stagent 0.9.5 → 0.10.0

package/src/app/api/memory/route.ts

@@ -3,9 +3,6 @@ import { db } from "@/lib/db";
 import { agentMemory } from "@/lib/db/schema";
 import { and, eq, desc } from "drizzle-orm";
 import { randomUUID } from "crypto";
-import { checkLimit, buildLimitErrorBody } from "@/lib/license/limit-check";
-import { getMemoryCount } from "@/lib/license/limit-queries";
-import { createTierLimitNotification } from "@/lib/license/notifications";
 
 /**
  * GET /api/memory?profileId=xxx&category=fact&status=active
@@ -78,14 +75,6 @@ export async function POST(req: NextRequest) {
       );
     }
 
-    // Tier limit check — memory cap per profile
-    const currentCount = getMemoryCount(profileId);
-    const limitResult = checkLimit("agentMemories", currentCount);
-    if (!limitResult.allowed) {
-      createTierLimitNotification("agentMemories", currentCount, limitResult.limit).catch(() => {});
-      return NextResponse.json(buildLimitErrorBody("agentMemories", limitResult), { status: 402 });
-    }
-
     const now = new Date();
     const id = randomUUID();
     // Convert 0-1 confidence to 0-1000, default 700

package/src/app/api/notifications/route.ts

@@ -1,7 +1,9 @@
 import { NextRequest, NextResponse } from "next/server";
 import { db } from "@/lib/db";
 import { notifications } from "@/lib/db/schema";
-import { eq, and, desc, sql, count } from "drizzle-orm";
+import { eq, and, desc, count } from "drizzle-orm";
+
+import { buildDefaultNotificationVisibilityCondition } from "@/lib/notifications/visibility";
 
 export async function GET(req: NextRequest) {
   const url = new URL(req.url);
@@ -9,7 +11,7 @@ export async function GET(req: NextRequest) {
   const type = url.searchParams.get("type");
   const countOnly = url.searchParams.get("countOnly");
 
-  const conditions = [];
+  const conditions = [buildDefaultNotificationVisibilityCondition()];
   if (unread === "true") conditions.push(eq(notifications.read, false));
   if (type) conditions.push(eq(notifications.type, type as typeof notifications.type.enumValues[number]));
 

package/src/app/api/projects/[id]/route.ts

@@ -2,36 +2,11 @@ import { NextRequest, NextResponse } from "next/server";
 import { db } from "@/lib/db";
 import {
   projects,
-  tasks,
-  workflows,
-  documents,
-  schedules,
-  agentLogs,
-  notifications,
-  learnedContext,
-  usageLedger,
-  environmentSyncOps,
-  environmentCheckpoints,
-  environmentArtifacts,
-  environmentScans,
-  chatMessages,
-  conversations,
   projectDocumentDefaults,
-  userTables,
-  userTableColumns,
-  userTableRows,
-  userTableViews,
-  userTableImports,
-  userTableRelationships,
-  tableDocumentInputs,
-  taskTableInputs,
-  workflowTableInputs,
-  scheduleTableInputs,
-  userTableTriggers,
-  userTableRowHistory,
 } from "@/lib/db/schema";
-import { eq, inArray } from "drizzle-orm";
+import { eq } from "drizzle-orm";
 import { updateProjectSchema } from "@/lib/validators/project";
+import { deleteProjectCascade } from "@/lib/data/delete-project";
 
 export async function GET(
   _req: NextRequest,
@@ -109,137 +84,12 @@ export async function DELETE(
   { params }: { params: Promise<{ id: string }> }
 ) {
   const { id } = await params;
-  const [existing] = await db
-    .select()
-    .from(projects)
-    .where(eq(projects.id, id));
-
-  if (!existing) {
-    return NextResponse.json({ error: "Not found" }, { status: 404 });
-  }
 
