chapterhouse 0.8.2 → 0.9.0

package/dist/api/korg.js

@@ -1,8 +1,8 @@
 import { sendToAgentSession } from "../copilot/orchestrator.js";
 export async function routeKorgMessage(input) {
     const message = input.message.trim();
-    const sessionId = input.session_id?.trim() || `korg-${Date.now()}`;
-    const sessionName = input.session_id?.trim() || message.slice(0, 80).trim() || sessionId;
+    const sessionId = input.sessionKey?.trim() || `korg-${Date.now()}`;
+    const sessionName = input.sessionKey?.trim() || message.slice(0, 80).trim() || sessionId;
     const prompt = [
         "Handle this request as Korg via the API.",
         `Research session id: ${sessionId}`,
@@ -13,7 +13,7 @@ export async function routeKorgMessage(input) {
         message,
     ].join("\n");
     const reply = await sendToAgentSession("korg", prompt);
-    return { ok: true, session_id: sessionId, reply };
+    return { ok: true, sessionKey: sessionId, reply };
 }
 export function listKorgResearchSessions(db) {
     return db.prepare(`
@@ -21,8 +21,8 @@ export function listKorgResearchSessions(db) {
       session_id AS id,
       COALESCE(NULLIF(TRIM(session_name), ''), session_id) AS name,
       COUNT(*) AS source_count,
-      0 AS open_questions,
-      MAX(ingested_at) AS last_activity
+      0 AS open_questions_count,
+      MAX(ingested_at) AS last_activity_at
     FROM wiki_sources
     WHERE status = 'active'
       AND session_id IS NOT NULL

package/dist/api/korg.test.js

@@ -13,7 +13,7 @@ test("routeKorgMessage creates a research session id and delegates to the persis
     const mod = await import(new URL(`./korg.js?case=${Date.now()}-${Math.random()}`, import.meta.url).href);
     const result = await mod.routeKorgMessage({ message: "Research local-first PKB patterns." });
     assert.equal(result.ok, true);
-    assert.match(result.session_id, /^korg-/);
+    assert.match(result.sessionKey, /^korg-/);
     assert.equal(result.reply, "Korg reply");
     assert.deepEqual(calls, [{
             slug: "korg",
@@ -33,8 +33,8 @@ test("routeKorgMessage preserves an existing research session id in the delegate
         },
     });
     const mod = await import(new URL(`./korg.js?case=${Date.now()}-${Math.random()}`, import.meta.url).href);
-    const result = await mod.routeKorgMessage({ message: "Add two more sources.", session_id: "compiler-research" });
-    assert.equal(result.session_id, "compiler-research");
+    const result = await mod.routeKorgMessage({ message: "Add two more sources.", sessionKey: "compiler-research" });
+    assert.equal(result.sessionKey, "compiler-research");
     assert.equal(result.reply, "Continuing session");
     assert.match(prompt, /compiler-research/);
     assert.match(prompt, /Add two more sources\./);

package/dist/api/route-coverage.test.js

@@ -0,0 +1,225 @@
+// Route & SSE coverage — static analysis CI safeguard (P0 remediation, issue #369)
+//
+// Coverage status as of 2026-05-15:
+// ──────────────────────────────────────────────────────────────────────────────
+// GET    /api/wiki/pages            — tested (server.test.ts: coerced updated, frontmatter)
+// GET    /api/wiki/browser-pages    — tested (server.test.ts: browser contract, orphan fallback)
+// GET    /api/wiki/sources          — tested (server.test.ts: empty payload, page filter)
+// GET    /api/wiki/links            — tested (server.test.ts: all links, empty, page filter)
+// GET    /api/wiki/page             — tested (server.test.ts: CRUD, welcome page synthesis, 404)
+// PUT    /api/wiki/page             — tested (server.test.ts: wiki CRUD create flow)
+// DELETE /api/wiki/page             — tested (server.test.ts: wiki CRUD delete flow)
+// GET    /api/wiki/search           — NOT tested (add in Phase 3c)
+// POST   /api/wiki/update           — static auth guard tested below
