Secure an AI Agent REST API

Problem/Feature Description

Your team is building a Spring AI-powered internal assistant that exposes a REST API. The service has been running with a basic prototype configuration that lacks proper authentication. The backend tech lead has asked you to wire in production-grade security before the service goes to the QA environment.

The application is a Spring Boot project. It exposes the following endpoint groups:

• /api/public/** — health checks and status pages (no auth required)
• /api/chat/** — the main AI chat endpoint (authenticated users only)
• /api/admin/** — management endpoints (administrators only)
• /api/tools/** (POST only) — tool execution endpoints (agents and admins only)
• Everything else should be denied

The application is stateless (JWT-based auth, no sessions). CSRF protection is not needed. The security configuration should also enable method-level security so that individual Spring beans can be annotated with authorization rules. All other requests not matching the above patterns should be denied by default.

Provide an in-memory user store for local development with three users: a regular user, an agent-level user, and an admin user — using appropriate password encoding.

Output Specification

Produce a complete, compilable Java source file SecurityConfig.java in the package com.example.agentapi.config that contains the security configuration. Also produce UserStoreConfig.java in the same package with the in-memory user store setup.

Include a brief NOTES.md documenting any important decisions you made about the security configuration.