# API Route Map

> Generated 2026-05-17. Auth column: `session` = NextAuth cookie,
> `api_key` = `vibn_sk_…` bearer, `admin_secret` = env-var secret,
> `webhook_sig` = HMAC-SHA256, `public` = no auth.
>
> Tenant column: `workspace` = must belong to caller's workspace,
> `project` = must own project, `user` = must match session user,
> `global` = cross-workspace admin op.

## Chat

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/chat` | session | workspace | Main SSE chat with Gemini + tool loop |
| GET | `/api/chat/threads` | session | user | List threads |
| POST | `/api/chat/threads` | session | user | Create thread |
| GET | `/api/chat/threads/[id]` | session | user | Get thread + messages |
| PATCH | `/api/chat/threads/[id]` | session | user | Rename thread |
| DELETE | `/api/chat/threads/[id]` | session | user | Delete thread |

## AI (legacy, plan to deprecate)

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/ai/chat` | session | project | Old collector-mode chat (pre-tool) |
| GET | `/api/ai/conversation` | session | project | Fetch saved conversation history |
| DELETE | `/api/ai/conversation` | session | project | Wipe conversation history |
| POST | `/api/ai/conversation/reset` | session | project | Alias for DELETE |

## Projects

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET | `/api/projects` | session | user | List user's projects |
| POST | `/api/projects/create` | session | user | Create project (enforces quota) |
| POST | `/api/projects/delete` | session | project | Delete project |
| GET/PATCH | `/api/projects/[projectId]` | session | project | Get / update project |
| GET | `/api/projects/[projectId]/activity` | session | project | Activity feed |
| GET/POST | `/api/projects/[projectId]/anatomy` | session | project | Anatomy read/update |
| GET/POST | `/api/projects/[projectId]/apps` | session | project | App list / create |
| GET/POST | `/api/projects/[projectId]/design-kit` | session | project | Design kit CRUD |
| GET/POST | `/api/projects/[projectId]/plan` | session | project | Plan read/update |
| POST | `/api/projects/[projectId]/plan/intelligent` | session | project | AI plan generation |
| POST | `/api/projects/[projectId]/plan/mvp` | session | project | MVP plan |
| POST | `/api/projects/[projectId]/plan/marketing` | session | project | Marketing plan |
| POST | `/api/projects/[projectId]/documents/upload` | session | project | Upload brief |
| GET/POST | `/api/projects/[projectId]/secrets` | session | project | List/set project secrets (B-06) |
| GET/DELETE | `/api/projects/[projectId]/secrets/[key]` | session | project | Reveal/delete secret (B-06) |
| GET | `/api/projects/[projectId]/knowledge` | session | project | Knowledge items |
| POST | `/api/projects/[projectId]/knowledge/batch-extract` | session | project | Batch extract knowledge |
| GET/POST | `/api/projects/[projectId]/agent/sessions` | session | project | Agent session CRUD |
| GET | `/api/projects/[projectId]/agent/sessions/[sessionId]` | session | project | Session state |
| POST | `/api/projects/[projectId]/agent/sessions/[sessionId]/approve` | session | project | Approve session commit |
| POST | `/api/projects/[projectId]/agent/sessions/[sessionId]/stop` | session | project | Stop agent |
| GET | `/api/projects/[projectId]/agent/sessions/[sessionId]/events` | session | project | Event list |
| GET | `/api/projects/[projectId]/agent/sessions/[sessionId]/events/stream` | session | project | SSE event tail |

## Workspaces

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET | `/api/workspaces` | session/api_key | user | List workspaces |
| POST | `/api/workspaces/delete` | session | user | Delete workspace |
| GET | `/api/workspaces/[slug]` | session/api_key | workspace | Get workspace |
| GET/POST | `/api/workspaces/[slug]/apps` | session/api_key | workspace | List/create apps |
| GET/PATCH/DELETE | `/api/workspaces/[slug]/apps/[uuid]` | session/api_key | workspace | App CRUD |
| POST | `/api/workspaces/[slug]/apps/[uuid]/deploy` | session/api_key | workspace | Trigger deploy |
| GET | `/api/workspaces/[slug]/apps/[uuid]/logs` | session/api_key | workspace | Runtime logs |
| GET/PATCH | `/api/workspaces/[slug]/apps/[uuid]/envs` | session/api_key | workspace | Env vars |
| POST | `/api/workspaces/[slug]/apps/[uuid]/exec` | session/api_key | workspace | Remote exec |
| GET/POST | `/api/workspaces/[slug]/databases` | session/api_key | workspace | Database CRUD |
| GET | `/api/workspaces/[slug]/domains` | session/api_key | workspace | Domain list |
| GET/POST | `/api/workspaces/[slug]/keys` | session/api_key | workspace | API keys |
| POST | `/api/workspaces/[slug]/provision` | session/api_key | workspace | Provision workspace |

