mop-agent 0.1.0

package/README.md

@@ -0,0 +1,177 @@
+# MOP-AGENT
+
+MOP-AGENT is a self-hosted AI brain and control plane for projects connected
+through MOP-FLOW. It stores project memory, performs semantic recall and
+consolidation, serves grounded chat, and can request approved actions from a
+linked FLOW node.
+
+> **Release status:** npm package `mop-agent@0.1.0` is prepared but may not have
+> been published yet. After publication, the canonical installation command is
+> exactly `npx mop-agent`.
+
+## Current status
+
+The application core through Fasa 7 foundation is implemented: reverse-WSS
+project links, SQLite + sqlite-vec storage, Better Auth, semantic recall,
+provider settings, consolidation, approval-based write-back, Telegram and
+Discord adapters, skills, graph UI, execution backends, and team invites.
+
+The npm bootstrap stages the packaged application durably at `/opt/mop-agent`,
+uses the proven SQLite + sqlite-vec backend, and asks for sudo only for specific
+OS operations. Package, bootstrap, installer, and smoke verification pass
+locally. A clean VPS installation remains the final production verification.
+
+## Platform support
+
+| Platform | Current support | Recommended use |
+| --- | --- | --- |
+| Debian, Ubuntu, Kali, Mint | Installer candidate | Linux VPS production target |
+| Fedora, RHEL, Rocky, Alma | Installer candidate; paths need live verification | Linux VPS production target |
+| Arch, Manjaro, Alpine | Installer candidate; paths need live verification | Advanced/test use |
+| Windows | Native installer not available | Use WSL2 Ubuntu, or run development mode natively |
+| macOS | Production installer not available | Run development mode; deploy production on Linux |
+
+The automated installer depends on Linux facilities such as `systemd`, nginx,
+Certbot, and standard Linux filesystem paths. Native Windows services/IIS and
+macOS launchd/Homebrew automation have not been implemented.
+
+## Linux installation
+
+Prerequisites:
+
+- A Linux VPS with root/sudo access
+- Node.js 20 or newer and npm
+- A domain with an `A`/`AAAA` record pointing to the server
+- Inbound ports 80 and 443 allowed by the firewall/security group
+
+Run as your normal user:
+
+```bash
+npx mop-agent
+```
+
+The first run copies the npm-packaged runtime from the temporary npx cache into
+`/opt/mop-agent`, installs its dependencies, and opens the TUI. Choose
+`install` to install nginx/Certbot, then `setup` to configure the domain,
+SQLite database, HTTPS, and systemd service. The menu remains open between
+steps.
+
+The installer requests `sudo` only when it needs to write under `/opt` or
+`/etc`, install OS packages, or control nginx/systemd. Do not run the entire
+npm/npx process with `sudo`.
+
+Subsequent operations use the same command:
+
+```bash
+npx mop-agent status
+npx mop-agent update
+npx mop-agent uninstall
+```
+
+### Linux filesystem map
+
+MOP-AGENT is a long-running Node.js service behind nginx, not a static website,
+so it uses `/opt/mop-agent` rather than `/var/www` for application code.
+
+| Purpose | Debian/Ubuntu | RHEL/Arch/Alpine |
+| --- | --- | --- |
