palaryn 0.1.0

package/dist/src/saas/routes.js

@@ -0,0 +1,1566 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createSaaSRouter = createSaaSRouter;
+const express_1 = require("express");
+const crypto = __importStar(require("crypto"));
+const crypto_1 = require("crypto");
+const memory_1 = require("../storage/memory");
+const calculator_1 = require("../trust/calculator");
+const engine_1 = require("../replay/engine");
+const plan_enforcer_1 = require("../billing/plan-enforcer");
+/** Extract a route param as string (Express 5 returns string | string[]). */
+function param(req, name) {
+    const val = req.params[name];
+    return Array.isArray(val) ? val[0] : val;
+}
+/**
+ * Require session authentication for all SaaS routes.
+ */
+function requireSession(req, res) {
+    if (!req.sessionUser) {
+        res.status(401).json({ error: 'Session authentication required' });
+        return false;
+    }
+    return true;
+}
+function createSaaSRouter(deps) {
+    const router = (0, express_1.Router)();
+    const { config, userStore, workspaceStore, workspaceMemberStore, userApiKeyStore, sessionStore, gateway } = deps;
+    // ---------------------------------------------------------------------------
+    // User Profile
+    // ---------------------------------------------------------------------------
+    router.get('/user/profile', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        res.json({
+            id: user.id,
+            email: user.email,
+            display_name: user.display_name,
+            avatar_url: user.avatar_url,
+            status: user.status,
+            onboarding_completed: user.onboarding_completed,
+            created_at: user.created_at,
+        });
+    });
+    router.put('/user/profile', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const { display_name } = req.body;
+        if (!display_name || typeof display_name !== 'string' || display_name.trim().length === 0) {
+            res.status(400).json({ error: 'display_name is required' });
+            return;
+        }
+        if (display_name.length > 100) {
+            res.status(400).json({ error: 'display_name must be 100 characters or less' });
+            return;
+        }
+        const updated = userStore.update(user.id, {
+            display_name: display_name.trim(),
+            updated_at: new Date().toISOString(),
+        });
+        res.json(updated);
+    });
+    router.put('/user/onboarding', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const updated = userStore.update(user.id, {
+            onboarding_completed: true,
+            updated_at: new Date().toISOString(),
+        });
+        res.json(updated);
+    });
+    // ---------------------------------------------------------------------------
+    // Workspaces
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const memberships = workspaceMemberStore.getByUser(user.id);
+        const workspaces = memberships.map(m => {
+            const ws = workspaceStore.getById(m.workspace_id);
+            return ws ? { ...ws, role: m.role } : null;
+        }).filter(Boolean);
+        res.json({ workspaces });
+    });
+    router.post('/workspaces', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const { name, slug } = req.body;
+        if (!name || typeof name !== 'string' || name.trim().length === 0) {
+            res.status(400).json({ error: 'name is required' });
+            return;
+        }
+        // Enforce workspace limit based on user's highest plan
+        const userWorkspaces = workspaceMemberStore.getByUser(user.id)
+            .filter(m => m.role === 'owner')
+            .map(m => workspaceStore.getById(m.workspace_id))
+            .filter(Boolean);
+        // Determine the highest plan the user owns
+        const planPriority = { free: 0, pro: 1, business: 2, enterprise: 3 };
+        let highestPlan = 'free';
+        for (const ws of userWorkspaces) {
+            const p = (ws.plan || 'free');
+            if ((planPriority[p] || 0) > (planPriority[highestPlan] || 0)) {
+                highestPlan = p;
+            }
+        }
+        const wsLimitCheck = plan_enforcer_1.PlanEnforcer.checkWorkspaceLimit(highestPlan, userWorkspaces.length);
+        if (!wsLimitCheck.allowed) {
+            res.status(403).json({ error: wsLimitCheck.reason });
+            return;
+        }
+        // Generate slug from name if not provided
+        const wsSlug = (slug || name).toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-').slice(0, 63);
+        if (workspaceStore.getBySlug(wsSlug)) {
+            res.status(409).json({ error: 'Workspace slug already taken' });
+            return;
+        }
+        const now = new Date().toISOString();
+        const workspaceId = (0, crypto_1.randomUUID)();
+        workspaceStore.create({
+            id: workspaceId,
+            name: name.trim(),
+            slug: wsSlug,
+            owner_user_id: user.id,
+            plan: 'free',
+            settings: {},
+            created_at: now,
+            updated_at: now,
+        });
+        workspaceMemberStore.create({
+            id: (0, crypto_1.randomUUID)(),
+            workspace_id: workspaceId,
+            user_id: user.id,
+            role: 'owner',
+            joined_at: now,
+        });
+        // Update session to point to this workspace
+        const sessionData = req.sessionData;
+        if (sessionData) {
+            sessionStore.update(sessionData.id, { workspace_id: workspaceId });
+        }
+        const workspace = workspaceStore.getById(workspaceId);
+        res.status(201).json(workspace);
+    });
+    router.get('/workspaces/:id', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const workspace = workspaceStore.getById(workspaceId);
+        if (!workspace) {
+            res.status(404).json({ error: 'Workspace not found' });
+            return;
+        }
+        res.json({ ...workspace, role: membership.role });
+    });
+    // ---------------------------------------------------------------------------
+    // Workspace Stats (Dashboard)
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/stats', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        // Gather stats from the gateway's audit store
+        // Match events by workspace UUID or slug (Android clients send slug as workspace_id)
+        const workspace = workspaceStore.getById(workspaceId);
+        const wsSlug = workspace?.slug;
+        const allEvents = gateway.getAuditLogger().getAllEvents();
+        const wsEvents = allEvents.filter(e => e.workspace_id === workspaceId || (wsSlug && e.workspace_id === wsSlug));
+        const recentEvents = wsEvents.filter(e => {
+            const age = Date.now() - new Date(e.timestamp).getTime();
+            return age < 86400000; // Last 24 hours
+        });
+        const members = workspaceMemberStore.getByWorkspace(workspaceId);
+        const apiKeys = userApiKeyStore.getByWorkspace(workspaceId);
+        res.json({
+            total_requests: wsEvents.length,
+            requests_24h: recentEvents.length,
+            members: members.length,
+            api_keys: apiKeys.filter(k => !k.revoked).length,
+            recent_events: recentEvents.slice(-10).reverse(),