+// POST   /api/wiki/page/pin         — auth + traversal guard tested
+// POST   /api/wiki/ingest           — NOT tested (add in Phase 3c)
+// GET    /api/wiki/korg/sessions    — NOT tested (add in Phase 3c)
+// POST   /api/wiki/korg             — NOT tested (add in Phase 3c)
+// ──────────────────────────────────────────────────────────────────────────────
+import { describe, test } from "node:test";
+import assert from "node:assert/strict";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import { fileURLToPath } from "node:url";
+const __dirname = fileURLToPath(new URL(".", import.meta.url));
+const ROOT = join(__dirname, "..", "..");
+const FRONTEND_API_PATH = join(ROOT, "web", "src", "api.ts");
+const SERVER_TS_PATH = join(ROOT, "src", "api", "server.ts");
+const WEB_SCHEMAS_PATH = join(ROOT, "src", "shared", "api-schemas.ts");
+/**
+ * Normalise a URL path for comparison:
+ *  - Replace complete template-literal expressions  ${...}  with  :param
+ *  - Strip incomplete trailing template expressions (e.g. `${query ` cut by `?`)
+ *  - Replace Express named params  :slug  with  :param
+ *  - Strip trailing slashes
+ */
+function normalizePath(raw) {
+    return raw
+        .replace(/\$\{[^}]*\}/g, ":param") // complete ${...} → :param
+        .replace(/\$\{[^}]*$/, "") // trailing incomplete ${...  (cut by `?` in regex)
+        .replace(/:[a-zA-Z_][a-zA-Z0-9_]*/g, ":param") // :slug → :param
+        .replace(/\/+$/, "") // strip trailing slash
+        .trim();
+}
+/**
+ * Extract all unique normalised API paths called via authedFetch() in the
+ * frontend api.ts. Only static string / template-literal arguments are
+ * detected — calls that pass a pre-constructed variable are skipped.
+ */
+function extractFrontendPaths(src) {
+    // Matches authedFetch( then an opening quote/backtick then /api/...
+    // Stops at the same quote character, or at `?` (query string start).
+    const re = /authedFetch\(["'`](\/api\/[^"'`?]+)/g;
+    const paths = new Set();
+    for (const m of src.matchAll(re)) {
+        const normalised = normalizePath(m[1]);
+        if (normalised) {
+            paths.add(normalised);
+        }
+    }
+    return paths;
+}
+/**
+ * Extract all unique normalised API paths registered via app.METHOD() in
+ * server.ts. Only /api/ prefixed paths are considered.
+ */
+function extractServerPaths(src) {
+    const re = /app\.(get|post|put|delete|patch)\(["'`](\/api\/[^"'`?]+)/g;
+    const paths = new Set();
+    for (const m of src.matchAll(re)) {
+        const normalised = normalizePath(m[2]);
+        if (normalised) {
+            paths.add(normalised);
+        }
+    }
+    return paths;
+}
+/**
+ * Extract SSE type literals emitted inline via formatSseData({ type: "X", ... })
+ * in server.ts. Pass-through calls like formatSseData(event) are not detected.
+ */
+function extractSseDataTypes(src) {
+    // Allow up to ~200 chars between `formatSseData({` and `type: "X"` to
+    // handle multi-line object literals (queued, queue-advance, etc.).
+    const re = /formatSseData\(\{[\s\S]{0,200}?type:\s*["']([^"']+)["']/g;
+    const types = new Set();
+    for (const m of src.matchAll(re)) {
+        types.add(m[1]);
+    }
+    return types;
+}
+/**
+ * Extract the first argument (event name) from all formatSseEvent("name", ...)
+ * calls in server.ts.
+ */
+function extractSseEventNames(src) {
+    const re = /formatSseEvent\(["']([^"']+)["']/g;
+    const names = new Set();
+    for (const m of src.matchAll(re)) {
+        names.add(m[1]);
+    }
+    return names;
+}
+/**
+ * Extract the `type` literal values from StreamEventSchema in web/src/api-schemas.ts
+ * by scanning for `type: z.literal("X")` patterns.
+ *
+ * These are the only valid SSE frame types the frontend will parse via the
+ * default `message` EventSource handler.
