refactor(agents): unify caller scope across cli/web/lark/telegram (#466)

[eanzhao]

Closes #466.

Summary

• Bug fix — Lark /agents returned every catalog row when the NyxID /me owner-resolver fell back to null (token expired / 5xx / malformed envelope). Other users' agents leaked, and per-id ops (/run-agent, /disable-agent, /delete-agent) acted on them without ownership verification.
• Architectural fix — collapse scattered OwnerNyxUserId / Platform / ScopeId fields into a single proto sub-message OwnerScope (NyxUserId, Platform, RegistrationScopeId, SenderId); rewrite IUserAgentCatalogQueryPort as caller-scoped only (no QueryAllAsync / unscoped GetAsync); split the dual-purpose runtime port so LLM tools never transitively reach NyxApiKey.

What changed

Proto contracts

• New OwnerScope sub-message in channel_runtime_messages.proto.
• Embedded in UserAgentCatalogEntry, UserAgentCatalogDocument, UserAgentCatalogUpsertCommand, SkillRunnerOutboundConfig, WorkflowAgentState, InitializeWorkflowAgentCommand, WorkflowAgentInitializedEvent.
• Scattered legacy fields (OwnerNyxUserId, Platform) marked [deprecated = true] but kept readable on the wire so legacy state still loads. OwnerScope.FromLegacyFields lazy-backfills the nyxid surface; lark legacy rows fall through (deprecate-and-recreate per migration plan §3).

Caller-scope resolver layer

• ICallerScopeResolver + CallerScopeUnavailableException (fail-closed contract — no permissive fallthrough).
• NyxIdNativeCallerScopeResolver (cli/web), ChannelMetadataCallerScopeResolver (lark/telegram), CompositeCallerScopeResolver.
• INyxIdCurrentUserResolver extracts the NyxID /me lookup that was previously embedded in AgentBuilderTool.

Read port refactor

• IUserAgentCatalogQueryPort: only caller-scoped methods (GetForCallerAsync, QueryByCallerAsync, GetStateVersionForCallerAsync). Strict full-tuple OwnerScope equality; null collapses both "doesn't exist" and "exists but not yours" so non-owners cannot probe existence/version.
• IUserAgentCatalogRuntimeQueryPort deleted. Replaced by:
  • The same caller-scoped public port (LLM tools, no NyxApiKey in DTO).
  • New IUserAgentDeliveryTargetReader (internal-only, by-id, returns UserAgentDeliveryTarget record with NyxApiKey). Registered only for outbound delivery (FeishuCardHumanInteractionPort).

Tool surface

• AgentBuilderTool: drop owner_nyx_user_id arg from schema (impersonation surface). All per-id ops use caller-scoped reads. Resolver failure fails closed with structured error.
• AgentDeliveryTargetTool: drop owner_nyx_user_id and nyx_api_key args from schema. Use public caller-scoped port (no credential surface).
• FeishuCardHumanInteractionPort: take IUserAgentDeliveryTargetReader instead of the deleted runtime port.

Tests

• 24 new acceptance tests in UnifyCallerScopeAcceptanceTests covering each issue refactor(/agents): unify caller scope across cli/web/lark/telegram; remove fall-through filter (cross-user leak) #466 acceptance bullet:
  • cross-NyxID / cross-surface / cross-sender isolation
  • per-id ops on non-owned agent_id → null (no existence/version disclosure)
  • resolver fail-closed (NyxID /me failure, channel metadata partial)
  • composite resolver order (channel before native)
  • secret-boundary (public DTO never carries NyxApiKey)
  • legacy migration (nyxid backfills, lark deprecate-and-recreate)
• 473 existing tests updated by sub-agent to compile against the new contract.

