agent-zero/skills/a0-development/references/api-webui.md
Alessandro 4b49386f96 Refactor a0-development into grounded references
Split the monolithic a0-development skill into a lean entry point plus focused reference files for runtime, DOX, tools, extensions, API/WebUI, profiles, prompts, skills, projects, and plugin workflow.

Update the skill DOX ownership for the new references directory and clarify the root framework-vs-agent Python runtimes plus port-discovery guidance.

Verified with git diff --check, targeted skill/tool tests under PYTHONPATH, and live localhost:32769 skill loading/read_file checks before committing.
2026-06-23 17:51:43 +02:00

3.2 KiB

API And WebUI

Source Anchors

  • HTTP handler base and route registration: /a0/helpers/api.py
  • API DOX: /a0/api/AGENTS.md
  • WebSocket handler base: /a0/helpers/ws.py
  • WebUI shell DOX: /a0/webui/AGENTS.md
  • Component and JS DOX: /a0/webui/components/AGENTS.md, /a0/webui/js/AGENTS.md
  • Frontend extension loading: /a0/webui/js/extensions.js

HTTP API Contract

HTTP API handlers derive from helpers.api.ApiHandler:

from flask import Request, Response
from helpers.api import ApiHandler

class MyEndpoint(ApiHandler):
    @classmethod
    def get_methods(cls) -> list[str]:
        return ["POST"]

    async def process(self, input: dict, request: Request) -> dict | Response:
        return {"ok": True}

Defaults from ApiHandler:

Method Default
requires_loopback() False
requires_api_key() False
requires_auth() True
get_methods() ["POST"]
requires_csrf() requires_auth()

Override these only when the endpoint contract requires it. Keep auth and CSRF protection intact for browser-facing state changes.

API Routes

helpers.api.register_api_route(...) registers:

/api/<path:path>

Resolution:

  • Built-in endpoint api/<name>.py becomes /api/<name>.
  • Plugin endpoint plugins/<plugin>/api/<handler>.py becomes /api/plugins/<plugin>/<handler>.

Return a Flask Response for files, redirects, custom status codes, and plain text. Return a dictionary for JSON success payloads.

Direct files under api/*.py require matching api/*.py.dox.md.

WebSocket Handlers

WebSocket handlers live in api/ws_*.py or plugin API folders and derive from helpers.ws.WsHandler:

from helpers.ws import WsHandler

class MyHandler(WsHandler):
    async def process(self, event: str, data: dict, sid: str) -> dict | None:
        return {"ok": True}

WsHandler mirrors ApiHandler security flags: auth defaults to True, CSRF defaults to auth, API-key and loopback default to False. Handlers should validate event data before using it and avoid returning secrets or unfiltered exception details.

WebUI Work

Follow the nearest WebUI DOX before changing frontend files:

  • webui/AGENTS.md for the shell, CSS, assets, vendor, and extension loader.
  • webui/js/AGENTS.md for stores, modals, API helpers, and JS infrastructure.
  • webui/components/AGENTS.md and child docs for Alpine components.

Patterns:

  • Store-dependent content should be gated by a template x-if guard before using $store.<name>.
  • Stores are registered with createStore from /js/AlpineStore.js.
  • Modals use openModal(path) and closeModal() from /js/modals.js.
  • Plugin settings UIs bind persisted plugin values to config.* and modal-only state/actions to context.*.
  • Plugin UI should use the A0 notification system instead of inline success/error boxes.

Verification

  • Run endpoint-specific tests or nearest API/WebSocket tests for handler behavior.
  • For auth, CSRF, upload/download, tunnel, or file endpoints, run security-focused regressions.
  • For WebUI changes, use targeted component/store tests or a browser smoke check when practical.
  • Check file-level DOX coverage when touching direct api/*.py modules.