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // Events (filterable, sortable, paginated)
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/events', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const workspace = workspaceStore.getById(workspaceId);
+        const wsSlug = workspace?.slug;
+        const allEvents = gateway.getAuditLogger().getAllEvents();
+        // Filter to this workspace (strict match — no ws_default fallback)
+        let events = allEvents.filter(e => e.workspace_id === workspaceId || (wsSlug && e.workspace_id === wsSlug));
+        // Query params
+        const eventType = req.query.event_type;
+        const toolName = req.query.tool;
+        const actorId = req.query.actor;
+        const status = req.query.status;
+        const search = req.query.q;
+        const since = req.query.since;
+        const sort = req.query.sort || 'desc';
+        const limit = Math.min(parseInt(req.query.limit) || 50, 200);
+        const offset = parseInt(req.query.offset) || 0;
+        // Apply filters
+        if (eventType) {
+            const types = eventType.split(',');
+            events = events.filter(e => types.includes(e.event_type));
+        }
+        if (toolName) {
+            events = events.filter(e => e.tool_name?.includes(toolName));
+        }
+        if (actorId) {
+            events = events.filter(e => e.actor_id?.includes(actorId));
+        }
+        if (status) {
+            const statuses = status.split(',');
+            events = events.filter(e => {
+                const s = e.metadata?.status || e.metadata?.decision || '';
+                return statuses.some(st => s.includes(st));
+            });
+        }
+        if (search) {
+            const q = search.toLowerCase();
+            events = events.filter(e => e.tool_name?.toLowerCase().includes(q) ||
+                e.actor_id?.toLowerCase().includes(q) ||
+                e.task_id?.toLowerCase().includes(q) ||
+                e.event_type?.toLowerCase().includes(q));
+        }
+        if (since) {
+            events = events.filter(e => e.timestamp >= since);
+        }
+        // Sort
+        events.sort((a, b) => {
+            const cmp = a.timestamp.localeCompare(b.timestamp);
+            return sort === 'asc' ? cmp : -cmp;
+        });
+        const total = events.length;
+        const paged = events.slice(offset, offset + limit);
+        res.json({ events: paged, total, offset, limit });
+    });
+    // ---------------------------------------------------------------------------
+    // API Keys
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/api-keys', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const keys = userApiKeyStore.getByWorkspace(workspaceId);
+        // Never return the hash, only metadata
+        res.json({
+            api_keys: keys.map(k => ({
+                id: k.id,
+                key_prefix: k.key_prefix,
+                name: k.name,
+                roles: k.roles,
+                tags: k.tags || [],
+                revoked: k.revoked,
+                last_used_at: k.last_used_at,
+                created_at: k.created_at,
+            })),
+        });
+    });
+    router.post('/workspaces/:id/api-keys', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership || (membership.role !== 'owner' && membership.role !== 'admin')) {
+            res.status(403).json({ error: 'Only workspace owners and admins can create API keys' });
+            return;
+        }
+        const { name, roles, tags } = req.body;
+        if (!name || typeof name !== 'string') {
+            res.status(400).json({ error: 'name is required' });
+            return;
+        }
+        // Validate tags
+        const parsedTags = Array.isArray(tags)
+            ? tags.filter((t) => typeof t === 'string' && t.length > 0).slice(0, 20)
+            : [];
+        // Enforce API key limit based on workspace plan
+        const wsForKeyLimit = workspaceStore.getById(workspaceId);
+        if (wsForKeyLimit) {
+            const plan = (wsForKeyLimit.plan || 'free');
+            const currentKeys = userApiKeyStore.getByWorkspace(workspaceId).filter(k => !k.revoked);
+            const keyLimitCheck = plan_enforcer_1.PlanEnforcer.checkApiKeyLimit(plan, currentKeys.length);
+            if (!keyLimitCheck.allowed) {
+                res.status(403).json({ error: keyLimitCheck.reason });
+                return;
+            }
+        }
+        // Generate a random API key (pn_<32 random hex chars>) with salted hash
+        const rawKey = `pn_${crypto.randomBytes(32).toString('hex')}`;
+        const salt = crypto.randomBytes(16).toString('hex');
+        const hash = crypto.createHash('sha256').update(salt + rawKey).digest('hex');
+        const keyHash = `${salt}:${hash}`; // salted format: "salt:hash"
+        const keyPrefix = rawKey.slice(0, 11); // "pn_" + first 8 hex
+        const apiKey = {
+            id: (0, crypto_1.randomUUID)(),
+            key_hash: keyHash,
+            key_prefix: keyPrefix,
+            user_id: user.id,
+            workspace_id: workspaceId,
+            name: name.trim(),
+            roles: Array.isArray(roles) ? roles : ['agent'],
+            tags: parsedTags,
+            revoked: false,
+            created_at: new Date().toISOString(),
+        };
+        userApiKeyStore.create(apiKey);
+        // Return the plaintext key only once
+        res.status(201).json({
+            id: apiKey.id,
+            key: rawKey,
+            key_prefix: keyPrefix,
+            name: apiKey.name,
+            roles: apiKey.roles,
+            tags: apiKey.tags,
+            workspace_id: workspaceId,
+            created_at: apiKey.created_at,
+        });
+    });
+    router.delete('/workspaces/:id/api-keys/:keyId', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const keyId = param(req, 'keyId');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership || (membership.role !== 'owner' && membership.role !== 'admin')) {
+            res.status(403).json({ error: 'Only workspace owners and admins can revoke API keys' });
+            return;
+        }
+        const key = userApiKeyStore.getById(keyId);
+        if (!key || key.workspace_id !== workspaceId) {
+            res.status(404).json({ error: 'API key not found' });
+            return;
+        }
+        userApiKeyStore.update(keyId, { revoked: true });
+        res.json({ status: 'ok', id: keyId });
+    });
+    router.patch('/workspaces/:id/api-keys/:keyId', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const keyId = param(req, 'keyId');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership || (membership.role !== 'owner' && membership.role !== 'admin')) {
+            res.status(403).json({ error: 'Only workspace owners and admins can update API keys' });
+            return;
+        }
+        const key = userApiKeyStore.getById(keyId);
+        if (!key || key.workspace_id !== workspaceId) {
+            res.status(404).json({ error: 'API key not found' });
+            return;
+        }
+        const updates = {};
+        if (req.body.name !== undefined && typeof req.body.name === 'string') {
+            updates.name = req.body.name.trim();
+        }
+        if (Array.isArray(req.body.tags)) {
