npm - slackhive - Versions diffs - 0.1.37 → 0.1.39 - Mend

slackhive 0.1.37 → 0.1.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (542) hide show

package/apps/web/src/app/api/agents/[id]/access/route.ts ADDED Viewed

@@ -0,0 +1,76 @@
+/**
+ * @fileoverview Agent write-access management API.
+ *
+ * GET    /api/agents/[id]/access — List users with explicit write access
+ * POST   /api/agents/[id]/access — Grant write access to a user
+ * DELETE /api/agents/[id]/access — Revoke write access from a user
+ *
+ * @module web/api/agents/[id]/access
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { guardAdmin } from '@/lib/api-guard';
+import { getAgentWriteUsers, grantAgentWrite, revokeAgentWrite, getAllUsers, userCanWriteAgent } from '@/lib/db';
+import { getSessionFromRequest } from '@/lib/auth';
+/**
+ * GET /api/agents/[id]/access
+ * - For admins: returns write-grant list + all users for the assignment UI.
+ * - For editors/viewers: returns { canWrite: bool } for the current session user.
+ */
+export async function GET(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+): Promise<NextResponse> {
+  const { id } = await params;
+  const session = getSessionFromRequest(req);
+  if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  if (session.role === 'admin' || session.role === 'superadmin') {
+    const [writeUsers, allUsers] = await Promise.all([
+      getAgentWriteUsers(id),
+      getAllUsers(),
+    ]);
+    return NextResponse.json({ writeUsers, allUsers: allUsers.map(u => ({ id: u.id, username: u.username, role: u.role })) });
+  }
+  // For editors/viewers — just return their own write permission
+  const canWrite = await userCanWriteAgent(id, session.username, session.role);
+  return NextResponse.json({ canWrite });
+}
+/**
+ * POST /api/agents/[id]/access
+ * Grants write access to a user (admin only).
+ * Body: { userId: string }
+ */
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+): Promise<NextResponse> {
+  const denied = guardAdmin(req);
+  if (denied) return denied;
+  const { id } = await params;
+  const { userId } = await req.json().catch(() => ({}));
+  if (!userId) return NextResponse.json({ error: 'userId required' }, { status: 400 });
+  await grantAgentWrite(id, userId);
+  return new NextResponse(null, { status: 204 });
+}
+/**
+ * DELETE /api/agents/[id]/access
+ * Revokes write access from a user (admin only).
+ * Body: { userId: string }
+ */
+export async function DELETE(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+): Promise<NextResponse> {
+  const denied = guardAdmin(req);
+  if (denied) return denied;
+  const { id } = await params;
+  const { userId } = await req.json().catch(() => ({}));
+  if (!userId) return NextResponse.json({ error: 'userId required' }, { status: 400 });
+  await revokeAgentWrite(id, userId);
+  return new NextResponse(null, { status: 204 });
+}

