feat(ai): anonymous AI assistant on public shares

Lets an unauthenticated viewer of a published share ask an AI scoped strictly
to that share's page tree. The authenticated agent is untouched; the security
boundary is the tool scope (no identity), and nothing is persisted.

Server:
- workspace toggle settings.ai.publicShareAssistant (default off) +
  optional settings.ai.provider.publicShareChatModel (cheap model id; reuses
  the chat driver/baseUrl/key). getChatModel(workspaceId, override) substitutes
  only the model id, falling back to chatModel.
- POST /api/shares/ai/stream (@Public, SSE). Guardrail funnel, each failing
  before streaming: toggle off -> 404; share missing/wrong-workspace/sharing
  off -> 404; pageId not in share tree -> 404; provider unconfigured -> 503;
  per-IP (5/min) and per-workspace (300/h, IP-independent) rate limits -> 429.
  Uniform 404s never confirm a private page's existence.
- forShare read-only in-process toolset: searchSharePages (existing shareId
  FTS branch, no spaceId/userId), getSharePage (getShareForPage gate +
  share.id check, content via the public sanitizer), listSharePages. No write/
  comment/history/cross-space/external-MCP tools.
- Locked share system prompt + immutable safety block; stepCountIs(5).
- /shares/page-info exposes an aiAssistant flag (gated behind isSharingAllowed).

Client: an ephemeral, text-only Ask-AI widget on the public shared page,
shown only when the flag is set; useChat -> /api/shares/ai/stream,
credentials omit. Admin toggle + model field in Settings -> AI.

Also adds a jest moduleNameMapper for src/-rooted imports (fixes pre-existing
unresolvable specs; additive).

Implements docs/public-share-assistant-plan.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

apps/client/src/features/workspace/components/settings/components/ai-provider-settings.tsx

@@ -44,6 +44,8 @@ import AiMcpServers from "./ai-mcp-servers.tsx";
 // (empty means "leave unchanged" unless explicitly cleared).
 const formSchema = z.object({
   chatModel: z.string(),
+  // Cheap model id for the anonymous public-share assistant; empty = use chatModel.
+  publicShareChatModel: z.string(),
   embeddingModel: z.string(),
   baseUrl: z.string(),
   // Embedding-specific base URL. Empty means "use the chat base URL".
@@ -114,9 +116,17 @@ export default function AiProviderSettings() {
   const [dictationEnabled, setDictationEnabled] = useState<boolean>(
     workspace?.settings?.ai?.dictation ?? false,
   );
+  const [publicShareAssistantEnabled, setPublicShareAssistantEnabled] =
+    useState<boolean>(
+      workspace?.settings?.ai?.publicShareAssistant ?? false,
+    );
   const [chatToggleLoading, setChatToggleLoading] = useState(false);
   const [searchToggleLoading, setSearchToggleLoading] = useState(false);
   const [dictationToggleLoading, setDictationToggleLoading] = useState(false);
+  const [
+    publicShareAssistantToggleLoading,
+    setPublicShareAssistantToggleLoading,
+  ] = useState(false);
 
   // Whether a key is currently stored server-side (drives the placeholder).
   const [hasApiKey, setHasApiKey] = useState(false);
@@ -136,6 +146,7 @@ export default function AiProviderSettings() {
     validate: zod4Resolver(formSchema),
     initialValues: {
       chatModel: "",
+      publicShareChatModel: "",
       embeddingModel: "",
       baseUrl: "",
       embeddingBaseUrl: "",
@@ -155,6 +166,7 @@ export default function AiProviderSettings() {
     if (!settings) return;
     form.setValues({
       chatModel: settings.chatModel ?? "",
+      publicShareChatModel: settings.publicShareChatModel ?? "",
       embeddingModel: settings.embeddingModel ?? "",
       baseUrl: settings.baseUrl ?? "",
       embeddingBaseUrl: settings.embeddingBaseUrl ?? "",
@@ -181,6 +193,9 @@ export default function AiProviderSettings() {
       // Everything is OpenAI-compatible.
       driver: "openai",
       chatModel: values.chatModel,
+      // Cheap model id for the anonymous public-share assistant; empty falls
+      // back to chatModel server-side.
+      publicShareChatModel: values.publicShareChatModel,
       embeddingModel: values.embeddingModel,
       // The embedding base URL is optional; empty falls back to the chat base
       // URL server-side.
@@ -344,6 +359,37 @@ export default function AiProviderSettings() {
     }
   }
 
