feat(api): agents routes + token mgmt (owner-only)

Add lib/api/routes/agents.js: list/create/get, PATCH capabilities,
mint token (plaintext returned exactly once, then bcrypt-hashed),
revoke token. All endpoints gated by requireOwner so an agent token
can never bootstrap a new agent or grant itself capabilities.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

tests/api/agents.test.js

@@ -0,0 +1,70 @@
+import { describe, it, expect, beforeAll } from 'vitest';
+import request from 'supertest';
+import { setup } from './helpers.js';
+import * as agentsRepo from '../../lib/db/repos/agents.js';
+
+let app, ownerHeaders;
+const owner = { kind: 'user', id: null };
+
+async function mintAgentToken(slug, caps = { read: true }) {
+  const a = await agentsRepo.create({
+    slug, name: slug, kind: 'claude', model: 'sonnet',
+    capabilities: caps, scopes: {}
+  }, owner);
+  const { token } = await agentsRepo.createToken(a.id, 'h');
+  return { Authorization: `Bearer ${token}` };
+}
+
+beforeAll(async () => { ({ app, ownerHeaders } = await setup()); });
+
+describe('agents routes (owner-only)', () => {
+  it('GET /api/agents requires owner', async () => {
+    const headers = await mintAgentToken(`x-${Date.now()}`);
+    const res = await request(app).get('/api/agents').set(headers);
+    expect(res.status).toBe(403);
+  });
+
+  it('owner can POST agent and mint token', async () => {
+    const slug = `m-${Date.now()}`;
+    const create = await request(app).post('/api/agents').set(ownerHeaders).send({
+      slug, name: 'Mercy', kind: 'claude', model: 'sonnet',
+      capabilities: { read: true, write: true }, scopes: { page: true }
+    });
+    expect(create.status).toBe(201);
+    const mint = await request(app).post(`/api/agents/${create.body.id}/tokens`).set(ownerHeaders)
+      .send({ label: 'laptop' });
+    expect(mint.status).toBe(201);
+    expect(mint.body.token).toBeDefined();
+    expect(mint.body.token).toMatch(/^vk_/);
+    expect(mint.body.id).toBeDefined();
+
+    const auth = { Authorization: `Bearer ${mint.body.token}` };
+    const spacesList = await request(app).get('/api/spaces').set(auth);
+    expect(spacesList.status).toBe(200);
+
+    const revoke = await request(app).delete(`/api/agent-tokens/${mint.body.id}`).set(ownerHeaders);
+    expect(revoke.status).toBe(204);
+    const after = await request(app).get('/api/spaces').set(auth);
+    expect(after.status).toBe(401);
+  });
+
+  it('PATCH /:id/capabilities updates caps', async () => {
+    const slug = `c-${Date.now()}`;
+    const create = await request(app).post('/api/agents').set(ownerHeaders).send({
+      slug, name: slug, kind: 'claude'
+    });
+    const res = await request(app).patch(`/api/agents/${create.body.id}/capabilities`).set(ownerHeaders)
+      .send({ capabilities: { read: true, suggest: true }, scopes: { page: true } });
+    expect(res.status).toBe(200);
+    expect(res.body.capabilities.suggest).toBe(true);
+    expect(res.body.scopes.page).toBe(true);
+  });
+
+  it('agent token cannot POST a new agent', async () => {
+    const headers = await mintAgentToken(`e-${Date.now()}`, { read: true, write: true });
+    const res = await request(app).post('/api/agents').set(headers).send({
+      slug: `bad-${Date.now()}`, name: 'Bad', kind: 'claude'
+    });
+    expect(res.status).toBe(403);
+  });
+});