+ */
+function extractStreamEventSchemaTypes(src) {
+    // Locate the StreamEventSchema block first so we don't accidentally pick up
+    // literals from other schemas.
+    const startIdx = src.indexOf("export const StreamEventSchema");
+    if (startIdx === -1) {
+        throw new Error("StreamEventSchema not found in src/shared/api-schemas.ts");
+    }
+    // Take a generous slice (10 000 chars) — the schema is large but finite.
+    const block = src.slice(startIdx, startIdx + 10_000);
+    const re = /type:\s*z\.literal\(["']([^"']+)["']\)/g;
+    const types = new Set();
+    for (const m of block.matchAll(re)) {
+        types.add(m[1]);
+    }
+    return types;
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Tests
+// ─────────────────────────────────────────────────────────────────────────────
+describe("route coverage — static analysis", () => {
+    test("all frontend authedFetch paths have a matching server route registration", () => {
+        const frontendSrc = readFileSync(FRONTEND_API_PATH, "utf8");
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        const frontendPaths = extractFrontendPaths(frontendSrc);
+        const serverPaths = extractServerPaths(serverSrc);
+        const missing = [];
+        for (const fp of [...frontendPaths].sort()) {
+            if (!serverPaths.has(fp)) {
+                missing.push(fp);
+            }
+        }
+        assert.ok(missing.length === 0, `Frontend calls ${missing.length} route(s) with no matching server registration:\n` +
+            missing.map((p) => `  MISSING: ${p}`).join("\n") +
+            "\n\nAdd the missing route(s) to src/api/server.ts");
+    });
+    test("server routes cover every unique normalised path (no obvious duplicates leaked)", () => {
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        const serverPaths = extractServerPaths(serverSrc);
+        // Sanity: the server must expose at least 30 /api/ routes.
+        assert.ok(serverPaths.size >= 30, `Expected ≥30 server routes, found ${serverPaths.size}. Check extractServerPaths regex.`);
+    });
+});
+describe("wiki write route safeguards — static analysis", () => {
+    test("wiki update and pin routes declare authMiddleware explicitly", () => {
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        assert.match(serverSrc, /app\.post\("\/api\/wiki\/update",\s*authMiddleware,\s*async \(req: Request, res: Response\) => \{/);
+        assert.match(serverSrc, /app\.post\("\/api\/wiki\/page\/pin",\s*authMiddleware,\s*async \(req: Request, res: Response\) => \{/);
+    });
+});
+describe("SSE exhaustiveness — static analysis", () => {
+    // ───────────────────────────────────────────────────────────────────────────
+    // REGRESSION CANARY for issues #367 / #368:
+    //
+    // `formatSseEvent("status", payload)` generates an SSE *named event*:
+    //   event: status\ndata: {...}\n\n
+    //
+    // The frontend's EventSource only handles the default `message` event.
+    // Named events are silently dropped — the frontend never sees them.
+    //
+    // If any future code adds `formatSseEvent("X", ...)` where "X" is also a
+    // type in StreamEventSchema, this test FAILS, preventing the regression.
+    // ───────────────────────────────────────────────────────────────────────────
+    test("formatSseEvent is not used with names that belong in the StreamEventSchema data channel", () => {
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        const schemaSrc = readFileSync(WEB_SCHEMAS_PATH, "utf8");
+        const namedEventNames = extractSseEventNames(serverSrc);
+        const schemaTypes = extractStreamEventSchemaTypes(schemaSrc);
+        const conflicts = [];
+        for (const name of namedEventNames) {
+            if (schemaTypes.has(name)) {
+                conflicts.push(name);
+            }
+        }
+        assert.ok(conflicts.length === 0, `formatSseEvent() is being used with name(s) that are also StreamEventSchema types:\n` +
+            conflicts.map((n) => `  CONFLICT: formatSseEvent("${n}", ...) — must use formatSseData({ type: "${n}", ... }) instead`).join("\n") +
+            "\n\nNamed SSE events are silently dropped by the frontend's default 'message' handler (issues #367/#368).");
+    });
+    test("all inline formatSseData type literals are known StreamEventSchema types or agent-stream-only types", () => {
+        const serverSrc = readFileSync(SERVER_TS_PATH, "utf8");
+        const schemaSrc = readFileSync(WEB_SCHEMAS_PATH, "utf8");
+        const emittedTypes = extractSseDataTypes(serverSrc);
+        const schemaTypes = extractStreamEventSchemaTypes(schemaSrc);
+        // Types emitted only on /api/agents/stream — not part of the main chat
+        // StreamEventSchema but intentional (received by a separate subscriber).
