompt: "# Updated Prompt\n\nShip it.",
+        });
+        const saved = readFileSync(getAgentFilePath(testRoot, "scribe"), "utf-8");
+        assert.match(saved, /^---\n[\s\S]*\n---\n\n# Updated Prompt\n\nShip it\.\n?$/);
+        assert.match(saved, /name: Scribe Prime/);
+        assert.match(saved, /description: Publishes saved agent edits/);
+        assert.match(saved, /model: claude-sonnet-4.6/);
+        assert.match(saved, /scope: docs/);
+        assert.match(saved, /tools:\n  - bash/);
+        assert.match(saved, /skills:\n  - writing/);
+        const after = await fetch(`${baseUrl}/api/channels`, {
+            headers: { authorization: authHeader },
+        });
+        assert.equal(after.status, 200);
+        const channels = await after.json();
+        assert.deepEqual(channels.find((channel) => channel.slug === "scribe"), {
+            key: "agent:scribe",
+            label: "# scribe",
+            slug: "scribe",
+            name: "Scribe Prime",
+            description: "Publishes saved agent edits",
+            scope: "docs",
+        });
+    });
+});
+test("server rejects PATCH /api/agents/:slug when the request changes skills", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader, testRoot }) => {
+        writeAgentFile(testRoot, "scribe", [
+            "---",
+            "name: Scribe",
+            "description: Drafts release notes",
+            "model: claude-sonnet-4.6",
+            "skills:",
+            "  - writing",
+            "---",
+            "",
+            "Original system prompt.",
+        ].join("\n"));
+        const response = await fetch(`${baseUrl}/api/agents/scribe`, {
+            method: "PATCH",
+            headers: {
+                authorization: authHeader,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ skills: ["editing", "review"] }),
+        });
+        assert.equal(response.status, 400);
+        assert.match((await response.json()).error, /skills/i);
+    });
+});
+test("server rejects PATCH /api/agents/:slug when the request changes read-only fields", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader, testRoot }) => {
+        writeAgentFile(testRoot, "scribe", [
+            "---",
+            "name: Scribe",
+            "description: Drafts release notes",
+            "model: claude-sonnet-4.6",
+            "---",
+            "",
+            "Original system prompt.",
+        ].join("\n"));
+        const response = await fetch(`${baseUrl}/api/agents/scribe`, {
+            method: "PATCH",
+            headers: {
+                authorization: authHeader,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ slug: "other-scribe" }),
+        });
+        assert.equal(response.status, 400);
+        assert.match((await response.json()).error, /slug/i);
+    });
+});
+test("server rejects PATCH /api/agents/:slug for bundled agents", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader }) => {
+        const response = await fetch(`${baseUrl}/api/agents/designer`, {
+            method: "PATCH",
+            headers: {
+                authorization: authHeader,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ description: "Should not save" }),
+        });
+        assert.equal(response.status, 403);
+        assert.deepEqual(await response.json(), { error: "Built-in agents are read-only" });
+    });
+});
+test("server rejects PATCH /api/agents/:slug for non-team-leads in team mode", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader, testRoot }) => {
+        writeAgentFile(testRoot, "scribe", [
+            "---",
+            "name: Scribe",
+            "description: Drafts release notes",
+            "model: claude-sonnet-4.6",
+            "---",
+            "",
+            "Original system prompt.",
+        ].join("\n"));
+        const response = await fetch(`${baseUrl}/api/agents/scribe`, {
+            method: "PATCH",
+            headers: {
+                authorization: authHeader,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ description: "Should not save" }),
+        });
+        assert.equal(response.status, 403);
+        assert.deepEqual(await response.json(), { error: "Forbidden" });
+    }, {
+        CHAPTERHOUSE_MODE: "team",
+    });
+});
+test("server returns 404 when PATCH /api/agents/:slug targets a missing file", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader }) => {
+        const response = await fetch(`${baseUrl}/api/agents/missing-agent`, {
+            method: "PATCH",
+            headers: {
+                authorization: authHeader,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ description: "Still missing" }),
+        });
+        assert.equal(response.status, 404);
+        assert.deepEqual(await response.json(), { error: "Agent not found" });
+    });
+});
+test("server returns 400 when PATCH /api/agents/:slug cannot parse malformed agent content", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader, testRoot }) => {
+        writeAgentFile(testRoot, "scribe", [
+            "---",
+            "name: Scribe",
+            "description: Drafts release notes",
+            "model: claude-sonnet-4.6",
+            "skills: [writing",
+            "---",
+            "",
+            "Original system prompt.",
+        ].join("\n"));
+        const response = await fetch(`${baseUrl}/api/agents/scribe`, {
+            method: "PATCH",
+            headers: {
+                authorization: authHeader,
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ description: "Broken input stays broken" }),
+        });
+        assert.equal(response.status, 400);
+        assert.match((await response.json()).error, /^Invalid content:/);
+    });
+});
+test("server returns 404 when confirming reload for an unknown agent", async () => {
+    await withStartedServer(async ({ baseUrl, authHeader }) => {
+        const response = await fetch(`${baseUrl}/api/agents/missing/reload-confirm`, {
+            method: "POST",
+            headers: { authorization: authHeader },
+        });
+        assert.equal(response.status, 404);
+        assert.match(await response.text(), /Agent not found/i);
+    });
+});
 test("server runs in standalone mode without auth", async () => {
     await withStartedServer(async ({ baseUrl }) => {
         const bootstrap = await fetch(`${baseUrl}/api/bootstrap`);
@@ -916,17 +1247,17 @@ test("server caps concurrent SSE connections per IP", async () => {
         let secondResponse;
         try {
             firstResponse = await fetch(`${baseUrl}/stream`, {
-                headers: { authorization: authHeader },
+                headers: { authorization: authHeader, connection: "close" },
                 signal: firstController.signal,
             });
             secondResponse = await fetch(`${baseUrl}/stream`, {
-                headers: { authorization: authHeader },
+                headers: { authorization: authHeader, connection: "close" },
                 signal: secondController.signal,
             });
             assert.equal(firstResponse.status, 200);
             assert.equal(secondResponse.status, 200);
             const rejected = await fetch(`${baseUrl}/stream`, {
-                headers: { authorization: authHeader },
+                headers: { authorization: authHeader, connection: "close" },
             });
             assert.equal(rejected.status, 429);
             assert.equal(rejected.headers.get("retry-after"), "60");