+            updates.tags = req.body.tags.filter((t) => typeof t === 'string' && t.length > 0).slice(0, 20);
+        }
+        if (Object.keys(updates).length === 0) {
+            res.status(400).json({ error: 'No valid fields to update (supported: name, tags)' });
+            return;
+        }
+        const updated = userApiKeyStore.update(keyId, updates);
+        if (!updated) {
+            res.status(500).json({ error: 'Failed to update API key' });
+            return;
+        }
+        res.json({
+            id: updated.id,
+            key_prefix: updated.key_prefix,
+            name: updated.name,
+            roles: updated.roles,
+            tags: updated.tags || [],
+            revoked: updated.revoked,
+            last_used_at: updated.last_used_at,
+            created_at: updated.created_at,
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // Traces
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/traces', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const limit = Math.min(parseInt(req.query.limit) || 50, 200);
+        const offset = parseInt(req.query.offset) || 0;
+        const statusFilter = req.query.status;
+        const toolFilter = req.query.tool;
+        const eventTypeFilter = req.query.event_type;
+        const allEvents = gateway.getAuditLogger().getAllEvents();
+        // Match events by workspace UUID or slug (Android clients send slug as workspace_id)
+        const wsForTraces = workspaceStore.getById(workspaceId);
+        const slugForTraces = wsForTraces?.slug;
+        let wsEvents = allEvents
+            .filter(e => e.workspace_id === workspaceId || (slugForTraces && e.workspace_id === slugForTraces));
+        // Apply server-side filters
+        if (statusFilter) {
+            const sf = statusFilter.toLowerCase();
+            wsEvents = wsEvents.filter(e => {
+                const decision = (e.metadata?.decision || '').toLowerCase();
+                const status = (e.metadata?.status || '').toLowerCase();
+                return decision.includes(sf) || status.includes(sf) || e.event_type.toLowerCase().includes(sf);
+            });
+        }
+        if (toolFilter) {
+            const tf = toolFilter.toLowerCase();
+            wsEvents = wsEvents.filter(e => (e.tool_name || '').toLowerCase().includes(tf));
+        }
+        if (eventTypeFilter) {
+            const ef = eventTypeFilter.toLowerCase();
+            wsEvents = wsEvents.filter(e => e.event_type.toLowerCase().includes(ef));
+        }
+        wsEvents.sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+        res.json({
+            traces: wsEvents.slice(offset, offset + limit),
+            total: wsEvents.length,
+            limit,
+            offset,
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // Budgets
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/budgets', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const spending = gateway.getBudgetManager().getSpendingSummary();
+        // Use workspace-specific budget config if available, otherwise global
+        const budgetConfigStore = gateway.getBudgetConfigStore();
+        const wsConfig = budgetConfigStore?.getByWorkspaceId(workspaceId);
+        const effectiveConfig = wsConfig ? { ...config.budget, ...wsConfig } : config.budget;
+        const is_custom = !!wsConfig;
+        res.json({
+            workspace_id: workspaceId,
+            config: effectiveConfig,
+            spending,
+            is_custom,
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // Approvals (proxy to gateway's ApprovalManager)
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/approvals', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const pending = gateway.getPendingApprovals(workspaceId);
+        // Strip the JWT token — frontend only sees approval metadata
+        const approvals = pending.map(a => ({
+            approval_id: a.approval_id,
+            tool_call_id: a.tool_call_id,
+            task_id: a.task_id,
+            workspace_id: a.workspace_id,
+            actor_id: a.actor_id,
+            tool_name: a.tool_name,
+            tool_capability: a.tool_capability,
+            args_summary: a.args_summary,
+            scope: a.scope,
+            reason: a.reason,
+            status: a.status,
+            created_at: a.created_at,
+            expires_at: a.expires_at,
+        }));
+        res.json({ approvals });
+    });
+    router.post('/workspaces/:id/approvals/:approvalId/approve', async (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const approvalId = param(req, 'approvalId');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        // Verify approval exists and belongs to this workspace
+        const approval = gateway.getApprovalManager().getApproval(approvalId);
+        if (!approval) {
+            res.status(404).json({ error: 'Approval not found' });
+            return;
+        }
+        if (approval.workspace_id !== workspaceId) {
+            res.status(404).json({ error: 'Approval not found' });
+            return;
+        }
+        try {
+            await gateway.getApprovalManager().resolveById(approvalId, user.id, true);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : 'Approval failed';
+            res.status(400).json({ error: message });
+            return;
+        }
+        res.json({ status: 'approved', approval_id: approvalId });
+    });
+    router.post('/workspaces/:id/approvals/:approvalId/deny', async (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const approvalId = param(req, 'approvalId');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const approvalRecord = gateway.getApprovalManager().getApproval(approvalId);
+        if (!approvalRecord) {
+            res.status(404).json({ error: 'Approval not found' });
+            return;
+        }
+        if (approvalRecord.workspace_id !== workspaceId) {
+            res.status(404).json({ error: 'Approval not found' });
+            return;
+        }
+        const reason = req.body?.reason || 'Denied via SaaS dashboard';
+        try {
+            await gateway.getApprovalManager().resolveById(approvalId, user.id, false, reason);
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : 'Denial failed';
+            res.status(400).json({ error: message });
+            return;
+        }
+        res.json({ status: 'denied', approval_id: approvalId });
+    });
+    // ---------------------------------------------------------------------------
+    // Policies (workspace-aware CRUD)
+    // ---------------------------------------------------------------------------
+    // Ensure a PolicyStore is available on the gateway
+    if (!gateway.getPolicyStore()) {
+        gateway.setStores({ policyStore: deps.policyStore || new memory_1.InMemoryPolicyStore() });
+    }
+    const policyStore = gateway.getPolicyStore();
+    router.get('/workspaces/:id/policies', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const { policy, is_custom } = gateway.getWorkspacePolicy(workspaceId);
+        res.json({ policy, is_custom });
+    });
+    router.put('/workspaces/:id/policies', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        if (!['owner', 'admin'].includes(membership.role)) {