package/apps/web/src/app/api/agents/[id]/claude-md/route.ts ADDED Viewed

@@ -0,0 +1,111 @@
+/**
+ * @fileoverview REST API routes for an agent's CLAUDE.md instruction file.
+ *
+ * CLAUDE.md is the agent's main identity/instruction file, stored as
+ * agents.claude_md in the database. It is separate from skills — skills
+ * are Claude Code slash commands written to .claude/commands/ at runtime.
+ *
+ * GET /api/agents/[id]/claude-md — Returns the stored CLAUDE.md content
+ *                                  with memories appended (read-only view).
+ * PUT /api/agents/[id]/claude-md — Updates agents.claude_md directly.
+ *
+ * @module web/api/agents/[id]/claude-md
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { getAgentById, getAgentMemories, updateAgentClaudeMd, publishAgentEvent, getAgentSkills, getAgentPermissions, getAgentMcpServers, createSnapshot } from '@/lib/db';
+import { guardAgentWrite } from '@/lib/api-guard';
+import { getSessionFromRequest } from '@/lib/auth';
+import { skillToSnapshotSkill } from '@/lib/compile';
+/**
+ * GET /api/agents/[id]/claude-md
+ * Returns the agent's CLAUDE.md content with memories appended.
+ *
+ * @param {NextRequest} _req
+ * @param {{ params: Promise<{ id: string }> }} ctx
+ * @returns {Promise<NextResponse>} Plain-text CLAUDE.md or 404.
+ */
+export async function GET(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const agent = await getAgentById(id);
+  if (!agent) return new NextResponse('Not found', { status: 404 });
+  const memories = await getAgentMemories(id);
+  const sections: string[] = [];
+  if (agent.claudeMd.trim()) {
+    sections.push(agent.claudeMd.trim());
+  } else {
+    // Fallback: minimal identity block if claude_md not yet set
+    const lines = [`# ${agent.name}`];
+    if (agent.persona) lines.push('', agent.persona);
+    if (agent.description) lines.push('', agent.description);
+    sections.push(lines.join('\n'));
+  }
+  if (memories.length > 0) {
+    const order = ['feedback', 'user', 'project', 'reference'];
+    const grouped = memories.reduce<Record<string, typeof memories>>((acc, m) => {
+      (acc[m.type] ??= []).push(m);
+      return acc;
+    }, {});
+    const memParts = order
+      .filter(t => grouped[t]?.length)
+      .map(t => `## ${t.charAt(0).toUpperCase() + t.slice(1)} Memories\n\n` +
+        grouped[t].map(m => `### ${m.name}\n${m.content}`).join('\n\n'));
+    sections.push(`# Agent Memory\n\n${memParts.join('\n\n')}`);
+  }
+  return new NextResponse(sections.join('\n\n'), {
+    headers: { 'Content-Type': 'text/plain; charset=utf-8' },
+  });
+}
+/**
+ * PUT /api/agents/[id]/claude-md
+ * Saves the CLAUDE.md content to agents.claude_md.
+ * Does NOT touch skills — skills are managed separately via /api/agents/[id]/skills.
+ * Body: raw text/plain content.
+ *
+ * @param {NextRequest} req
+ * @param {{ params: Promise<{ id: string }> }} ctx
+ * @returns {Promise<NextResponse>} 204 No Content or error.
+ */
+export async function PUT(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  const { id } = await params;
+  const denied = await guardAgentWrite(req, id);
+  if (denied) return denied;
+  const agent = await getAgentById(id);
+  if (!agent) return new NextResponse('Not found', { status: 404 });
+  const content = await req.text();
+  if (!content.trim()) return new NextResponse('Empty content', { status: 400 });
+  // Snapshot current state before overwriting
+  const session = getSessionFromRequest(req);
+  const [currentSkills, currentPerms, currentMcps] = await Promise.all([
+    getAgentSkills(id),
+    getAgentPermissions(id),
+    getAgentMcpServers(id),
+  ]);
+  await createSnapshot(
+    id, 'claude-md', session?.username ?? 'system', null,
+    currentSkills.map(skillToSnapshotSkill),
+    currentPerms?.allowedTools ?? [],
+    currentPerms?.deniedTools ?? [],
+    currentMcps.map(m => m.id),
+    agent.claudeMd,
+  ).catch(() => {});
+  await updateAgentClaudeMd(id, content);
+  await publishAgentEvent({ type: 'reload', agentId: id });
+  return new NextResponse(null, { status: 204 });
+}

package/apps/web/src/app/api/agents/[id]/logs/route.ts ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * @fileoverview GET /api/agents/[id]/logs
+ * Server-Sent Events (SSE) stream of live runner logs for a specific agent.
+ * Reads from the runner container's stdout via Docker logs API.
+ *
+ * NOTE: In Docker Compose, this uses `docker logs --follow --tail=100 <runner>`.
+ * The runner prefixes each log line with `[agentSlug]` so we filter by agent.
+ *
+ * @module web/api/agents/[id]/logs
+ */
+import { NextRequest } from 'next/server';
+import { getAgentById } from '@/lib/db';
+import { spawn } from 'child_process';
+/**
+ * GET /api/agents/[id]/logs
+ * Returns an SSE stream of filtered log lines for the agent.
+ *
+ * @param {NextRequest} _req
+ * @param {{ params: Promise<{ id: string }> }} ctx
+ * @returns {Response} SSE stream.
+ */
+export async function GET(
+  _req: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+): Promise<Response> {
+  const { id } = await params;
+  const agent = await getAgentById(id).catch(() => null);
+  const slug = agent?.slug ?? id;
+  const encoder = new TextEncoder();
+  const stream = new ReadableStream({
+    start(controller) {
+      // Tail the runner container logs, filtering for lines containing [slug]
+      const proc = spawn('docker', [
+        'logs', '--follow', '--tail=200',
+        'slackhive-runner-1',
+      ]);
+      function send(line: string) {
+        controller.enqueue(encoder.encode(`data: ${JSON.stringify(line)}\n\n`));
+      }
+      let buffer = '';
+      proc.stdout.on('data', (chunk: Buffer) => {
+        buffer += chunk.toString();
+        const lines = buffer.split('\n');
+        buffer = lines.pop() ?? '';
+        for (const line of lines) {
+          if (line.includes(`"agent":"${slug}"`)) send(line);
+        }
+      });
+      proc.stderr.on('data', (chunk: Buffer) => {
+        buffer += chunk.toString();
+        const lines = buffer.split('\n');
+        buffer = lines.pop() ?? '';
+        for (const line of lines) {
+          if (line.includes(`"agent":"${slug}"`)) send(line);
+        }
+      });
+      proc.on('close', () => {
+        try { controller.close(); } catch { /* already closed */ }
+      });
+      // Clean up if client disconnects
+      _req.signal.addEventListener('abort', () => {
+        proc.kill();
+        try { controller.close(); } catch { /* already closed */ }
+      });
+    },
+  });
+  return new Response(stream, {
+    headers: {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache',
+      'Connection': 'keep-alive',
+    },
+  });
+}

