@agent-native/core 0.11.0 → 0.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/dist/agent/thread-data-builder.d.ts +1 -0
  2. package/dist/agent/thread-data-builder.d.ts.map +1 -1
  3. package/dist/agent/thread-data-builder.js +1 -0
  4. package/dist/agent/thread-data-builder.js.map +1 -1
  5. package/dist/client/AgentPanel.d.ts.map +1 -1
  6. package/dist/client/AgentPanel.js +8 -45
  7. package/dist/client/AgentPanel.js.map +1 -1
  8. package/dist/client/AssistantChat.d.ts.map +1 -1
  9. package/dist/client/AssistantChat.js +76 -16
  10. package/dist/client/AssistantChat.js.map +1 -1
  11. package/dist/client/builder-frame.d.ts.map +1 -1
  12. package/dist/client/builder-frame.js +10 -3
  13. package/dist/client/builder-frame.js.map +1 -1
  14. package/dist/client/components/ui/dropdown-menu.js +2 -2
  15. package/dist/client/components/ui/dropdown-menu.js.map +1 -1
  16. package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
  17. package/dist/client/resources/ResourcesPanel.js +6 -6
  18. package/dist/client/resources/ResourcesPanel.js.map +1 -1
  19. package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
  20. package/dist/client/settings/useBuilderStatus.js +6 -2
  21. package/dist/client/settings/useBuilderStatus.js.map +1 -1
  22. package/dist/client/sharing/ShareButton.d.ts +2 -0
  23. package/dist/client/sharing/ShareButton.d.ts.map +1 -1
  24. package/dist/client/sharing/ShareButton.js +84 -24
  25. package/dist/client/sharing/ShareButton.js.map +1 -1
  26. package/dist/client/use-action.d.ts.map +1 -1
  27. package/dist/client/use-action.js +1 -0
  28. package/dist/client/use-action.js.map +1 -1
  29. package/dist/server/action-routes.d.ts.map +1 -1
  30. package/dist/server/action-routes.js +1 -0
  31. package/dist/server/action-routes.js.map +1 -1
  32. package/dist/server/agent-chat-plugin.d.ts +14 -0
  33. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  34. package/dist/server/agent-chat-plugin.js +77 -12
  35. package/dist/server/agent-chat-plugin.js.map +1 -1
  36. package/dist/server/builder-browser.d.ts +8 -6
  37. package/dist/server/builder-browser.d.ts.map +1 -1
  38. package/dist/server/builder-browser.js +54 -32
  39. package/dist/server/builder-browser.js.map +1 -1
  40. package/dist/server/core-routes-plugin.d.ts +7 -0
  41. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  42. package/dist/server/core-routes-plugin.js +100 -74
  43. package/dist/server/core-routes-plugin.js.map +1 -1
  44. package/package.json +1 -1
package/dist/client/use-action.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"use-action.js","sourceRoot":"","sources":["../../src/client/use-action.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAK9E,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,MAAM,aAAa,GAAG,eAAe,CAAC,wBAAwB,CAAC,CAAC;AAiChE,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E;;;;GAIG;AACH,SAAS,mBAAmB;IAC1B,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,cAAc,EAAE,CAAC,eAAe,EAAE,CAAC,QAAQ,IAAI,SAAS,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,IAAY,EACZ,MAAc,EACd,MAA4B;IAE5B,IAAI,GAAG,GAAG,GAAG,aAAa,IAAI,IAAI,EAAE,CAAC;IACrC,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,MAAM,EAAE,GAAG,mBAAmB,EAAE,CAAC;IACjC,IAAI,EAAE;QAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;IACxC,MAAM,IAAI,GAAgB;QACxB,MAAM;QACN,OAAO;KACR,CAAC;IAEF,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjE,yEAAyE;QACzE,uDAAuD;QACvD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAC3C,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,CACzC,CAAC;QACF,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACxE,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QAClB,CAAC;IACH,CAAC;SAAM,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,uEAAuE;QACvE,0DAA0D;QAC1D,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,UAAU,IAAI,YAAY,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,qCAAqC;IACrC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,IAAS,CAAC;IAEzC,yCAAyC;IACzC,oEAAoE;IACpE,8EAA8E;IAC9E,4DAA4D;IAC5D,0EAA0E;IAC1E,qEAAqE;IACrE,uBAAuB;IACvB,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,SAAkB,CAAC;IACvB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,GAAG,IAAI,CAAC;QAClB,SAAS,GAAG,GAAG,CAAC;IAClB,CAAC;IAED,IAAI,IAAI,GAAQ,SAAS,CAAC;IAC1B,IAAI,WAAW,GAAG,KAAK,CAAC;IACxB,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,uEAAuE;YACvE,WAAW,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,OAAO,GACX,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;YACtC,uEAAuE;YACvE,qEAAqE;YACrE,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC1B,GAAG,CAAC,UAAU;YACd,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,UAAU,IAAI,YAAY,OAAO,EAAE,CAAC,CAAC;QAC5D,KAAa,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACnC,MAAM,KAAK,CAAC;IACd,CAAC;IAED,4EAA4E;IAC5E,wDAAwD;IACxD,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,KAAK,GACT,SAAS,YAAY,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACrE,MAAM,KAAK,GAAG,IAAI,KAAK,CACrB,UAAU,IAAI,aAAa,GAAG,CAAC,MAAM,oCAAoC,KAAK,EAAE,CACjF,CAAC;QACD,KAAa,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACnC,MAAM,KAAK,CAAC;IACd,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,6EAA6E;IAC7E,uEAAuE;IACvE,+BAA+B;IAC/B,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,KAAK,GAAG,IAAI,KAAK,CACrB,UAAU,IAAI,wBAAwB,GAAG,CAAC,MAAM,cAAc,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAClF,CAAC;QACD,KAAa,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACnC,MAAM,KAAK,CAAC;IACd,CAAC;IAED,OAAO,CAAC,IAAI,IAAK,IAAgB,CAAM,CAAC;AAC1C,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAI5B,UAAiB,EACjB,MAA4B,EAC5B,OAGC;IAGD,OAAO,QAAQ,CAAI;QACjB,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC;QACxC,OAAO,EAAE,GAAG,EAAE,CAAC,WAAW,CAAI,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC;QACxD,GAAG,OAAO;KACX,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,iBAAiB,CAK/B,UAAiB,EACjB,OASC;IAED,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,EACJ,MAAM,EAAE,SAAS,EACjB,SAAS,EACT,GAAG,WAAW,EACf,GAAG,OAAO,IAAK,EAAU,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,IAAI,MAAM,CAAC;IAKnC,OAAO,WAAW,CAAc;QAC9B,GAAG,WAAW;QACd,UAAU,EAAE,CAAC,MAAM,EAAE,EAAE,CACrB,WAAW,CAAI,UAAU,EAAE,MAAM,EAAE,MAA6B,CAAC;QACnE,SAAS,EAAE,CAAC,GAAG,IAAqB,EAAE,EAAE;YACtC,oCAAoC;YACpC,WAAW,CAAC,iBAAiB,CAAC,EAAE,QAAQ,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACvD,SAAsB,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QACrC,CAAC;KACF,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * React Query hooks for calling actions via their auto-mounted HTTP endpoints.\n *\n * Actions are mounted at `/_agent-native/actions/:name` by the framework.\n *\n * ## End-to-end type safety\n *\n * When the action type registry is generated (via the Vite plugin or CLI),\n * `useActionQuery` and `useActionMutation` automatically infer the correct\n * return type and parameter types from the action definitions — no manual\n * type annotations needed.\n *\n * ```ts\n * // Fully typed — return type and params inferred from the action's defineAction()\n * const { data } = useActionQuery(\"list-forms\", { status: \"published\" });\n * // ^? Form[] (inferred from the action's run() return type)\n * ```\n *\n * Without the registry, the hooks fall back to `any` types for backward\n * compatibility.\n */\nimport { useQuery, useMutation, useQueryClient } from \"@tanstack/react-query\";\nimport type {\n UseQueryOptions,\n UseMutationOptions,\n} from \"@tanstack/react-query\";\nimport { agentNativePath } from \"./api-path.js\";\n\nconst ACTION_PREFIX = agentNativePath(\"/_agent-native/actions\");\n\n// ---------------------------------------------------------------------------\n// Action type registry — augmented by generated code\n// ---------------------------------------------------------------------------\n\n/**\n * Action type registry. This interface is empty by default and gets augmented\n * by the auto-generated `.generated/action-types.d.ts` file. When augmented,\n * it maps action names to their parameter and return types, enabling\n * end-to-end type safety for `useActionQuery` and `useActionMutation`.