saltbo
diff --git a/‎apps/web/migrations/0019_agent_versions.sql‎
Lines changed: 5 additions & 0 deletions b/‎apps/web/migrations/0019_agent_versions.sql‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎apps/web/server/agentRepo.ts‎
Lines changed: 132 additions & 4 deletions b/‎apps/web/server/agentRepo.ts‎
Lines changed: 132 additions & 4 deletions
diff --git a/‎apps/web/server/auth.ts‎
Lines changed: 1 addition & 0 deletions b/‎apps/web/server/auth.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apps/web/server/routes.ts‎
Lines changed: 35 additions & 11 deletions b/‎apps/web/server/routes.ts‎
Lines changed: 35 additions & 11 deletions
diff --git a/‎packages/cli/src/client/base.ts‎
Lines changed: 4 additions & 0 deletions b/‎packages/cli/src/client/base.ts‎
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,5 @@
+ALTER TABLE agents ADD COLUMN version TEXT NOT NULL DEFAULT 'latest';
+ALTER TABLE agents ADD COLUMN soul_sha1 TEXT NOT NULL DEFAULT '';
+
+DROP INDEX IF EXISTS idx_agents_username;
+CREATE UNIQUE INDEX idx_agents_username_version ON agents(username, version);
@@ -6,6 +6,21 @@ import { runtimeReadyPredicateSql } from "./machineRepo";
 
 const parseAgent = <T extends Agent>(row: T) => parseJsonFields(row, ["skills", "subagents", "handoff_to"]);
 
+async function sha1(value: string): Promise<string> {
+  const bytes = new TextEncoder().encode(value);
+  const hash = await crypto.subtle.digest("SHA-1", bytes);
+  return [...new Uint8Array(hash)].map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+async function nextVersion(db: D1, username: string, builtin: boolean): Promise<string> {
+  if (builtin) return "latest";
+  const row = await db
+    .prepare("SELECT MAX(CAST(version AS INTEGER)) as version FROM agents WHERE username = ? AND version != 'latest'")
+    .bind(username)
+    .first<{ version: number | null }>();
+  return String((row?.version ?? 0) + 1);
+}
+
 export interface PreparedAgent extends Agent {
   privateKeyJwk: JsonWebKey;
 }
@@ -26,21 +41,24 @@ export async function prepareAgent(
 ): Promise<PreparedAgent> {
   const { id, publicKeyBase64, fingerprint, privateKeyJwk } = identity;
   const now = new Date().toISOString();
+  const soul = input.soul ?? null;
   return {
     id,
     owner_id: ownerId,
     name: input.name || input.username,
     username: input.username,
     gpg_subkey_id: null,
     bio: input.bio ?? null,
-    soul: input.soul ?? null,
+    soul,
     role: input.role ?? null,
     kind: input.kind ?? "worker",
     handoff_to: input.handoff_to ?? null,
     runtime: input.runtime,
     model: input.model ?? null,
     skills: input.skills ?? null,
     subagents: input.subagents ?? null,
+    version: await nextVersion(db, input.username, builtin),
+    soul_sha1: await sha1(soul ?? ""),
     public_key: publicKeyBase64,
     fingerprint,
     builtin: builtin ? 1 : 0,
@@ -56,8 +74,8 @@ export async function insertAgent(db: D1, agent: PreparedAgent, extras?: { mailb
   const handoffJson = agent.handoff_to ? JSON.stringify(agent.handoff_to) : null;
   await db
     .prepare(`
-    INSERT INTO agents (id, owner_id, name, username, bio, soul, role, kind, handoff_to, runtime, model, skills, subagents, public_key, private_key, fingerprint, builtin, mailbox_token, gpg_subkey_id, created_at, updated_at)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    INSERT INTO agents (id, owner_id, name, username, bio, soul, role, kind, handoff_to, runtime, model, skills, subagents, version, soul_sha1, public_key, private_key, fingerprint, builtin, mailbox_token, gpg_subkey_id, created_at, updated_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
   `)
     .bind(
       agent.id,
@@ -73,6 +91,8 @@ export async function insertAgent(db: D1, agent: PreparedAgent, extras?: { mailb
       agent.model,
       skillsJson,
       subagentsJson,
+      agent.version,
+      agent.soul_sha1,
       agent.public_key,
       JSON.stringify(agent.privateKeyJwk),
       agent.fingerprint,
@@ -127,6 +147,7 @@ export async function listAgents(db: D1, ownerId: string): Promise<AgentWithActi
   const result = await db
     .prepare(`
     SELECT a.id, a.owner_id, a.name, a.username, a.gpg_subkey_id, a.bio, a.soul, a.role, a.kind, a.handoff_to, a.runtime, a.model, a.skills, a.subagents,
+      a.version, a.soul_sha1,
       a.public_key, a.fingerprint, a.builtin, a.created_at, a.updated_at,
       CASE WHEN EXISTS (
         SELECT 1 FROM machines m, json_each(m.runtimes) rt
@@ -159,6 +180,7 @@ export async function getAgent(db: D1, agentId: string, ownerId: string): Promis
   return db
     .prepare(`
     SELECT a.id, a.owner_id, a.name, a.username, a.gpg_subkey_id, a.bio, a.soul, a.role, a.kind, a.handoff_to, a.runtime, a.model, a.skills, a.subagents,
+      a.version, a.soul_sha1,
       a.public_key, a.fingerprint, a.builtin, a.created_at, a.updated_at,
       CASE WHEN EXISTS (
         SELECT 1 FROM machines m, json_each(m.runtimes) rt
@@ -192,7 +214,7 @@ export async function updateAgent(
 ): Promise<Agent | null> {
   const agent = await db
     .prepare(
-      "SELECT id, owner_id, name, username, gpg_subkey_id, bio, soul, role, kind, handoff_to, runtime, model, skills, subagents, public_key, fingerprint, builtin, created_at, updated_at FROM agents WHERE id = ?",
+      "SELECT id, owner_id, name, username, gpg_subkey_id, bio, soul, role, kind, handoff_to, runtime, model, skills, subagents, version, soul_sha1, public_key, fingerprint, builtin, created_at, updated_at FROM agents WHERE id = ?",
     )
     .bind(agentId)
     .first<Agent>();
@@ -213,6 +235,12 @@ export async function updateAgent(
       (applied as any)[field] = val;
     }
   }
+  if ("soul" in updates && updates.soul !== undefined) {
+    const digest = await sha1(updates.soul ?? "");
+    sets.push("soul_sha1 = ?");
+    binds.push(digest);
+    applied.soul_sha1 = digest;
+  }
 