Test plan

• dotnet build aevatar.slnx → 0 errors
• dotnet test test/Aevatar.GAgents.ChannelRuntime.Tests → 497 passed (24 new + 473 existing)
• dotnet test test/Aevatar.Workflow.Host.Api.Tests → 325 passed
• dotnet test test/Aevatar.GAgents.Channel.Protocol.Tests → 123 passed
• bash tools/ci/architecture_guards.sh → query/projection priming, projection state version, projection route mapping, proto lint, channel guards all green

Migration

• nyxid surface (cli + web): lazy backfill on read — existing rows with OwnerNyxUserId + Platform="nyxid" (or empty Platform) synthesize the OwnerScope on first read; no operator action needed.
• lark surface: deprecate-and-recreate. Legacy lark rows lack sender_id; backfilling would soft-match other senders on the same bot. Operators (or the user via /agents → Delete → recreate) re-provision affected agents. Acceptable scope: small footprint, agent UX is recreate-cheap (issue refactor(/agents): unify caller scope across cli/web/lark/telegram; remove fall-through filter (cross-user leak) #466 §3).

Out of scope (follow-ups)

• Removing the [deprecated] scattered fields from the proto (purely a cleanup PR after the lark deprecate-and-recreate migration completes).
• Full AgentBuilderApplicationService decomposition into surface-neutral application layer + per-channel adapters (issue refactor(/agents): unify caller scope across cli/web/lark/telegram; remove fall-through filter (cross-user leak) #466 §F + refactor(daily-builder): decompose AgentBuilderTool god function into command + saga; remove query-time projection polling #446). The structural fix this PR ships closes the security boundary; the file-level decomposition is a separate, larger refactor that can land on top of these contracts.
• Architecture-guard scripts (full-scan) for "no IAgentTool implementation depends on IUserAgentDeliveryTargetReader" and "UserAgentCatalogEntry does not carry NyxApiKey". Currently enforced by code review + the secret-boundary test; can be added to CI in a follow-up.

🤖 Generated with Claude Code

[eanzhao]

Blocking: OwnerScope never actually reaches UserAgentCatalogState. SkillRunnerGAgent / WorkflowAgentGAgent now set UserAgentCatalogUpsertCommand.OwnerScope, but UserAgentCatalogGAgent.HandleUpsertAsync still builds UserAgentCatalogEntry without copying command.OwnerScope. That means this projector sees entry.OwnerScope == null; for lark/telegram FromLegacyFields(...) intentionally returns null, so newly-created channel agents project with no owner scope and GetForCallerAsync / QueryByCallerAsync will never match them. A /daily create followed by /agents on Lark will look empty. Please persist/merge the scope in the upsert actor, and preferably validate new writes, e.g. copy command.OwnerScope?.Clone() (or existing scope for legacy merge) into the catalog entry instead of relying on the legacy fallback.

[eanzhao]

This still performs an unscoped catalog sweep and only filters in memory. Besides violating the new caller-scoped port contract, it is functionally wrong once the global catalog has more than 1000 rows: if the caller’s agents are not in the first page returned by the store, /agents returns an incomplete or empty list. Please push the full OwnerScope equality plus tombstone predicate into ProjectionDocumentQuery.Filters (nested owner_scope.nyx_user_id/platform/registration_scope_id/sender_id, tombstoned=false) and page as needed, rather than fetching the first global page and applying .Where(...) in application code.

[eanzhao]

The contract above says this reader returns null when the credential document has not materialized, but the implementation returns a target with NyxApiKey = "". FeishuCardHumanInteractionPort then calls ProxyRequestAsync with that empty token, so projection lag or a credential-less target becomes an outbound auth failure instead of “target unavailable”. Please fail closed here when credential is null or credential.NyxApiKey is blank (or surface a typed credential-unavailable error) before constructing the delivery target.