package/apps/web/src/app/api/agents/[id]/manifest/route.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * @fileoverview GET /api/agents/[id]/manifest
+ * Returns a generated Slack app manifest JSON for the agent onboarding wizard.
+ * Paste the output into api.slack.com/apps → Create from Manifest.
+ *
+ * @module web/api/agents/[id]/manifest
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { getAgentById } from '@/lib/db';
+import { generateSlackManifest } from '@/lib/slack-manifest';
+type RouteParams = { params: Promise<{ id: string }> };
+/**
+ * GET /api/agents/[id]/manifest
+ *
+ * @param {NextRequest} _req
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} SlackAppManifest JSON or error.
+ */
+export async function GET(_req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const agent = await getAgentById(id);
+    if (!agent) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+    const manifest = generateSlackManifest({ name: agent.name, description: agent.description, isBoss: agent.isBoss });
+    return NextResponse.json(manifest);
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}

package/apps/web/src/app/api/agents/[id]/mcps/route.ts ADDED Viewed

@@ -0,0 +1,73 @@
+/**
+ * @fileoverview REST API routes for agent MCP assignments.
+ *
+ * GET /api/agents/[id]/mcps — List MCPs assigned to this agent
+ * PUT /api/agents/[id]/mcps — Replace all MCP assignments, then trigger reload
+ *
+ * @module web/api/agents/[id]/mcps
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { getAgentById, getAgentSkills, getAgentPermissions, getAgentMcpServers, setAgentMcps, publishAgentEvent, createSnapshot } from '@/lib/db';
+import { guardAgentWrite } from '@/lib/api-guard';
+import { getSessionFromRequest } from '@/lib/auth';
+import { skillToSnapshotSkill } from '@/lib/compile';
+type RouteParams = { params: Promise<{ id: string }> };
+/**
+ * GET /api/agents/[id]/mcps
+ *
+ * @param {NextRequest} _req
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} JSON array of assigned McpServer objects.
+ */
+export async function GET(_req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const mcps = await getAgentMcpServers(id);
+    return NextResponse.json(mcps);
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}
+/**
+ * PUT /api/agents/[id]/mcps
+ * Replaces all MCP assignments for an agent and triggers a reload.
+ *
+ * @param {NextRequest} req - Body: { mcpIds: string[] }
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} 200 ok or error.
+ */
+export async function PUT(req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const denied = await guardAgentWrite(req, id);
+    if (denied) return denied;
+    const { mcpIds } = (await req.json()) as { mcpIds: string[] };
+    // Snapshot before mutation
+    const session = getSessionFromRequest(req);
+    const [agent, currentSkills, perms, currentMcps] = await Promise.all([
+      getAgentById(id),
+      getAgentSkills(id),
+      getAgentPermissions(id),
+      getAgentMcpServers(id),
+    ]);
+    await createSnapshot(
+      id, 'mcps', session?.username ?? 'system', null,
+      currentSkills.map(skillToSnapshotSkill),
+      perms?.allowedTools ?? [],
+      perms?.deniedTools ?? [],
+      currentMcps.map(m => m.id),
+      agent?.claudeMd ?? '',
+    ).catch(() => {});
+    await setAgentMcps(id, mcpIds ?? []);
+    await publishAgentEvent({ type: 'reload', agentId: id });
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}