+        const agentStreamOnlyTypes = new Set(["agent_event"]);
+        const unknown = [];
+        for (const t of [...emittedTypes].sort()) {
+            if (!schemaTypes.has(t) && !agentStreamOnlyTypes.has(t)) {
+                unknown.push(t);
+            }
+        }
+        assert.ok(unknown.length === 0, `formatSseData emits type(s) not present in StreamEventSchema:\n` +
+            unknown.map((t) => `  UNKNOWN: "${t}"`).join("\n") +
+            "\n\nEither add these to StreamEventSchema in src/shared/api-schemas.ts, " +
+            "or add them to the agentStreamOnlyTypes allowlist in this test.");
+    });
+    test("StreamEventSchema covers at least the core chat stream types", () => {
+        const schemaSrc = readFileSync(WEB_SCHEMAS_PATH, "utf8");
+        const schemaTypes = extractStreamEventSchemaTypes(schemaSrc);
+        const required = [
+            "connected",
+            "delta",
+            "message",
+            "cancelled",
+            "status",
+            "queued",
+            "activity",
+            "queue-advance",
+            "turn-interrupted",
+        ];
+        const missing = required.filter((t) => !schemaTypes.has(t));
+        assert.ok(missing.length === 0, `StreamEventSchema is missing expected type(s): ${missing.join(", ")}\n` +
+            "These types were removed or renamed — update the schema and this test together.");
+    });
+});
+//# sourceMappingURL=route-coverage.test.js.map

package/dist/api/server.js

@@ -16,7 +16,7 @@ import { createAuthMiddleware, getBootstrapAuthResponse } from "./auth.js";
 import { assertAgentEditAccess } from "./agent-edit-access.js";
 import { createConcurrentConnectionLimiter, createFixedWindowRateLimiter } from "./rate-limit.js";
 import { createTeamRouter } from "./team.js";
-import { writePage, deletePage, pageExists, listPages, ensureWikiStructure, assertPagePath, getWikiDir, } from "../wiki/fs.js";
+import { readPage, writePage, deletePage, pageExists, listPages, ensureWikiStructure, assertPagePath, getWikiDir, } from "../wiki/fs.js";
 import { parseWikiFrontmatter } from "../wiki/frontmatter.js";
 import { normalizeWikiPath } from "../wiki/path-utils.js";
 import { loadRegistry, saveRegistry } from "../wiki/project-registry.js";
@@ -30,7 +30,7 @@ import { getCurrentRunId, getDb, getSessionMessages, getTaskEvents } from "../st
 import { getTaskLogEvents, subscribeTaskLog } from "../copilot/task-event-log.js";
 import { subscribeSession, getSessionEventsFromDb, getSessionMaxSeqFromDb, oldestSessionSeq, } from "../copilot/turn-event-log.js";
 import { getStatus, onStatusChange } from "../status.js";
-import { formatSseData, formatSseEvent } from "./sse.js";
+import { formatSseData } from "./sse.js";
 import { assertAuthenticationConfigured, createHealthPayload, createPublicConfigPayload, getDisplayHost, resolveApiToken, shouldServeSpaPath, } from "./server-runtime.js";
 import { BadRequestError, ForbiddenError, InternalServerError, NotFoundError, apiNotFoundHandler, asBadRequest, createApiErrorHandler, parseRequest, } from "./errors.js";
 import { childLogger } from "../util/logger.js";
@@ -41,6 +41,7 @@ import { recordObservation } from "../memory/observations.js";
 import { recordDecision } from "../memory/decisions.js";
 import { upsertEntity } from "../memory/entities.js";
 import { getInboxItem, listPendingInboxItems, resolveInboxItem } from "../memory/inbox.js";
+import { ingestSource } from "../wiki/ingest.js";
 import { listKorgResearchSessions, routeKorgMessage } from "./korg.js";
 const log = childLogger("server");
 const modeContext = new ModeContext(config);
@@ -147,7 +148,7 @@ const prMergeHookSchema = z.object({
 });
 const korgRequestSchema = z.object({