   try {
-    // Cascade-delete in FK-safe order (children before parents)
-    // Follows the same pattern as clear.ts and workflow DELETE
-
-    // 1. Collect child IDs for nested FK chains
-    const taskIds = db
-      .select({ id: tasks.id })
-      .from(tasks)
-      .where(eq(tasks.projectId, id))
-      .all()
-      .map((r) => r.id);
-
-    const workflowIds = db
-      .select({ id: workflows.id })
-      .from(workflows)
-      .where(eq(workflows.projectId, id))
-      .all()
-      .map((r) => r.id);
-
-    const conversationIds = db
-      .select({ id: conversations.id })
-      .from(conversations)
-      .where(eq(conversations.projectId, id))
-      .all()
-      .map((r) => r.id);
-
-    const scanIds = db
-      .select({ id: environmentScans.id })
-      .from(environmentScans)
-      .where(eq(environmentScans.projectId, id))
-      .all()
-      .map((r) => r.id);
-
-    const checkpointIds = db
-      .select({ id: environmentCheckpoints.id })
-      .from(environmentCheckpoints)
-      .where(eq(environmentCheckpoints.projectId, id))
-      .all()
-      .map((r) => r.id);
-
-    // 2. Environment tables (deepest children first)
-    if (checkpointIds.length > 0) {
-      db.delete(environmentSyncOps)
-        .where(inArray(environmentSyncOps.checkpointId, checkpointIds))
-        .run();
-      db.delete(environmentCheckpoints)
-        .where(inArray(environmentCheckpoints.id, checkpointIds))
-        .run();
-    }
-    if (scanIds.length > 0) {
-      db.delete(environmentArtifacts)
-        .where(inArray(environmentArtifacts.scanId, scanIds))
-        .run();
-      db.delete(environmentScans)
-        .where(inArray(environmentScans.id, scanIds))
-        .run();
+    const deleted = deleteProjectCascade(id);
+    if (!deleted) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
     }
-
-    // 3. Chat tables (messages before conversations)
-    if (conversationIds.length > 0) {
-      db.delete(chatMessages)
-        .where(inArray(chatMessages.conversationId, conversationIds))
-        .run();
-      db.delete(conversations)
-        .where(inArray(conversations.id, conversationIds))
-        .run();
-    }
-
-    // 4. Usage ledger (references projectId, workflowId, taskId)
-    db.delete(usageLedger).where(eq(usageLedger.projectId, id)).run();
-
-    // 5. Task children (logs, notifications, documents, learned context)
-    if (taskIds.length > 0) {
-      db.delete(agentLogs).where(inArray(agentLogs.taskId, taskIds)).run();
-      db.delete(notifications)
-        .where(inArray(notifications.taskId, taskIds))
-        .run();
-      db.delete(documents).where(inArray(documents.taskId, taskIds)).run();
-      db.delete(learnedContext)
-        .where(inArray(learnedContext.sourceTaskId, taskIds))
-        .run();
-    }
-
-    // 6. Project document defaults (junction table)
-    db.delete(projectDocumentDefaults).where(eq(projectDocumentDefaults.projectId, id)).run();
-
-    // 6b. User-defined tables — cascade-delete children before parent
-    const tableIds = db
-      .select({ id: userTables.id })
-      .from(userTables)
-      .where(eq(userTables.projectId, id))
-      .all()
-      .map((r) => r.id);
-
-    if (tableIds.length > 0) {
-      // Junction tables first
-      db.delete(tableDocumentInputs).where(inArray(tableDocumentInputs.tableId, tableIds)).run();
-      db.delete(taskTableInputs).where(inArray(taskTableInputs.tableId, tableIds)).run();
-      db.delete(workflowTableInputs).where(inArray(workflowTableInputs.tableId, tableIds)).run();
-      db.delete(scheduleTableInputs).where(inArray(scheduleTableInputs.tableId, tableIds)).run();
-      // Children
-      db.delete(userTableRowHistory).where(inArray(userTableRowHistory.tableId, tableIds)).run();
-      db.delete(userTableTriggers).where(inArray(userTableTriggers.tableId, tableIds)).run();
-      db.delete(userTableImports).where(inArray(userTableImports.tableId, tableIds)).run();
-      db.delete(userTableViews).where(inArray(userTableViews.tableId, tableIds)).run();
-      db.delete(userTableRelationships).where(inArray(userTableRelationships.fromTableId, tableIds)).run();
-      db.delete(userTableRows).where(inArray(userTableRows.tableId, tableIds)).run();
-      db.delete(userTableColumns).where(inArray(userTableColumns.tableId, tableIds)).run();
-      db.delete(userTables).where(inArray(userTables.id, tableIds)).run();
-    }
-
-    // 7. Direct project children
-    db.delete(documents).where(eq(documents.projectId, id)).run();
-    db.delete(tasks).where(eq(tasks.projectId, id)).run();
-    if (workflowIds.length > 0) {
-      db.delete(workflows).where(inArray(workflows.id, workflowIds)).run();
-    }
-    db.delete(schedules).where(eq(schedules.projectId, id)).run();
-
-    // 7. Finally delete the project
-    db.delete(projects).where(eq(projects.id, id)).run();
-
     return NextResponse.json({ success: true });
   } catch (err) {
     console.error("Project delete failed:", err);