\n */\nexport interface ActionRegistry {}\n\n/** Resolves to the union of registered action names, or `string` if no registry exists. */\ntype ActionName = keyof ActionRegistry extends never\n ? string\n : (keyof ActionRegistry & string) | (string & {});\n\n/** Resolves the return type of an action, or `any` if not in the registry. */\ntype ActionResult<T extends string> = T extends keyof ActionRegistry\n ? ActionRegistry[T] extends { result: infer R }\n ? R\n : any\n : any;\n\n/** Resolves the parameter type of an action, or `Record<string, any>` if not in the registry. */\ntype ActionParams<T extends string> = T extends keyof ActionRegistry\n ? ActionRegistry[T] extends { params: infer P }\n ? P\n : Record<string, any>\n : Record<string, any>;\n\n// ---------------------------------------------------------------------------\n// Fetch helper\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve the browser's IANA timezone (e.g. \"America/Los_Angeles\"). This is\n * sent on every action request as `x-user-timezone` so server-side defaults\n * like \"today\" honor the user's local day rather than the server's UTC clock.\n */\nfunction resolveUserTimezone(): string | undefined {\n try {\n return Intl.DateTimeFormat().resolvedOptions().timeZone || undefined;\n } catch {\n return undefined;\n }\n}\n\nasync function actionFetch<T>(\n name: string,\n method: string,\n params?: Record<string, any>,\n): Promise<T> {\n let url = `${ACTION_PREFIX}/${name}`;\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n const tz = resolveUserTimezone();\n if (tz) headers[\"x-user-timezone\"] = tz;\n const init: RequestInit = {\n method,\n headers,\n };\n\n if (method === \"GET\" && params && Object.keys(params).length > 0) {\n // Skip null/undefined so optional filters don't turn into literal \"null\"\n // strings in the query string (e.g. `?folderId=null`).\n const entries = Object.entries(params).filter(\n ([, v]) => v !== null && v !== undefined,\n );\n if (entries.length > 0) {\n const qs = new URLSearchParams(entries.map(([k, v]) => [k, String(v)]));\n url += `?${qs}`;\n }\n } else if (method !== \"GET\" && params) {\n init.body = JSON.stringify(params);\n }\n\n let res: Response;\n try {\n res = await fetch(url, init);\n } catch (err) {\n // Network failures, CORS, server unreachable, etc. — give the caller a\n // useful message instead of the opaque \"Failed to fetch\".\n const cause = err instanceof Error ? err.message : String(err);\n throw new Error(`Action ${name} failed: ${cause}`);\n }\n\n // 204 No Content — nothing to parse.\n if (res.status === 204) return null as T;\n\n // Read the body as text first so we can:\n // - tolerate empty bodies (avoids \"Unexpected end of JSON input\")\n // - surface non-JSON error responses (HTML 401/404 pages, plain text, etc.)\n // - preserve the original HTTP status in the thrown error\n // Track read failures separately from \"no body\" — a stream interruption /\n // decode failure on a 2xx response should error rather than silently\n // succeed with `null`.\n let raw = \"\";\n let readFailed = false;\n let readError: unknown;\n try {\n raw = await res.text();\n } catch (err) {\n readFailed = true;\n readError = err;\n }\n\n let data: any = undefined;\n let parseFailed = false;\n if (raw.length > 0) {\n try {\n data = JSON.parse(raw);\n } catch {\n // Body wasn't JSON — keep `data` undefined and use the raw text below.\n parseFailed = true;\n }\n }\n\n if (!res.ok) {\n const message =\n (data && (data.error || data.message)) ||\n // Truncate non-JSON bodies so we don't dump entire HTML pages into the\n // console, but still give the developer a hint as to what came back.\n (raw && raw.slice(0, 200)) ||\n res.statusText ||\n `HTTP ${res.status}`;\n const error = new Error(`Action ${name} failed: ${message}`);\n (error as any).status = res.status;\n throw error;\n }\n\n // 2xx but the body couldn't even be read (mid-stream abort, decode failure,\n // etc.). Don't silently treat that as a `null` success.\n if (readFailed) {\n const cause =\n readError instanceof Error ? readError.message : String(readError);\n const error = new Error(\n `Action ${name} returned ${res.status} but the body could not be read: ${cause}`,\n );\n (error as any).status = res.status;\n throw error;\n }\n\n // 2xx with a non-empty, non-JSON body. Action callers expect typed data, so\n // returning `null` here would silently mask a real server bug (e.g. a proxy\n // returning HTML 200 instead of JSON). Throw instead — empty bodies (handled\n // above by the `raw.length > 0` guard and the 204 short-circuit) still\n // correctly resolve to `null`.\n if (parseFailed) {\n const error = new Error(\n `Action ${name} returned a non-JSON ${res.status} response: ${raw.slice(0, 200)}`,\n );\n (error as any).status = res.status;\n throw error;\n }\n\n return (data ?? (null as unknown)) as T;\n}\n\n// ---------------------------------------------------------------------------\n// Query hook\n// ---------------------------------------------------------------------------\n\n/**\n * Query an action exposed as GET.\n *\n * When the action type registry is generated, the return type and parameter\n * types are inferred automatically from the action's `defineAction()` call.\n *\n * ```ts\n * // Type-safe — no manual generic needed\n * const { data } = useActionQuery(\"list-meals\", { date: \"2025-01-01\" });\n *\n * // Manual override still works when needed\n * const { data } = useActionQuery<CustomType>(\"list-meals\");\n * ```\n */\nexport function useActionQuery<\n TResult = undefined,\n TName extends ActionName = ActionName,\n>(\n actionName: TName,\n params?: ActionParams<TName>,\n options?: Omit<\n UseQueryOptions<TResult extends undefined ? ActionResult<TName> : TResult>,\n \"queryKey\" | \"queryFn\"\n >,\n) {\n type R = TResult extends undefined ? ActionResult<TName> : TResult;\n return useQuery<R>({\n queryKey: [\"action\", actionName, params],\n queryFn: () => actionFetch<R>(actionName, \"GET\", params),\n ...options,\n });\n}\n\n// ---------------------------------------------------------------------------\n// Mutation hook\n// ---------------------------------------------------------------------------\n\n/**\n * Mutate via an action exposed as POST (default), PUT, or DELETE.\n *\n * When the action type registry is generated, the return type and parameter\n * types are inferred automatically.\n *\n * ```ts\n * // Type-safe\n * const { mutate } = useActionMutation(\"log-meal\");\n * mutate({ name: \"Salad\", calories: 350 });\n * ```\n */\nexport function useActionMutation<\n TData = undefined,\n TVariables = undefined,\n TName extends ActionName = ActionName,\n>(\n actionName: TName,\n options?: Omit<\n UseMutationOptions<\n TData extends undefined ? ActionResult<TName> : TData,\n Error,\n TVariables extends undefined ? ActionParams<TName> : TVariables\n >,\n \"mutationFn\"\n > & {\n method?: \"POST\" | \"PUT\" | \"DELETE\";\n },\n) {\n const queryClient = useQueryClient();\n const {\n method: methodOpt,\n onSuccess,\n ...restOptions\n } = options ?? ({} as any);\n const method = methodOpt ?? \"POST\";\n\n type D = TData extends undefined ? ActionResult<TName> : TData;\n type V = TVariables extends undefined ? ActionParams<TName> : TVariables;\n\n return useMutation<D, Error, V>({\n ...restOptions,\n mutationFn: (params) =>\n actionFetch<D>(actionName, method, params as Record<string, any>),\n onSuccess: (...args: [any, any, any]) => {\n // Invalidate related action queries\n queryClient.invalidateQueries({ queryKey: [\"action\"] });\n (onSuccess as Function)?.(...args);\n },\n });\n}\n"]}
1