## MCP

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/mcp` | session/api_key | workspace | All 40+ MCP tools |
| GET/POST/DELETE | `/api/mcp/generate-key` | session | user | Manage MCP API keys |

## Auth / Sessions

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET/POST | `/api/auth/[...nextauth]` | public | - | NextAuth handlers |
| GET | `/api/user/api-key` | session | user | Get/create user API key |
| GET | `/api/sessions` | session | user | Session history |
| POST | `/api/sessions/track` | session | user | Track session event |
| POST | `/api/sessions/associate-project` | session | user | Link session to project |

## GitHub Integrations

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET/POST/DELETE | `/api/github/connect` | session | user | Legacy GitHub OAuth connect |
| GET | `/api/github/repos` | session | user | List connected repos |
| GET | `/api/github/repo-tree` | session | user | Repo file tree |
| GET | `/api/github/file-content` | session | user | Single file content |
| POST | `/api/github/oauth/token` | public | - | OAuth token exchange |
| GET | `/api/integrations/github/connect` | session | user | New OAuth connect |
| GET | `/api/integrations/github/callback` | public | - | OAuth callback |
| POST | `/api/integrations/github/disconnect` | session | user | Disconnect GitHub |
| GET | `/api/integrations/github/repos` | session | user | New integration repos |

## Webhooks

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/webhooks/gitea` | webhook_sig | project | Gitea push events → context snapshot |
| POST | `/api/webhooks/coolify` | webhook_sig | project | Deploy status → context snapshot |

## Invites (P4.8)

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| GET/POST | `/api/invites` | admin_secret | global | Create / list invite tokens |
| GET | `/api/invites/[token]` | public | - | Validate token (used by auth page) |
| POST | `/api/invites/[token]` | session | user | Redeem token on signup |

## Admin / Ops

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/admin/migrate` | admin_secret | global | Run SQL migrations |
| GET | `/api/admin/path-b` | admin_secret | global | Path B kill-switch state |
| POST | `/api/admin/path-b/disable` | admin_secret | global | Disable Path B |
| POST | `/api/admin/path-b/enable` | admin_secret | global | Enable Path B |
| POST | `/api/admin/path-b/idle-sweep` | admin_secret | global | Suspend idle dev containers |
| POST | `/api/admin/path-b/autosave` | admin_secret | global | Autosave workspace |
| POST | `/api/admin/backfill-isolation` | admin_secret | global | Backfill tenant isolation |
| POST | `/api/admin/path-b` | admin_secret | global | Path B bulk status |
| GET | `/api/internal/infra-health` | admin_secret | global | Coolify + SSH probe |

## Utilities

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| POST | `/api/context/summarize` | session | user | Gemini one-shot doc summary |
| GET | `/api/activity` | session | user | Workspace activity feed |
| GET | `/api/work-completed` | session | project | Work completed items |
| GET | `/api/stats` | session | user | Usage stats |
| GET | `/api/preview/embed` | session | user | HTML proxy for preview iframes |
| GET/POST | `/api/extension/link-project` | session | user | Browser extension project link |
| POST | `/api/vision/update` | session | project | Update project vision |
| GET | `/api/keys` | session | user | User key management |
| GET | `/api/design-systems/[id]/preview` | public | - | Design system preview HTML |
| GET | `/api/design-systems/[id]/showcase` | public | - | Design system showcase |

## Deprecated / V0

| Method | Path | Auth | Tenant | Purpose |
|--------|------|------|--------|---------|
| * | `/api/v0/*` | varies | varies | Legacy v0 integration (verify still used) |
| * | `/api/openai/*` | session | user | OpenAI GPT import (verify still used) |
| * | `/api/chatgpt/*` | session | user | ChatGPT conversation import |