feat(api): shared agent domain tool registry, proposals, and commit path #330
Implements the shared domain tool registry for epic #47's agent (#51), per ADR-0029 and ADR-0030. The lib/agent/ module is framework-agnostic — the future PWA agent loop and MCP endpoint import it unchanged.

What's in it

find_people_at_org, link_person_to_org, add_note_to_person, merge_people.
verb_noun naming; every write tool tagged safe_create | safe_update | destructive_update | destructive_delete.
ProposedChange and persist it; they never mutate. The commit path is the only mutator: re-validates against current state, enforces a 15-min expiry, applies through the entity repository, and writes an append-only audit event.
022_agent_proposals + 023_audit_events (+ repositories, entities, schema). Standalone for now; the agent-loop ticket will link proposals to conversations later.
POST /api/agent/proposals/{id}/{commit,reject} (resolve the user from session/PAT via the existing identity reader).

Safety (ADR-0030)

user_id — the acting identity comes only from request context; cross-user access is unrepresentable in the schema. Enforcement lives at the repository layer.
pending→applied claim; stale proposals (out-of-band edit) → 409 proposal_stale; expired → 409 proposal_expired.

Verification (re-run locally)

@carol/api typecheck + lint — clean
openapi:check up to date · openapi:coverage 107 pairs · @carol/api-client regen + typecheck clean
agent_proposals/audit_events migrations and per-engine tool suites are proven on Postgres too, not just SQLite.

Notes

create_person_note — the earned add_note_to_person domain tool is the create path (per ADR-0030's "domain tool wins where it fits"); update/delete/list/get remain.
merge_people re-points children and drops self-referencing rows; a rare UNIQUE collision on already-shared links surfaces as a commit error → re-propose (not silently swallowed).
PROPOSAL_TTL_MS is a 15-min code constant).

Closes #51
🤖 Generated with Claude Code
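
The commit path and its safety checks described above, as an added TypeScript example; it is not code from this PR. PROPOSAL_TTL_MS, proposal_stale and proposal_expired come from the description; the in-memory Store, the type and function names, the version counter used to detect out-of-band edits, the 404 for another user's proposal and the proposal_not_pending code are assumptions.

```typescript
// Added example. Only PROPOSAL_TTL_MS, proposal_stale and proposal_expired come from the PR text.
const PROPOSAL_TTL_MS = 15 * 60 * 1000;

type ProposalStatus = "pending" | "applied" | "rejected";
interface Proposal {
  id: string; userId: string; status: ProposalStatus; createdAt: number;
  targetId: string; baseVersion: number; note: string;
}
interface Person { version: number; notes: string[] }
interface AuditEvent { userId: string; proposalId: string; at: number }
interface CommitResult { status: number; error?: string }

class Store {
  proposals = new Map<string, Proposal>();
  people = new Map<string, Person>();
  audit: AuditEvent[] = []; // append-only: this code only ever pushes

  // Every lookup is scoped by the acting user, so another user's proposal
  // looks exactly like a missing one (404 here is an assumption).
  findProposal(userId: string, id: string): Proposal | undefined {
    const p = this.proposals.get(id);
    return p !== undefined && p.userId === userId ? p : undefined;
  }
}

// userId must come from the authenticated request context, never the body.
function commitProposal(store: Store, userId: string, id: string, now: number): CommitResult {
  const p = store.findProposal(userId, id);
  if (p === undefined) return { status: 404 };
  // A second commit of the same proposal must not apply twice.
  if (p.status !== "pending") return { status: 409, error: "proposal_not_pending" };
  if (now - p.createdAt > PROPOSAL_TTL_MS) return { status: 409, error: "proposal_expired" };
  // Re-validate against current state: an out-of-band edit bumped the version.
  const person = store.people.get(p.targetId);
  if (person === undefined || person.version !== p.baseVersion) {
    return { status: 409, error: "proposal_stale" };
  }
  // Claim, apply and audit together. Against a real database this is one
  // transaction with a conditional update on status = 'pending'.
  p.status = "applied";
  person.notes.push(p.note);
  person.version += 1;
  store.audit.push({ userId, proposalId: id, at: now });
  return { status: 200 };
}
```
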
📊 Test coverage
Patch coverage: no testable lines changed.
Overall (app/, lib/, db/, excluding UI per ADR-0019):
Soft thresholds per ADR-0019. Coverage is informational and does not block merge.