package/apps/web/src/app/api/agents/[id]/memories/[memId]/route.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * @fileoverview DELETE /api/agents/[id]/memories/[memId]
+ * Removes a single memory entry for an agent.
+ *
+ * @module web/api/agents/[id]/memories/[memId]
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { deleteMemory } from '@/lib/db';
+import { guardAgentWrite } from '@/lib/api-guard';
+type RouteParams = { params: Promise<{ id: string; memId: string }> };
+/**
+ * DELETE /api/agents/[id]/memories/[memId]
+ *
+ * @param {NextRequest} _req
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} 204 No Content or error.
+ */
+export async function DELETE(req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id, memId } = await params;
+    const denied = await guardAgentWrite(req, id);
+    if (denied) return denied;
+    await deleteMemory(memId);
+    return new NextResponse(null, { status: 204 });
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}

package/apps/web/src/app/api/agents/[id]/memories/route.ts ADDED Viewed

@@ -0,0 +1,56 @@
+/**
+ * @fileoverview REST API routes for agent memories.
+ *
+ * GET  /api/agents/[id]/memories — List all memories for an agent
+ * POST /api/agents/[id]/memories — Create or update a memory entry
+ *
+ * @module web/api/agents/[id]/memories
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { getAgentMemories, upsertMemory } from '@/lib/db';
+import type { UpsertMemoryRequest } from '@slackhive/shared';
+import { guardAgentWrite } from '@/lib/api-guard';
+type RouteParams = { params: Promise<{ id: string }> };
+/**
+ * GET /api/agents/[id]/memories
+ *
+ * @param {NextRequest} _req
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} JSON array of Memory objects.
+ */
+export async function GET(_req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const memories = await getAgentMemories(id);
+    return NextResponse.json(memories);
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}
+/**
+ * POST /api/agents/[id]/memories
+ * Creates or updates a memory entry.
+ *
+ * @param {NextRequest} req - Body: UpsertMemoryRequest
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} The upserted Memory or error.
+ */
+export async function POST(req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const denied = await guardAgentWrite(req, id);
+    if (denied) return denied;
+    const body = (await req.json()) as UpsertMemoryRequest;
+    if (!body.type || !body.name || !body.content) {
+      return NextResponse.json({ error: 'type, name, content are required' }, { status: 400 });
+    }
+    const memory = await upsertMemory(id, body.type, body.name, body.content);
+    return NextResponse.json(memory, { status: 201 });
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}

package/apps/web/src/app/api/agents/[id]/permissions/route.ts ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+ * @fileoverview REST API routes for agent tool permissions.
+ *
+ * GET /api/agents/[id]/permissions — Get current permissions
+ * PUT /api/agents/[id]/permissions — Replace permissions, then trigger reload
+ *
+ * @module web/api/agents/[id]/permissions
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { getAgentById, getAgentSkills, getAgentPermissions, getAgentMcpServers, upsertPermissions, publishAgentEvent, createSnapshot } from '@/lib/db';
+import type { UpdatePermissionsRequest } from '@slackhive/shared';
+import { guardAgentWrite } from '@/lib/api-guard';
+import { getSessionFromRequest } from '@/lib/auth';
+import { skillToSnapshotSkill } from '@/lib/compile';
+type RouteParams = { params: Promise<{ id: string }> };
+/**
+ * GET /api/agents/[id]/permissions
+ *
+ * @param {NextRequest} _req
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} Permission object or null.
+ */
+export async function GET(_req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const perms = await getAgentPermissions(id);
+    return NextResponse.json(perms ?? { allowedTools: [], deniedTools: [] });
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}
+/**
+ * PUT /api/agents/[id]/permissions
+ * Replaces all tool permissions for an agent.
+ *
+ * @param {NextRequest} req - Body: { allowedTools: string[], deniedTools: string[] }
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} 200 ok or error.
+ */
+export async function PUT(req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const denied = await guardAgentWrite(req, id);
+    if (denied) return denied;
+    const body = (await req.json()) as UpdatePermissionsRequest;
+    // Snapshot before mutation
+    const session = getSessionFromRequest(req);
+    const [agent, currentSkills, perms, mcps] = await Promise.all([
+      getAgentById(id),
+      getAgentSkills(id),
+      getAgentPermissions(id),
+      getAgentMcpServers(id),
+    ]);
+    await createSnapshot(
+      id, 'permissions', session?.username ?? 'system', null,
+      currentSkills.map(skillToSnapshotSkill),
+      perms?.allowedTools ?? [],
+      perms?.deniedTools ?? [],
+      mcps.map(m => m.id),
+      agent?.claudeMd ?? '',
+    ).catch(() => {});
+    await upsertPermissions(id, body.allowedTools ?? [], body.deniedTools ?? []);
+    await publishAgentEvent({ type: 'reload', agentId: id });
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}