[eanzhao]

Review: unify caller scope (#466)

Overall well-structured security fix. The OwnerScope sub-message, fail-closed resolver chain, and secret boundary split are architecturally sound. Four issues flagged:

1. Duplicate ResolveCallerScopeAsync — identical method in both tools; extract to extension method on ICallerScopeResolver
2. Hardcoded "scope_id" string — ChannelMetadataCallerScopeResolver uses ChannelMetadataKeys.* for other keys but a raw string for scope_id
3. In-memory ownership filter — QueryByCallerAsync fetches all docs then filters client-side; security boundary needs TODO for predicate push-down
4. No ownership gate on IUserAgentDeliveryTargetReader — credential-exfiltration surface deferred to follow-up; minimum viable protection missing

[eanzhao]

1. Duplicate ResolveCallerScopeAsync — extract to shared utility

Both AgentBuilderTool.cs and AgentDeliveryTargetTool.cs contain an identical private static ResolveCallerScopeAsync method (~12 lines each). The is CompositeCallerScopeResolver type-check leaks the composite pattern into consumers.

Suggestion: Make this an extension method on ICallerScopeResolver so both tools just call await callerScopeResolver.RequireCallerScopeAsync(ct) — no type-check needed. The composite already does the same in its own RequireAsync.

[eanzhao]

2. Hardcoded "scope_id" string literal

ChannelMetadataCallerScopeResolver uses ChannelMetadataKeys.Platform and ChannelMetadataKeys.SenderId for the other metadata keys, but reads scope_id with a hardcoded string:

var registrationScopeId = NormalizeOptional(AgentToolRequestContext.TryGet("scope_id"));

This should use a constant (e.g. ChannelMetadataKeys.ScopeId). Inconsistent with the other reads in the same method.

[eanzhao]

3. QueryByCallerAsync fetches ALL documents then filters in-memory

The ownership filter is applied client-side after fetching up to 1000 documents from the projection store. This is inherited from the pre-existing QueryAllAsync, but now that ownership is a core security boundary (not just a convenience filter), this should have a // TODO: noting the filter should be pushed down to the store-level query once the projection query supports predicate push-down.

Also: if a tenant has >1000 agents, Take = 1000 silently drops results. Pre-existing, but now intersects with the security boundary.

[eanzhao]

4. No ownership gate on IUserAgentDeliveryTargetReader

UserAgentDeliveryTargetReader.GetAsync reads by agentId with zero ownership check — any code with access to this interface can read any agent's NyxApiKey. The PR acknowledges enforcement by DI registration + code review only, but:

1. No architecture guard yet (called out as follow-up, but this ships a credential-exfiltration surface).
2. The planned guard ("no IAgentTool depends on IUserAgentDeliveryTargetReader") is a negative constraint — doesn't prevent other middle-layer code from resolving it from DI.

Minimum: Add a [Obsolete("Internal-only: never inject into LLM tools")] or Roslyn analyzer, and a runtime debug-mode assertion.

[eanzhao]

Overall assessment

Excellent architectural fix. The direction is correct: collapsing scattered ownership fields into OwnerScope, making the query port caller-scoped, splitting the secret-bearing reader from the public DTO, and fail-closed resolver behavior. The 24 acceptance tests are thorough. A few concerns below.

---

1. RequireAsync on concrete type instead of interface

In both AgentBuilderTool.ResolveCallerScopeAsync and AgentDeliveryTargetTool.ResolveCallerScopeAsync, the code casts to CompositeCallerScopeResolver:

if (resolver is CompositeCallerScopeResolver composite)
    return await composite.RequireAsync(ct);

RequireAsync is only defined on CompositeCallerScopeResolver, not on ICallerScopeResolver. The fallback code (non-is path) does the same null-check+validate logic, so the cast is not strictly necessary — but it means any future non-CompositeCallerScopeResolver implementation of ICallerScopeResolver can't benefit from the RequireAsync convenience.

Suggestion: add RequireAsync as a default interface method on ICallerScopeResolver:

public interface ICallerScopeResolver
{
    Task<OwnerScope?> TryResolveAsync(CancellationToken ct = default);
    
    async Task<OwnerScope> RequireAsync(CancellationToken ct = default)
    {
        var scope = await TryResolveAsync(ct);
        if (scope is null)
            throw new CallerScopeUnavailableException("No caller scope resolver matched the current request context.");
        if (!scope.TryValidate(out var error))
            throw new CallerScopeUnavailableException("...");
        return scope;
    }
}

Then both tools can call await resolver.RequireAsync(ct) directly without the cast.