+ {"version":3,"file":"use-action.js","sourceRoot":"","sources":["../../src/client/use-action.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAK9E,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEhD,MAAM,aAAa,GAAG,eAAe,CAAC,wBAAwB,CAAC,CAAC;AAiChE,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E;;;;GAIG;AACH,SAAS,mBAAmB;IAC1B,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,cAAc,EAAE,CAAC,eAAe,EAAE,CAAC,QAAQ,IAAI,SAAS,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,IAAY,EACZ,MAAc,EACd,MAA4B;IAE5B,IAAI,GAAG,GAAG,GAAG,aAAa,IAAI,IAAI,EAAE,CAAC;IACrC,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,kBAAkB;KACnC,CAAC;IACF,MAAM,EAAE,GAAG,mBAAmB,EAAE,CAAC;IACjC,IAAI,EAAE;QAAE,OAAO,CAAC,iBAAiB,CAAC,GAAG,EAAE,CAAC;IACxC,MAAM,IAAI,GAAgB;QACxB,MAAM;QACN,OAAO;QACP,KAAK,EAAE,UAAU;KAClB,CAAC;IAEF,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjE,yEAAyE;QACzE,uDAAuD;QACvD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAC3C,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,CACzC,CAAC;QACF,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACxE,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QAClB,CAAC;IACH,CAAC;SAAM,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,uEAAuE;QACvE,0DAA0D;QAC1D,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,UAAU,IAAI,YAAY,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,qCAAqC;IACrC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,IAAS,CAAC;IAEzC,yCAAyC;IACzC,oEAAoE;IACpE,8EAA8E;IAC9E,4DAA4D;IAC5D,0EAA0E;IAC1E,qEAAqE;IACrE,uBAAuB;IACvB,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,SAAkB,CAAC;IACvB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;IACzB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,UAAU,GAAG,IAAI,CAAC;QAClB,SAAS,GAAG,GAAG,CAAC;IAClB,CAAC;IAED,IAAI,IAAI,GAAQ,SAAS,CAAC;IAC1B,IAAI,WAAW,GAAG,KAAK,CAAC;IACxB,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,uEAAuE;YACvE,WAAW,GAAG,IAAI,CAAC;QACrB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,OAAO,GACX,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;YACtC,uEAAuE;YACvE,qEAAqE;YACrE,CAAC,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YAC1B,GAAG,CAAC,UAAU;YACd,QAAQ,GAAG,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,KAAK,CAAC,UAAU,IAAI,YAAY,OAAO,EAAE,CAAC,CAAC;QAC5D,KAAa,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACnC,MAAM,KAAK,CAAC;IACd,CAAC;IAED,4EAA4E;IAC5E,wDAAwD;IACxD,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,KAAK,GACT,SAAS,YAAY,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACrE,MAAM,KAAK,GAAG,IAAI,KAAK,CACrB,UAAU,IAAI,aAAa,GAAG,CAAC,MAAM,oCAAoC,KAAK,EAAE,CACjF,CAAC;QACD,KAAa,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACnC,MAAM,KAAK,CAAC;IACd,CAAC;IAED,4EAA4E;IAC5E,4EAA4E;IAC5E,6EAA6E;IAC7E,uEAAuE;IACvE,+BAA+B;IAC/B,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,KAAK,GAAG,IAAI,KAAK,CACrB,UAAU,IAAI,wBAAwB,GAAG,CAAC,MAAM,cAAc,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAClF,CAAC;QACD,KAAa,CAAC,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;QACnC,MAAM,KAAK,CAAC;IACd,CAAC;IAED,OAAO,CAAC,IAAI,IAAK,IAAgB,CAAM,CAAC;AAC1C,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAI5B,UAAiB,EACjB,MAA4B,EAC5B,OAGC;IAGD,OAAO,QAAQ,CAAI;QACjB,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC;QACxC,OAAO,EAAE,GAAG,EAAE,CAAC,WAAW,CAAI,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC;QACxD,GAAG,OAAO;KACX,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,iBAAiB,CAK/B,UAAiB,EACjB,OASC;IAED,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,MAAM,EACJ,MAAM,EAAE,SAAS,EACjB,SAAS,EACT,GAAG,WAAW,EACf,GAAG,OAAO,IAAK,EAAU,CAAC;IAC3B,MAAM,MAAM,GAAG,SAAS,IAAI,MAAM,CAAC;IAKnC,OAAO,WAAW,CAAc;QAC9B,GAAG,WAAW;QACd,UAAU,EAAE,CAAC,MAAM,EAAE,EAAE,CACrB,WAAW,CAAI,UAAU,EAAE,MAAM,EAAE,MAA6B,CAAC;QACnE,SAAS,EAAE,CAAC,GAAG,IAAqB,EAAE,EAAE;YACtC,oCAAoC;YACpC,WAAW,CAAC,iBAAiB,CAAC,EAAE,QAAQ,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YACvD,SAAsB,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QACrC,CAAC;KACF,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * React Query hooks for calling actions via their auto-mounted HTTP endpoints.\n *\n * Actions are mounted at `/_agent-native/actions/:name` by the framework.\n *\n * ## End-to-end type safety\n *\n * When the action type registry is generated (via the Vite plugin or CLI),\n * `useActionQuery` and `useActionMutation` automatically infer the correct\n * return type and parameter types from the action definitions — no manual\n * type annotations needed.\n *\n * ```ts\n * // Fully typed — return type and params inferred from the action's defineAction()\n * const { data } = useActionQuery(\"list-forms\", { status: \"published\" });\n * // ^? Form[] (inferred from the action's run() return type)\n * ```\n *\n * Without the registry, the hooks fall back to `any` types for backward\n * compatibility.\n */\nimport { useQuery, useMutation, useQueryClient } from \"@tanstack/react-query\";\nimport type {\n UseQueryOptions,\n UseMutationOptions,\n} from \"@tanstack/react-query\";\nimport { agentNativePath } from \"./api-path.js\";\n\nconst ACTION_PREFIX = agentNativePath(\"/_agent-native/actions\");\n\n// ---------------------------------------------------------------------------\n// Action type registry — augmented by generated code\n// ---------------------------------------------------------------------------\n\n/**\n * Action type registry. This interface is empty by default and gets augmented\n * by the auto-generated `.generated/action-types.d.ts` file. When augmented,\n * it maps action names to their parameter and return types, enabling\n * end-to-end type safety for `useActionQuery` and `useActionMutation`.\n */\nexport interface ActionRegistry {}\n\n/** Resolves to the union of registered action names, or `string` if no registry exists. */\ntype ActionName = keyof ActionRegistry extends never\n ? string\n : (keyof ActionRegistry & string) | (string & {});\n\n/** Resolves the return type of an action, or `any` if not in the registry. */\ntype ActionResult<T extends string> = T extends keyof ActionRegistry\n ? ActionRegistry[T] extends { result: infer R }\n ? R\n : any\n : any;\n\n/** Resolves the parameter type of an action, or `Record<string, any>` if not in the registry. */\ntype ActionParams<T extends string> = T extends keyof ActionRegistry\n ? ActionRegistry[T] extends { params: infer P }\n ? P\n : Record<string, any>\n : Record<string, any>;\n\n// ---------------------------------------------------------------------------\n// Fetch helper\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve the browser's IANA timezone (e.g. \"America/Los_Angeles\"). This is\n * sent on every action request as `x-user-timezone` so server-side defaults\n * like \"today\" honor the user's local day rather than the server's UTC clock.\n */\nfunction resolveUserTimezone(): string | undefined {\n try {\n return Intl.DateTimeFormat().resolvedOptions().timeZone || undefined;\n } catch {\n return undefined;\n }\n}\n\nasync function actionFetch<T>(\n name: string,\n method: string,\n params?: Record<string, any>,\n): Promise<T> {\n let url = `${ACTION_PREFIX}/${name}`;\n const headers: Record<string, string> = {\n \"Content-Type\": \"application/json\",\n };\n const tz = resolveUserTimezone();\n if (tz) headers[\"x-user-timezone\"] = tz;\n const init: RequestInit = {\n method,\n headers,\n cache: \"no-store\",\n };\n\n if (method === \"GET\" && params && Object.keys(params).length > 0) {\n // Skip null/undefined so optional filters don't turn into literal \"null\"\n // strings in the query string (e.g. `?folderId=null`).\n const entries = Object.entries(params).filter(\n ([, v]) => v !== null && v !== undefined,\n );\n if (entries.length > 0) {\n const qs = new URLSearchParams(entries.map(([k, v]) => [k, String(v)]));\n url += `?${qs}`;\n }\n } else if (method !== \"GET\" && params) {\n init.body = JSON.stringify(params);\n }\n\n let res: Response;\n try {\n res = await fetch(url, init);\n } catch (err) {\n // Network failures, CORS, server unreachable, etc. — give the caller a\n // useful message instead of the opaque \"Failed to fetch\".\n const cause = err instanceof Error ? err.message : String(err);\n throw new Error(`Action ${name} failed: ${cause}`);\n }\n\n // 204 No Content — nothing to parse.\n if (res.status === 204) return null as T;\n\n // Read the body as text first so we can:\n // - tolerate empty bodies (avoids \"Unexpected end of JSON input\")\n // - surface non-JSON error responses (HTML 401/404 pages, plain text, etc.)\n // - preserve the original HTTP status in the thrown error\n // Track read failures separately from \"no body\" — a stream interruption /\n // decode failure on a 2xx response should error rather than silently\n // succeed with `null`.\n let raw = \"\";\n let readFailed = false;\n let readError: unknown;\n try {\n raw = await res.text();\n } catch (err) {\n readFailed = true;\n readError = err;\n }\n\n let data: any = undefined;\n let parseFailed = false;\n if (raw.length > 0) {\n try {\n data = JSON.parse(raw);\n } catch {\n // Body wasn't JSON — keep `data` undefined and use the raw text below.