package/src/app/api/projects/__tests__/delete-project.test.ts

@@ -6,14 +6,14 @@ import * as schema from "@/lib/db/schema";
 /**
  * Safety-net regression tests for project cascade deletion.
  *
- * These verify that the DELETE handler in projects/[id]/route.ts
- * properly handles all FK relationships before deleting a project.
- * This prevents the "Failed to delete project" FK constraint error
- * that occurs when related records exist.
+ * These verify that the shared deleteProjectCascade function in
+ * src/lib/data/delete-project.ts properly handles all FK relationships
+ * before deleting a project. This prevents "Failed to delete project"
+ * FK constraint errors when related records exist.
  */
 describe("project DELETE cascade coverage", () => {
   const deleteRouteSource = readFileSync(
-    join(__dirname, "..", "[id]", "route.ts"),
+    join(__dirname, "..", "..", "..", "..", "lib", "data", "delete-project.ts"),
     "utf-8"
   );
 
@@ -115,7 +115,7 @@ describe("project DELETE cascade coverage", () => {
       // Find the LAST occurrence of db.delete(child) and FIRST occurrence of db.delete(parent)
       // within the DELETE function (not the import section)
       const deleteSection = deleteRouteSource.slice(
-        deleteRouteSource.indexOf("export async function DELETE")
+        deleteRouteSource.indexOf("export function deleteProjectCascade")
       );
       const childPos = deleteSection.lastIndexOf(`db.delete(${child})`);
       const parentPos = deleteSection.indexOf(`db.delete(${parent})`);
@@ -129,21 +129,12 @@ describe("project DELETE cascade coverage", () => {
     ).toEqual([]);
   });
 
-  it("wraps deletion in try/catch for error handling", () => {
+  it("checks project existence before deleting", () => {
     const deleteSection = deleteRouteSource.slice(
-      deleteRouteSource.indexOf("export async function DELETE")
+      deleteRouteSource.indexOf("export function deleteProjectCascade")
     );
-    expect(deleteSection).toContain("try {");
-    expect(deleteSection).toContain("catch");
-    expect(deleteSection).toContain("status: 500");
-  });
-
-  it("verifies project exists before attempting delete", () => {
-    const deleteSection = deleteRouteSource.slice(
-      deleteRouteSource.indexOf("export async function DELETE")
-    );
-    expect(deleteSection).toContain("Not found");
-    expect(deleteSection).toContain("status: 404");
+    // The shared function checks if the project exists and returns false if not
+    expect(deleteSection).toContain("if (!existing) return false");
   });
 