package/apps/web/src/app/api/agents/[id]/reload/route.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * @fileoverview POST /api/agents/[id]/reload
+ * Publishes a reload event: runner stops the agent, recompiles CLAUDE.md, and restarts it.
+ *
+ * @module web/api/agents/[id]/reload
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import { getAgentById, publishAgentEvent } from '@/lib/db';
+import { guardAgentWrite } from '@/lib/api-guard';
+type RouteParams = { params: Promise<{ id: string }> };
+/**
+ * POST /api/agents/[id]/reload
+ *
+ * @param {NextRequest} _req
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} 200 on success, 404 or 500 on error.
+ */
+export async function POST(req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const denied = await guardAgentWrite(req, id);
+    if (denied) return denied;
+    const agent = await getAgentById(id);
+    if (!agent) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+    await publishAgentEvent({ type: 'reload', agentId: id });
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}

package/apps/web/src/app/api/agents/[id]/restrictions/route.ts ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * @fileoverview REST API routes for per-agent channel restrictions.
+ *
+ * GET /api/agents/[id]/restrictions — Get current restrictions
+ * PUT /api/agents/[id]/restrictions — Replace restrictions, then trigger reload
+ *
+ * @module web/api/agents/[id]/restrictions
+ */
+import { NextRequest, NextResponse } from 'next/server';
+import {
+  getAgentById,
+  getAgentSkills,
+  getAgentPermissions,
+  getAgentMcpServers,
+  getAgentRestrictions,
+  upsertRestrictions,
+  publishAgentEvent,
+  createSnapshot,
+} from '@/lib/db';
+import type { UpdateRestrictionsRequest } from '@slackhive/shared';
+import { guardAgentWrite } from '@/lib/api-guard';
+import { getSessionFromRequest } from '@/lib/auth';
+import { skillToSnapshotSkill } from '@/lib/compile';
+type RouteParams = { params: Promise<{ id: string }> };
+/**
+ * GET /api/agents/[id]/restrictions
+ *
+ * @param {NextRequest} _req
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} Restriction object or empty default.
+ */
+export async function GET(_req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const restrictions = await getAgentRestrictions(id);
+    return NextResponse.json(restrictions ?? { allowedChannels: [] });
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}
+/**
+ * PUT /api/agents/[id]/restrictions
+ * Replaces channel restrictions for an agent.
+ *
+ * @param {NextRequest} req - Body: { allowedChannels: string[] }
+ * @param {RouteParams} ctx
+ * @returns {Promise<NextResponse>} 200 ok or error.
+ */
+export async function PUT(req: NextRequest, { params }: RouteParams): Promise<NextResponse> {
+  try {
+    const { id } = await params;
+    const denied = await guardAgentWrite(req, id);
+    if (denied) return denied;
+    const body = (await req.json()) as UpdateRestrictionsRequest;
+    // Snapshot before mutation
+    const session = getSessionFromRequest(req);
+    const [agent, currentSkills, perms, mcps, currentRestrictions] = await Promise.all([
+      getAgentById(id),
+      getAgentSkills(id),
+      getAgentPermissions(id),
+      getAgentMcpServers(id),
+      getAgentRestrictions(id),
+    ]);
+    await createSnapshot(
+      id, 'restrictions', session?.username ?? 'system', null,
+      currentSkills.map(skillToSnapshotSkill),
+      perms?.allowedTools ?? [],
+      perms?.deniedTools ?? [],
+      mcps.map(m => m.id),
+      agent?.claudeMd ?? '',
+      currentRestrictions?.allowedChannels ?? [],
+    ).catch(() => {});
+    await upsertRestrictions(id, body.allowedChannels ?? []);
+    await publishAgentEvent({ type: 'reload', agentId: id });
+    return NextResponse.json({ ok: true });
+  } catch (err) {
+    return NextResponse.json({ error: (err as Error).message }, { status: 500 });
+  }
+}