+| Application source | `/opt/mop-agent` | `/opt/mop-agent` |
+| Environment file | `/opt/mop-agent/apps/web/.env` | same |
+| Brain database/data (current) | `/opt/mop-agent/data` | same |
+| nginx vhost | `/etc/nginx/sites-available/mop-agent.conf` | `/etc/nginx/conf.d/mop-agent.conf` |
+| nginx enable link | `/etc/nginx/sites-enabled/mop-agent.conf` | not needed (`conf.d` is included directly) |
+| systemd unit | `/etc/systemd/system/mop-agent.service` | same |
+| TLS certificates | `/etc/letsencrypt/live/<domain>/` | same |
+| Service logs | `journalctl -u mop-agent -f` | same |
+
+`MOP_AGENT_DIR` can override `/opt/mop-agent`. Updates preserve
+`apps/web/.env` and `data/`; uninstall preserves SQLite brain data unless the
+user explicitly passes `--purge`.
+
+Useful operations after setup:
+
+```bash
+sudo systemctl status mop-agent
+sudo journalctl -u mop-agent -f
+sudo nginx -t
+sudo systemctl reload nginx
+```
+
+## Windows
+
+### Recommended: WSL2
+
+Install Ubuntu under WSL2, enable systemd in WSL, then run `npx mop-agent`
+inside the WSL terminal. All paths such as `/opt/mop-agent` and `/etc/nginx/...`
+exist inside the WSL filesystem, not under `C:\Program Files`.
+
+### Native Windows development
+
+PowerShell can run the application for development, but the Linux installer,
+nginx, Certbot, and systemd steps do not apply:
+
+```powershell
+git clone https://github.com/BURHANDEV-ENTERPRISE/mop-agent.git
+cd mop-agent
+npm ci
+Copy-Item apps/web/.env.example apps/web/.env
+npm run typecheck
+npm run dev:web
+```
+
+Open `http://localhost:3000/setup`. Native Windows production service and HTTPS
+automation remain TODO; do not use `sudo` in PowerShell or Command Prompt.
+
+## macOS
+
+macOS currently supports development mode only:
+
+```bash
+git clone https://github.com/BURHANDEV-ENTERPRISE/mop-agent.git
+cd mop-agent
+npm ci
+cp apps/web/.env.example apps/web/.env
+npm run typecheck
+npm run dev:web
+```
+
+Open `http://localhost:3000/setup`. A launchd/Homebrew/nginx production
+installer is not implemented; use a supported Linux VPS for production.
+
+## Development
+
+```bash
+git clone https://github.com/BURHANDEV-ENTERPRISE/mop-agent.git
+cd mop-agent
+npm ci
+cp apps/web/.env.example apps/web/.env
+npm run typecheck
+npm run dev:web
+```
+
+Set at least `BETTER_AUTH_SECRET` and `MOP_AGENT_SECRET` in
+`apps/web/.env`. With no Anthropic/OpenRouter key, chat falls back to the local
+offline echo provider.
+
+Repository layout:
+
+```text
+mop-agent/
+├── apps/web/                 # Next.js UI, API, auth, brain, WS gateway
+├── packages/link-protocol/   # shared AGENT <-> FLOW schemas
+├── packages/flow-connector/  # reverse-WSS MOP-FLOW connector
+├── installer/                # installer TUI and platform plans
+├── scripts/                  # smoke tests
+└── data/                     # runtime SQLite/brain data (gitignored)
+```
+
+## Verification
+
+```bash
+npm run typecheck
+npx tsx scripts/smoke-installer.mts
+# Run the remaining smoke-*.mts scripts before a release.
+```
+
+The complete npm publication checklist and installer acceptance criteria are in
+[`TODO.md`](TODO.md).