2. Duplicated ResolveCallerScopeAsync in two tools

AgentBuilderTool and AgentDeliveryTargetTool have identical private ResolveCallerScopeAsync methods. If you move RequireAsync to the interface (point 1), this duplication disappears — each tool just calls callerScopeResolver.RequireAsync(ct).

3. NyxIdCurrentUserResolver.IsErrorPayload — verify error envelope format

IsErrorPayload checks for "error": true (boolean value):

return doc.RootElement.TryGetProperty("error", out var errorProp)
       && errorProp.ValueKind == JsonValueKind.True;

Does the NyxID /me endpoint always return {"error": true, ...} for error responses, or could it return {"error": "502 Bad Gateway"} (string) or {"error": {"code": 401}} (object)? If the NyxID error envelope uses a different shape, this check would fail to detect errors and the code would fall through to trying to parse the "user" id from an error payload — which would return null anyway (safe), but the explicit error check wouldn't fire and the CallerScopeUnavailableException in the resolver would have a misleading message about "malformed payload" rather than "NyxID returned an error."

Recommendation: verify against the actual NyxID /me error response format, or make the check more robust by checking for the absence of expected success fields (e.g., no user object and no direct id/user_id/sub).

4. ReadString handles JsonValueKind.Number

if (property.ValueKind == JsonValueKind.Number) return property.GetRawText();

GetRawText() on a number can lose precision for large integer user IDs (e.g., 16+ digit IDs that exceed double precision boundaries). Unlikely to matter for NyxID user IDs, but worth noting.

5. AgentDeliveryTargetTool.UpsertAsync — NyxApiKey = string.Empty

The upsert command now always sets NyxApiKey = string.Empty with a comment that the actor's MergeNonEmpty policy preserves existing keys. This means AgentDeliveryTargetTool can no longer create new delivery-target entries with credentials — it can only update existing ones. This is intentional per the PR body ("credentials are minted+stored by the create flow"), but might surprise someone who sees "upsert" in the tool name. Consider renaming to update if the tool truly cannot insert new credential-bearing entries anymore.

---

Verdict: Approve with minor suggestions. None of the above should block merge — the fail-closed architecture and test coverage are solid.

[eanzhao]

Solid direction and most of the contract surface lands cleanly — resolver chain, port shape, secret-bearing reader split, schema embedding are all correct. But the integration is broken end-to-end for the lark surface, and a few of #466's architectural acceptance bullets aren't actually enforced. Requesting changes.

🚨 Blocker 1 — the lark surface is still broken end-to-end

UserAgentCatalogGAgent.HandleUpsertAsync (agents/Aevatar.GAgents.ChannelRuntime/UserAgentCatalogGAgent.cs:24-65, file unchanged in this PR) builds a fresh UserAgentCatalogEntry per upsert and never copies command.OwnerScope onto it. Every other field uses MergeNonEmpty(command.X, existing?.X); OwnerScope is silently dropped at the actor → event boundary.

End-to-end:

1. AgentBuilderTool.CreateDailyReportAgentAsync → sets InitializeSkillRunnerCommand.OutboundConfig.OwnerScope = caller ✓
2. SkillRunnerGAgent.UpsertRegistryAsync → command.OwnerScope = ownerScope ✓ (line 471)
3. UserAgentCatalogGAgent.HandleUpsertAsync → entry built without OwnerScope ❌
4. UserAgentCatalogProjector.MaterializeDocument → entry.OwnerScope is null, falls back to FromLegacyFields(OwnerNyxUserId, Platform). For platform="lark" this returns null per the migration plan §3.
5. Document persisted with OwnerScope = null.
6. /agents from same lark sender → DocumentMatchesCaller lazy-backfills again → null → no match. User sees empty list.

Same on the workflow path. So lark /agents is broken in the same direction the PR is meant to fix it — just routed through a different missing assignment.

