CLI command modules. Wave 5a (v0.6.3) extracted these out of
main.rs so each handler can be unit-tested by capturing output
into a Vec<u8> via CliOutput instead of literal println!s.
HTTP handler module index. Per-domain handler code lives in the
sibling sub-modules; this file is the public-facing re-export
surface plus the inline test scaffolding.
v0.7.x (issue #1174 follow-up #1192 / #1196) — cross-surface
RuntimeContext for substrate state that spans the HTTP daemon,
the MCP stdio binary, and the CLI.
#951 (Track A QC sweep, 2026-05-20) — canonical
is_visible_to_caller helper, non-sal-gated so both feature
flag profiles share the same predicate. See module docstring
for the drift history that motivated the consolidation.
v0.7.0 #951 (Track A QC sweep, 2026-05-20) — single canonical
is_visible_to_caller helper, available on both sal and
non-sal builds.
v0.7.x (issue #1174 PR5 — pm-v3.1 namespace-sentinel sweep) — the
default namespace for AI-NHI memory writes when the caller omits
the namespace parameter. Bare value: "global".
Variants in pub enum Command (src/daemon_runtime.rs) that
COMPILE under the default build. The source file declares 82
variants; two (Migrate, SchemaInit) are #[cfg(feature = "sal")]-gated and excluded from default builds, leaving 80.
(v0.7.0 #1443 added Expand for the ai-memory expand CLI parity
surface, bumping 78 → 79; #1598 added Reembed for the
ai-memory reembed vector-space migration, bumping 79 → 80.)
Variants in pub enum Command that COMPILE under --features sal
(or sal-postgres, which implies sal in Cargo.toml). Equals the
awk-canonical source-file count: every variant declared in the
enum body (including Migrate + SchemaInit). v0.7.0 #1443 added
Expand, bumping 80 → 81; #1598 added Reembed, bumping 81 → 82.
Number of distinct URL paths (multi-line-aware) registered by the
production router. Derived via
awk '/\.route\(/{in=1}in&&/"\/[^"]*"/{match($0,/"\/[^"]*"/);print substr($0,RSTART,RLENGTH);in=0}' src/lib.rs | sort -u | wc -l
excluding the #[cfg(test)]-gated /slow slowloris route. Pinned
by tests/route_count_invariant.rs so the docs surface count
cannot drift silently. v0.7.0 multi-agent literal-sweep (scanner
A, finding F-A4.1) — previously the 73 unique URL paths count
was cited in 30+ doc sites with no const.
API-key auth header consumed by the HTTP daemon’s auth middleware
(handlers/transport.rs) and SENT by every internal client
(federation push/receive, CLI remote commands). Client and server
must agree byte-for-byte — a drifted copy is a silent auth break
(#1558 batch 4).
_inbox/ namespace prefix for agent-to-agent notification routing.
Reserved-namespace convention; the recipient’s target_agent id
is appended to form the canonical inbox namespace
(_inbox/<target>).
metadata.consolidated_from_agents — array of source authors,
preserved on memory_consolidate (the consolidator’s id becomes
agent_id; the original authors stay readable from this array).
Documented at CLAUDE.md §“Agent Identity (NHI)” → “Special metadata
keys”.
metadata.imported_from_agent_id — original NHI claim preserved
when ai-memory import restamps agent_id with the importing
caller’s id (absent when --trust-source is passed). Documented at
CLAUDE.md §“Agent Identity (NHI)” → “Special metadata keys”.
metadata.scope — visibility marker (one of [MemoryScope::all_strs]
at crate::models::namespace::MemoryScope). Controls which agents
can see a memory via hierarchical namespace matching per Task 1.5.
Memories without this key are treated as "private" by the query
layer (see crate::models::namespace::MemoryScope::default()).
metadata.target_agent_id — recipient NHI for memories that
represent agent-to-agent shares / notifications. Read by the
canonical visibility predicate is_visible_to_caller to permit
the named target to see otherwise-private rows alongside the owner.
Milliseconds per second — for secs→ms conversions feeding wire/SQL
surfaces that take milliseconds (e.g. postgres statement_timeout).
u64 matches the *_timeout_secs config field type; i64/u128
callers cast at the use site like the SECS_PER_* family above.
The crate version (compile-time CARGO_PKG_VERSION) as one named
const — wire surfaces (capabilities, serverInfo, backup manifests,
boot banners, webhook user-agent) all report it from here instead
of nine scattered env! calls (#1558 batch 5).
#1558 batch 5 wave 3 — canonical secret-redaction placeholder
rendered by every Debug impl that masks credential material
(AppConfig.api_key, [llm].api_key, ResolvedLlm.api_key,
HooksSubscriptionConfig.hmac_secret, x25519 Keypair.secret,
RuntimeContext.hooks_hmac_secret). One spelling, hoist-only;
src/llm.rs keeps its own site per the vendor carve-out.
F-B6 — test-side body read cap; pinned equal to the production limit so
tests exercise the full 0..=2 MiB envelope production accepts (was an
asymmetric 1 MiB across 90+ to_bytes(.., 1024 * 1024) call sites).
v0.7.0 H7 (round-2) — variant of build_router that takes an
explicit per-request wall-clock timeout. Composes a per-request
timeout middleware so a slow-POST (slowloris-style) attacker
cannot keep a handler scope alive indefinitely. Requests that
exceed the timeout get a 504 Gateway Timeout response with a
{"error":"request timed out"} body. The production daemon
calls this with the value resolved from
AppConfig::effective_request_timeout_secs (default 60 s); tests
pass a short timeout to drive the timeout edge directly.
Build the canonical inbox namespace for a target agent id.
Returns "_inbox/<target>" formatted via the
INBOX_NAMESPACE_PREFIX const. Use this in place of inline
format!("_inbox/{target}") so a future rename of the prefix
(or addition of validation, normalization, etc.) touches one
place. Closes scanner E finding F-E5 (#1436).