+            res.status(403).json({ error: 'Only workspace owners and admins can modify policies' });
+            return;
+        }
+        const body = req.body;
+        const validation = gateway.validatePolicy(body);
+        if (!validation.valid) {
+            res.status(400).json({ valid: false, errors: validation.errors });
+            return;
+        }
+        policyStore.set(workspaceId, body);
+        gateway.getAuditLogger().log({
+            event_type: 'POLICY_UPDATED',
+            tool_call_id: '',
+            task_id: '',
+            workspace_id: workspaceId,
+            actor_id: user.id,
+            tool_name: '',
+            metadata: { policy_name: body.name, policy_version: body.version, updated_by: user.id },
+        });
+        res.json({ policy: body, is_custom: true });
+    });
+    router.delete('/workspaces/:id/policies', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        if (!['owner', 'admin'].includes(membership.role)) {
+            res.status(403).json({ error: 'Only workspace owners and admins can modify policies' });
+            return;
+        }
+        policyStore.delete(workspaceId);
+        gateway.getAuditLogger().log({
+            event_type: 'POLICY_RESET',
+            tool_call_id: '',
+            task_id: '',
+            workspace_id: workspaceId,
+            actor_id: user.id,
+            tool_name: '',
+            metadata: { reset_by: user.id },
+        });
+        const policy = gateway.getCurrentPolicy();
+        res.json({ status: 'reset', policy, is_custom: false });
+    });
+    router.post('/workspaces/:id/policies/validate', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const body = req.body;
+        const validation = gateway.validatePolicy(body);
+        res.json(validation);
+    });
+    // ---------------------------------------------------------------------------
+    // Policy Rule Generation (LLM-powered)
+    // ---------------------------------------------------------------------------
+    router.post('/workspaces/:id/policies/generate-rule', async (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const apiKey = process.env.PALARYN_LLM_API_KEY;
+        if (!apiKey) {
+            res.status(503).json({ error: 'AI rule generation is not configured. Set PALARYN_LLM_API_KEY environment variable.' });
+            return;
+        }
+        const { description } = req.body;
+        if (!description || typeof description !== 'string' || description.trim().length === 0) {
+            res.status(400).json({ error: 'description is required' });
+            return;
+        }
+        const trimmed = description.trim().slice(0, 500);
+        const systemPrompt = `You are a policy rule generator for Palaryn, an AI agent gateway. Given a natural language description, generate a single JSON PolicyRule object.
+
+The PolicyRule schema:
+{
+  "name": string,           // Short kebab-case name for the rule
+  "description": string,    // Human-readable description
+  "effect": "ALLOW" | "DENY" | "REQUIRE_APPROVAL" | "TRANSFORM",
+  "priority": number,       // Lower = higher precedence (1-100)
+  "conditions": {
+    "tools": string[],           // Tool names: "http.request", "slack.post_message", etc.
+    "tool_match": string,        // Regex pattern for tool name matching
+    "capabilities": string[],    // "read", "write", "delete", "admin"
+    "actors": string[],          // Actor/agent IDs
+    "actor_types": string[],     // "agent", "user", "system"
+    "domains": string[],         // URL domains: "api.github.com", "*.googleapis.com"
+    "domain_blocklist": string[],// Blocked domains
+    "methods": string[],         // HTTP methods: "GET", "POST", "PUT", "DELETE", "PATCH"
+    "labels": string[],          // Context labels
+    "platforms": string[],       // Source platforms: "langgraph", "claude_code", "n8n", "custom"
+    "workspace_ids": string[]    // Specific workspace IDs
+  },
+  "approval": {                  // Only when effect is REQUIRE_APPROVAL
+    "scope": string,
+    "ttl_seconds": number,
+    "reason": string
+  }
+}
+
+Rules:
+- Only include condition fields that are relevant to the description. Omit empty arrays.
+- Use "DENY" for blocking, "ALLOW" for permitting, "REQUIRE_APPROVAL" when human approval is needed.
+- For domain wildcards use "*.example.com" format.
+- IMPORTANT: Always pair capabilities with matching methods. read → ["GET","HEAD","OPTIONS"], write → ["POST","PUT","PATCH"], delete → ["DELETE"], admin → all methods.
+- When the description says "read-only", set capabilities to ["read"] AND methods to ["GET","HEAD","OPTIONS"].
+- Return ONLY the JSON object, no markdown fences, no explanation.
+
+Examples:
+Input: "Allow GET requests to GitHub and Google APIs"
+Output: {"name":"allow-get-github-google","description":"Allow GET requests to GitHub and Google APIs","effect":"ALLOW","priority":10,"conditions":{"tools":["http.request"],"capabilities":["read"],"methods":["GET"],"domains":["api.github.com","*.googleapis.com"]}}
+
+Input: "Block all delete operations"
+Output: {"name":"block-delete-ops","description":"Block all delete operations","effect":"DENY","priority":5,"conditions":{"capabilities":["delete"],"methods":["DELETE"]}}
+
+Input: "Allow read-only access"
+Output: {"name":"allow-read-only","description":"Allow read-only access","effect":"ALLOW","priority":10,"conditions":{"capabilities":["read"],"methods":["GET","HEAD","OPTIONS"]}}
+
+Input: "Require approval for write operations to Slack"
+Output: {"name":"approve-slack-writes","description":"Require approval for write operations to Slack","effect":"REQUIRE_APPROVAL","priority":15,"conditions":{"capabilities":["write"],"methods":["POST","PUT","PATCH"],"domains":["api.slack.com"]},"approval":{"scope":"team_lead","ttl_seconds":3600,"reason":"Write operations to Slack require approval"}}`;
+        try {
+            const controller = new AbortController();
+            const timeout = setTimeout(() => controller.abort(), 15000);
+            const llmRes = await fetch('https://api.anthropic.com/v1/messages', {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'x-api-key': apiKey,
+                    'anthropic-version': '2023-06-01',
+                },
+                body: JSON.stringify({
+                    model: 'claude-sonnet-4-5-20250929',
+                    max_tokens: 1024,
+                    system: systemPrompt,
+                    messages: [{ role: 'user', content: trimmed }],
+                }),
+                signal: controller.signal,
+            });
+            clearTimeout(timeout);
+            if (!llmRes.ok) {
+                const errBody = await llmRes.text();
+                console.error('[generate-rule] LLM API error:', llmRes.status, errBody);
+                res.status(502).json({ error: 'Failed to generate rule. LLM API returned an error.' });
+                return;
+            }
+            const llmData = await llmRes.json();
+            const text = llmData.content?.[0]?.text || '';
+            // Strip markdown code fences if present
+            const cleaned = text.replace(/^```(?:json)?\s*/i, '').replace(/\s*```\s*$/i, '').trim();
+            let rule;
+            try {
+                rule = JSON.parse(cleaned);