   binds.push(agentId);
   await db
@@ -222,6 +250,106 @@ export async function updateAgent(
   return parseAgent({ ...agent, ...applied, updated_at: now });
 }
 
+type AgentSnapshot = Agent & { private_key: string; mailbox_token: string | null };
+
+function jsonOrNull(value: unknown[] | null): string | null {
+  return value ? JSON.stringify(value) : null;
+}
+
+async function findLatestAgentId(db: D1, username: string): Promise<string | null> {
+  const row = await db.prepare("SELECT id FROM agents WHERE username = ? AND version = 'latest'").bind(username).first<{ id: string }>();
+  return row?.id ?? null;
+}
+
+async function updateLatestAgent(db: D1, latestId: string, source: AgentSnapshot, updatedAt: string): Promise<void> {
+  await db
+    .prepare(`
+      UPDATE agents
+      SET name = ?, gpg_subkey_id = ?, bio = ?, soul = ?, role = ?, kind = ?, handoff_to = ?, runtime = ?, model = ?,
+          skills = ?, subagents = ?, soul_sha1 = ?, public_key = ?, private_key = ?, fingerprint = ?, builtin = ?, mailbox_token = ?, updated_at = ?
+      WHERE id = ?
+    `)
+    .bind(
+      source.name,
+      source.gpg_subkey_id,
+      source.bio,
+      source.soul,
+      source.role,
+      source.kind,
+      jsonOrNull(source.handoff_to),
+      source.runtime,
+      source.model,
+      jsonOrNull(source.skills),
+      jsonOrNull(source.subagents),
+      source.soul_sha1,
+      source.public_key,
+      source.private_key,
+      source.fingerprint,
+      source.builtin,
+      source.mailbox_token,
+      updatedAt,
+      latestId,
+    )
+    .run();
+}
+
+async function insertLatestAgent(db: D1, ownerId: string, source: AgentSnapshot, now: string): Promise<string> {
+  const latestId = crypto.randomUUID();
+  await db
+    .prepare(`
+      INSERT INTO agents (id, owner_id, name, username, gpg_subkey_id, bio, soul, role, kind, handoff_to, runtime, model, skills, subagents, version, soul_sha1, public_key, private_key, fingerprint, builtin, mailbox_token, created_at, updated_at)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'latest', ?, ?, ?, ?, ?, ?, ?, ?)
+    `)
+    .bind(
+      latestId,
+      ownerId,
+      source.name,
+      source.username,
+      source.gpg_subkey_id,
+      source.bio,
+      source.soul,
+      source.role,
+      source.kind,
+      jsonOrNull(source.handoff_to),
+      source.runtime,
+      source.model,
+      jsonOrNull(source.skills),
+      jsonOrNull(source.subagents),
+      source.soul_sha1,
+      source.public_key,
+      source.private_key,
+      source.fingerprint,
+      source.builtin,
+      source.mailbox_token,
+      now,
+      now,
+    )
+    .run();
+  return latestId;
+}
+
+export async function publishAgent(db: D1, username: string, agentId: string, ownerId: string): Promise<Agent | null> {
+  const target = await db
+    .prepare(
+      "SELECT id, owner_id, name, username, gpg_subkey_id, bio, soul, role, kind, handoff_to, runtime, model, skills, subagents, version, soul_sha1, public_key, private_key, fingerprint, builtin, mailbox_token FROM agents WHERE id = ? AND owner_id = ?",
+    )
+    .bind(agentId, ownerId)
+    .first<Agent & { private_key: string; mailbox_token: string | null }>();
+  if (!target) return null;
+  const source = parseAgent(target) as AgentSnapshot;
+  if (source.username !== username) return null;
+  if (source.version === "latest") return getAgent(db, agentId, ownerId);
+
+  const now = new Date().toISOString();
+  const latestId = await findLatestAgentId(db, source.username);
+  if (latestId) {
+    await updateLatestAgent(db, latestId, source, now);
+    return getAgent(db, latestId, ownerId);
+  }
+
+  return getAgent(db, await insertLatestAgent(db, ownerId, source, now), ownerId);
+}
+
 export async function deleteAgent(db: D1, agentId: string): Promise<boolean> {
   await db.prepare("UPDATE tasks SET assigned_to = NULL WHERE assigned_to = ? AND status IN ('todo', 'in_progress')").bind(agentId).run();
   const result = await db.prepare("DELETE FROM agents WHERE id = ?").bind(agentId).run();
 