The acceptance tests don't catch this because every readmodel test builds documents directly with OwnerScope = scope.Clone(), bypassing the actor. There is no test that exercises AgentBuilderTool.create → SkillRunnerGAgent → UserAgentCatalogGAgent → projector → query port for a lark caller. Add one.

The fix is one line in HandleUpsertAsync:

// merge semantics: an upsert without OwnerScope inherits existing
// (lifecycle re-upserts like UpdateRegistryExecutionAsync don't carry it)
OwnerScope = command.OwnerScope ?? existing?.OwnerScope,

And a unit test on HandleUpsertAsync that asserts the new entry's OwnerScope matches the command's.

🚨 Blocker 2 — predicate is not pushed to the projection store

UserAgentCatalogQueryPort.QueryByCallerAsync (line 47) does Take = 1000 + in-process .Where(DocumentMatchesCaller). Issue #466 acceptance is explicit: "the owner predicate is pushed into IProjectionDocumentReader via ProjectionDocumentFilter strict-equality on the full OwnerScope tuple." The xmldoc on IUserAgentCatalogQueryPort claims this is what the implementation does. It isn't.

Real consequences:

• Catalog past 1000 entries: owners on the back of the index silently disappear from /agents. The comment at lines 43-46 ("filter applies before serialization so a misconfigured tenant cannot probe other tenants' counts via Take") is wrong: take happens before filter, so the filter — not the count probe — is what gets truncated.
• Every list call drags ~1000 docs from ES per request; doesn't scale.
• CLAUDE.md 禁止侧读冒充 query — Take + .Where is the soft form.

The filter infra is already there (ProjectionDocumentFilter + FilterOperator.Eq + ProjectionDocumentValue.FromString). Push 4 Eq filters on owner_scope.{nyx_user_id, platform, registration_scope_id, sender_id}. The Get*ForCallerAsync paths can stay Get-then-equality (single doc), but Query must push.

🟠 Public DTO still surfaces OwnerNyxUserId and Platform

UserAgentCatalogQueryPort.ToEntry (lines 99-108):

Platform = document.Platform ?? string.Empty,
OwnerNyxUserId = document.OwnerNyxUserId ?? string.Empty,

#466 §A: "Replace the scattered OwnerNyxUserId / Platform / ScopeId fields. Do not extend the existing fragmented field set — collapse them into the sub-message in one step." Today the DTO carries both — entry.OwnerScope.NyxUserId AND entry.OwnerNyxUserId. Two sources of truth; downstream code reading the deprecated field bypasses scope semantics. JSON serializing the entry exposes both fields to the LLM/log target.

Either zero out the deprecated fields on the DTO (project them only into entry.OwnerScope, leave the legacy fields empty), or remove them from the proto in this PR. PR description claims the public DTO drops NyxApiKey (good) but the same surgery wasn't done for Platform / OwnerNyxUserId.

🟠 Architecture guard for "no IAgentTool depends on IUserAgentDeliveryTargetReader" deferred

#466 §D was about a type boundary, not a convention. PR description acknowledges deferring the full-scan guard. Without it, the boundary is DI-registration discipline only — services.TryAddSingleton<IUserAgentDeliveryTargetReader, ...> reachable from any tool's IServiceProvider. Add a 5-line check to tools/ci/architecture_guards.sh:

# No IAgentTool implementation may depend on IUserAgentDeliveryTargetReader (#466 §D)
violators=$(rg -l 'class\s+\w+\s*:\s*[^{]*IAgentTool' agents/ src/ 2>/dev/null \
            | xargs -r rg -l 'IUserAgentDeliveryTargetReader' 2>/dev/null)
if [ -n "$violators" ]; then
  echo "IAgentTool implementation depends on IUserAgentDeliveryTargetReader:"
  echo "$violators"
  exit 1
fi

Also a guard for "UserAgentCatalogEntry is not surfaced via JSON serialization in any tool path with NyxApiKey populated" — but that one is harder to express; covered structurally by the proto-level removal in the cleanup PR.