package/apps/web/.env.example

@@ -0,0 +1,18 @@
+# MOP-AGENT web — copy to .env and fill in.
+PORT=3000
+
+# --- Fasa 2 (auth + db + secrets) ---
+# BETTER_AUTH_SECRET=
+# BETTER_AUTH_URL=http://localhost:3000
+# MOP_AGENT_SECRET=          # AES-GCM key for provider keys at rest (32 bytes hex)
+# MOP_AGENT_DATA_DIR=        # defaults to OS data dir if unset
+
+# --- providers (Fasa 2/3) ---
+# ANTHROPIC_API_KEY=
+# OPENROUTER_API_KEY=
+# MOP_AGENT_PROVIDER=anthropic   # anthropic | openrouter | echo (default: auto/echo)
+# MOP_AGENT_MODEL=
+
+# --- channels (Fasa 4.5) — set a token to auto-start that bot ---
+# TELEGRAM_BOT_TOKEN=
+# DISCORD_BOT_TOKEN=

package/apps/web/app/api/actions/[id]/approve/route.ts

@@ -0,0 +1,15 @@
+/** POST /api/actions/[id]/approve — approve + execute over the live link (owner). */
+import { requireRole } from "@/lib/authz";
+import { approveAction } from "@/lib/brain/approvals";
+
+export async function POST(
+  req: Request,
+  { params }: { params: Promise<{ id: string }> },
+): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  const { id } = await params;
+  const action = await approveAction(id);
+  if (!action) return Response.json({ error: "not_found" }, { status: 404 });
+  return Response.json({ action });
+}

package/apps/web/app/api/actions/[id]/deny/route.ts

@@ -0,0 +1,15 @@
+/** POST /api/actions/[id]/deny — deny a pending write action (owner). */
+import { requireRole } from "@/lib/authz";
+import { denyAction } from "@/lib/brain/approvals";
+
+export async function POST(
+  req: Request,
+  { params }: { params: Promise<{ id: string }> },
+): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  const { id } = await params;
+  const action = denyAction(id);
+  if (!action) return Response.json({ error: "not_found" }, { status: 404 });
+  return Response.json({ action });
+}

package/apps/web/app/api/actions/route.ts

@@ -0,0 +1,29 @@
+/**
+ * GET  /api/actions  — list pending/recent write actions (owner).
+ * POST /api/actions  — request a write action { projectId, tool, args, summary } (owner).
+ */
+import type { McpToolName } from "@mop/link-protocol";
+import { auth } from "@/lib/auth";
+import { listActions, requestAction } from "@/lib/brain/approvals";
+
+export async function GET(req: Request): Promise<Response> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return Response.json({ error: "unauthorized" }, { status: 401 });
+  return Response.json({ actions: listActions() });
+}
+
+export async function POST(req: Request): Promise<Response> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return Response.json({ error: "unauthorized" }, { status: 401 });
+  const body = (await req.json()) as {
+    projectId: string;
+    tool: McpToolName;
+    args: Record<string, unknown>;
+    summary?: string;
+  };
+  if (!body?.projectId || !body?.tool) {
+    return Response.json({ error: "missing_projectId_or_tool" }, { status: 400 });
+  }
+  const action = requestAction(body);
+  return Response.json({ action });
+}

package/apps/web/app/api/auth/[...all]/route.ts

@@ -0,0 +1,4 @@
+import { auth } from "@/lib/auth";
+import { toNextJsHandler } from "better-auth/next-js";
+
+export const { GET, POST } = toNextJsHandler(auth);

package/apps/web/app/api/chat/route.ts

@@ -0,0 +1,50 @@
+/**
+ * POST /api/chat — grounded chat. Owner session -> recall project context ->
+ * stream the provider's answer. Body: { projectId, message, allowCrossProject? }
+ */
+import { auth } from "@/lib/auth";
+import { recall } from "@/lib/brain/broker";
+import { resolveProvider } from "@/lib/providers";
+
+export async function POST(req: Request): Promise<Response> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return Response.json({ error: "unauthorized" }, { status: 401 });
+
+  const { projectId, message, allowCrossProject } = (await req.json()) as {
+    projectId: string;
+    message: string;
+    allowCrossProject?: boolean;
+  };
+  if (!projectId || !message) {
+    return Response.json({ error: "missing_projectId_or_message" }, { status: 400 });
+  }
+
+  const pack = await recall({ query: message, projectId, allowCrossProject: !!allowCrossProject });
+  const provider = resolveProvider(session.user.id);
+
+  const system = [
+    "You are the MOP-AGENT brain. Answer using the project context below when relevant.",
+    "If the context is empty, say so plainly.",
+    "",
+    pack.toPromptString(),
+  ].join("\n");
+
+  const encoder = new TextEncoder();
+  const stream = new ReadableStream<Uint8Array>({
+    async start(controller) {
+      try {
+        for await (const delta of provider.chat({ system, messages: [{ role: "user", content: message }] })) {
+          controller.enqueue(encoder.encode(delta));
+        }
+      } catch (e) {
+        controller.enqueue(encoder.encode(`\n[provider error: ${e instanceof Error ? e.message : String(e)}]`));
+      } finally {
+        controller.close();
+      }
+    },
+  });
+
+  return new Response(stream, {
+    headers: { "Content-Type": "text/plain; charset=utf-8", "X-Provider": provider.id },
+  });
+}