\n parseFailed = true;\n }\n }\n\n if (!res.ok) {\n const message =\n (data && (data.error || data.message)) ||\n // Truncate non-JSON bodies so we don't dump entire HTML pages into the\n // console, but still give the developer a hint as to what came back.\n (raw && raw.slice(0, 200)) ||\n res.statusText ||\n `HTTP ${res.status}`;\n const error = new Error(`Action ${name} failed: ${message}`);\n (error as any).status = res.status;\n throw error;\n }\n\n // 2xx but the body couldn't even be read (mid-stream abort, decode failure,\n // etc.). Don't silently treat that as a `null` success.\n if (readFailed) {\n const cause =\n readError instanceof Error ? readError.message : String(readError);\n const error = new Error(\n `Action ${name} returned ${res.status} but the body could not be read: ${cause}`,\n );\n (error as any).status = res.status;\n throw error;\n }\n\n // 2xx with a non-empty, non-JSON body. Action callers expect typed data, so\n // returning `null` here would silently mask a real server bug (e.g. a proxy\n // returning HTML 200 instead of JSON). Throw instead — empty bodies (handled\n // above by the `raw.length > 0` guard and the 204 short-circuit) still\n // correctly resolve to `null`.\n if (parseFailed) {\n const error = new Error(\n `Action ${name} returned a non-JSON ${res.status} response: ${raw.slice(0, 200)}`,\n );\n (error as any).status = res.status;\n throw error;\n }\n\n return (data ?? (null as unknown)) as T;\n}\n\n// ---------------------------------------------------------------------------\n// Query hook\n// ---------------------------------------------------------------------------\n\n/**\n * Query an action exposed as GET.\n *\n * When the action type registry is generated, the return type and parameter\n * types are inferred automatically from the action's `defineAction()` call.\n *\n * ```ts\n * // Type-safe — no manual generic needed\n * const { data } = useActionQuery(\"list-meals\", { date: \"2025-01-01\" });\n *\n * // Manual override still works when needed\n * const { data } = useActionQuery<CustomType>(\"list-meals\");\n * ```\n */\nexport function useActionQuery<\n TResult = undefined,\n TName extends ActionName = ActionName,\n>(\n actionName: TName,\n params?: ActionParams<TName>,\n options?: Omit<\n UseQueryOptions<TResult extends undefined ? ActionResult<TName> : TResult>,\n \"queryKey\" | \"queryFn\"\n >,\n) {\n type R = TResult extends undefined ? ActionResult<TName> : TResult;\n return useQuery<R>({\n queryKey: [\"action\", actionName, params],\n queryFn: () => actionFetch<R>(actionName, \"GET\", params),\n ...options,\n });\n}\n\n// ---------------------------------------------------------------------------\n// Mutation hook\n// ---------------------------------------------------------------------------\n\n/**\n * Mutate via an action exposed as POST (default), PUT, or DELETE.\n *\n * When the action type registry is generated, the return type and parameter\n * types are inferred automatically.\n *\n * ```ts\n * // Type-safe\n * const { mutate } = useActionMutation(\"log-meal\");\n * mutate({ name: \"Salad\", calories: 350 });\n * ```\n */\nexport function useActionMutation<\n TData = undefined,\n TVariables = undefined,\n TName extends ActionName = ActionName,\n>(\n actionName: TName,\n options?: Omit<\n UseMutationOptions<\n TData extends undefined ? ActionResult<TName> : TData,\n Error,\n TVariables extends undefined ? ActionParams<TName> : TVariables\n >,\n \"mutationFn\"\n > & {\n method?: \"POST\" | \"PUT\" | \"DELETE\";\n },\n) {\n const queryClient = useQueryClient();\n const {\n method: methodOpt,\n onSuccess,\n ...restOptions\n } = options ?? ({} as any);\n const method = methodOpt ?? \"POST\";\n\n type D = TData extends undefined ? ActionResult<TName> : TData;\n type V = TVariables extends undefined ? ActionParams<TName> : TVariables;\n\n return useMutation<D, Error, V>({\n ...restOptions,\n mutationFn: (params) =>\n actionFetch<D>(actionName, method, params as Record<string, any>),\n onSuccess: (...args: [any, any, any]) => {\n // Invalidate related action queries\n queryClient.invalidateQueries({ queryKey: [\"action\"] });\n (onSuccess as Function)?.(...args);\n },\n });\n}\n"]}
package/dist/server/action-routes.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"action-routes.d.ts","sourceRoot":"","sources":["../../src/server/action-routes.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAiEhE,MAAM,WAAW,wBAAwB;IACvC,gEAAgE;IAChE,iBAAiB,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,0DAA0D;IAC1D,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CACvE;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,GAAG,EACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,EACpC,OAAO,CAAC,EAAE,wBAAwB,QA6JnC"}
1
+ {"version":3,"file":"action-routes.d.ts","sourceRoot":"","sources":["../../src/server/action-routes.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAiEhE,MAAM,WAAW,wBAAwB;IACvC,gEAAgE;IAChE,iBAAiB,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAC7D,0DAA0D;IAC1D,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;CACvE;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,GAAG,EACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,EACpC,OAAO,CAAC,EAAE,wBAAwB,QA+JnC"}
package/dist/server/action-routes.js CHANGED
@@ -72,6 +72,7 @@ export function mountActionRoutes(nitroApp, actions, options) {
72
72
  if (reqMethod === "OPTIONS") {
73
73
  return handleOptionsRequest(event);
74
74
  }
75
+ setResponseHeader(event, "Cache-Control", "no-store");
75
76
  // Allow the declared method
76
77
  if (effectiveMethod !== method) {
77
78
  setResponseStatus(event, 405);
package/dist/server/action-routes.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"action-routes.js","sourceRoot":"","sources":["../../src/server/action-routes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,gCAAgC,CAAC;AAC1D,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,SAAS,EACT,QAAQ,EACR,SAAS,GACV,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EACL,oBAAoB,IAAI,wBAAwB,EAChD,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAE3B,MAAM,YAAY,GAAG,wBAAwB,CAAC;AAE9C;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAAU;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;QAChD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,SAAS,CAAC;QACtD,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,MAA0B;IACtD,OAAO,wBAAwB,CAAC,MAAM,EAAE;QACtC,cAAc,EAAE,sBAAsB,EAAE;QACxC,6BAA6B,EAAE,IAAI;KACpC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAU;IACtC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,MAAM,aAAa,GAAG,oBAAoB,CACxC,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAChD,CAAC;IAEF,IAAI,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,aAAa,CAAC,CAAC;QACvE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3C,iBAAiB,CAAC,KAAK,EAAE,kCAAkC,EAAE,MAAM,CAAC,CAAC;QACrE,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;QACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,oIAAoI,CACrI,CAAC;IACJ,CAAC;IAED,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9B,OAAO,EAAE,CAAC;AACZ,CAAC;AASD;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAa,EACb,OAAoC,EACpC,OAAkC;IAElC,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,0BAA0B;QAC1B,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK;YAAE,SAAS;QAEnC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,MAAM,IAAI,MAAM,CAAC;QAC5C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC;QACtC,MAAM,SAAS,GAAG,GAAG,YAAY,IAAI,IAAI,EAAE,CAAC;QAE5C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,SAAS,EACT,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,eAAe,GACnB,SAAS,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;YAE/D,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5B,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;YAED,4BAA4B;YAC5B,IAAI,eAAe,KAAK,MAAM,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,2BAA2B,MAAM,GAAG,EAAE,CAAC;YACzD,CAAC;YAED,oEAAoE;YACpE,0DAA0D;YAC1D,qEAAqE;YACrE,8DAA8D;YAC9D,kDAAkD;YAClD,gEAAgE;YAChE,mEAAmE;YACnE,gEAAgE;YAChE,uCAAuC;YACvC,+DAA+D;YAC/D,oEAAoE;YACpE,+BAA+B;YAC/B,MAAM,cAAc,GAClB,SAAS,CAAC,KAAK,EAAE,4BAA4B,CAAC,KAAK,GAAG,CAAC;YACzD,IAAI,cAAc,IAAI,KAAK,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;gBACnD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EAAE,WAAW,IAAI,+BAA+B;iBACtD,CAAC;YACJ,CAAC;YAED,+CAA+C;YAC/C,MAAM,SAAS,GAAG,OAAO,EAAE,iBAAiB;gBAC1C,CAAC,CAAC,MAAM,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC;gBACxC,CAAC,CAAC,SAAS,CAAC;YACd,MAAM,KAAK,GAAG,OAAO,EAAE,YAAY;gBACjC,CAAC,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,IAAI,SAAS,CAAC;gBACpD,CAAC,CAAC,SAAS,CAAC;YACd,MAAM,QAAQ,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;YAE3C,OAAO,qBAAqB,CAC1B,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,EAC9B,KAAK,IAAI,EAAE;gBACT,kEAAkE;gBAClE,qEAAqE;gBACrE,qEAAqE;gBACrE,sCAAsC;gBACtC,IAAI,MAA2B,CAAC;gBAChC,IAAI,CAAC;oBACH,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;wBACrB,sDAAsD;wBACtD,MAAM,MAAM,GAAI,KAAa,CAAC,GAAG,CAAC;wBAClC,IAAI,MAAM,EAAE,GAAG,EAAE,CAAC;4BAChB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;4BAChC,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;wBAChD,CAAC;6BAAM,CAAC;4BACN,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAwB,CAAC;wBAClD,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,MAAM,MAAM,GAAI,KAAa,CAAC,GAAG,CAAC;wBAClC,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;4BAChD,6DAA6D;4BAC7D,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;wBACzD,CAAC;6BAAM,CAAC;4BACN,wCAAwC;4BACxC,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;wBACzC,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,GAAG,EAAE,CAAC;gBACd,CAAC;gBAED,iBAAiB;gBACjB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBAEvC,8DAA8D;oBAC9D,+DAA+D;oBAC/D,gEAAgE;oBAChE,8DAA8D;oBAC9D,6DAA6D;oBAC7D,qDAAqD;oBACrD,+DAA+D;oBAC/D,mEAAmE;oBACnE,gEAAgE;oBAChE,6DAA6D;oBAC7D,MAAM,UAAU,GACd,OAAO,KAAK,CAAC,QAAQ,KAAK,SAAS;wBACjC,CAAC,CAAC,KAAK,CAAC,QAAQ;wBAChB,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC;oBACvB,IAAI,CAAC,UAAU,EAAE,CAAC;wBAChB,IAAI,CAAC;4BACH,YAAY,CAAC;gCACX,MAAM,EAAE,QAAQ;gCAChB,IAAI,EAAE,QAAQ;gCACd,GAAG,EAAE,IAAI;gCACT,KAAK,EAAE,SAAS;6BACjB,CAAC,CAAC;wBACL,CAAC;wBAAC,MAAM,CAAC;4BACP,SAAS;wBACX,CAAC;oBACH,CAAC;oBAED,6EAA6E;oBAC7E,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;wBAC/B,IAAI,CAAC;4BACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;wBAC5B,CAAC;wBAAC,MAAM,CAAC;4BACP,OAAO,MAAM,CAAC;wBAChB,CAAC;oBACH,CAAC;oBAED,OAAO,MAAM,CAAC;gBAChB,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,MAAM,GAAG,GAAG,GAAG,EAAE,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC;oBACxC,4DAA4D;oBAC5D,iBAAiB,CACf,KAAK,EACL,GAAG,CAAC,UAAU,CAAC,2BAA2B,CAAC;wBACzC,CAAC,CAAC,GAAG;wBACL,CAAC,CAAC,OAAO,GAAG,EAAE,UAAU,KAAK,QAAQ;4BACnC,CAAC,CAAC,GAAG,CAAC,UAAU;4BAChB,CAAC,CAAC,GAAG,CACV,CAAC;oBACF,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;gBACxB,CAAC;YACH,CAAC,CACF,CAAC,CAAC,4BAA4B;QACjC,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;QACzC,OAAO,CAAC,GAAG,CACT,2BAA2B,OAAO,CAAC,MAAM,qBAAqB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;AACN,CAAC","sourcesContent":["/**\n * Auto-mount actions as HTTP endpoints under /_agent-native/actions/:name.\n *\n * Actions are exposed as POST by default. Use `http: { method: \"GET\" }` in\n * defineAction to expose as GET. Use `http: false` to mark as agent-only.\n */\nimport { getH3App } from \"./framework-request-handler.js\";\nimport {\n defineEventHandler,\n setResponseStatus,\n setResponseHeader,\n getMethod,\n getQuery,\n getHeader,\n} from \"h3\";\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { runWithRequestContext } from \"./request-context.js\";\nimport { recordChange } from \"./poll.js\";\nimport {\n getAllowedCorsOrigin as resolveAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\n\nconst ROUTE_PREFIX = \"/_agent-native/actions\";\n\n/**\n * Read the caller's IANA timezone from the `x-user-timezone` header. The core\n * client sends this on every action request so server-side \"today\" fallbacks\n * can honor the user's local day.\n */\nfunction readTimezoneHeader(event: any): string | undefined {\n try {\n const raw = getHeader(event, \"x-user-timezone\");\n if (!raw || typeof raw !== \"string\") return undefined;\n const trimmed = raw.trim();\n return trimmed.length > 0 && trimmed.length < 64 ? trimmed : undefined;\n } catch {\n return undefined;\n }\n}\n\nfunction getAllowedCorsOrigin(origin: string | undefined): string | null {\n return resolveAllowedCorsOrigin(origin, {\n allowedOrigins: readCorsAllowedOrigins(),\n allowLocalhostWhenNoAllowlist: true,\n });\n}\n\nfunction handleOptionsRequest(event: any): string {\n const origin = getHeader(event, \"origin\");\n const allowedOrigin = getAllowedCorsOrigin(\n typeof origin === \"string\" ? origin : undefined,\n );\n\n if (origin && !allowedOrigin) {\n setResponseStatus(event, 403);\n return \"\";\n }\n\n if (allowedOrigin) {\n setResponseHeader(event, \"Access-Control-Allow-Origin\", allowedOrigin);\n setResponseHeader(event, \"Vary\", \"Origin\");\n setResponseHeader(event, \"Access-Control-Allow-Credentials\", \"true\");\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n \"Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF,X-Agent-Native-Tool-Bridge,X-Agent-Native-Tool-Id\",\n );\n }\n\n setResponseStatus(event, 204);\n return \"\";\n}\n\nexport interface MountActionRoutesOptions {\n /** Resolve owner email from the H3 event (for data scoping). */\n getOwnerFromEvent?: (event: any) => string | Promise<string>;\n /** Resolve org ID from the H3 event (for org scoping). */\n resolveOrgId?: (event: any) => string | null | Promise<string | null>;\n}\n\n/**\n * Mount discovered actions as HTTP endpoints.\n *\n * Only actions from `autoDiscoverActions` (template actions) are mounted.\n * Built-in actions (resource-*, chat-*, shell, etc.) are NOT passed here.\n */\nexport function mountActionRoutes(\n nitroApp: any,\n actions: Record<string, ActionEntry>,\n options?: MountActionRoutesOptions,\n) {\n const mounted: string[] = [];\n\n for (const [name, entry] of Object.entries(actions)) {\n // Skip agent-only actions\n if (entry.http === false) continue;\n\n const method = entry.http?.method ?? \"POST\";\n const path = entry.http?.path ?? name;\n const routePath = `${ROUTE_PREFIX}/${path}`;\n\n getH3App(nitroApp).use(\n routePath,\n defineEventHandler(async (event) => {\n const reqMethod = getMethod(event);\n const effectiveMethod =\n reqMethod === \"HEAD\" && method === \"GET\" ? \"GET\" : reqMethod;\n\n if (reqMethod === \"OPTIONS\") {\n return handleOptionsRequest(event);\n }\n\n // Allow the declared method\n if (effectiveMethod !== method) {\n setResponseStatus(event, 405);\n return { error: `Method not allowed. Use ${method}.` };\n }\n\n // (audit H5) Per-action `toolCallable` opt-out for the tools-iframe\n // bridge. The bridge tags every outbound action call with\n // X-Agent-Native-Tool-Bridge: 1. When that header is present and the\n // action declares `toolCallable: false`, we 403 — used by the\n // framework's share-resource / unshare-resource /\n // set-resource-visibility for defense-in-depth on auth-adjacent\n // operations. Undefined defaults to allow: tools are intra-org and\n // typically authored by trusted teammates, so the default is to\n // trust the org-level access controls.\n // The header is set by the parent (the React host), not by the\n // iframe's user-authored content; sanitizeToolRequestOptions strips\n // iframe attempts to spoof it.\n const fromToolBridge =\n getHeader(event, \"x-agent-native-tool-bridge\") === \"1\";\n if (fromToolBridge && entry.toolCallable === false) {\n setResponseStatus(event, 403);\n return {\n error: `Action '${name}' is not callable from tools.`,\n };\n }\n\n // Resolve auth context for per-request scoping\n const userEmail = options?.getOwnerFromEvent\n ? await options.getOwnerFromEvent(event)\n : undefined;\n const orgId = options?.resolveOrgId\n ? ((await options.resolveOrgId(event)) ?? undefined)\n : undefined;\n const timezone = readTimezoneHeader(event);\n\n return runWithRequestContext(\n { userEmail, orgId, timezone },\n async () => {\n // Parse params based on method. On web-standard runtimes (Netlify\n // Functions, CF Workers), event.req IS the web Request — use .json()\n // directly. H3's readBody fails on those runtimes because it expects\n // a Node.js stream on event.node.req.