feat(ai): migrate AI features from BYOK to XTM One agents (#149) #150

Open

m719 wants to merge 1 commit into main from 149-feat-use-xtm-one-for-ai-capabilities-remove-byok

Conversation

@m719 commented Jun 16, 2026 (Contributor)

The extension previously embedded its own LLM integration: users had to bring their own API keys (OpenAI, Anthropic, Gemini, or a custom endpoint), and the extension handled prompt engineering, JSON parsing of raw LLM output, and model selection directly in the browser.

This was fragile, hard to iterate on (prompt changes required extension releases), and put the burden of LLM configuration on end users.

With XTM One now hosting dedicated agents for each AI feature, the extension becomes a thin client: it sends structured task payloads and receives structured JSON responses. Prompt management, model routing, and output parsing all move server-side.

All 7 AI features (description generation, scenario generation, full scenario, atomic testing, email generation, entity discovery, relationship resolution) now call POST /api/v1/extension/execute-task with an agent slug. The AIClient class is reduced to a single executeTask() method that serializes the request into a content field and identifies the target agent via XTM_ONE_AGENT_SLUGS. Connection testing uses GET /api/v1/auth/me.

  • Deleted AIProvider type, apiKey, model, customBaseUrl, availableModels from AISettings — replaced with xtmOneUrl and apiToken

  • Settings UI (AITab.tsx) replaced provider/model dropdowns with XTM One URL + token fields; removed "Coming Soon" placeholder

  • Background handlers (ai-handlers.ts, ai-utils.ts) simplified to thin wrappers — removed prompt construction, JSON parsing, retry logic

  • Removed unused getMaxContentLength() export from ai-utils.ts

  • Removed dead AIGenerationRequest/AIGenerationResponse types

  • ai/prompts.ts — hardcoded prompt templates now managed as XTM One agent personas

  • ai/json-parser.ts — JSON extraction from raw LLM output no longer needed (XTM One returns structured data)

  • Corresponding test files: prompts.test.ts, json-parser.test.ts

  • Added credentials: 'omit' to OpenCTI client fetch calls

  • Fixed credentials: 'omit' ordering in OpenAEV client — moved after ...options spread to prevent callers from overriding it

  • Added user-friendly 401/404 error messages to OpenCTI and OpenAEV clients

  • Fixed misleading JSDoc on testConnection() (claimed "execute-task" but actually calls /auth/me)

All AI-gated UI surfaces now show "AI is not configured. Configure XTM One in extension settings." when XTM One is not set up. Previously, ScenarioTypeSelector and ScenarioFormView only showed a generic "AI not available" with no guidance. Enterprise-gate message standardized to "AI features require Enterprise Edition." across all views.

Related issues

How to test this PR

  • Install the extension locally (npm run build and load unpacked)
  • Open extension settings → verify BYOK provider selection (OpenAI, Anthropic, Gemini, Custom) is gone
  • Configure an XTM One endpoint URL and API token in the popup setup wizard
  • Trigger each AI feature (container description, scenario generation, full scenario generation, atomic test generation, email generation, entity discovery, relationship resolution) → verify they call XTM One agents and return results
  • Test with no XTM One configured → verify AI features are disabled with a clear prompt
  • Test with an invalid/expired token → verify a clear auth error is shown
  • Test with an unreachable endpoint → verify a clear network error is shown
  • Verify no LLM API keys remain in extension storage

Checklist

  • The PR title follows the Conventional Commits convention type(scope?): description (#issue)
  • I signed my commits
  • This PR is linked to an issue
  • I consider the submitted work as finished
  • I tested the code for its functionality
  • I added/updated the relevant documentation
  • Where necessary, I refactored code to improve the overall quality

Copilot AI review requested due to automatic review settings June 16, 2026 17:28
@m719 m719 linked an issue Jun 16, 2026 that may be closed by this pull request
@Filigran-Automation Filigran-Automation changed the title feat(ai): migrate AI features from BYOK to XTM One agents feat(ai): migrate AI features from BYOK to XTM One agents (#149) Jun 16, 2026
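
The `credentials: 'omit'` ordering fix listed in the description above, as an added JavaScript example that is not code from this PR or the extension; the builder names, token and caller options are constructed for illustration. It shows why the key has to come after the `...options` spread, including the case where a caller passes `credentials: undefined`.

```javascript
// Added illustration: helper names, token and option values are constructed,
// not taken from the extension's source.

// Ordering the PR describes as the defect: the default comes first, so any
// `credentials` key in the caller's options overwrites it during the spread.
function buildInitOverridable(token, options = {}) {
  return {
    credentials: 'omit',
    ...options,
    headers: { ...(options.headers || {}), Authorization: `Bearer ${token}` },
  };
}

// Ordering after the fix: object spread is last-writer-wins, so writing
// `credentials` after `...options` pins it regardless of what callers pass.
function buildInitPinned(token, options = {}) {
  return {
    ...options,
    headers: { ...(options.headers || {}), Authorization: `Bearer ${token}` },
    credentials: 'omit',
  };
}

// fetch() treats a missing or undefined `credentials` as 'same-origin', so
// only the literal 'omit' guarantees no cookies or HTTP auth are attached.
function allowsAmbientCredentials(init) {
  return init.credentials !== 'omit';
}

// Constructed caller inputs, including the easy-to-miss `undefined` case.
const CALLER_OPTIONS = [
  { method: 'POST' },
  { method: 'POST', credentials: 'include' },
  { method: 'GET', credentials: undefined },
];

// Returns, per caller input, whether the built init could carry ambient credentials.
function auditBuilder(build) {
  return CALLER_OPTIONS.map((opts) =>
    allowsAmbientCredentials(build('sample-token', opts)));
}

console.log('overridable:', auditBuilder(buildInitOverridable));
console.log('pinned:     ', auditBuilder(buildInitPinned));
```

A unit test that passes `credentials: 'include'` and `credentials: undefined` through the client's request builder and asserts the result is still `'omit'` keeps the ordering from regressing.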

Copilot AI left a comment

Pull request overview

This PR migrates the browser extension’s AI capabilities from in-browser BYOK LLM provider integrations to a thin-client model backed by XTM One agents, centralizing prompts/model routing/output parsing server-side and simplifying extension-side AI logic.

Changes:

  • Replaces BYOK AI settings/UI and provider logic with XTM One URL + API token configuration and a single execute-task invocation path.
  • Removes legacy prompt templates + JSON response parsing utilities (and corresponding tests), and updates background handlers/tests to use structured XTM One responses.
  • Improves platform client behavior (credentials handling + clearer auth/instance error messages) and adds token/profile deep-link helpers in the UI.

Reviewed changes

Copilot reviewed 45 out of 45 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| tests/unit/prompts.test.ts | Removes tests tied to deleted in-extension prompt templates. |
| tests/unit/json-parser.test.ts | Removes tests tied to deleted raw-LLM JSON parsing utilities. |
| tests/unit/platform-registry.test.ts | Adds coverage for new token/profile page URL derivation helpers. |
| tests/unit/opencti-client.test.ts | Updates expectations for new user-friendly auth/instance error mapping. |
| tests/unit/messages.test.ts | Updates message type coverage for AI_TEST_CONNECTION. |
| tests/unit/ai-utils.test.ts | Refactors tests to the XTM One task execution helper and structured responses. |
| tests/unit/ai-client.test.ts | Refactors tests to the XTM One execute-task contract and HTTP error mapping. |
| src/shared/types/messages.ts | Replaces model-fetch message type with XTM One connection test message type. |
| src/shared/types/ai.ts | Replaces provider/model settings with XTM One URL + API token configuration fields. |
| src/shared/platform/registry.ts | Adds tokenPagePath per platform and getTokenPageUrl() helper. |
| src/shared/api/opencti-client.ts | Adds credentials: 'omit' and clearer 401/404 + GraphQL auth error mapping. |
| src/shared/api/openaev-client.ts | Ensures credentials: 'omit' can’t be overridden; adds clearer 401/404 errors. |
| src/shared/api/ai/types.ts | Removes dead generation request/response types, keeps task-specific types. |
| src/shared/api/ai/prompts.ts | Deletes hardcoded prompt templates (now server-side in XTM One agents). |
| src/shared/api/ai/json-parser.ts | Deletes raw-LLM JSON extraction/parsing utilities (XTM One returns structured JSON). |
| src/shared/api/ai-client.ts | Implements XTM One agent invocation client with structured response envelopes and status mapping. |
| src/popup/types.ts | Adds XTM One status to connection status and wizard step typing. |
| src/popup/hooks/useSetupWizard.ts | Adds XTM One step to setup wizard and saves XTM One AI settings. |
| src/popup/hooks/usePlatformStatus.ts | Tracks and tests XTM One connectivity alongside OpenCTI/OpenAEV. |
| src/popup/components/PlatformSetupForm.tsx | Adds XTM One configuration metadata for the setup wizard UI. |
| src/popup/components/PlatformDetailsPopover.tsx | Displays XTM One connection card/status in the platform details popover. |
| src/popup/App.tsx | Adds XTM One setup step rendering and status indicator. |
| src/panel/views/OCTIContainerFormView.tsx | Updates AI disabled/EE gating messaging to reference XTM One consistently. |
| src/panel/views/OAEVScenarioView.tsx | Plumbs detailed AI-disabled reason into scenario type selector. |
| src/panel/views/OAEVAtomicTestingView.tsx | Updates AI disabled messaging to reference XTM One configuration. |
| src/panel/views/CommonScanResultsView.tsx | Updates AI not configured warnings to instruct XTM One setup. |
| src/panel/types/panel-types.ts | Removes obsolete provider from panel AI state (XTM One-only). |
| src/panel/components/scenario/ScenarioTypeSelector.tsx | Shows concrete AI-disabled reason instead of generic “AI not available”. |
| src/panel/components/scenario/ScenarioFormView.tsx | Improves tooltip messaging for AI email generation availability. |
| src/panel/App.tsx | Updates AI availability detection to XTM One URL + token. |
| src/options/constants.ts | Removes unused model type used by BYOK model selection. |
| src/options/components/PlatformCard.tsx | Adds helper link to platform token/profile page via getTokenPageUrl(). |
| src/options/components/AITab.tsx | Replaces BYOK config UI with XTM One URL/token config and connection test. |
| src/options/App.tsx | Replaces test+fetch-models flow with XTM One connection test wiring. |
| src/background/index.ts | Routes AI_TEST_CONNECTION messages to the new handler. |
| src/background/handlers/ai-utils.ts | Simplifies AI handler plumbing to XTM One task execution + truncation/transform hooks. |
| docs/README.md | Updates docs to reflect XTM One as the AI backend. |
| docs/overview.md | Updates diagram to show XTM One as the sole AI backend. |
| docs/features/xtm-one-integration-architecture.md | Adds detailed architecture/rationale for XTM One execute-task integration. |
| docs/features.md | Updates feature docs from multi-provider BYOK to XTM One configuration. |
| docs/development.md | Updates development docs to reflect new AI client and message types. |
| docs/configuration.md | Updates configuration guide to XTM One URL/token + connection testing. |
| docs/architecture.md | Updates architecture docs to reflect thin-client XTM One AI boundary and agent slugs. |

Comment thread src/shared/api/ai-client.ts
Comment thread src/shared/api/ai-client.ts
Comment thread src/options/components/AITab.tsx
Comment thread docs/architecture.md Outdated

codecov Bot commented Jun 16, 2026

Codecov Report

❌ Patch coverage is 58.93617% with 193 lines in your changes missing coverage. Please review.
✅ Project coverage is 34.38%. Comparing base (c6fe25f) to head (5e36fe4).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #150      +/-   ##
==========================================
+ Coverage   33.40%   34.38%   +0.98%     
==========================================
  Files          92       90       -2     
  Lines       16556    15787     -769     
  Branches     5349     4942     -407     
==========================================
- Hits         5531     5429     -102     
+ Misses      11025    10358     -667     

| Flag | Coverage Δ |
| --- | --- |
| e2e | 34.38% <58.93%> (+0.98%) ⬆️ |
| integration-openaev | 34.38% <58.93%> (+0.98%) ⬆️ |
| integration-opencti | 34.38% <58.93%> (+0.98%) ⬆️ |
| unittests | 34.38% <58.93%> (+0.98%) ⬆️ |

@m719 m719 force-pushed the 149-feat-use-xtm-one-for-ai-capabilities-remove-byok branch 5 times, most recently from b22f7aa to 6dfaf0e Compare June 17, 2026 07:46
The extension previously embedded its own LLM integration: users had to
bring their own API keys (OpenAI, Anthropic, Gemini, or a custom endpoint),
and the extension handled prompt engineering, JSON parsing of raw LLM
output, and model selection directly in the browser.

This was fragile, hard to iterate on (prompt changes required extension
releases), and put the burden of LLM configuration on end users.

With XTM One now hosting dedicated agents for each AI feature, the
extension becomes a thin client: it sends structured task payloads and
receives structured JSON responses. Prompt management, model routing,
and output parsing all move server-side.

All 7 AI features (description generation, scenario generation, full
scenario, atomic testing, email generation, entity discovery, relationship
resolution) now call `POST /api/v1/extension/execute-task` with an agent
slug. The `AIClient` class is reduced to a single `executeTask()` method
that serializes the request into a `content` field and identifies the
target agent via `XTM_ONE_AGENT_SLUGS`. Connection testing uses
`GET /api/v1/auth/me`.

- Deleted `AIProvider` type, `apiKey`, `model`, `customBaseUrl`,
  `availableModels` from `AISettings` — replaced with `xtmOneUrl` and
  `apiToken`
- Settings UI (`AITab.tsx`) replaced provider/model dropdowns with
  XTM One URL + token fields; removed "Coming Soon" placeholder
- Background handlers (`ai-handlers.ts`, `ai-utils.ts`) simplified to
  thin wrappers — removed prompt construction, JSON parsing, retry logic
- Removed unused `getMaxContentLength()` export from `ai-utils.ts`
- Removed dead `AIGenerationRequest`/`AIGenerationResponse` types

- `ai/prompts.ts` — hardcoded prompt templates now managed as XTM One
  agent personas
- `ai/json-parser.ts` — JSON extraction from raw LLM output no longer
  needed (XTM One returns structured data)
- Corresponding test files: `prompts.test.ts`, `json-parser.test.ts`

- Added `credentials: 'omit'` to OpenCTI client fetch calls
- Fixed `credentials: 'omit'` ordering in OpenAEV client — moved after
  `...options` spread to prevent callers from overriding it
- Added user-friendly 401/404 error messages to OpenCTI and OpenAEV clients
- Fixed misleading JSDoc on `testConnection()` (claimed "execute-task"
  but actually calls `/auth/me`)

All AI-gated UI surfaces now show "AI is not configured. Configure
XTM One in extension settings." when XTM One is not set up. Previously,
`ScenarioTypeSelector` and `ScenarioFormView` only showed a generic
"AI not available" with no guidance. Enterprise-gate message standardized
to "AI features require Enterprise Edition." across all views.
@m719 m719 force-pushed the 149-feat-use-xtm-one-for-ai-capabilities-remove-byok branch from 6dfaf0e to 5e36fe4 Compare June 22, 2026 07:33

Development

Successfully merging this pull request may close these issues.

feat: use XTM One for AI capabilities (remove BYOK)