package/apps/web/app/api/consolidate/route.ts

@@ -0,0 +1,10 @@
+/** POST /api/consolidate — owner-triggered episodic→semantic consolidation. */
+import { requireRole } from "@/lib/authz";
+import { consolidate } from "@/lib/brain/consolidate";
+
+export async function POST(req: Request): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  const result = await consolidate();
+  return Response.json(result);
+}

package/apps/web/app/api/graph/route.ts

@@ -0,0 +1,34 @@
+/**
+ * GET /api/graph — Brain knowledge graph (owner).
+ * Nodes: projects, semantic notes (Main Brain), skills.
+ * Edges: semantic note / skill → each of its source projects.
+ */
+import { auth } from "@/lib/auth";
+import { listProjects } from "@/lib/link/store";
+import { listSemanticNotes } from "@/lib/brain/consolidate";
+import { listSkills } from "@/lib/brain/skills";
+
+export type GraphNode = { id: string; label: string; type: "project" | "pattern" | "skill" };
+export type GraphEdge = { from: string; to: string };
+
+export async function GET(req: Request): Promise<Response> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return Response.json({ error: "unauthorized" }, { status: 401 });
+
+  const nodes: GraphNode[] = [];
+  const edges: GraphEdge[] = [];
+
+  for (const p of listProjects()) nodes.push({ id: `project:${p.id}`, label: p.name, type: "project" });
+
+  for (const n of listSemanticNotes()) {
+    nodes.push({ id: `pattern:${n.id}`, label: n.title, type: "pattern" });
+    for (const pid of n.sourceProjects ?? []) edges.push({ from: `pattern:${n.id}`, to: `project:${pid}` });
+  }
+
+  for (const s of listSkills()) {
+    nodes.push({ id: `skill:${s.id}`, label: s.name, type: "skill" });
+    for (const pid of s.sourceProjects ?? []) edges.push({ from: `skill:${s.id}`, to: `project:${pid}` });
+  }
+
+  return Response.json({ nodes, edges });
+}

package/apps/web/app/api/invites/route.ts

@@ -0,0 +1,38 @@
+/**
+ * GET  /api/invites — list invites (owner).
+ * POST /api/invites — invite an email { email, role? } (owner). Email-scoped.
+ */
+import { eq } from "drizzle-orm";
+import { getDb } from "@/lib/db/client";
+import { invite } from "@/lib/db/schema";
+import { requireRole } from "@/lib/authz";
+
+export async function GET(req: Request): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  return Response.json({ invites: getDb().select().from(invite).all() });
+}
+
+export async function POST(req: Request): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  const body = (await req.json()) as { email?: string; role?: "member" | "owner"; ttlDays?: number };
+  if (!body?.email) return Response.json({ error: "missing_email" }, { status: 400 });
+  const role = body.role === "owner" ? "owner" : "member";
+  const expiresAt = Date.now() + (body.ttlDays ?? 7) * 86_400_000;
+  getDb()
+    .insert(invite)
+    .values({ email: body.email, role, expiresAt, usedAt: null, invitedBy: a.userId, createdAt: Date.now() })
+    .onConflictDoUpdate({ target: invite.email, set: { role, expiresAt, usedAt: null, invitedBy: a.userId } })
+    .run();
+  return Response.json({ ok: true, email: body.email, role, expiresAt });
+}
+
+export async function DELETE(req: Request): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  const email = new URL(req.url).searchParams.get("email");
+  if (!email) return Response.json({ error: "missing_email" }, { status: 400 });
+  getDb().delete(invite).where(eq(invite.email, email)).run();
+  return Response.json({ ok: true });
+}

package/apps/web/app/api/link/code/route.ts

@@ -0,0 +1,13 @@
+/**
+ * POST /api/link/code — generate a one-time pairing code for "Link Project".
+ * Owner-only: requires a valid Better Auth session.
+ */
+import { requireRole } from "@/lib/authz";
+import { createPairingCode } from "@/lib/link/store";
+
+export async function POST(req: Request): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  const { code, expiresAt } = createPairingCode();
+  return Response.json({ code, expiresAt });
+}

