fix(gitea-bot): add write:organization scope so bot can create repos

Without this the bot PAT 403s on POST /orgs/{org}/repos, which is
the single most important operation — creating new project repos
inside the workspace's Gitea org.

Made-with: Cursor

app/api/github/connect/route.ts

@@ -1,11 +1,10 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export async function POST(request: Request) {
   try {
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
@@ -43,7 +42,7 @@ export async function POST(request: Request) {
 
 export async function GET(request: Request) {
   try {
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
@@ -73,7 +72,7 @@ export async function GET(request: Request) {
 
 export async function DELETE(request: Request) {
   try {
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/advisor/route.ts

@@ -10,8 +10,7 @@
  * and injects it as knowledge_context into the orchestrator's system prompt.
  */
 import { NextRequest } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? 'https://agents.vibnai.com';
@@ -129,7 +128,7 @@ export async function POST(
 ) {
   const { projectId } = await params;
 
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return new Response('Unauthorized', { status: 401 });
   }

app/api/projects/[projectId]/agent-chat/route.ts

@@ -1,6 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { getServerSession } from "next-auth/next";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
 
 const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? "http://localhost:3333";
@@ -87,7 +86,7 @@ export async function POST(
   req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
@@ -190,7 +189,7 @@ export async function DELETE(
   _req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }

app/api/projects/[projectId]/agent/sessions/[sessionId]/approve/route.ts

@@ -8,8 +8,7 @@
  * Body: { commitMessage: string }
  */
 import { NextResponse } from "next/server";
-import { getServerSession } from "next-auth";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
 
 const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? "http://localhost:3333";
@@ -29,7 +28,7 @@ export async function POST(
 ) {
   try {
     const { projectId, sessionId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }

app/api/projects/[projectId]/agent/sessions/[sessionId]/events/route.ts

@@ -6,8 +6,7 @@
  *   Batch append from vibn-agent-runner (x-agent-runner-secret).
  */
 import { NextResponse } from "next/server";
-import { getServerSession } from "next-auth";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query, getPool } from "@/lib/db-postgres";
 
 export interface AgentSessionEventRow {
@@ -23,7 +22,7 @@ export async function GET(
 ) {
   try {
     const { projectId, sessionId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }

app/api/projects/[projectId]/agent/sessions/[sessionId]/events/stream/route.ts

@@ -2,8 +2,7 @@
  * GET /api/projects/.../agent/sessions/.../events/stream?afterSeq=0
  * Server-Sent Events: tail agent_session_events while the session is active.
  */
-import { getServerSession } from "next-auth";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query, queryOne } from "@/lib/db-postgres";
 
 export const dynamic = "force-dynamic";
@@ -17,7 +16,7 @@ export async function GET(
   req: Request,
   { params }: { params: Promise<{ projectId: string; sessionId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return new Response("Unauthorized", { status: 401 });
   }

app/api/projects/[projectId]/agent/sessions/[sessionId]/retry/route.ts

@@ -9,8 +9,7 @@
  *                  understands what was already tried
  */
 import { NextResponse } from "next/server";
-import { getServerSession } from "next-auth";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
 
 const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? "http://localhost:3333";
@@ -21,7 +20,7 @@ export async function POST(
 ) {
   try {
     const { projectId, sessionId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }

app/api/projects/[projectId]/agent/sessions/[sessionId]/route.ts

@@ -7,8 +7,7 @@
  *   (handled in /stop/route.ts)
  */
 import { NextResponse } from "next/server";
-import { getServerSession } from "next-auth";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
 
 export async function GET(
@@ -17,7 +16,7 @@ export async function GET(
 ) {
   try {
     const { projectId, sessionId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }

app/api/projects/[projectId]/agent/sessions/[sessionId]/stop/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from "next/server";
-import { getServerSession } from "next-auth";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
 
 const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? "http://localhost:3333";
@@ -11,7 +10,7 @@ export async function POST(
 ) {
   try {
     const { projectId, sessionId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }

app/api/projects/[projectId]/agent/sessions/route.ts

@@ -9,8 +9,7 @@
  *   List all sessions for a project, newest first.
  */
 import { NextResponse } from "next/server";
-import { getServerSession } from "next-auth";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
 