   /**

package/src/app/api/schedules/[id]/execute/route.ts

@@ -0,0 +1,111 @@
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { schedules, tasks, usageLedger } from "@/lib/db/schema";
+import { eq } from "drizzle-orm";
+import { executeTaskWithRuntime } from "@/lib/agents/runtime";
+import { claimSlot, countRunningScheduledSlots } from "@/lib/schedules/slot-claim";
+import {
+  getScheduleMaxConcurrent,
+  getScheduleMaxRunDurationSec,
+} from "@/lib/schedules/config";
+import { randomUUID } from "crypto";
+
+/**
+ * Manually fire a schedule. Honors the global concurrency cap by default.
+ * Use `?force=true` to bypass the cap (logged to usage_ledger as
+ * "manual_force_bypass" for audit).
+ *
+ * Security note: force bypass is audit-logged synchronously before task
+ * execution begins, so every bypass leaves a permanent record regardless of
+ * task outcome.
+ */
+export async function POST(
+  req: NextRequest,
+  { params }: { params: Promise<{ id: string }> },
+) {
+  const { id: scheduleId } = await params;
+  const force = req.nextUrl.searchParams.get("force") === "true";
+
+  const [schedule] = db
+    .select()
+    .from(schedules)
+    .where(eq(schedules.id, scheduleId))
+    .all();
+  if (!schedule) {
+    return NextResponse.json({ error: "schedule_not_found" }, { status: 404 });
+  }
+
+  const taskId = randomUUID();
+  const firingNumber = schedule.firingCount + 1;
+  const now = new Date();
+
+  db.insert(tasks)
+    .values({
+      id: taskId,
+      projectId: schedule.projectId,
+      workflowId: null,
+      scheduleId: schedule.id,
+      title: `${schedule.name} — manual firing #${firingNumber}`,
+      description: schedule.prompt,
+      status: "queued",
+      assignedAgent: schedule.assignedAgent,
+      agentProfile: schedule.agentProfile,
+      priority: 2,
+      sourceType: "scheduled",
+      maxTurns: schedule.maxTurns,
+      createdAt: now,
+      updatedAt: now,
+    })
+    .run();
+
+  const cap = getScheduleMaxConcurrent();
+  const leaseSec = schedule.maxRunDurationSec ?? getScheduleMaxRunDurationSec();
+
+  // When force=true, pass an effectively infinite cap so the subquery COUNT
+  // can never exceed it. This lets `claimSlot` atomically transition the task
+  // to "running" even when the real cap is full.
+  const effectiveCap = force ? Number.MAX_SAFE_INTEGER : cap;
+  const { claimed } = claimSlot(taskId, effectiveCap, leaseSec);
+
+  if (!claimed) {
+    db.delete(tasks).where(eq(tasks.id, taskId)).run();
+    const slotEtaSec = 60;
+    return NextResponse.json(
+      {
+        error: "capacity_full",
+        message: `Swarm at capacity (${countRunningScheduledSlots()}/${cap}). Retry in ~${slotEtaSec}s or add ?force=true to bypass.`,
+        slotEtaSec,
+      },
+      { status: 429 },
+    );
+  }
+
+  // Audit log written synchronously before task execution so that a force
+  // bypass is always recorded even if the task itself fails immediately.
+  if (force) {
+    const nowTs = new Date();
+    db.insert(usageLedger)
+      .values({
+        id: randomUUID(),
+        taskId,
+        scheduleId: schedule.id,
+        projectId: schedule.projectId,
+        activityType: "manual_force_bypass",
+        runtimeId: "manual",
+        providerId: "manual",
+        status: "completed",
+        costMicros: 0,
+        startedAt: nowTs,
+        finishedAt: nowTs,
+      })
+      .run();
+  }
+
+  // Fire-and-forget: the route returns immediately with taskId; execution runs
+  // in the background. Errors are logged but do not affect the 200 response.
+  executeTaskWithRuntime(taskId).catch((err) => {
+    console.error(`[api/schedules/execute] task ${taskId} failed:`, err);
+  });
+
+  return NextResponse.json({ taskId, forced: force });
+}

package/src/app/api/schedules/[id]/route.ts

@@ -4,6 +4,7 @@ import { schedules, tasks } from "@/lib/db/schema";
 import { eq, like } from "drizzle-orm";
 import { parseInterval, computeNextFireTime } from "@/lib/schedules/interval-parser";
 import { parseNaturalLanguage } from "@/lib/schedules/nlp-parser";
+import { checkCollision } from "@/lib/schedules/collision-check";
 import { resolveAgentRuntime } from "@/lib/agents/runtime/catalog";
 import { validateRuntimeProfileAssignment } from "@/lib/agents/profiles/assignment-validation";
 
@@ -199,7 +200,14 @@ export async function PATCH(
     .from(schedules)
     .where(eq(schedules.id, id));
 