     message: requiredString("Missing 'message' in request body"),
-    session_id: z.string().trim().min(1).optional(),
+    sessionKey: z.string().trim().min(1).optional(),
 }).strict();
 const projectHardRulesSchema = z.object({
     hardRules: z.object({
@@ -205,6 +206,77 @@ function coerceWikiPageUpdated(path, updated) {
         return "unknown";
     }
 }
+function wikiPathToBrowserSlug(path) {
+    return path.replace(/^pages\//, "").replace(/\.md$/, "");
+}
+function normalizeOptionalQueryParam(value) {
+    if (typeof value !== "string") {
+        return undefined;
+    }
+    const trimmed = value.trim();
+    return trimmed ? trimmed : undefined;
+}
+function matchesWikiBrowserFilters(page, filters) {
+    if (filters.type && page.type !== filters.type) {
+        return false;
+    }
+    if (!filters.q) {
+        return true;
+    }
+    const query = filters.q.toLowerCase();
+    return page.title.toLowerCase().includes(query) || page.summary.toLowerCase().includes(query);
+}
+function mapIndexEntryToBrowserPage(entry) {
+    return {
+        slug: wikiPathToBrowserSlug(entry.path),
+        title: entry.title,
+        summary: entry.summary,
+        type: entry.section,
+        last_updated: coerceWikiPageUpdated(entry.path, entry.updated),
+    };
+}
+function listFallbackWikiBrowserPages(filters) {
+    const entries = parseIndex();
+    const indexed = new Set(entries.map((entry) => entry.path));
+    const indexedResults = entries.map(mapIndexEntryToBrowserPage);
+    const orphanResults = listPages()
+        .filter((path) => !indexed.has(path))
+        .map((path) => ({
+        slug: wikiPathToBrowserSlug(path),
+        title: path,
+        summary: "",
+        type: "Unindexed",
+        last_updated: coerceWikiPageUpdated(path, undefined),
+    }));
+    return [...indexedResults, ...orphanResults].filter((page) => matchesWikiBrowserFilters(page, filters));
+}
+function listDbWikiBrowserPages(filters) {
+    const db = getDb();
+    const clauses = [];
+    const params = [];
+    if (filters.type) {
+        clauses.push("entity_type = ?");
+        params.push(filters.type);
+    }
+    if (filters.q) {
+        clauses.push("(title LIKE ? COLLATE NOCASE OR COALESCE(summary, '') LIKE ? COLLATE NOCASE)");
+        params.push(`%${filters.q}%`, `%${filters.q}%`);
+    }
+    const rows = db.prepare(`
+    SELECT path, title, summary, entity_type, last_updated, pinned
+    FROM wiki_pages
+    ${clauses.length > 0 ? `WHERE ${clauses.join(" AND ")}` : ""}
+    ORDER BY COALESCE(last_updated, '') DESC, title ASC
+  `).all(...params);
+    return rows.map((row) => ({
+        slug: wikiPathToBrowserSlug(row.path),
+        title: row.title,
+        summary: row.summary ?? "",
+        type: row.entity_type ?? "topics",
+        last_updated: coerceWikiPageUpdated(row.path, row.last_updated ?? undefined),
+        ...(row.pinned ? { pinned: true } : {}),
+    }));
+}
 function parseWikiSourcePages(value) {
     if (!value) {
         return [];
@@ -838,11 +910,11 @@ app.get("/stream", (req, res) => {
     }
     sseClients.set(connectionId, res);
     const unsubscribeStatus = onStatusChange((status, message) => {
-        res.write(formatSseEvent("status", { status, message }));
+        res.write(formatSseData({ type: "status", status, message }));
     });
     const currentStatus = getStatus();
     if (currentStatus.status !== "idle") {
-        res.write(formatSseEvent("status", currentStatus));
+        res.write(formatSseData({ type: "status", ...currentStatus }));
     }
     const heartbeat = setInterval(() => {
         res.write(`:ping\n\n`);
@@ -1544,6 +1616,19 @@ app.get("/api/wiki/pages", async (req, res) => {