 const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? "http://localhost:3333";
@@ -33,7 +32,7 @@ export async function POST(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }
@@ -131,7 +130,7 @@ export async function GET(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
     }

app/api/projects/[projectId]/analysis-status/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export async function GET(
@@ -9,7 +8,7 @@ export async function GET(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/analyze-chats/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export const maxDuration = 60;
@@ -37,7 +36,7 @@ export async function POST(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/analyze-repo/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 import { execSync } from 'child_process';
 import { existsSync, readdirSync, readFileSync, statSync, rmSync } from 'fs';
@@ -79,7 +78,7 @@ export async function POST(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/analyze/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? 'http://localhost:3333';
@@ -10,7 +9,7 @@ export async function GET(
   _req: Request,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -68,7 +67,7 @@ export async function POST(
   _req: Request,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
   }

app/api/projects/[projectId]/apps/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 const GITEA_API_URL = process.env.GITEA_API_URL ?? 'https://git.vibnai.com';
@@ -25,7 +24,7 @@ export async function GET(
 ) {
   const { projectId } = await params;
 
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
   }
@@ -125,7 +124,7 @@ export async function PATCH(
 ) {
   const { projectId } = await params;
 
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
   }

app/api/projects/[projectId]/architecture/route.ts

@@ -1,6 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { getServerSession } from "next-auth/next";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
 
 const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? "http://localhost:3333";
@@ -13,7 +12,7 @@ export async function GET(
   _req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
@@ -43,7 +42,7 @@ export async function POST(
   req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
@@ -184,7 +183,7 @@ export async function PATCH(
   _req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }

app/api/projects/[projectId]/atlas-chat/route.ts

@@ -1,18 +1,47 @@
 import { NextRequest, NextResponse } from "next/server";
-import { getServerSession } from "next-auth/next";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
+import {
+  augmentAtlasMessage,
+  parseContextRefs,
+} from "@/lib/chat-context-refs";
 
 const AGENT_RUNNER_URL = process.env.AGENT_RUNNER_URL ?? "http://localhost:3333";
 
+const ALLOWED_SCOPES = new Set(["overview", "build"]);
+
+function normalizeScope(raw: string | null | undefined): "overview" | "build" {
+  const s = (raw ?? "overview").trim();
+  return ALLOWED_SCOPES.has(s) ? (s as "overview" | "build") : "overview";
+}
+
+function runnerSessionId(projectId: string, scope: "overview" | "build"): string {
+  return scope === "overview" ? `atlas_${projectId}` : `atlas_${projectId}__build`;
+}
+
 // ---------------------------------------------------------------------------
-// DB helpers — atlas_conversations table
+// DB — atlas_chat_threads (project_id + scope); legacy atlas_conversations → overview
 // ---------------------------------------------------------------------------
 
-let tableReady = false;
+let threadsTableReady = false;
+let legacyTableChecked = false;
 
-async function ensureTable() {
-  if (tableReady) return;
+async function ensureThreadsTable() {
+  if (threadsTableReady) return;
+  await query(`
+    CREATE TABLE IF NOT EXISTS atlas_chat_threads (
+      project_id TEXT NOT NULL,
+      scope      TEXT NOT NULL,
+      messages   JSONB NOT NULL DEFAULT '[]'::jsonb,
+      updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+      PRIMARY KEY (project_id, scope)
+    )
+  `);
+  threadsTableReady = true;
+}
+
+async function ensureLegacyConversationsTable() {
+  if (legacyTableChecked) return;
   await query(`
     CREATE TABLE IF NOT EXISTS atlas_conversations (
       project_id TEXT PRIMARY KEY,
@@ -20,31 +49,47 @@ async function ensureTable() {
       updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
     )
   `);
-  tableReady = true;
+  legacyTableChecked = true;
 }
 