\n let params: Record<string, any>;\n try {\n if (method === \"GET\") {\n // H3 v2: prefer web Request URL, fallback to getQuery\n const webReq = (event as any).req;\n if (webReq?.url) {\n const url = new URL(webReq.url);\n params = Object.fromEntries(url.searchParams);\n } else {\n params = getQuery(event) as Record<string, any>;\n }\n } else {\n const webReq = (event as any).req;\n if (webReq && typeof webReq.json === \"function\") {\n // H3 v2: event.req is the web Request — use .json() directly\n params = (await webReq.json().catch(() => null)) ?? {};\n } else {\n // Fallback: H3's readBody (Node.js dev)\n params = (await readBody(event)) ?? {};\n }\n }\n } catch {\n params = {};\n }\n\n // Run the action\n try {\n const result = await entry.run(params);\n\n // Auto-refresh the UI after a successful mutating action. GET\n // actions and actions explicitly flagged readOnly are skipped.\n // Other tabs' useDbSync will see source:\"action\" and invalidate\n // their action queries. The calling tab already refetches via\n // useActionMutation's onSuccess, so this is mainly cross-tab\n // sync (and parity with the agent's tool-call path).\n // Explicit entry.readOnly (true OR false) wins over the method\n // heuristic. defineAction already auto-infers GET → readOnly=true,\n // so for actions registered through that path entry.readOnly is\n // always set and the fallback just guards legacy wrap paths.\n const isReadOnly =\n typeof entry.readOnly === \"boolean\"\n ? entry.readOnly\n : method === \"GET\";\n if (!isReadOnly) {\n try {\n recordChange({\n source: \"action\",\n type: \"change\",\n key: name,\n owner: userEmail,\n });\n } catch {\n // ignore\n }\n }\n\n // If the action returned a string, try to parse as JSON for a clean response\n if (typeof result === \"string\") {\n try {\n return JSON.parse(result);\n } catch {\n return result;\n }\n }\n\n return result;\n } catch (err: any) {\n const msg = err?.message ?? String(err);\n // Return 400 for validation errors, 500 for everything else\n setResponseStatus(\n event,\n msg.startsWith(\"Invalid action parameters\")\n ? 400\n : typeof err?.statusCode === \"number\"\n ? err.statusCode\n : 500,\n );\n return { error: msg };\n }\n },\n ); // end runWithRequestContext\n }),\n );\n\n mounted.push(`${method} ${routePath}`);\n }\n\n if (mounted.length > 0 && process.env.DEBUG)\n console.log(\n `[action-routes] Mounted ${mounted.length} action route(s): ${mounted.join(\", \")}`,\n );\n}\n"]}
1
+ {"version":3,"file":"action-routes.js","sourceRoot":"","sources":["../../src/server/action-routes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,QAAQ,EAAE,MAAM,gCAAgC,CAAC;AAC1D,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,SAAS,EACT,QAAQ,EACR,SAAS,GACV,MAAM,IAAI,CAAC;AAEZ,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EACL,oBAAoB,IAAI,wBAAwB,EAChD,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAE3B,MAAM,YAAY,GAAG,wBAAwB,CAAC;AAE9C;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAAU;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;QAChD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,SAAS,CAAC;QACtD,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,MAA0B;IACtD,OAAO,wBAAwB,CAAC,MAAM,EAAE;QACtC,cAAc,EAAE,sBAAsB,EAAE;QACxC,6BAA6B,EAAE,IAAI;KACpC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAU;IACtC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,MAAM,aAAa,GAAG,oBAAoB,CACxC,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAChD,CAAC;IAEF,IAAI,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC7B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,aAAa,CAAC,CAAC;QACvE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3C,iBAAiB,CAAC,KAAK,EAAE,kCAAkC,EAAE,MAAM,CAAC,CAAC;QACrE,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;QACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,oIAAoI,CACrI,CAAC;IACJ,CAAC;IAED,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9B,OAAO,EAAE,CAAC;AACZ,CAAC;AASD;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAa,EACb,OAAoC,EACpC,OAAkC;IAElC,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,0BAA0B;QAC1B,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK;YAAE,SAAS;QAEnC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,MAAM,IAAI,MAAM,CAAC;QAC5C,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC;QACtC,MAAM,SAAS,GAAG,GAAG,YAAY,IAAI,IAAI,EAAE,CAAC;QAE5C,QAAQ,CAAC,QAAQ,CAAC,CAAC,GAAG,CACpB,SAAS,EACT,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;YACjC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,eAAe,GACnB,SAAS,KAAK,MAAM,IAAI,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;YAE/D,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5B,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;YAED,iBAAiB,CAAC,KAAK,EAAE,eAAe,EAAE,UAAU,CAAC,CAAC;YAEtD,4BAA4B;YAC5B,IAAI,eAAe,KAAK,MAAM,EAAE,CAAC;gBAC/B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,2BAA2B,MAAM,GAAG,EAAE,CAAC;YACzD,CAAC;YAED,oEAAoE;YACpE,0DAA0D;YAC1D,qEAAqE;YACrE,8DAA8D;YAC9D,kDAAkD;YAClD,gEAAgE;YAChE,mEAAmE;YACnE,gEAAgE;YAChE,uCAAuC;YACvC,+DAA+D;YAC/D,oEAAoE;YACpE,+BAA+B;YAC/B,MAAM,cAAc,GAClB,SAAS,CAAC,KAAK,EAAE,4BAA4B,CAAC,KAAK,GAAG,CAAC;YACzD,IAAI,cAAc,IAAI,KAAK,CAAC,YAAY,KAAK,KAAK,EAAE,CAAC;gBACnD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EAAE,WAAW,IAAI,+BAA+B;iBACtD,CAAC;YACJ,CAAC;YAED,+CAA+C;YAC/C,MAAM,SAAS,GAAG,OAAO,EAAE,iBAAiB;gBAC1C,CAAC,CAAC,MAAM,OAAO,CAAC,iBAAiB,CAAC,KAAK,CAAC;gBACxC,CAAC,CAAC,SAAS,CAAC;YACd,MAAM,KAAK,GAAG,OAAO,EAAE,YAAY;gBACjC,CAAC,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,IAAI,SAAS,CAAC;gBACpD,CAAC,CAAC,SAAS,CAAC;YACd,MAAM,QAAQ,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;YAE3C,OAAO,qBAAqB,CAC1B,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,EAC9B,KAAK,IAAI,EAAE;gBACT,kEAAkE;gBAClE,qEAAqE;gBACrE,qEAAqE;gBACrE,sCAAsC;gBACtC,IAAI,MAA2B,CAAC;gBAChC,IAAI,CAAC;oBACH,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;wBACrB,sDAAsD;wBACtD,MAAM,MAAM,GAAI,KAAa,CAAC,GAAG,CAAC;wBAClC,IAAI,MAAM,EAAE,GAAG,EAAE,CAAC;4BAChB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;4BAChC,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;wBAChD,CAAC;6BAAM,CAAC;4BACN,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAwB,CAAC;wBAClD,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACN,MAAM,MAAM,GAAI,KAAa,CAAC,GAAG,CAAC;wBAClC,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;4BAChD,6DAA6D;4BAC7D,MAAM,GAAG,CAAC,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;wBACzD,CAAC;6BAAM,CAAC;4BACN,wCAAwC;4BACxC,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;wBACzC,CAAC;oBACH,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,GAAG,EAAE,CAAC;gBACd,CAAC;gBAED,iBAAiB;gBACjB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBAEvC,8DAA8D;oBAC9D,+DAA+D;oBAC/D,gEAAgE;oBAChE,8DAA8D;oBAC9D,6DAA6D;oBAC7D,qDAAqD;oBACrD,+DAA+D;oBAC/D,mEAAmE;oBACnE,gEAAgE;oBAChE,6DAA6D;oBAC7D,MAAM,UAAU,GACd,OAAO,KAAK,CAAC,QAAQ,KAAK,SAAS;wBACjC,CAAC,CAAC,KAAK,CAAC,QAAQ;wBAChB,CAAC,CAAC,MAAM,KAAK,KAAK,CAAC;oBACvB,IAAI,CAAC,UAAU,EAAE,CAAC;wBAChB,IAAI,CAAC;4BACH,YAAY,CAAC;gCACX,MAAM,EAAE,QAAQ;gCAChB,IAAI,EAAE,QAAQ;gCACd,GAAG,EAAE,IAAI;gCACT,KAAK,EAAE,SAAS;6BACjB,CAAC,CAAC;wBACL,CAAC;wBAAC,MAAM,CAAC;4BACP,SAAS;wBACX,CAAC;oBACH,CAAC;oBAED,6EAA6E;oBAC7E,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;wBAC/B,IAAI,CAAC;4BACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;wBAC5B,CAAC;wBAAC,MAAM,CAAC;4BACP,OAAO,MAAM,CAAC;wBAChB,CAAC;oBACH,CAAC;oBAED,OAAO,MAAM,CAAC;gBAChB,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,MAAM,GAAG,GAAG,GAAG,EAAE,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC;oBACxC,4DAA4D;oBAC5D,iBAAiB,CACf,KAAK,EACL,GAAG,CAAC,UAAU,CAAC,2BAA2B,CAAC;wBACzC,CAAC,CAAC,GAAG;wBACL,CAAC,CAAC,OAAO,GAAG,EAAE,UAAU,KAAK,QAAQ;4BACnC,CAAC,CAAC,GAAG,CAAC,UAAU;4BAChB,CAAC,CAAC,GAAG,CACV,CAAC;oBACF,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;gBACxB,CAAC;YACH,CAAC,CACF,CAAC,CAAC,4BAA4B;QACjC,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,IAAI,SAAS,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;QACzC,OAAO,CAAC,GAAG,CACT,2BAA2B,OAAO,CAAC,MAAM,qBAAqB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnF,CAAC;AACN,CAAC","sourcesContent":["/**\n * Auto-mount actions as HTTP endpoints under /_agent-native/actions/:name.\n *\n * Actions are exposed as POST by default. Use `http: { method: \"GET\" }` in\n * defineAction to expose as GET. Use `http: false` to mark as agent-only.