+            }
+            catch {
+                console.error('[generate-rule] Failed to parse LLM output:', cleaned);
+                res.status(500).json({ error: 'Failed to parse generated rule. Please try rephrasing your description.' });
+                return;
+            }
+            // Normalize effect to uppercase
+            if (rule.effect && typeof rule.effect === 'string') {
+                rule.effect = rule.effect.toUpperCase();
+            }
+            // Ensure required fields exist
+            if (!rule.name)
+                rule.name = 'generated-rule';
+            if (!rule.conditions)
+                rule.conditions = {};
+            if (!rule.effect)
+                rule.effect = 'DENY';
+            // Strip unknown top-level fields
+            const validKeys = ['name', 'description', 'effect', 'priority', 'conditions', 'transformations', 'approval'];
+            for (const key of Object.keys(rule)) {
+                if (!validKeys.includes(key))
+                    delete rule[key];
+            }
+            res.json({ rule });
+        }
+        catch (err) {
+            if (err.name === 'AbortError') {
+                res.status(504).json({ error: 'Rule generation timed out. Please try again.' });
+                return;
+            }
+            console.error('[generate-rule] Unexpected error:', err);
+            res.status(500).json({ error: 'Failed to generate rule. Please try again.' });
+        }
+    });
+    // ---------------------------------------------------------------------------
+    // Security (DLP detections dashboard)
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/security', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const limit = Math.min(parseInt(req.query.limit) || 50, 200);
+        const offset = parseInt(req.query.offset) || 0;
+        const allDlpEvents = gateway.getAuditLogger().getEventsByType('DLP_SCANNED');
+        const workspace = workspaceStore.getById(workspaceId);
+        const wsSlug = workspace?.slug;
+        const wsEvents = allDlpEvents
+            .filter(e => e.workspace_id === workspaceId || (wsSlug && e.workspace_id === wsSlug))
+            .sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+        // Compute severity stats
+        let high = 0, medium = 0, low = 0;
+        const patternSet = new Set();
+        for (const e of wsEvents) {
+            const severity = e.metadata?.severity;
+            if (severity === 'high')
+                high++;
+            else if (severity === 'medium')
+                medium++;
+            else
+                low++;
+            const detected = e.metadata?.detected;
+            if (Array.isArray(detected)) {
+                for (const p of detected)
+                    patternSet.add(p);
+            }
+        }
+        res.json({
+            events: wsEvents.slice(offset, offset + limit),
+            total: wsEvents.length,
+            limit,
+            offset,
+            stats: {
+                total: wsEvents.length,
+                high,
+                medium,
+                low,
+                unique_patterns: patternSet.size,
+            },
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // Workspace Switch
+    // ---------------------------------------------------------------------------
+    router.post('/workspaces/:id/switch', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const workspace = workspaceStore.getById(workspaceId);
+        if (!workspace) {
+            res.status(404).json({ error: 'Workspace not found' });
+            return;
+        }
+        // Update session to point to this workspace
+        const sessionData = req.sessionData;
+        if (sessionData) {
+            sessionStore.update(sessionData.id, { workspace_id: workspaceId });
+        }
+        res.json({ ...workspace, role: membership.role });
+    });
+    // ---------------------------------------------------------------------------
+    // Members
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/members', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const members = workspaceMemberStore.getByWorkspace(workspaceId);
+        const enriched = members.map(m => {
+            const u = userStore.getById(m.user_id);
+            return {
+                id: m.id,
+                user_id: m.user_id,
+                role: m.role,
+                joined_at: m.joined_at,
+                email: u?.email || '',
+                display_name: u?.display_name || '',
+            };
+        });
+        res.json({ members: enriched, viewer_role: membership.role });
+    });
+    router.put('/workspaces/:id/members/:memberId', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const memberId = param(req, 'memberId');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership || (membership.role !== 'owner' && membership.role !== 'admin')) {
+            res.status(403).json({ error: 'Only workspace owners and admins can change roles' });
+            return;
+        }
+        const target = workspaceMemberStore.getById(memberId);
+        if (!target || target.workspace_id !== workspaceId) {
+            res.status(404).json({ error: 'Member not found' });
+            return;
+        }
+        // Cannot change own role
+        if (target.user_id === user.id) {
+            res.status(400).json({ error: 'Cannot change your own role' });
+            return;
+        }
+        const { role } = req.body;
+        const validRoles = ['owner', 'admin', 'member', 'viewer'];
+        if (!role || !validRoles.includes(role)) {
+            res.status(400).json({ error: `role must be one of: ${validRoles.join(', ')}` });
+            return;
+        }
+        const updated = workspaceMemberStore.update(memberId, { role });
+        res.json(updated);
+    });
+    router.delete('/workspaces/:id/members/:memberId', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const memberId = param(req, 'memberId');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership || (membership.role !== 'owner' && membership.role !== 'admin')) {
+            res.status(403).json({ error: 'Only workspace owners and admins can remove members' });
+            return;
+        }
+        const target = workspaceMemberStore.getById(memberId);
+        if (!target || target.workspace_id !== workspaceId) {
+            res.status(404).json({ error: 'Member not found' });
+            return;
+        }
+        // Cannot remove yourself
+        if (target.user_id === user.id) {
+            res.status(400).json({ error: 'Cannot remove yourself' });
+            return;
+        }
+        // Prevent removing the last owner
+        if (target.role === 'owner') {
+            const owners = workspaceMemberStore.getByWorkspace(workspaceId).filter(m => m.role === 'owner');
+            if (owners.length <= 1) {
+                res.status(400).json({ error: 'Cannot remove the last owner' });
+                return;
+            }
+        }
+        workspaceMemberStore.delete(memberId);
+        res.json({ status: 'ok', id: memberId });
+    });
+    router.post('/workspaces/:id/members', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership || (membership.role !== 'owner' && membership.role !== 'admin')) {