-async function loadAtlasHistory(projectId: string): Promise<any[]> {
+async function loadAtlasHistory(projectId: string, scope: "overview" | "build"): Promise<any[]> {
   try {
-    await ensureTable();
+    await ensureThreadsTable();
     const rows = await query<{ messages: any[] }>(
-      `SELECT messages FROM atlas_conversations WHERE project_id = $1`,
-      [projectId]
+      `SELECT messages FROM atlas_chat_threads WHERE project_id = $1 AND scope = $2`,
+      [projectId, scope]
     );
-    return rows[0]?.messages ?? [];
+    if (rows.length > 0) {
+      const fromThreads = rows[0]?.messages;
+      return Array.isArray(fromThreads) ? fromThreads : [];
+    }
+    if (scope === "overview") {
+      await ensureLegacyConversationsTable();
+      const leg = await query<{ messages: any[] }>(
+        `SELECT messages FROM atlas_conversations WHERE project_id = $1`,
+        [projectId]
+      );
+      const legacyMsgs = leg[0]?.messages ?? [];
+      if (Array.isArray(legacyMsgs) && legacyMsgs.length > 0) {
+        await saveAtlasHistory(projectId, scope, legacyMsgs);
+        return legacyMsgs;
+      }
+    }
+    return [];
   } catch {
     return [];
   }
 }
 
-async function saveAtlasHistory(projectId: string, messages: any[]): Promise<void> {
+async function saveAtlasHistory(projectId: string, scope: "overview" | "build", messages: any[]): Promise<void> {
   try {
-    await ensureTable();
+    await ensureThreadsTable();
     await query(
-      `INSERT INTO atlas_conversations (project_id, messages, updated_at)
-       VALUES ($1, $2::jsonb, NOW())
-       ON CONFLICT (project_id) DO UPDATE
-         SET messages = $2::jsonb, updated_at = NOW()`,
-      [projectId, JSON.stringify(messages)]
+      `INSERT INTO atlas_chat_threads (project_id, scope, messages, updated_at)
+       VALUES ($1, $2, $3::jsonb, NOW())
+       ON CONFLICT (project_id, scope) DO UPDATE
+         SET messages = $3::jsonb, updated_at = NOW()`,
+      [projectId, scope, JSON.stringify(messages)]
     );
   } catch (e) {
     console.error("[atlas-chat] Failed to save history:", e);
@@ -66,21 +111,36 @@ async function savePrd(projectId: string, prdContent: string): Promise<void> {
   }
 }
 
+/** Replace the latest user message content so DB/UI never show the internal ref prefix. */
+function scrubLastUserMessageContent(history: unknown[], cleanText: string): unknown[] {
+  if (!Array.isArray(history) || history.length === 0) return history;
+  const h = history.map(m => (m && typeof m === "object" ? { ...(m as object) } : m));
+  for (let i = h.length - 1; i >= 0; i--) {
+    const m = h[i] as { role?: string; content?: string };
+    if (m?.role === "user" && typeof m.content === "string") {
+      h[i] = { ...m, content: cleanText };
+      break;
+    }
+  }
+  return h;
+}
+
 // ---------------------------------------------------------------------------
 // GET — load stored conversation messages for display
 // ---------------------------------------------------------------------------
 
 export async function GET(
-  _req: NextRequest,
+  req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
 
   const { projectId } = await params;
-  const history = await loadAtlasHistory(projectId);
+  const scope = normalizeScope(req.nextUrl.searchParams.get("scope"));
+  const history = await loadAtlasHistory(projectId, scope);
 
   // Filter to only user/assistant messages (no system prompts) for display
   const messages = history
@@ -98,43 +158,50 @@ export async function POST(
   req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
 
   const { projectId } = await params;
-  const { message } = await req.json();
+  const body = await req.json();
+  const message = body?.message as string | undefined;
+  const contextRefs = parseContextRefs(body?.contextRefs);
   if (!message?.trim()) {
     return NextResponse.json({ error: "message is required" }, { status: 400 });
   }
 
-  const sessionId = `atlas_${projectId}`;
+  const scope = normalizeScope(body?.scope as string | undefined);
+  const sessionId = runnerSessionId(projectId, scope);
+  const cleanUserText = message.trim();
 
   // Load conversation history from DB to persist across agent runner restarts.
   // Strip tool_call / tool_response messages — replaying them across sessions
   // causes Gemini to reject the request with a turn-ordering error.
-  const rawHistory = await loadAtlasHistory(projectId);
+  const rawHistory = await loadAtlasHistory(projectId, scope);
   const history = rawHistory.filter((m: any) =>
     (m.role === "user" || m.role === "assistant") && m.content
   );
 