🟠 OwnerScope.MatchesStrictly is Ordinal but factories normalize

OwnerScope.Partial.cs:59-62. ForChannel does .ToLowerInvariant() on Platform; FromLegacyFields does the same. But anyone constructing new OwnerScope { Platform = "Lark" } directly (proto deserialization, future caller, hand-written test) silently fails to match a "lark" document. Two complementary fixes:

1. Normalize on MatchesStrictly (defense-in-depth on every read).
2. Lock down the canonical set in TryValidate. xmldoc on OwnerScope says "closed canonical string set: nyxid, lark, telegram", but TryValidate (lines 26-31) accepts any non-empty string:

private static readonly HashSet<string> CanonicalPlatforms = new(StringComparer.Ordinal) { "nyxid", "lark", "telegram" };
// ... in TryValidate:
if (!CanonicalPlatforms.Contains(Platform)) {
    error = $"OwnerScope.platform '{Platform}' is not in the canonical set ({{nyxid, lark, telegram}})";
    return false;
}

Do both.

🟡 Minor

1. AgentDeliveryTargetTool.UpsertAsync silently downgrades to "rebind only" (line 231: NyxApiKey = string.Empty + comment "preserved through MergeNonEmpty"). For an existing entry this works. For a new entry, the upsert produces a credential-less delivery target that can't dispatch. Either reject the upsert when no entry exists for the caller, or document the semantic shift in the tool description (it's now an update-only tool; create-new now lives in AgentBuilderTool).
2. ChannelMetadataCallerScopeResolver.cs:55 reads literal "scope_id" instead of a typed key. AgentBuilderTool.cs:223 uses the same literal. If ChannelMetadataKeys.RegistrationScopeId doesn't exist yet, add it; string constants drift.
3. Legacy lark agents continue running but become invisible. IUserAgentDeliveryTargetReader.GetAsync is by-id with no scope, so legacy lark scheduled outbound continues to dispatch. But /agents shows nothing, so the user can't disable_agent / delete_agent them via the bot. "Deprecate-and-recreate" needs an operator path (admin script, scoped tombstone migration, or surface-conditional resurrection-on-read) — otherwise users see "unkillable" daily reports.
4. AgentBuilderTool.ResolveCallerScopeAsync and AgentDeliveryTargetTool.ResolveCallerScopeAsync are duplicated with the same if (resolver is CompositeCallerScopeResolver composite) ... runtime fallback. Two copies will drift. Promote RequireAsync to an extension method on ICallerScopeResolver (or default-interface method).
5. Acceptance tests stub at the port boundary — every cross-isolation property holds at the projection-filter level, but the actor → projector → query integration is unexercised. Combined with Blocker 1, that's what hid the lark regression. Add at least one test that goes through the actor.

---

Once Blocker 1 + 2 are fixed and the public-DTO leak is closed, the rest are landable as a small follow-up. The shape of the design is right; the wiring just isn't fully there yet.

[eanzhao]

Blocker 1 surfaces here, but the missing code is in UserAgentCatalogGAgent.HandleUpsertAsync (file unchanged in this PR). You set command.OwnerScope = ownerScope here, but the upsert handler at UserAgentCatalogGAgent.cs:35-60 builds a new UserAgentCatalogEntry via MergeNonEmpty for every other field and never copies command.OwnerScope. End-to-end the new lark agent ends up with entry.OwnerScope = null → projector lazy-backfills (returns null for lark per migration plan) → document has OwnerScope = null → query port can't match the caller → user sees empty /agents.

Fix in HandleUpsertAsync:

OwnerScope = command.OwnerScope ?? existing?.OwnerScope,

And add an UserAgentCatalogGAgentTests case asserting the new entry's OwnerScope matches the command's. The cross-isolation tests in UnifyCallerScopeAcceptanceTests build documents directly so they don't catch this.

[eanzhao]

Blocker 2 — filter is not pushed to the projection store. Take = 1000 + in-process .Where(...) is the same shape as the bug being fixed, just at a different layer.