@@ -19,6 +19,7 @@ const ROUTE_RULES: { method: string; pattern: RegExp; rule: RouteRule }[] = [
 
   // Agents — user/machine/leader creates, user/leader manages
   { method: "POST", pattern: /^\/api\/agents$/, rule: { allow: ["user", "machine", "agent:leader"] } },
+  { method: "PUT", pattern: /^\/api\/agents\/[^/]+\/versions\/latest$/, rule: { allow: ["user", "agent:leader"] } },
   { method: "PATCH", pattern: /^\/api\/agents\/[^/]+$/, rule: { allow: ["user", "agent:leader"] } },
   { method: "DELETE", pattern: /^\/api\/agents\/[^/]+$/, rule: { allow: ["user", "agent:leader"] } },
 
 
@@ -19,6 +19,7 @@ import {
   insertAgent,
   listAgents,
   prepareAgent,
+  publishAgent,
   updateAgent,
 } from "./agentRepo";
 import { closeSession, createSession, listSessions, reopenSession, updateSessionUsage } from "./agentSessionRepo";
@@ -286,7 +287,11 @@ api.get("/api/share/:slug/stream", async (c) => {
 
 api.get("/agents/:file{.+\\.gpg$}", async (c) => {
   const username = c.req.param("file").replace(/\.gpg$/, "");
-  const agent = await c.env.DB.prepare("SELECT owner_id FROM agents WHERE username = ?").bind(username).first<{ owner_id: string }>();
+  const agent = await c.env.DB.prepare(
+    "SELECT owner_id FROM agents WHERE username = ? ORDER BY CASE WHEN version = 'latest' THEN 0 ELSE 1 END LIMIT 1",
+  )
+    .bind(username)
+    .first<{ owner_id: string }>();
   if (!agent) throw new HTTPException(404, { message: "Agent not found" });
   const armoredPublicKey = await getRootPublicKey(c.env.DB, agent.owner_id);
   if (!armoredPublicKey) throw new HTTPException(404, { message: "GPG key not found" });
@@ -301,7 +306,11 @@ api.get("/.well-known/openpgpkey/hu/:hash", async (c) => {
   const hash = c.req.param("hash");
   const localPart = c.req.query("l");
   if (!localPart) throw new HTTPException(400, { message: "Missing l= query parameter" });
-  const agent = await c.env.DB.prepare("SELECT owner_id FROM agents WHERE username = ?").bind(localPart).first<{ owner_id: string }>();
+  const agent = await c.env.DB.prepare(
+    "SELECT owner_id FROM agents WHERE username = ? ORDER BY CASE WHEN version = 'latest' THEN 0 ELSE 1 END LIMIT 1",
+  )
+    .bind(localPart)
+    .first<{ owner_id: string }>();
   if (!agent) throw new HTTPException(404, { message: "Agent not found" });
   // Verify the hash matches the local part (WKD uses SHA-1 + z-base-32)
   const expectedHash = await wkdHash(localPart);
@@ -521,9 +530,12 @@ api.post("/api/agents", async (c) => {
   const ownerId = c.get("ownerId");
   await assertRegisteredWorkerSubagents(c.env.DB, ownerId, body.subagents);
 