-  return NextResponse.json(updated);
+  const effectiveCron = (updates.cronExpression as string | undefined) ?? schedule.cronExpression;
+  const warnings = checkCollision(
+    effectiveCron,
+    schedule.avgTurnsPerFiring ?? 0,
+    schedule.projectId ?? null,
+    schedule.id,
+  );
+  return NextResponse.json({ schedule: updated, warnings });
 }
 
 export async function DELETE(

package/src/app/api/schedules/__tests__/execute-route.test.ts

@@ -0,0 +1,118 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { db } from "@/lib/db";
+import { tasks, schedules, projects, settings, usageLedger } from "@/lib/db/schema";
+import { eq } from "drizzle-orm";
+import { randomUUID } from "crypto";
+import { NextRequest } from "next/server";
+import { POST } from "../[id]/execute/route";
+
+vi.mock("@/lib/agents/runtime", () => ({
+  executeTaskWithRuntime: vi.fn().mockResolvedValue(undefined),
+}));
+
+function req(url: string): NextRequest {
+  return new NextRequest(new URL(url, "http://localhost"));
+}
+
+function seedSchedule(): string {
+  const pid = randomUUID();
+  const sid = randomUUID();
+  const now = new Date();
+  db.insert(projects)
+    .values({ id: pid, name: "p", status: "active", createdAt: now, updatedAt: now })
+    .run();
+  db.insert(schedules)
+    .values({
+      id: sid,
+      projectId: pid,
+      name: "manual",
+      prompt: "test",
+      cronExpression: "0 0 * * *",
+      status: "active",
+      type: "scheduled",
+      firingCount: 0,
+      suppressionCount: 0,
+      heartbeatSpentToday: 0,
+      failureStreak: 0,
+      turnBudgetBreachStreak: 0,
+      createdAt: now,
+      updatedAt: now,
+    })
+    .run();
+  return sid;
+}
+
+describe("POST /api/schedules/:id/execute", () => {
+  beforeEach(() => {
+    db.delete(usageLedger).run();
+    db.delete(tasks).run();
+    db.delete(schedules).run();
+    db.delete(projects).run();
+    db.delete(settings).where(eq(settings.key, "schedule.maxConcurrent")).run();
+    db.insert(settings)
+      .values({ key: "schedule.maxConcurrent", value: "1", updatedAt: new Date() })
+      .run();
+  });
+
+  it("fires when capacity available, returns 200 with taskId", async () => {
+    const sid = seedSchedule();
+    const res = await POST(req(`/api/schedules/${sid}/execute`), {
+      params: Promise.resolve({ id: sid }),
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.taskId).toBeDefined();
+  });
+
+  it("returns 429 when cap is full", async () => {
+    const sid1 = seedSchedule();
+    const sid2 = seedSchedule();
+
+    const res1 = await POST(req(`/api/schedules/${sid1}/execute`), {
+      params: Promise.resolve({ id: sid1 }),
+    });
+    expect(res1.status).toBe(200);
+
+    const res2 = await POST(req(`/api/schedules/${sid2}/execute`), {
+      params: Promise.resolve({ id: sid2 }),
+    });
+    expect(res2.status).toBe(429);
+    const body = await res2.json();
+    expect(body.error).toBe("capacity_full");
+    expect(body.slotEtaSec).toBeGreaterThanOrEqual(0);
+
+    const remaining = db.select().from(tasks).all();
+    expect(remaining.length).toBe(1); // only sid1's task remains; sid2's was cleaned up on refusal
+  });
+
+  it("bypasses the cap when ?force=true and writes audit-log entry", async () => {
+    const sid1 = seedSchedule();
+    const sid2 = seedSchedule();
+
+    await POST(req(`/api/schedules/${sid1}/execute`), {
+      params: Promise.resolve({ id: sid1 }),
+    });
+
+    const res2 = await POST(
+      req(`/api/schedules/${sid2}/execute?force=true`),
+      { params: Promise.resolve({ id: sid2 }) },
+    );
+    expect(res2.status).toBe(200);
+    const body2 = await res2.json();
+
+    const ledger = db
+      .select()
+      .from(usageLedger)
+      .where(eq(usageLedger.activityType, "manual_force_bypass"))
+      .all();
+    expect(ledger.length).toBe(1);
+    expect(ledger[0].taskId).toBe(body2.taskId);
+  });
+
+  it("returns 404 when the schedule does not exist", async () => {
+    const res = await POST(req("/api/schedules/nonexistent/execute"), {
+      params: Promise.resolve({ id: "nonexistent" }),
+    });
+    expect(res.status).toBe(404);
+  });
+});