   // __init__ is a special internal trigger used only when there is no existing history.
   // If history already exists, ignore the init request (conversation already started).
-  const isInit = message.trim() === "__atlas_init__";
+  const isInit = cleanUserText === "__atlas_init__";
   if (isInit && history.length > 0) {
     return NextResponse.json({ reply: null, alreadyStarted: true });
   }
 
+  const runnerMessage = isInit
+    ? scope === "build"
+      ? "Begin as Vibn in build mode. The user is working in their monorepo. Ask what they want to ship or fix next, and offer concrete implementation guidance. Do not acknowledge this as an internal trigger."
+      : "Begin the conversation. Introduce yourself as Vibn and ask what the user is building. Do not acknowledge this as an internal trigger."
+    : augmentAtlasMessage(cleanUserText, contextRefs);
+
   try {
     const res = await fetch(`${AGENT_RUNNER_URL}/atlas/chat`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
-        // For init, send the greeting prompt but don't store it as a user message
-        message: isInit
-          ? "Begin the conversation. Introduce yourself as Vibn and ask what the user is building. Do not acknowledge this as an internal trigger."
-          : message,
+        message: runnerMessage,
         session_id: sessionId,
         history,
         is_init: isInit,
@@ -153,11 +220,16 @@ export async function POST(
 
     const data = await res.json();
 
-    // Persist updated history
-    await saveAtlasHistory(projectId, data.history ?? []);
+    let historyOut = data.history ?? [];
+    // Store the user's line without the internal reference block (UI shows clean text).
+    if (!isInit && cleanUserText !== "__atlas_init__") {
+      historyOut = scrubLastUserMessageContent(historyOut, cleanUserText);
+    }
 
-    // If Atlas finalized the PRD, save it to the project
-    if (data.prdContent) {
+    await saveAtlasHistory(projectId, scope, historyOut);
+
+    // If Atlas finalized the PRD, save it to the project (discovery / overview)
+    if (data.prdContent && scope === "overview") {
       await savePrd(projectId, data.prdContent);
     }
 
@@ -181,24 +253,35 @@ export async function POST(
 // ---------------------------------------------------------------------------
 
 export async function DELETE(
-  _req: NextRequest,
+  req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
 
   const { projectId } = await params;
-  const sessionId = `atlas_${projectId}`;
+  const scope = normalizeScope(req.nextUrl.searchParams.get("scope"));
+  const sessionId = runnerSessionId(projectId, scope);
 
   try {
-    await fetch(`${AGENT_RUNNER_URL}/atlas/sessions/${sessionId}`, { method: "DELETE" });
+    await fetch(`${AGENT_RUNNER_URL}/atlas/sessions/${encodeURIComponent(sessionId)}`, { method: "DELETE" });
   } catch { /* runner may be down */ }
 
   try {
-    await query(`DELETE FROM atlas_conversations WHERE project_id = $1`, [projectId]);
+    await ensureThreadsTable();
+    await query(
+      `DELETE FROM atlas_chat_threads WHERE project_id = $1 AND scope = $2`,
+      [projectId, scope]
+    );
   } catch { /* table may not exist yet */ }
 
+  if (scope === "overview") {
+    try {
+      await query(`DELETE FROM atlas_conversations WHERE project_id = $1`, [projectId]);
+    } catch { /* legacy */ }
+  }
+
   return NextResponse.json({ cleared: true });
 }

app/api/projects/[projectId]/design-surfaces/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 /**
@@ -12,7 +11,7 @@ export async function GET(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
 
     const rows = await query<{ data: Record<string, unknown> }>(
@@ -49,7 +48,7 @@ export async function PATCH(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
 
     // Step 1: read current data — explicit ::text casts on every param

app/api/projects/[projectId]/file/route.ts

@@ -6,8 +6,7 @@
  * Response for file:      { type: "file", content: string, encoding: "utf8" | "base64" }
  */
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 const GITEA_API_URL = process.env.GITEA_API_URL ?? 'https://git.vibnai.com';
@@ -39,7 +38,7 @@ export async function GET(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/generate-migration-plan/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export const maxDuration = 120;
@@ -28,7 +27,7 @@ export async function POST(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/knowledge/import-ai-chat/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 import { createKnowledgeItem } from '@/lib/server/knowledge';
 import type { KnowledgeSourceMeta } from '@/lib/types/knowledge';
@@ -34,7 +33,7 @@ export async function POST(
       return NextResponse.json({ error: 'transcript is required' }, { status: 400 });
     }
 