The comment claims "the caller filter applies before serialization regardless so a misconfigured tenant cannot probe other tenants' counts via Take" — but the take happens before the filter, so it's the filter that gets truncated. Catalog past 1000 entries silently drops owners on the back of the ES index from /agents.

The IUserAgentCatalogQueryPort xmldoc says "the implementation pushes a strict full-tuple equality filter into the projection reader" — this is the implementation that's supposed to do that.

var filters = new[]
{
    new ProjectionDocumentFilter { FieldPath = "owner_scope.nyx_user_id",         Operator = Eq, Value = FromString(caller.NyxUserId) },
    new ProjectionDocumentFilter { FieldPath = "owner_scope.platform",            Operator = Eq, Value = FromString(caller.Platform) },
    new ProjectionDocumentFilter { FieldPath = "owner_scope.registration_scope_id", Operator = Eq, Value = FromString(caller.RegistrationScopeId) },
    new ProjectionDocumentFilter { FieldPath = "owner_scope.sender_id",           Operator = Eq, Value = FromString(caller.SenderId) },
};
var result = await _documentReader.QueryAsync(new ProjectionDocumentQuery { Filters = filters, Take = 1000 }, ct);

Note: this only works for documents that have OwnerScope set. The lazy-backfill currently in DocumentMatchesCaller would no longer apply. That's the right direction (force the migration to actually populate OwnerScope on disk) — which is also why Blocker 1 has to be fixed first.

[eanzhao]

Public DTO still leaks the deprecated scattered fields. entry.OwnerScope.NyxUserId AND entry.OwnerNyxUserId are both populated — two sources of truth. Anyone JSON-serializing the entry sends both to the LLM/log/wire.

Issue #466 §A: "do not extend the existing fragmented field set — collapse them into the sub-message in one step." Either zero these out here (project only into entry.OwnerScope) or drop them from the proto in this PR. The [deprecated] proto markers prevent only C# call sites with #pragma warning disable CS0612 discipline; serialization sees them anyway.

[eanzhao]

Silent semantic shift: NyxApiKey = string.Empty + comment relying on MergeNonEmpty means this tool's upsert is now update-only. For an existing delivery target it works (preserves the credential). For a new target it produces a credential-less row that can't dispatch.

If that's the design (creates moved entirely to AgentBuilderTool which mints keys server-side), the Description property and the JSON schema should say so explicitly: "Action upsert updates the routing of an existing delivery target; new targets are created via agent_builder.create_agent." Otherwise either reject the upsert when no entry exists for the caller, or accept nyx_api_key only for the existing-entry-missing case.

Minor: there's no test covering the create-via-this-tool path — if the design is "this tool is now update-only", lock that with a unit test that asserts upsert returns a structured error when no existing entry.

[eanzhao]

Case-sensitive Ordinal compare while ForChannel and FromLegacyFields lowercase — anyone constructing new OwnerScope { Platform = "Lark" } directly (proto deserialization, future caller, hand-written test fixture) silently fails to match a "lark" document.

Also, the xmldoc on OwnerScope (proto) says the canonical set is {nyxid, lark, telegram} but TryValidate accepts any non-empty string. Two complementary fixes:

1. Normalize on MatchesStrictly (every read fails-safe).
2. Lock down the canonical set in TryValidate:

private static readonly HashSet<string> CanonicalPlatforms = new(StringComparer.Ordinal) { "nyxid", "lark", "telegram" };

Do both.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.26%. Comparing base (bafcd70) to head (1a0e43b).
⚠️ Report is 11 commits behind head on dev.

@@            Coverage Diff             @@
##              dev     #467      +/-   ##
==========================================
+ Coverage   70.90%   71.26%   +0.36%     
==========================================
  Files        1209     1211       +2     
  Lines       87045    87420     +375     
  Branches    11411    11446      +35     
==========================================
+ Hits        61715    62297     +582     
+ Misses      20882    20643     -239     
- Partials     4448     4480      +32     

Flag	Coverage Δ
ci	71.26% <ø> (+0.36%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 25 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.