     }));
     res.json([...indexedResults, ...orphanResults]);
 });
+app.get("/api/wiki/browser-pages", async (req, res) => {
+    ensureWikiStructure();
+    const filters = {
+        q: normalizeOptionalQueryParam(req.query.q),
+        type: normalizeOptionalQueryParam(req.query.type),
+    };
+    const db = getDb();
+    const { count } = db.prepare("SELECT COUNT(*) AS count FROM wiki_pages").get();
+    const pages = count > 0
+        ? listDbWikiBrowserPages(filters)
+        : listFallbackWikiBrowserPages(filters);
+    res.json({ pages });
+});
 app.get("/api/wiki/sources", async (req, res) => {
     ensureWikiStructure();
     res.json({ sources: listWikiSources(readOptionalPageFilter(req)) });
@@ -1553,6 +1638,33 @@ app.get("/api/wiki/links", async (req, res) => {
     res.json({ links: listWikiLinks(readOptionalPageFilter(req)) });
 });
 app.get("/api/wiki/page", async (req, res) => {
+    const slugParam = normalizeOptionalQueryParam(req.query.slug);
+    if (slugParam) {
+        const path = `pages/${slugParam}.md`;
+        assertValidPagePath(path);
+        const db = getDb();
+        const row = db.prepare("SELECT title, entity_type, last_updated, pinned FROM wiki_pages WHERE path = ?").get(path);
+        const authorizationHeader = typeof req.headers.authorization === "string"
+            ? req.headers.authorization
+            : undefined;
+        const rawContent = await readWikiPage(path, { authorizationHeader });
+        if (rawContent === undefined) {
+            throw new NotFoundError("Page not found");
+        }
+        const { parsed: frontmatter } = parseWikiFrontmatter(rawContent);
+        res.json({
+            page: {
+                slug: slugParam,
+                title: row?.title ?? slugParam,
+                type: row?.entity_type ?? "topics",
+                last_updated: row?.last_updated ?? coerceWikiPageUpdated(path, undefined),
+                compiled_truth: rawContent,
+                pinned: Boolean(row?.pinned),
+                frontmatter,
+            },
+        });
+        return;
+    }
     const path = assertValidPagePath(readPathParam(req));
     const authorizationHeader = typeof req.headers.authorization === "string"
         ? req.headers.authorization
@@ -1577,6 +1689,54 @@ app.put("/api/wiki/page", async (req, res) => {
     });
     res.json({ ok: true, created, path });
 });
+const wikiUpdateSchema = z.object({
+    slug: requiredString("Missing 'slug' in request body"),
+    compiled_truth: z.string().optional(),
+    frontmatter: z.record(z.string(), z.unknown()).optional(),
+});
+app.post("/api/wiki/update", authMiddleware, async (req, res) => {
+    const { slug, compiled_truth, frontmatter: newFrontmatter } = parseRequest(wikiUpdateSchema, req.body);
+    const path = assertValidPagePath(`pages/${slug}.md`);
+    let finalContent = compiled_truth;
+    if (newFrontmatter !== undefined) {
+        const existing = readPage(path);
+        const base = finalContent ?? existing ?? "";
+        const { parsed: existingFrontmatter, body } = parseWikiFrontmatter(base);
+        const merged = { ...existingFrontmatter, ...newFrontmatter };
+        const fmLines = Object.entries(merged).map(([k, v]) => `${k}: ${JSON.stringify(v)}`).join("\n");
+        finalContent = `---\n${fmLines}\n---\n${body}`;
+    }
+    if (finalContent !== undefined) {
+        await withWikiWrite(() => writePage(path, finalContent));
+    }
+    const db = getDb();
+    const row = db.prepare("SELECT title, entity_type, last_updated, pinned FROM wiki_pages WHERE path = ?").get(path);
+    const content = readPage(path) ?? finalContent ?? "";
+    const { parsed: frontmatter } = parseWikiFrontmatter(content);