\n */\nimport { getH3App } from \"./framework-request-handler.js\";\nimport {\n defineEventHandler,\n setResponseStatus,\n setResponseHeader,\n getMethod,\n getQuery,\n getHeader,\n} from \"h3\";\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport { runWithRequestContext } from \"./request-context.js\";\nimport { recordChange } from \"./poll.js\";\nimport {\n getAllowedCorsOrigin as resolveAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\n\nconst ROUTE_PREFIX = \"/_agent-native/actions\";\n\n/**\n * Read the caller's IANA timezone from the `x-user-timezone` header. The core\n * client sends this on every action request so server-side \"today\" fallbacks\n * can honor the user's local day.\n */\nfunction readTimezoneHeader(event: any): string | undefined {\n try {\n const raw = getHeader(event, \"x-user-timezone\");\n if (!raw || typeof raw !== \"string\") return undefined;\n const trimmed = raw.trim();\n return trimmed.length > 0 && trimmed.length < 64 ? trimmed : undefined;\n } catch {\n return undefined;\n }\n}\n\nfunction getAllowedCorsOrigin(origin: string | undefined): string | null {\n return resolveAllowedCorsOrigin(origin, {\n allowedOrigins: readCorsAllowedOrigins(),\n allowLocalhostWhenNoAllowlist: true,\n });\n}\n\nfunction handleOptionsRequest(event: any): string {\n const origin = getHeader(event, \"origin\");\n const allowedOrigin = getAllowedCorsOrigin(\n typeof origin === \"string\" ? origin : undefined,\n );\n\n if (origin && !allowedOrigin) {\n setResponseStatus(event, 403);\n return \"\";\n }\n\n if (allowedOrigin) {\n setResponseHeader(event, \"Access-Control-Allow-Origin\", allowedOrigin);\n setResponseHeader(event, \"Vary\", \"Origin\");\n setResponseHeader(event, \"Access-Control-Allow-Credentials\", \"true\");\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n \"Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF,X-Agent-Native-Tool-Bridge,X-Agent-Native-Tool-Id\",\n );\n }\n\n setResponseStatus(event, 204);\n return \"\";\n}\n\nexport interface MountActionRoutesOptions {\n /** Resolve owner email from the H3 event (for data scoping). */\n getOwnerFromEvent?: (event: any) => string | Promise<string>;\n /** Resolve org ID from the H3 event (for org scoping). */\n resolveOrgId?: (event: any) => string | null | Promise<string | null>;\n}\n\n/**\n * Mount discovered actions as HTTP endpoints.\n *\n * Only actions from `autoDiscoverActions` (template actions) are mounted.\n * Built-in actions (resource-*, chat-*, shell, etc.) are NOT passed here.\n */\nexport function mountActionRoutes(\n nitroApp: any,\n actions: Record<string, ActionEntry>,\n options?: MountActionRoutesOptions,\n) {\n const mounted: string[] = [];\n\n for (const [name, entry] of Object.entries(actions)) {\n // Skip agent-only actions\n if (entry.http === false) continue;\n\n const method = entry.http?.method ?? \"POST\";\n const path = entry.http?.path ?? name;\n const routePath = `${ROUTE_PREFIX}/${path}`;\n\n getH3App(nitroApp).use(\n routePath,\n defineEventHandler(async (event) => {\n const reqMethod = getMethod(event);\n const effectiveMethod =\n reqMethod === \"HEAD\" && method === \"GET\" ? \"GET\" : reqMethod;\n\n if (reqMethod === \"OPTIONS\") {\n return handleOptionsRequest(event);\n }\n\n setResponseHeader(event, \"Cache-Control\", \"no-store\");\n\n // Allow the declared method\n if (effectiveMethod !== method) {\n setResponseStatus(event, 405);\n return { error: `Method not allowed. Use ${method}.` };\n }\n\n // (audit H5) Per-action `toolCallable` opt-out for the tools-iframe\n // bridge. The bridge tags every outbound action call with\n // X-Agent-Native-Tool-Bridge: 1. When that header is present and the\n // action declares `toolCallable: false`, we 403 — used by the\n // framework's share-resource / unshare-resource /\n // set-resource-visibility for defense-in-depth on auth-adjacent\n // operations. Undefined defaults to allow: tools are intra-org and\n // typically authored by trusted teammates, so the default is to\n // trust the org-level access controls.\n // The header is set by the parent (the React host), not by the\n // iframe's user-authored content; sanitizeToolRequestOptions strips\n // iframe attempts to spoof it.\n const fromToolBridge =\n getHeader(event, \"x-agent-native-tool-bridge\") === \"1\";\n if (fromToolBridge && entry.toolCallable === false) {\n setResponseStatus(event, 403);\n return {\n error: `Action '${name}' is not callable from tools.`,\n };\n }\n\n // Resolve auth context for per-request scoping\n const userEmail = options?.getOwnerFromEvent\n ? await options.getOwnerFromEvent(event)\n : undefined;\n const orgId = options?.resolveOrgId\n ? ((await options.resolveOrgId(event)) ?? undefined)\n : undefined;\n const timezone = readTimezoneHeader(event);\n\n return runWithRequestContext(\n { userEmail, orgId, timezone },\n async () => {\n // Parse params based on method. On web-standard runtimes (Netlify\n // Functions, CF Workers), event.req IS the web Request — use .json()\n // directly. H3's readBody fails on those runtimes because it expects\n // a Node.js stream on event.node.req.\n let params: Record<string, any>;\n try {\n if (method === \"GET\") {\n // H3 v2: prefer web Request URL, fallback to getQuery\n const webReq = (event as any).req;\n if (webReq?.url) {\n const url = new URL(webReq.url);\n params = Object.fromEntries(url.searchParams);\n } else {\n params = getQuery(event) as Record<string, any>;\n }\n } else {\n const webReq = (event as any).req;\n if (webReq && typeof webReq.json === \"function\") {\n // H3 v2: event.req is the web Request — use .json() directly\n params = (await webReq.json().catch(() => null)) ?? {};\n } else {\n // Fallback: H3's readBody (Node.js dev)\n params = (await readBody(event)) ?? {};\n }\n }\n } catch {\n params = {};\n }\n\n // Run the action\n try {\n const result = await entry.run(params);\n\n // Auto-refresh the UI after a successful mutating action. GET\n // actions and actions explicitly flagged readOnly are skipped.\n // Other tabs' useDbSync will see source:\"action\" and invalidate\n // their action queries. The calling tab already refetches via\n // useActionMutation's onSuccess, so this is mainly cross-tab\n // sync (and parity with the agent's tool-call path).\n // Explicit entry.readOnly (true OR false) wins over the method\n // heuristic. defineAction already auto-infers GET → readOnly=true,\n // so for actions registered through that path entry.readOnly is\n // always set and the fallback just guards legacy wrap paths.\n const isReadOnly =\n typeof entry.readOnly === \"boolean\"\n ? entry.readOnly\n : method === \"GET\";\n if (!isReadOnly) {\n try {\n recordChange({\n source: \"action\",\n type: \"change\",\n key: name,\n owner: userEmail,\n });\n } catch {\n // ignore\n }\n }\n\n // If the action returned a string, try to parse as JSON for a clean response\n if (typeof result === \"string\") {\n try {\n return JSON.parse(result);\n } catch {\n return result;\n }\n }\n\n return result;\n } catch (err: any) {\n const msg = err?.message ?? String(err);\n // Return 400 for validation errors, 500 for everything else\n setResponseStatus(\n event,\n msg.startsWith(\"Invalid action parameters\")\n ? 400\n : typeof err?.statusCode === \"number\"\n ? err.statusCode\n : 500,\n );\n return { error: msg };\n }\n },\n ); // end runWithRequestContext\n }),\n );\n\n mounted.push(`${method} ${routePath}`);\n }\n\n if (mounted.length > 0 && process.env.DEBUG)\n console.log(\n `[action-routes] Mounted ${mounted.length} action route(s): ${mounted.join(\", \")}`,\n );\n}\n"]}
package/dist/server/agent-chat-plugin.d.ts CHANGED
@@ -53,6 +53,20 @@ export interface AgentChatPluginOptions {
53
53
  * need custom org resolution logic (e.g., Atlassian org mapping).
54
54
  */
55
55
  resolveOrgId?: (event: any) => string | null | Promise<string | null>;
56
+ /**
57
+ * Optional owner resolver for public/anonymous chat surfaces. When the
58
+ * normal app session is missing, this callback may return a synthetic
59
+ * owner id for a narrowly-scoped public request (for example, a public
60
+ * shared document page). Anonymous requests use a read-only tool set by
61
+ * default so public viewers cannot mutate app data through the agent.
62
+ */
63
+ anonymousOwner?: (event: any) => string | null | Promise<string | null>;
64
+ /**
65
+ * Keep anonymous-owner requests on read-only template actions. Defaults to
66
+ * true. Only disable for single-tenant apps that intentionally allow public
67
+ * agent mutations.
