{
  "name": "Thynaptic PocketBase (agent operations)",
  "schema_version": "2026-04-11",
  "base_url": "https://pocketbase.thynaptic.com",
  "public_manifest_url": "https://pocketbase.thynaptic.com/agent.json",
  "public_manifest_well_known": "https://pocketbase.thynaptic.com/.well-known/agent.json",
  "human_landing_page": "https://pocketbase.thynaptic.com/",
  "pocketbase_version": "0.22.x",
  "description": "This stack is primarily operated by build agents, not the dashboard. Use the right credential class for the job.",
  "related_agent_manifests": {
    "ori_developer_portal": "https://dev.thynaptic.com/agent.json",
    "note": "ORI runtime and GLM integration are defined there. This file is the companion manifest for PocketBase-only work (schema, records, migrations)."
  },

  "auth_modes": {
    "superuser": {
      "purpose": "Full admin: create/update/delete collections, indexes, API rules; CRUD any record; settings. API collection rules are ignored.",
      "collection": "_superusers",
      "env": {
        "POCKETBASE_URL": "https://pocketbase.thynaptic.com",
        "POCKETBASE_SUPERUSER_EMAIL": "<superuser email>",
        "POCKETBASE_SUPERUSER_PASSWORD": "<secret; store in vault>"
      },
      "token_request": {
        "method": "POST",
        "path": "/api/collections/_superusers/auth-with-password",
        "headers": { "Content-Type": "application/json" },
        "body": {
          "identity": "${POCKETBASE_SUPERUSER_EMAIL}",
          "password": "${POCKETBASE_SUPERUSER_PASSWORD}"
        }
      },
      "authorization_header": "Authorization: Bearer <token from .token>",
      "cli": "POCKETBASE_URL=... POCKETBASE_SUPERUSER_EMAIL=... POCKETBASE_SUPERUSER_PASSWORD=... /root/scripts/pb-token superuser"
    },
    "service_account": {
      "purpose": "Bounded automation against existing collections (G-LM, memory, tenants, etc.). Requests remain subject to collection API rules and the scopes JSON.",
      "collection": "service_accounts",
      "env": {
        "POCKETBASE_URL": "https://pocketbase.thynaptic.com",
        "POCKETBASE_AUTH_COLLECTION": "service_accounts",
        "POCKETBASE_IDENTITY": "<service email>",
        "POCKETBASE_PASSWORD": "<secret; min 15 chars>"
      },
      "token_request": {
        "method": "POST",
        "path": "/api/collections/service_accounts/auth-with-password",
        "headers": { "Content-Type": "application/json" },
        "body": {
          "identity": "${POCKETBASE_IDENTITY}",
          "password": "${POCKETBASE_PASSWORD}"
        }
      },
      "authorization_header": "Authorization: Bearer <token from .token>",
      "cli": "POCKETBASE_URL=... POCKETBASE_AUTH_COLLECTION=service_accounts POCKETBASE_IDENTITY=... POCKETBASE_PASSWORD=... /root/scripts/pb-token service"
    }
  },

  "primary_endpoints": {
    "health": "GET /api/health",
    "list_collections": "GET /api/collections (requires superuser token)",
    "get_collection": "GET /api/collections/{nameOrId} (requires superuser token)",
    "create_collection": "POST /api/collections (requires superuser token)",
    "patch_collection": "PATCH /api/collections/{nameOrId} (requires superuser token)",
    "delete_collection": "DELETE /api/collections/{nameOrId} (requires superuser token)",
    "records_crud": "/api/collections/{collection}/records[/{id}] — use service account or superuser per rules above"
  },

  "build_flow": [
    "Fetch this manifest from public_manifest_url when working outside this host.",
    "Pick the auth mode: superuser for schema changes or data fixes that must bypass collection API rules; service_accounts for normal bounded writes.",
    "POST to the matching auth-with-password endpoint; keep the returned JWT only in memory or in CI secrets, not in files, logs, or source control. Prefer /root/scripts/pb-token on the server.",
    "For schema changes: prefer adding a numbered migration under /pb_migrations, then systemctl restart pocketbase. Direct PATCH /api/collections is fine for fast iteration when you accept live-apply risk.",
    "For data: use standard Records API; timestamps must be RFC3339 with a T separator.",
    "After schema changes, verify with GET /api/collections/{name} and a smoke read/write on records."
  ],

  "host_operations": {
    "note": "Applies to the systemd PocketBase host (not Docker on this machine).",
    "binary": "/pocketbase",
    "data_dir": "/pb_data",
    "migrations_dir": "/pb_migrations",
    "static_agent_manifest_dir": "/root/pb_public",
    "working_directory": "/root",
    "restart": "systemctl restart pocketbase",
    "local_listen": "127.0.0.1:8090 (TLS terminates at reverse proxy)"
  },

  "invariants": [
    "Service account JWTs cannot substitute for superuser; collection/schema APIs require superuser.",
    "Superuser bypasses all collection API rules — treat superuser tokens as root-equivalent credentials for this database.",
    "service_accounts passwords: minimum length 15 (PocketBase auth rule).",
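    "Do not use the legacy /api/admins/auth-with-password endpoint — on current PocketBase, authenticate through the _superusers collection (verify the running release against pocketbase_version, since older releases do not provide _superusers).",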
    "Bad migration files can prevent clean startup; fix or remove the failing file before restart."
  ],

  "failure_modes": [
    { "condition": "missing_or_invalid_token", "result": "401" },
    { "condition": "authenticated_but_forbidden_rule_or_scope", "result": "403 (service accounts); superuser ignores rules" },
    { "condition": "schema_validation_or_field_error", "result": "400" }
  ],

  "docs": {
    "integration_readme": "/root/README_POCKETBASE_API.md",
    "service_accounts": "/root/SERVICE_ACCOUNTS_GUIDE.md",
    "rbac": "/root/POCKETBASE_RBAC_GUIDE.md",
    "ori_agent_json": "https://dev.thynaptic.com/agent.json",
    "ori_agent_json_well_known": "https://dev.thynaptic.com/.well-known/agent.json",
    "this_manifest": "https://pocketbase.thynaptic.com/agent.json",
    "human_dev_page": "https://pocketbase.thynaptic.com/"
  },

  "parity_with_ori_portal": [
    "Same discovery pattern as https://dev.thynaptic.com/agent.json: machine-readable contract, auth modes, build flow, invariants.",
    "This file is served as static content from PocketBase (see host_operations.static_agent_manifest_dir) so any agent can GET it over HTTPS without SSH."
  ]
}