+            res.status(403).json({ error: 'Only workspace owners and admins can add members' });
+            return;
+        }
+        const { email, role } = req.body;
+        if (!email || typeof email !== 'string') {
+            res.status(400).json({ error: 'email is required' });
+            return;
+        }
+        // Enforce member limit based on workspace plan
+        const wsForLimit = workspaceStore.getById(workspaceId);
+        if (wsForLimit) {
+            const plan = (wsForLimit.plan || 'free');
+            const currentMembers = workspaceMemberStore.getByWorkspace(workspaceId);
+            const memberLimitCheck = plan_enforcer_1.PlanEnforcer.checkMemberLimit(plan, currentMembers.length);
+            if (!memberLimitCheck.allowed) {
+                res.status(403).json({ error: memberLimitCheck.reason });
+                return;
+            }
+        }
+        const validRoles = ['admin', 'member', 'viewer'];
+        const memberRole = validRoles.includes(role) ? role : 'member';
+        const targetUser = userStore.getByEmail(email.trim().toLowerCase());
+        if (!targetUser) {
+            res.status(404).json({ error: 'User not found' });
+            return;
+        }
+        // Check if already a member
+        const existing = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, targetUser.id);
+        if (existing) {
+            res.status(409).json({ error: 'User is already a member of this workspace' });
+            return;
+        }
+        const newMember = {
+            id: (0, crypto_1.randomUUID)(),
+            workspace_id: workspaceId,
+            user_id: targetUser.id,
+            role: memberRole,
+            joined_at: new Date().toISOString(),
+        };
+        workspaceMemberStore.create(newMember);
+        const enriched = {
+            id: newMember.id,
+            user_id: targetUser.id,
+            role: newMember.role,
+            joined_at: newMember.joined_at,
+            email: targetUser.email,
+            display_name: targetUser.display_name,
+        };
+        res.status(201).json(enriched);
+    });
+    // ---------------------------------------------------------------------------
+    // Trace Detail (single task)
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/traces/:taskId', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const taskId = param(req, 'taskId');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const events = gateway.getTaskTrace(taskId);
+        // Filter to events belonging to this workspace
+        const workspace = workspaceStore.getById(workspaceId);
+        const wsSlug = workspace?.slug;
+        const filteredEvents = events.filter(e => e.workspace_id === workspaceId || (wsSlug && e.workspace_id === wsSlug));
+        // Cap at 200 events to prevent UI overload
+        res.json({
+            task_id: taskId,
+            events: filteredEvents.slice(0, 200),
+            total: filteredEvents.length,
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // Dashboard Stats (aggregated metrics for dashboard widgets)
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/dashboard/stats', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const workspace = workspaceStore.getById(workspaceId);
+        const wsSlug = workspace?.slug;
+        // Use the audit logger's getEventStats for aggregated metrics
+        // Pass both workspace UUID and slug to match events (no ws_default — strict isolation)
+        const stats = gateway.getAuditLogger().getEventStats(workspaceId, 24);
+        const slugStats = wsSlug ? gateway.getAuditLogger().getEventStats(wsSlug, 24) : null;
+        // Merge stats from UUID and slug matches only
+        const allStats = [stats, slugStats].filter((s) => s !== null);
+        const mergeSum = (fn) => allStats.reduce((acc, s) => acc + fn(s), 0);
+        const metrics = {
+            requests_per_minute: Math.round(mergeSum(s => s.requests_per_minute) * 10) / 10,
+            blocked_24h: mergeSum(s => s.blocked_count),
+            avg_latency_ms: Math.round(stats.avg_duration_ms || slugStats?.avg_duration_ms || 0),
+            active_agents: mergeSum(s => s.active_agents),
+            pending_approvals: gateway.getPendingApprovals(workspaceId).length,
+            budget_burn_percent: 0,
+        };
+        // Compute budget burn
+        const spending = gateway.getBudgetManager().getSpendingSummary();
+        const budgetConfig = config.budget;
+        if (budgetConfig.workspace_monthly_budget_usd && budgetConfig.workspace_monthly_budget_usd > 0) {
+            metrics.budget_burn_percent = Math.round((spending.workspace_monthly_total / budgetConfig.workspace_monthly_budget_usd) * 100);
+        }
+        // Shield score: compute from policy breakdown (across all matching workspace IDs)
+        const totalDecisions = allStats.reduce((acc, s) => acc + Object.values(s.policy_breakdown).reduce((sum, n) => sum + n, 0), 0);
+        const allowCount = allStats.reduce((acc, s) => acc + (s.policy_breakdown['allow'] || 0), 0);
+        const transformCount = allStats.reduce((acc, s) => acc + (s.policy_breakdown['transform'] || 0), 0);
+        const approvalCount = allStats.reduce((acc, s) => acc + (s.policy_breakdown['require_approval'] || 0), 0);
+        const denyCount = allStats.reduce((acc, s) => acc + (s.policy_breakdown['deny'] || 0), 0);
+        const shield_score = {
+            score: totalDecisions > 0 ? Math.round(((allowCount + transformCount) / totalDecisions) * 100) : 100,
+            breakdown: {
+                allowed_percent: totalDecisions > 0 ? Math.round((allowCount / totalDecisions) * 100) : 100,
+                transformed_percent: totalDecisions > 0 ? Math.round((transformCount / totalDecisions) * 100) : 0,
+                approval_percent: totalDecisions > 0 ? Math.round((approvalCount / totalDecisions) * 100) : 0,
+                blocked_percent: totalDecisions > 0 ? Math.round((denyCount / totalDecisions) * 100) : 0,
+            },
+        };
+        // Pipeline throughput from stats (merged across all matching workspace IDs)
+        const pipeline_throughput = stats.pipeline_throughput.map(stage => ({
+            ...stage,
+            passed: allStats.reduce((acc, s) => acc + (s.pipeline_throughput.find(t => t.stage === stage.stage)?.passed || 0), 0),
+            failed: allStats.reduce((acc, s) => acc + (s.pipeline_throughput.find(t => t.stage === stage.stage)?.failed || 0), 0),
+        }));
+        res.json({
+            metrics,
+            shield_score,
+            pipeline_throughput,
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // Anomaly Baseline (for anomaly radar widget)
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/anomalies/baseline', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const detector = gateway.getAnomalyDetector();
+        if (!detector) {
+            res.json({ current: {}, baseline: {}, alerts: [] });
+            return;
+        }
+        const report = detector.getBaselineReport();
+        res.json(report);
+    });
+    // ---------------------------------------------------------------------------
+    // Agent Trust Score