package/apps/web/app/api/link/pair/route.ts

@@ -0,0 +1,41 @@
+/**
+ * POST /api/link/pair  — FLOW exchanges a one-time pairing code for a link token.
+ * Body: { code, manifest }  (see @mop/link-protocol PairRequest)
+ */
+import {
+  LINK_WS_PATH,
+  type PairRequest,
+  type PairResponse,
+} from "@mop/link-protocol";
+import { consumePairingCode, registerProject } from "@/lib/link/store";
+
+export async function POST(req: Request): Promise<Response> {
+  let body: PairRequest;
+  try {
+    body = (await req.json()) as PairRequest;
+  } catch {
+    return Response.json({ error: "bad_json" }, { status: 400 });
+  }
+
+  if (!body?.code || !body?.manifest?.projectId) {
+    return Response.json({ error: "missing_code_or_manifest" }, { status: 400 });
+  }
+
+  if (!consumePairingCode(body.code)) {
+    return Response.json({ error: "invalid_or_expired_code" }, { status: 401 });
+  }
+
+  const { linkToken } = registerProject(body.manifest);
+
+  const wsUrl = new URL(req.url);
+  wsUrl.protocol = wsUrl.protocol === "https:" ? "wss:" : "ws:";
+  wsUrl.pathname = LINK_WS_PATH;
+  wsUrl.search = "";
+
+  const out: PairResponse = {
+    projectId: body.manifest.projectId,
+    linkToken,
+    wsUrl: wsUrl.toString(),
+  };
+  return Response.json(out);
+}

package/apps/web/app/api/me/route.ts

@@ -0,0 +1,11 @@
+/** GET /api/me — current user + role. */
+import { auth, getRole } from "@/lib/auth";
+
+export async function GET(req: Request): Promise<Response> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return Response.json({ error: "unauthorized" }, { status: 401 });
+  return Response.json({
+    user: { id: session.user.id, email: session.user.email, name: session.user.name },
+    role: getRole(session.user.id) ?? "member",
+  });
+}

package/apps/web/app/api/members/route.ts

@@ -0,0 +1,16 @@
+/** GET /api/members — list users + roles (owner). */
+import { getSqlite } from "@/lib/db/client";
+import { requireRole } from "@/lib/authz";
+
+export async function GET(req: Request): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  const members = getSqlite()
+    .prepare(
+      `SELECT u.id, u.email, u.name, COALESCE(r.role, 'member') AS role
+       FROM user u LEFT JOIN app_role r ON r.user_id = u.id
+       ORDER BY r.role = 'owner' DESC, u.email`,
+    )
+    .all();
+  return Response.json({ members });
+}

package/apps/web/app/api/projects/[id]/memory/route.ts

@@ -0,0 +1,12 @@
+import { auth } from "@/lib/auth";
+import { listProjectMemory } from "@/lib/brain/mirror";
+
+export async function GET(
+  req: Request,
+  { params }: { params: Promise<{ id: string }> },
+): Promise<Response> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return Response.json({ error: "unauthorized" }, { status: 401 });
+  const { id } = await params;
+  return Response.json({ memory: listProjectMemory(id) });
+}

package/apps/web/app/api/projects/[id]/state/route.ts

@@ -0,0 +1,19 @@
+import { auth } from "@/lib/auth";
+import { getMirror } from "@/lib/brain/mirror";
+
+export async function GET(
+  req: Request,
+  { params }: { params: Promise<{ id: string }> },
+): Promise<Response> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return Response.json({ error: "unauthorized" }, { status: 401 });
+  const { id } = await params;
+  const mirror = getMirror(id);
+  if (!mirror) return Response.json({ error: "not_found" }, { status: 404 });
+  return Response.json({
+    state: mirror.state,
+    artifacts: mirror.artifacts,
+    memoryCount: mirror.memoryCount,
+    updatedAt: mirror.updatedAt,
+  });
+}