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/knowledge/items/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export async function GET(
@@ -10,7 +9,7 @@ export async function GET(
   try {
     const { projectId } = await params;
 
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/knowledge/route.ts

@@ -1,6 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { getServerSession } from "next-auth/next";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
 
 async function assertOwnership(projectId: string, email: string): Promise<boolean> {
@@ -18,7 +17,7 @@ export async function GET(
   _req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
   const { projectId } = await params;
@@ -41,7 +40,7 @@ export async function POST(
   req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
   const { projectId } = await params;
@@ -83,7 +82,7 @@ export async function DELETE(
   req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
   const { projectId } = await params;

app/api/projects/[projectId]/preview-url/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 import { listApplications, CoolifyApplication } from '@/lib/coolify';
 
@@ -20,7 +19,7 @@ export async function GET(
 ) {
   const { projectId } = await params;
 
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
   }

app/api/projects/[projectId]/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export async function GET(
@@ -10,7 +9,7 @@ export async function GET(
   try {
     const { projectId } = await params;
 
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
@@ -45,7 +44,7 @@ export async function PATCH(
     const { projectId } = await params;
     const body = await request.json();
 
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/save-phase/route.ts

@@ -1,6 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { getServerSession } from "next-auth/next";
-import { authOptions } from "@/lib/auth/authOptions";
+import { authSession } from "@/lib/auth/session-server";
 import { query } from "@/lib/db-postgres";
 
 // ---------------------------------------------------------------------------
@@ -11,7 +10,7 @@ export async function POST(
   req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
@@ -85,7 +84,7 @@ export async function GET(
   _req: NextRequest,
   { params }: { params: Promise<{ projectId: string }> }
 ) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user?.email) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }

app/api/projects/[projectId]/vision/route.ts

@@ -1,6 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export async function POST(
@@ -9,7 +8,7 @@ export async function POST(
 ) {
   try {
     const { projectId } = await params;
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/[projectId]/workspace/route.ts

@@ -1,6 +1,5 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 import { provisionTheiaWorkspace } from '@/lib/cloud-run-workspace';
 
@@ -11,7 +10,7 @@ export async function POST(
   try {
     const { projectId } = await params;
 
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/delete/route.ts

@@ -1,11 +1,10 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export async function POST(request: Request) {
   try {
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/deploy/route.ts

@@ -8,14 +8,13 @@
  */
 
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 import { deployApplication } from '@/lib/coolify';
 
 export async function POST(request: Request) {
   try {
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/projects/prewarm/route.ts

@@ -1,6 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { prewarmWorkspace } from '@/lib/cloud-run-workspace';
 
 /**
@@ -12,7 +11,7 @@ import { prewarmWorkspace } from '@/lib/cloud-run-workspace';
  * to avoid CORS issues with run.app domains.
  */
 export async function POST(req: NextRequest) {
-  const session = await getServerSession(authOptions);
+  const session = await authSession();
   if (!session?.user) {
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
   }

app/api/projects/route.ts

@@ -1,11 +1,10 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export async function GET() {
   try {
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }

app/api/sessions/route.ts

@@ -1,11 +1,10 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 
 export async function GET(request: Request) {
   try {
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json([], { status: 200 });
     }

app/api/user/api-key/route.ts

@@ -1,12 +1,11 @@
 import { NextResponse } from 'next/server';
-import { getServerSession } from 'next-auth';
-import { authOptions } from '@/lib/auth/authOptions';
+import { authSession } from "@/lib/auth/session-server";
 import { query } from '@/lib/db-postgres';
 import { v4 as uuidv4 } from 'uuid';
 
 export async function GET(request: Request) {
   try {
-    const session = await getServerSession(authOptions);
+    const session = await authSession();
     if (!session?.user?.email) {
       return NextResponse.json({ error: 'No authorization token provided' }, { status: 401 });
     }