feat(ai-chat): agent write tools, provenance wiring, chat panel + provider settings UI" -m "Backend:

- Add reversible write tools to the per-user agent toolset (page create/update/
  move/soft-delete; comment reply + resolve), exposed under the user's JWT and
  enforced by Docmost CASL; no permanent/force delete (D3).
- Non-spoofable agent provenance: sign actor/aiChatId into the access and collab
  tokens (TokenService), propagate via jwt.strategy onto the request, and set
  pages.last_updated_source/last_updated_ai_chat_id on REST create/update/move and
  comments.created_source/resolved_source/ai_chat_id.
- packages/mcp: add an optional getCollabToken provider (content-edit provenance)
  and guard against empty tokens; service-account /mcp path unchanged.

Frontend:
- Admin 'AI / Models' settings section: provider/model/embedding/base URL, a
  write-only API key field, system prompt, and Test connection.
- AI chat panel (useChat + DefaultChatTransport): conversation list, streamed
  messages, tool-call action log and page citations; header entry point gated on
  settings.ai.chat.

Compile-verified (server nest build + client tsc/vite); not yet live-tested.
Known gaps: history 'AI agent' badge (C3), vector RAG (D), external MCP (E);
chat tool-card citation links pending a fix.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
vvzvlad
2026-06-17 02:39:26 +03:00
parent 683da7a4c5
commit 44b340dc1a
38 changed files with 2384 additions and 21 deletions
@@ -0,0 +1,27 @@
import { createParamDecorator, ExecutionContext } from '@nestjs/common';
/**
* The agent-edit provenance carried by the request, read from the SIGNED access
* token (set by `jwt.strategy`). `actor` is 'agent' only for the internal AI
* agent's minted token; every normal user request resolves to 'user'. Because
* it comes from the signed claim — never a client body field — a normal user
* cannot fake an 'agent' marker.
*/
export interface AuthProvenanceData {
actor: 'user' | 'agent';
aiChatId: string | null;
}
/**
* Resolve the request's provenance. Defaults to a 'user' actor when the claim
* is absent (e.g. an endpoint reached without going through the access-token
* strategy path), so callers can always set the marker unconditionally.
*/
export const AuthProvenance = createParamDecorator(
(data: unknown, ctx: ExecutionContext): AuthProvenanceData => {
const request = ctx.switchToHttp().getRequest();
const actor = request?.raw?.actor === 'agent' ? 'agent' : 'user';
const aiChatId = request?.raw?.aiChatId ?? null;
return { actor, aiChatId };
},
);