package/src/app/api/schedules/route.ts

@@ -6,9 +6,7 @@ import { parseInterval, computeNextFireTime } from "@/lib/schedules/interval-par
 import { parseNaturalLanguage } from "@/lib/schedules/nlp-parser";
 import { resolveAgentRuntime } from "@/lib/agents/runtime/catalog";
 import { validateRuntimeProfileAssignment } from "@/lib/agents/profiles/assignment-validation";
-import { checkLimit, buildLimitErrorBody } from "@/lib/license/limit-check";
-import { getActiveScheduleCount } from "@/lib/license/limit-queries";
-import { createTierLimitNotification } from "@/lib/license/notifications";
+import { checkCollision } from "@/lib/schedules/collision-check";
 
 export async function GET() {
   const result = await db
@@ -130,14 +128,6 @@ export async function POST(req: NextRequest) {
     return NextResponse.json({ error: compatibilityError }, { status: 400 });
   }
 
-  // Tier limit check — active schedule cap
-  const activeCount = getActiveScheduleCount();
-  const limitResult = checkLimit("activeSchedules", activeCount);
-  if (!limitResult.allowed) {
-    createTierLimitNotification("activeSchedules", activeCount, limitResult.limit).catch(() => {});
-    return NextResponse.json(buildLimitErrorBody("activeSchedules", limitResult), { status: 402 });
-  }
-
   const id = crypto.randomUUID();
   const now = new Date();
   const nextFireAt = computeNextFireTime(cronExpression, now);
@@ -201,5 +191,6 @@ export async function POST(req: NextRequest) {
     .from(schedules)
     .where(eq(schedules.id, id));
 
-  return NextResponse.json(created, { status: 201 });
+  const warnings = checkCollision(cronExpression, 0, projectId ?? null, null);
+  return NextResponse.json({ schedule: created, warnings }, { status: 201 });
 }

package/src/app/api/settings/openai/login/route.ts

@@ -0,0 +1,22 @@
+import { NextResponse } from "next/server";
+import {
+  cancelOpenAIChatGPTLogin,
+  getOpenAILoginState,
+  startOpenAIChatGPTLogin,
+} from "@/lib/settings/openai-login-manager";
+import { setOpenAIAuthSettings } from "@/lib/settings/openai-auth";
+
+export async function GET() {
+  return NextResponse.json(getOpenAILoginState());
+}
+
+export async function POST() {
+  await setOpenAIAuthSettings({ method: "oauth" });
+  const state = await startOpenAIChatGPTLogin();
+  return NextResponse.json(state);
+}
+
+export async function DELETE() {
+  const state = await cancelOpenAIChatGPTLogin();
+  return NextResponse.json(state);
+}

package/src/app/api/settings/openai/logout/route.ts

@@ -0,0 +1,7 @@
+import { NextResponse } from "next/server";
+import { logoutStagentCodexAuth } from "@/lib/agents/runtime/openai-codex-auth";
+
+export async function POST() {
+  await logoutStagentCodexAuth();
+  return NextResponse.json({ success: true });
+}

package/src/app/api/settings/openai/route.ts

@@ -3,11 +3,31 @@ import {
   getOpenAIAuthSettings,
   setOpenAIAuthSettings,
 } from "@/lib/settings/openai-auth";
+import { readStagentCodexAuthState } from "@/lib/agents/runtime/openai-codex-auth";
 import { updateOpenAISettingsSchema } from "@/lib/validators/settings";
 
 export async function GET() {
   const settings = await getOpenAIAuthSettings();
-  return NextResponse.json(settings);
+  if (settings.method !== "oauth") {
+    return NextResponse.json(settings);
+  }
+
+  try {
+    const current = await readStagentCodexAuthState({ refreshToken: true });
+    return NextResponse.json({
+      ...settings,
+      oauthConnected: current.connected,
+      account: current.account,
+      rateLimits: current.rateLimits,
+    });
+  } catch {
+    return NextResponse.json({
+      ...settings,
+      oauthConnected: false,
+      account: null,
+      rateLimits: null,
+    });
+  }
 }
 
 export async function POST(req: NextRequest) {