package/apps/web/app/api/projects/route.ts

@@ -0,0 +1,21 @@
+/**
+ * GET /api/projects — linked projects + their live status and mirror summary.
+ */
+import { listProjects } from "@/lib/link/store";
+import { getMirror } from "@/lib/brain/mirror";
+
+export async function GET(): Promise<Response> {
+  const projects = listProjects().map((p) => {
+    const mirror = getMirror(p.id);
+    return {
+      id: p.id,
+      name: p.name,
+      status: p.status,
+      mopFlowVersion: p.mopFlowVersion,
+      lastSeenAt: p.lastSeenAt,
+      memoryCount: mirror?.memoryCount ?? 0,
+      artifactCount: mirror?.artifacts.length ?? 0,
+    };
+  });
+  return Response.json({ projects });
+}

package/apps/web/app/api/providers/route.ts

@@ -0,0 +1,32 @@
+/**
+ * GET  /api/providers — current provider config (masked) + env-key availability.
+ * POST /api/providers — set { provider, apiKey, model } (owner; key encrypted at rest).
+ */
+import { requireAuth, requireRole } from "@/lib/authz";
+import { getProviderConfigMasked, setProviderConfig, type ProviderId } from "@/lib/providers/config";
+
+export async function GET(req: Request): Promise<Response> {
+  const a = await requireAuth(req);
+  if (!a.ok) return a.response;
+  return Response.json({
+    config: getProviderConfigMasked(a.userId),
+    env: {
+      anthropic: !!process.env.ANTHROPIC_API_KEY,
+      openrouter: !!process.env.OPENROUTER_API_KEY,
+    },
+  });
+}
+
+export async function POST(req: Request): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  const body = (await req.json()) as { provider: ProviderId; apiKey: string; model?: string };
+  if (!body?.provider || !body?.apiKey) {
+    return Response.json({ error: "missing_provider_or_apiKey" }, { status: 400 });
+  }
+  if (body.provider !== "anthropic" && body.provider !== "openrouter") {
+    return Response.json({ error: "unknown_provider" }, { status: 400 });
+  }
+  setProviderConfig(a.userId, { provider: body.provider, apiKey: body.apiKey, model: body.model });
+  return Response.json({ config: getProviderConfigMasked(a.userId) });
+}

package/apps/web/app/api/semantic/route.ts

@@ -0,0 +1,9 @@
+/** GET /api/semantic — list Main Brain semantic notes (owner-only). */
+import { auth } from "@/lib/auth";
+import { listSemanticNotes } from "@/lib/brain/consolidate";
+
+export async function GET(req: Request): Promise<Response> {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session) return Response.json({ error: "unauthorized" }, { status: 401 });
+  return Response.json({ notes: listSemanticNotes() });
+}

package/apps/web/app/api/setup/status/route.ts

@@ -0,0 +1,6 @@
+/** GET /api/setup/status — whether the owner account has been created yet. */
+import { ownerExists } from "@/lib/auth";
+
+export async function GET(): Promise<Response> {
+  return Response.json({ ownerExists: ownerExists() });
+}

package/apps/web/app/api/skills/route.ts

@@ -0,0 +1,23 @@
+/**
+ * GET  /api/skills — list procedural skills (owner).
+ * POST /api/skills — add a skill { name, description, body, sourceProjects? } (owner).
+ */
+import { requireAuth, requireRole } from "@/lib/authz";
+import { addSkill, listSkills } from "@/lib/brain/skills";
+
+export async function GET(req: Request): Promise<Response> {
+  const a = await requireAuth(req);
+  if (!a.ok) return a.response;
+  return Response.json({ skills: listSkills() });
+}
+
+export async function POST(req: Request): Promise<Response> {
+  const a = await requireRole(req, ["owner"]);
+  if (!a.ok) return a.response;
+  const body = (await req.json()) as { name: string; description: string; body: string; sourceProjects?: string[] };
+  if (!body?.name || !body?.body) {
+    return Response.json({ error: "missing_name_or_body" }, { status: 400 });
+  }
+  const id = await addSkill({ name: body.name, description: body.description ?? "", body: body.body, sourceProjects: body.sourceProjects });
+  return Response.json({ id });
+}