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/agents/:actorId/trust', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const actorId = param(req, 'actorId');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const detector = gateway.getAnomalyDetector();
+        if (!detector) {
+            res.json({ actor_id: actorId, score: 100, risk_level: 'low', breakdown: {}, calculated_at: new Date().toISOString() });
+            return;
+        }
+        const calculator = new calculator_1.TrustScoreCalculator(detector, gateway.getAuditLogger(), gateway.getBudgetManager());
+        res.json(calculator.calculate(actorId));
+    });
+    router.get('/workspaces/:id/agents/trust-leaderboard', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        // Get distinct actor IDs from workspace events
+        const workspace = workspaceStore.getById(workspaceId);
+        const wsSlug = workspace?.slug;
+        const allEvents = gateway.getAuditLogger().getAllEvents();
+        const actorIds = new Set();
+        for (const e of allEvents) {
+            if (e.workspace_id === workspaceId || (wsSlug && e.workspace_id === wsSlug)) {
+                if (e.actor_id)
+                    actorIds.add(e.actor_id);
+            }
+        }
+        const detector = gateway.getAnomalyDetector();
+        if (!detector || actorIds.size === 0) {
+            res.json({ agents: [] });
+            return;
+        }
+        const calculator = new calculator_1.TrustScoreCalculator(detector, gateway.getAuditLogger(), gateway.getBudgetManager());
+        const leaderboard = calculator.getLeaderboard([...actorIds]);
+        res.json({ agents: leaderboard });
+    });
+    // ---------------------------------------------------------------------------
+    // Session Replay
+    // ---------------------------------------------------------------------------
+    router.post('/workspaces/:id/replay', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const { task_id, policy_pack_path } = req.body;
+        if (!task_id || typeof task_id !== 'string') {
+            res.status(400).json({ error: 'task_id is required' });
+            return;
+        }
+        if (!policy_pack_path || typeof policy_pack_path !== 'string') {
+            res.status(400).json({ error: 'policy_pack_path is required' });
+            return;
+        }
+        const engine = new engine_1.SessionReplayEngine(gateway.getAuditLogger());
+        const result = engine.replay(task_id, policy_pack_path);
+        res.json(result);
+    });
+    // ---------------------------------------------------------------------------
+    // LLM Usage (model/provider breakdown)
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/llm-usage', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const range = req.query.range || '24h';
+        const rangeMs = {
+            '1h': 3600000,
+            '6h': 21600000,
+            '24h': 86400000,
+            '7d': 604800000,
+            '30d': 2592000000,
+        };
+        const windowMs = rangeMs[range] || rangeMs['24h'];
+        const cutoff = Date.now() - windowMs;
+        const workspace = workspaceStore.getById(workspaceId);
+        const wsSlug = workspace?.slug;
+        const allEvents = gateway.getAuditLogger().getAllEvents();
+        // Filter events that have model metadata and belong to this workspace
+        const wsEvents = allEvents.filter(e => {
+            if (e.workspace_id !== workspaceId && (!wsSlug || e.workspace_id !== wsSlug))
+                return false;
+            if (new Date(e.timestamp).getTime() < cutoff)
+                return false;
+            return e.metadata?.model;
+        });
+        // Aggregate by model
+        const modelMap = new Map();
+        let totalRequests = 0;
+        let totalCostUsd = 0;
+        let totalTokens = 0;
+        let totalLatencyMs = 0;
+        for (const e of wsEvents) {
+            const model = e.metadata.model;
+            const provider = e.metadata.provider || 'unknown';
+            const inputTokens = e.metadata.input_tokens || 0;
+            const outputTokens = e.metadata.output_tokens || 0;
+            const costUsd = e.metadata.cost_usd || 0;
+            const durationMs = e.metadata.duration_ms || 0;
+            let entry = modelMap.get(model);
+            if (!entry) {
+                entry = { model, provider, requests: 0, input_tokens: 0, output_tokens: 0, cost_usd: 0, total_latency_ms: 0 };
+                modelMap.set(model, entry);
+            }
+            entry.requests++;
+            entry.input_tokens += inputTokens;
+            entry.output_tokens += outputTokens;
+            entry.cost_usd += costUsd;
+            entry.total_latency_ms += durationMs;
+            totalRequests++;
+            totalCostUsd += costUsd;
+            totalTokens += inputTokens + outputTokens;
+            totalLatencyMs += durationMs;
+        }
+        const byModel = Array.from(modelMap.values()).map(m => ({
+            model: m.model,
+            provider: m.provider,
+            requests: m.requests,
+            input_tokens: m.input_tokens,
+            output_tokens: m.output_tokens,
+            cost_usd: m.cost_usd,
+            avg_latency_ms: m.requests > 0 ? Math.round(m.total_latency_ms / m.requests) : 0,
+        })).sort((a, b) => b.requests - a.requests);
+        // Build time series (bucket events into intervals)
+        const bucketCount = Math.min(24, Math.max(6, Math.floor(windowMs / 3600000)));
+        const bucketMs = windowMs / bucketCount;
+        const timeSeries = [];
+        for (let i = 0; i < bucketCount; i++) {
+            const bucketStart = cutoff + i * bucketMs;
+            const bucketEnd = bucketStart + bucketMs;
+            let requests = 0;
+            let cost = 0;
+            let tokens = 0;
+            for (const e of wsEvents) {
+                const t = new Date(e.timestamp).getTime();
+                if (t >= bucketStart && t < bucketEnd) {
+                    requests++;
+                    cost += e.metadata.cost_usd || 0;
+                    tokens += (e.metadata.input_tokens || 0) + (e.metadata.output_tokens || 0);
+                }
+            }
+            timeSeries.push({
+                timestamp: new Date(bucketStart).toISOString(),
+                requests,
+                cost_usd: cost,
+                tokens,
+            });
+        }
+        res.json({
+            summary: {
+                total_requests: totalRequests,
+                total_cost_usd: totalCostUsd,
+                total_tokens: totalTokens,
+                avg_latency_ms: totalRequests > 0 ? Math.round(totalLatencyMs / totalRequests) : 0,
+            },
+            by_model: byModel,
+            time_series: timeSeries,
+        });
+    });
+    // ---------------------------------------------------------------------------
+    // Per-Workspace Rate Limit Configuration
+    // ---------------------------------------------------------------------------
+    // Ensure stores are available on the gateway
+    if (!gateway.getRateLimitConfigStore()) {
+        gateway.setStores({ rateLimitConfigStore: deps.rateLimitConfigStore || new memory_1.InMemoryRateLimitConfigStore() });
+    }
+    const rateLimitConfigStore = gateway.getRateLimitConfigStore();