68
+ */
69
+ anonymousReadOnly?: boolean;
56
70
  /**
57
71
  * Optional callback to append template-specific context to the system
58
72
  * prompt on each request. Runs after AGENTS.md / skills / memory are
package/dist/server/agent-chat-plugin.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"agent-chat-plugin.d.ts","sourceRoot":"","sources":["../../src/server/agent-chat-plugin.ts"],"names":[],"mappings":"AAaA,OAAO,EAUL,KAAK,WAAW,EACjB,MAAM,8BAA8B,CAAC;AAKtC,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAEhB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,gBAAgB,EAUjB,MAAM,wBAAwB,CAAC;AAmDhC,OAAO,EAGL,KAAK,0BAA0B,EAC/B,KAAK,oBAAoB,EAC1B,MAAM,6BAA6B,CAAC;AAkIrC,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,SAAS,cAAc,EAAE,EACjC,WAAW,EAAE,SAAS,oBAAoB,EAAE,EAC5C,OAAO,GAAE,0BAA0B,GAAG;IAAE,KAAK,CAAC,EAAE,GAAG,CAAA;CAAO,GACzD;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAO7C;AAmiCD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,sBAAsB;IACrC,+DAA+D;IAC/D,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,wCAAwC;IACxC,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qDAAqD;IACrD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;sDAGkD;IAClD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,MAAM,CAAC,EACH,OAAO,0BAA0B,EAAE,WAAW,GAC9C,MAAM,GACN;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IACtD,qDAAqD;IACrD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,+DAA+D;IAC/D,gBAAgB,CAAC,EACb,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAClD,kFAAkF;IAClF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;;;;;OASG;IACH,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACtE;;;;;;;;;;;;;;OAcG;IACH,YAAY,CAAC,EAAE,CACb,KAAK,EAAE,GAAG,EACV,KAAK,EAAE,MAAM,KACV,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C;;;;;;;;;;;;;;OAcG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;;;;;;;;OAaG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;;;;;;;;;;;;;;;;OAkBG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAywBD,wBAAgB,qBAAqB,CACnC,OAAO,CAAC,EAAE,sBAAsB,GAC/B,cAAc,CA0gFhB;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,cAAwC,CAAC;AAa9E,yEAAyE;AACzE,wBAAgB,mBAAmB,IAAI,gBAAgB,GAAG,IAAI,CAE7D"}
1
+ {"version":3,"file":"agent-chat-plugin.d.ts","sourceRoot":"","sources":["../../src/server/agent-chat-plugin.ts"],"names":[],"mappings":"AAaA,OAAO,EAUL,KAAK,WAAW,EACjB,MAAM,8BAA8B,CAAC;AAKtC,OAAO,KAAK,EACV,cAAc,EAEd,eAAe,EAEhB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,gBAAgB,EAUjB,MAAM,wBAAwB,CAAC;AAmDhC,OAAO,EAGL,KAAK,0BAA0B,EAC/B,KAAK,oBAAoB,EAC1B,MAAM,6BAA6B,CAAC;AA0IrC,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,SAAS,cAAc,EAAE,EACjC,WAAW,EAAE,SAAS,oBAAoB,EAAE,EAC5C,OAAO,GAAE,0BAA0B,GAAG;IAAE,KAAK,CAAC,EAAE,GAAG,CAAA;CAAO,GACzD;IAAE,YAAY,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAO7C;AAmiCD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,sBAAsB;IACrC,+DAA+D;IAC/D,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,wCAAwC;IACxC,OAAO,CAAC,EACJ,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,GAC3B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IAC9C,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qDAAqD;IACrD,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;sDAGkD;IAClD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,iEAAiE;IACjE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,MAAM,CAAC,EACH,OAAO,0BAA0B,EAAE,WAAW,GAC9C,MAAM,GACN;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,CAAC;IACtD,qDAAqD;IACrD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,+DAA+D;IAC/D,gBAAgB,CAAC,EACb,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,CAAC,MACG,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,GAC/B,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;IAClD,kFAAkF;IAClF,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;;;;;;;OASG;IACH,YAAY,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACtE;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IACxE;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;;;;;;;;;;;OAcG;IACH,YAAY,CAAC,EAAE,CACb,KAAK,EAAE,GAAG,EACV,KAAK,EAAE,MAAM,KACV,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC5C;;;;;;;;;;;;;;OAcG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;;;;;;;;OAaG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;;;;;;;;;;;;;;;;OAkBG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAywBD,wBAAgB,qBAAqB,CACnC,OAAO,CAAC,EAAE,sBAAsB,GAC/B,cAAc,CAwlFhB;AAED;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,EAAE,cAAwC,CAAC;AAa9E,yEAAyE;AACzE,wBAAgB,mBAAmB,IAAI,gBAAgB,GAAG,IAAI,CAE7D"}
package/dist/server/agent-chat-plugin.js CHANGED
@@ -58,6 +58,9 @@ function wrapCliScript(tool, cliDefault, opts) {
58
58
  },
59
59
  };
60
60
  }
61
+ function filterReadOnlyActions(actions) {
62
+ return Object.fromEntries(Object.entries(actions).filter(([, entry]) => entry.readOnly === true));
63
+ }
61
64
  function resolveArtifactBaseUrl(event) {
62
65
  const fromEnv = process.env.APP_URL ||
63
66
  process.env.URL ||
@@ -2530,17 +2533,36 @@ export function createAgentChatPlugin(options) {
2530
2533
  return accumulatedText || "(no response)";
2531
2534
  },
2532
2535
  });
2533
- // Resolve owner from the H3 event's session — matches how resources are created
2534
- const getOwnerFromEvent = async (event) => {
2535
- const session = await getSession(event);
2536
- if (!session?.email) {
2537
- const { createError } = await import("h3");
2538
- throw createError({
2539
- statusCode: 401,
2540
- statusMessage: "Unauthenticated",
2541
- });
2536
+ const OWNER_CONTEXT_KEY = "__agentNativeOwnerContext";
2537
+ // Resolve owner from the H3 event's session, with an optional
2538
+ // template-provided anonymous owner for public read-only surfaces.
2539
+ const resolveOwnerContext = async (event) => {
2540
+ const eventContext = event?.context;
2541
+ if (eventContext?.[OWNER_CONTEXT_KEY]) {
2542
+ return eventContext[OWNER_CONTEXT_KEY];
2542
2543
  }
2543
- return session.email;
2544
+ const session = await getSession(event);
2545
+ if (session?.email) {
2546
+ const resolved = { owner: session.email, anonymous: false };
2547
+ if (eventContext)
2548
+ eventContext[OWNER_CONTEXT_KEY] = resolved;
2549
+ return resolved;
2550
+ }
2551
+ const anonymousOwner = await options?.anonymousOwner?.(event);
2552
+ if (anonymousOwner) {
2553
+ const resolved = { owner: anonymousOwner, anonymous: true };
2554
+ if (eventContext)
2555
+ eventContext[OWNER_CONTEXT_KEY] = resolved;
2556
+ return resolved;
2557
+ }
2558
+ const { createError } = await import("h3");
2559
+ throw createError({
2560
+ statusCode: 401,
2561
+ statusMessage: "Unauthenticated",
2562
+ });
2563
+ };
2564
+ const getOwnerFromEvent = async (event) => {
2565
+ return (await resolveOwnerContext(event)).owner;
2544
2566
  };
2545
2567
  // Auto-mount template actions as HTTP endpoints under /_agent-native/actions/
2546
2568
  // Include engine management script so the UI can call manage-agent-engine.
@@ -2776,6 +2798,7 @@ export function createAgentChatPlugin(options) {
2776
2798
  ...chatScripts,
2777
2799
  ...toolActions,
2778
2800
  });
2801
+ const anonymousReadOnlyActions = attachToolSearch(filterReadOnlyActions(templateScripts));
2779
2802
  const prodActions = attachToolSearch({
2780
2803
  ...templateScripts,
2781
2804
  ...resourceScripts,
@@ -2810,6 +2833,9 @@ export function createAgentChatPlugin(options) {
2810
2833
  // Skip resource loading and schema block — those add DB round-trips
2811
2834
  // and tokens that minimal/voice apps don't need.
2812
2835
  const leanBasePrompt = (options?.systemPrompt ?? "") + prodActionsPrompt;
2836
+ const anonymousReadOnlyPrompt = (options?.systemPrompt ?? PROD_FRAMEWORK_PROMPT_COMPACT) +
2837
+ generateActionsPrompt(filterReadOnlyActions(templateScripts), "tool") +
2838
+ "\n\nYou are answering from a public shared page. Treat the visible resource as read-only: do not create, edit, delete, comment on, share, or otherwise mutate app data. If the user asks for a change, describe what you would change or suggest signing in to edit.";
2813
2839
  // Per-request preamble shared by both prod and dev handlers. Resolves
2814
2840
  // owner + user API key onto the AsyncLocalStorage run context so
2815
2841
  // downstream tool closures (automation, fetch, team) read the
@@ -2886,6 +2912,40 @@ export function createAgentChatPlugin(options) {
2886
2912
  // Resolve owner from session for usage attribution in hosted prod
2887
2913
  resolveOwnerEmail: isHostedProd ? getOwnerFromEvent : undefined,
2888
2914
  });
2915
+ const anonymousHandler = options?.anonymousOwner && options.anonymousReadOnly !== false
2916
+ ? createProductionAgentHandler({
2917
+ actions: anonymousReadOnlyActions,
2918
+ systemPrompt: async (event) => {
2919
+ const { extra } = await prepareRun(event);
2920
+ return setSystemPromptOnContext(anonymousReadOnlyPrompt +
2921
+ runtimeContextForEvent(event) +
2922
+ extra);
2923
+ },
2924
+ model: options?.model ?? DEFAULT_MODEL,
2925
+ apiKey: options?.apiKey,
2926
+ runSoftTimeoutMs: options?.runSoftTimeoutMs,
2927
+ skipFilesContext: true,
2928
+ onEngineResolved: (engine, model) => {
2929
+ const runCtx = ensureRequestRunContext();
2930
+ if (runCtx) {
2931
+ runCtx.engine = engine;
2932
+ runCtx.model = model;
2933
+ }
2934
+ },
2935
+ onRunStart: (send, threadId) => {
2936
+ _runSendByThread.set(threadId, send);
2937
+ const runCtx = ensureRequestRunContext();
2938
+ if (runCtx)
2939
+ runCtx.threadId = threadId;
2940
+ },
2941
+ onRunComplete: async (run, threadId) => {
2942
+ if (threadId)
2943
+ _runSendByThread.delete(threadId);
2944
+ await onRunComplete(run, threadId);
2945
+ },
2946
+ resolveOwnerEmail: getOwnerFromEvent,
2947
+ })
2948
+ : null;
2889
2949
  // Build the dev handler (with filesystem/shell/db tools) if environment allows toggling
2890
2950
  let devHandler = null;
2891
2951
  if (canToggle) {
@@ -3800,7 +3860,8 @@ export function createAgentChatPlugin(options) {
3800
3860
  return { error: "Not found" };
3801
3861
  }
3802
3862
  // Resolve per-request auth context
3803
- const owner = await getOwnerFromEvent(event);
3863
+ const ownerContext = await resolveOwnerContext(event);
3864
+ const owner = ownerContext.owner;
3804
3865
  // Resolve org ID: explicit callback > session.orgId from Better Auth
3805
3866
  let resolvedOrgId;
3806
3867
  if (options?.resolveOrgId) {
@@ -3825,7 +3886,11 @@ export function createAgentChatPlugin(options) {
3825
3886
  ? tzRaw.trim()
3826
3887
  : undefined;
3827
3888
  return runWithRequestContext({ userEmail: owner, orgId: resolvedOrgId, timezone }, () => {
3828
- const handler = currentDevMode && devHandler ? devHandler : prodHandler;
3889
+ const handler = ownerContext.anonymous && anonymousHandler
3890
+ ? anonymousHandler
3891
+ : currentDevMode && devHandler
3892
+ ? devHandler
3893
+ : prodHandler;
3829
3894
  return handler(event);
3830
3895
  });
3831
3896
  }));