+    res.json({
+        ok: true,
+        page: {
+            slug,
+            title: row?.title ?? slug,
+            type: row?.entity_type ?? "topics",
+            last_updated: row?.last_updated ?? coerceWikiPageUpdated(path, undefined),
+            compiled_truth: content,
+            pinned: Boolean(row?.pinned),
+            frontmatter,
+        },
+    });
+});
+const wikiPinSchema = z.object({
+    slug: requiredString("Missing 'slug' in request body"),
+    pinned: z.boolean({ error: "Missing 'pinned' in request body" }),
+});
+app.post("/api/wiki/page/pin", authMiddleware, async (req, res) => {
+    const { slug, pinned } = parseRequest(wikiPinSchema, req.body);
+    const path = assertValidPagePath(`pages/${slug}.md`);
+    const db = getDb();
+    db.prepare("UPDATE wiki_pages SET pinned = ? WHERE path = ?").run(pinned ? 1 : 0, path);
+    res.json({ ok: true, pinned: Boolean(pinned) });
+});
 app.delete("/api/wiki/page", async (req, res) => {
     const path = assertValidPagePath(readPathParam(req));
     const removed = await withWikiWrite(() => deletePage(path));
@@ -1590,6 +1750,72 @@ app.post("/api/wiki/korg", authMiddleware, async (req, res) => {
 app.get("/api/wiki/korg/sessions", authMiddleware, (_req, res) => {
     res.json({ sessions: listKorgResearchSessions(getDb()) });
 });
+const wikiIngestSchema = z.object({
+    source_url: z.string().optional(),
+    path: z.string().optional(),
+    topic: z.string().optional(),
+});
+app.post("/api/wiki/ingest", authMiddleware, async (req, res) => {
+    const { source_url, path: ingestPath, topic } = parseRequest(wikiIngestSchema, req.body ?? {});
+    const source = source_url ?? ingestPath;
+    if (!source) {
+        throw new BadRequestError("Missing 'source_url' or 'path' in request body");
+    }
+    const type = source_url ? "url" : "text";
+    await withWikiWrite(() => ingestSource(source, type, topic));
+    res.json({ ok: true });
+});
+const wikiSearchSchema = z.object({
+    q: z.string().optional(),
+    type: z.string().optional(),
+});
+app.get("/api/wiki/search", authMiddleware, async (req, res) => {
+    ensureWikiStructure();
+    const q = normalizeOptionalQueryParam(req.query.q);
+    const type = normalizeOptionalQueryParam(req.query.type);
+    const db = getDb();
+    let rows;
+    try {
+        const clauses = ["wiki_pages_fts MATCH ?"];
+        const params = [q ? `${q}*` : "*"];
+        if (type) {
+            clauses.push("entity_type = ?");
+            params.push(type);
+        }
+        rows = db.prepare(`
+      SELECT path, title, entity_type, last_updated
+      FROM wiki_pages_fts
+      WHERE ${clauses.join(" AND ")}
+      ORDER BY rank
+      LIMIT 50
+    `).all(...params);
+    }
+    catch {
+        const clauses = [];
+        const params = [];
+        if (q) {
+            clauses.push("title LIKE ? COLLATE NOCASE");
+            params.push(`%${q}%`);
+        }
+        if (type) {
+            clauses.push("entity_type = ?");
+            params.push(type);
+        }
+        rows = db.prepare(`
+      SELECT path, title, entity_type, last_updated
+      FROM wiki_pages
+      ${clauses.length > 0 ? `WHERE ${clauses.join(" AND ")}` : ""}
+      LIMIT 50
+    `).all(...params);
+    }
+    const pages = rows.map((row) => ({
+        slug: wikiPathToBrowserSlug(row.path),
+        title: row.title,
+        type: row.entity_type ?? "topics",
+        last_updated: coerceWikiPageUpdated(row.path, row.last_updated ?? undefined),
+    }));
+    res.json({ pages });
+});
 // ---------------------------------------------------------------------------
 // Skills
 // ---------------------------------------------------------------------------