+  // Optimistic toggle for the anonymous public-share AI assistant
+  // (settings.ai.publicShareAssistant). When off, the public endpoint 404s.
+  async function handleTogglePublicShareAssistant(value: boolean) {
+    setPublicShareAssistantToggleLoading(true);
+    const previous = publicShareAssistantEnabled;
+    setPublicShareAssistantEnabled(value);
+    try {
+      const updated = await updateWorkspace({
+        aiPublicShareAssistant: value,
+      });
+      setWorkspace({
+        ...updated,
+        settings: {
+          ...updated.settings,
+          ai: { ...updated.settings?.ai, publicShareAssistant: value },
+        },
+      });
+      notifications.show({ message: t("Updated successfully") });
+    } catch (err) {
+      setPublicShareAssistantEnabled(previous);
+      const message = (err as { response?: { data?: { message?: string } } })
+        ?.response?.data?.message;
+      notifications.show({
+        message: message ?? t("Failed to update data"),
+        color: "red",
+      });
+    } finally {
+      setPublicShareAssistantToggleLoading(false);
+    }
+  }
+
   // Admins only — match the previous behavior.
   if (!isAdmin) {
     return (
@@ -455,6 +501,39 @@ export default function AiProviderSettings() {
           {t("Resolves to {{url}}", { url: chatResolved })}
         </Text>
 
+        {/* Anonymous public-share assistant: a single master toggle + an
+            optional cheaper model id. Reuses this card's driver/URL/key. */}
+        <Group justify="space-between" align="center" wrap="nowrap" mt="md">
+          <Text fw={600} size="sm">
+            {t("Public share assistant")}
+          </Text>
+          <Switch
+            label={t("Enabled")}
+            labelPosition="left"
+            checked={publicShareAssistantEnabled}
+            disabled={publicShareAssistantToggleLoading}
+            onChange={(e) =>
+              handleTogglePublicShareAssistant(e.currentTarget.checked)
+            }
+          />
+        </Group>
+        <Text size="xs" c="dimmed" mt={4} mb="xs">
+          {t(
+            "Let anonymous visitors of public shares ask an AI assistant scoped to that share's pages. You pay for the tokens.",
+          )}
+        </Text>
+        <TextInput
+          label={t("Public assistant model")}
+          placeholder={t("Defaults to the chat model")}
+          disabled={isLoading || !publicShareAssistantEnabled}
+          {...form.getInputProps("publicShareChatModel")}
+        />
+        <Text size="xs" c="dimmed" mt={4}>
+          {t(
+            "Optional cheaper model id for the public assistant. Empty uses the chat model above.",
+          )}
+        </Text>
+
         <Group mt="md" align="center">
           <Button
             variant="default"

apps/client/src/features/workspace/services/ai-settings-service.ts

@@ -16,6 +16,8 @@ export type SttApiStyle = "multipart" | "json";
 export interface IAiSettings {
   driver?: AiDriver;
   chatModel?: string;
+  // Cheap model id for the anonymous public-share assistant; empty = chatModel.
+  publicShareChatModel?: string;
   embeddingModel?: string;
   baseUrl?: string;
   embeddingBaseUrl?: string;
@@ -42,6 +44,7 @@ export interface IAiSettings {
 export interface IAiSettingsUpdate {
   driver?: AiDriver;
   chatModel?: string;
+  publicShareChatModel?: string;
   embeddingModel?: string;
   baseUrl?: string;
   embeddingBaseUrl?: string;

apps/client/src/features/workspace/types/workspace.types.ts

@@ -25,6 +25,7 @@ export interface IWorkspace {
   mcpEnabled?: boolean;
   aiChat?: boolean;
   aiDictation?: boolean;
+  aiPublicShareAssistant?: boolean;
   trashRetentionDays?: number;
   restrictApiToAdmins?: boolean;
   allowMemberTemplates?: boolean;
@@ -48,6 +49,7 @@ export interface IWorkspaceAiSettings {
   mcp?: boolean;
   chat?: boolean;
   dictation?: boolean;
+  publicShareAssistant?: boolean;
 }
 
 export interface IWorkspaceSharingSettings {