+    if (!gateway.getBudgetConfigStore()) {
+        gateway.setStores({ budgetConfigStore: deps.budgetConfigStore || new memory_1.InMemoryBudgetConfigStore() });
+    }
+    const budgetConfigStore = gateway.getBudgetConfigStore();
+    router.get('/workspaces/:id/rate-limits', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const wsConfig = rateLimitConfigStore.getByWorkspaceId(workspaceId);
+        const globalConfig = config.rate_limit || { enabled: false, actor_max_per_window: 100, workspace_max_per_window: 500, window_ms: 60000 };
+        const effectiveConfig = wsConfig ? { ...globalConfig, ...wsConfig } : globalConfig;
+        res.json({ config: effectiveConfig, is_custom: !!wsConfig });
+    });
+    router.put('/workspaces/:id/rate-limits', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        if (!['owner', 'admin'].includes(membership.role)) {
+            res.status(403).json({ error: 'Only workspace owners and admins can modify rate limits' });
+            return;
+        }
+        const body = req.body;
+        // Validate: all values must be positive numbers if present
+        const errors = [];
+        if (body.actor_max_per_window !== undefined && (typeof body.actor_max_per_window !== 'number' || body.actor_max_per_window <= 0)) {
+            errors.push('actor_max_per_window must be a positive number');
+        }
+        if (body.workspace_max_per_window !== undefined && (typeof body.workspace_max_per_window !== 'number' || body.workspace_max_per_window <= 0)) {
+            errors.push('workspace_max_per_window must be a positive number');
+        }
+        if (body.window_ms !== undefined && (typeof body.window_ms !== 'number' || body.window_ms <= 0)) {
+            errors.push('window_ms must be a positive number');
+        }
+        if (errors.length > 0) {
+            res.status(400).json({ error: 'Validation failed', errors });
+            return;
+        }
+        const clean = {};
+        if (body.actor_max_per_window !== undefined)
+            clean.actor_max_per_window = body.actor_max_per_window;
+        if (body.workspace_max_per_window !== undefined)
+            clean.workspace_max_per_window = body.workspace_max_per_window;
+        if (body.window_ms !== undefined)
+            clean.window_ms = body.window_ms;
+        rateLimitConfigStore.set(workspaceId, clean);
+        gateway.getAuditLogger().log({
+            event_type: 'RATE_LIMIT_CONFIG_UPDATED',
+            tool_call_id: '',
+            task_id: '',
+            workspace_id: workspaceId,
+            actor_id: user.id,
+            tool_name: '',
+            metadata: { config: clean, updated_by: user.id },
+        });
+        const globalConfig = config.rate_limit || { enabled: false, actor_max_per_window: 100, workspace_max_per_window: 500, window_ms: 60000 };
+        res.json({ config: { ...globalConfig, ...clean }, is_custom: true });
+    });
+    router.delete('/workspaces/:id/rate-limits', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        if (!['owner', 'admin'].includes(membership.role)) {
+            res.status(403).json({ error: 'Only workspace owners and admins can modify rate limits' });
+            return;
+        }
+        rateLimitConfigStore.delete(workspaceId);
+        gateway.getAuditLogger().log({
+            event_type: 'RATE_LIMIT_CONFIG_RESET',
+            tool_call_id: '',
+            task_id: '',
+            workspace_id: workspaceId,
+            actor_id: user.id,
+            tool_name: '',
+            metadata: { reset_by: user.id },
+        });
+        const globalConfig = config.rate_limit || { enabled: false, actor_max_per_window: 100, workspace_max_per_window: 500, window_ms: 60000 };
+        res.json({ status: 'reset', config: globalConfig, is_custom: false });
+    });
+    // ---------------------------------------------------------------------------
+    // Per-Workspace Budget Configuration
+    // ---------------------------------------------------------------------------
+    router.get('/workspaces/:id/budget-config', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        const wsConfig = budgetConfigStore.getByWorkspaceId(workspaceId);
+        const effectiveConfig = wsConfig ? { ...config.budget, ...wsConfig } : config.budget;
+        res.json({ config: effectiveConfig, is_custom: !!wsConfig });
+    });
+    router.put('/workspaces/:id/budget-config', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        if (!['owner', 'admin'].includes(membership.role)) {
+            res.status(403).json({ error: 'Only workspace owners and admins can modify budget config' });
+            return;
+        }
+        const body = req.body;
+        // Validate: all values must be positive numbers if present
+        const errors = [];
+        const numFields = [
+            'task_budget_usd', 'user_daily_budget_usd', 'user_monthly_budget_usd',
+            'workspace_daily_budget_usd', 'workspace_monthly_budget_usd',
+            'max_steps_per_task', 'max_retries_per_call', 'max_wall_clock_ms',
+        ];
+        for (const field of numFields) {
+            const val = body[field];
+            if (val !== undefined && (typeof val !== 'number' || val <= 0)) {
+                errors.push(`${field} must be a positive number`);
+            }
+        }
+        if (errors.length > 0) {
+            res.status(400).json({ error: 'Validation failed', errors });
+            return;
+        }
+        const clean = {};
+        for (const field of numFields) {
+            if (body[field] !== undefined)
+                clean[field] = body[field];
+        }
+        budgetConfigStore.set(workspaceId, clean);
+        gateway.getAuditLogger().log({
+            event_type: 'BUDGET_CONFIG_UPDATED',
+            tool_call_id: '',
+            task_id: '',
+            workspace_id: workspaceId,
+            actor_id: user.id,
+            tool_name: '',
+            metadata: { config: clean, updated_by: user.id },
+        });
+        res.json({ config: { ...config.budget, ...clean }, is_custom: true });
+    });
+    router.delete('/workspaces/:id/budget-config', (req, res) => {
+        if (!requireSession(req, res))
+            return;
+        const user = req.sessionUser;
+        const workspaceId = param(req, 'id');
+        const membership = workspaceMemberStore.getByWorkspaceAndUser(workspaceId, user.id);
+        if (!membership) {
+            res.status(403).json({ error: 'Not a member of this workspace' });
+            return;
+        }
+        if (!['owner', 'admin'].includes(membership.role)) {
+            res.status(403).json({ error: 'Only workspace owners and admins can modify budget config' });
+            return;
+        }
+        budgetConfigStore.delete(workspaceId);
+        gateway.getAuditLogger().log({
+            event_type: 'BUDGET_CONFIG_RESET',
+            tool_call_id: '',
+            task_id: '',
+            workspace_id: workspaceId,
+            actor_id: user.id,
+            tool_name: '',
+            metadata: { reset_by: user.id },
+        });
+        res.json({ status: 'reset', config: config.budget, is_custom: false });
+    });
+    return router;
+}
+//# sourceMappingURL=routes.js.map