-  // Validate username uniqueness before GPG mutation
-  const taken = await c.env.DB.prepare("SELECT 1 FROM agents WHERE username = ?").bind(body.username).first();
-  if (taken) throw new HTTPException(409, { message: `Username "${body.username}" is already taken` });
+  const existingUsername = await c.env.DB.prepare("SELECT owner_id FROM agents WHERE username = ? LIMIT 1")
+    .bind(body.username)
+    .first<{ owner_id: string }>();
+  if (existingUsername && existingUsername.owner_id !== ownerId) {
+    throw new HTTPException(409, { message: `Username "${body.username}" is already taken` });
+  }
   if (body.kind === "leader") {
     const existingLeader = await c.env.DB.prepare("SELECT 1 FROM agents WHERE owner_id = ? AND runtime = ? AND kind = 'leader'")
       .bind(ownerId, body.runtime)
@@ -539,7 +551,7 @@ api.post("/api/agents", async (c) => {
   const prepared = await prepareAgent(c.env.DB, ownerId, body as CreateAgentInput, identity);
 
   // External service — create mailbox (skip if MAILS_ADMIN_TOKEN not configured)
-  const mailboxToken = c.env.MAILS_ADMIN_TOKEN ? await createMailbox(c.env.MAILS_ADMIN_TOKEN, email) : undefined;
+  const mailboxToken = c.env.MAILS_ADMIN_TOKEN && !existingUsername ? await createMailbox(c.env.MAILS_ADMIN_TOKEN, email) : undefined;
 
   try {
     // Single atomic insert with all fields
@@ -557,13 +569,24 @@ api.post("/api/agents", async (c) => {
 
     return c.json(agent, 201);
   } catch (err) {
-    await deleteMailbox(c.env.MAILS_ADMIN_TOKEN, email).catch((cleanupErr: unknown) => {
-      logger.warn(`mailbox cleanup failed for ${email}: ${cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr)}`);
-    });
+    if (!existingUsername) {
+      await deleteMailbox(c.env.MAILS_ADMIN_TOKEN, email).catch((cleanupErr: unknown) => {
+        logger.warn(`mailbox cleanup failed for ${email}: ${cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr)}`);
+      });
+    }
     throw err;
   }
 });
 
+api.put("/api/agents/:username/versions/latest", async (c) => {
+  const body = await c.req.json<{ agent_id: string }>();
+  assertJsonObject(body, "latest agent version");
+  if (!body.agent_id) throw new HTTPException(400, { message: "agent_id is required" });
+  const agent = await publishAgent(c.env.DB, c.req.param("username"), body.agent_id, c.get("ownerId"));
+  if (!agent) throw new HTTPException(404, { message: "Agent not found" });
+  return c.json(agent);
+});
+
 api.patch("/api/agents/:id", async (c) => {
   const ownerId = c.get("ownerId");
   const existing = await getAgent(c.env.DB, c.req.param("id"), ownerId);
@@ -591,13 +614,14 @@ api.delete("/api/agents/:id", async (c) => {
   await assertAgentNotReferencedAsSubagent(c.env.DB, ownerId, agent.id);
   const email = agentEmail(agent.username);
   await deleteAgent(c.env.DB, agent.id);
-  if (c.env.MAILS_ADMIN_TOKEN) {
+  const remaining = await c.env.DB.prepare("SELECT 1 FROM agents WHERE username = ? LIMIT 1").bind(agent.username).first();
+  if (c.env.MAILS_ADMIN_TOKEN && !remaining) {
     await deleteMailbox(c.env.MAILS_ADMIN_TOKEN, email);
   }
 
   // Remove email from GitHub (best-effort)
   const token = await getGithubToken(c.env.DB, c.get("ownerId"));
-  if (token) {
+  if (token && !remaining) {
     await removeAgentEmail(token, email).catch((err: unknown) => {
       logger.warn(`github email cleanup failed for ${email}: ${err instanceof Error ? err.message : String(err)}`);
     });
 
@@ -119,6 +119,10 @@ export abstract class ApiClient {
   deleteAgent(agentId: string) {
     return this.request("DELETE", `/api/agents/${agentId}`);
   }
+  async publishAgent(agentId: string) {
+    const agent = (await this.getAgent(agentId)) as { username: string };
+    return this.request("PUT", `/api/agents/${agent.username}/versions/latest`, { agent_id: agentId });
+  }
 
   // Machines
   registerMachine(info: { name: string; os: string; version: string; runtimes: MachineRuntime[]; device_id: string }) {