npm - @agent-native/core - Versions diffs - 0.14.8 → 0.15.0 - Mend

@agent-native/core 0.14.8 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (420) hide show

package/README.md +1 -1
package/dist/agent/engine/builder-engine.d.ts.map +1 -1
package/dist/agent/engine/builder-engine.js +30 -9
package/dist/agent/engine/builder-engine.js.map +1 -1
package/dist/agent/engine/registry.d.ts.map +1 -1
package/dist/agent/engine/registry.js +14 -4
package/dist/agent/engine/registry.js.map +1 -1
package/dist/agent/production-agent.d.ts.map +1 -1
package/dist/agent/production-agent.js +71 -4
package/dist/agent/production-agent.js.map +1 -1
package/dist/agent/types.d.ts +9 -0
package/dist/agent/types.d.ts.map +1 -1
package/dist/agent/types.js.map +1 -1
package/dist/appearance/actions/change-appearance.d.ts +3 -0
package/dist/appearance/actions/change-appearance.d.ts.map +1 -0
package/dist/appearance/actions/change-appearance.js +29 -0
package/dist/appearance/actions/change-appearance.js.map +1 -0
package/dist/chat-threads/store.d.ts +53 -2
package/dist/chat-threads/store.d.ts.map +1 -1
package/dist/chat-threads/store.js +172 -12
package/dist/chat-threads/store.js.map +1 -1
package/dist/cli/create.d.ts.map +1 -1
package/dist/cli/create.js +114 -37
package/dist/cli/create.js.map +1 -1
package/dist/cli/index.js +30 -4
package/dist/cli/index.js.map +1 -1
package/dist/cli/workspace-dev.d.ts +25 -1
package/dist/cli/workspace-dev.d.ts.map +1 -1
package/dist/cli/workspace-dev.js +275 -49
package/dist/cli/workspace-dev.js.map +1 -1
package/dist/client/AgentPanel.d.ts +23 -4
package/dist/client/AgentPanel.d.ts.map +1 -1
package/dist/client/AgentPanel.js +276 -53
package/dist/client/AgentPanel.js.map +1 -1
package/dist/client/AppearancePicker.d.ts +11 -0
package/dist/client/AppearancePicker.d.ts.map +1 -0
package/dist/client/AppearancePicker.js +16 -0
package/dist/client/AppearancePicker.js.map +1 -0
package/dist/client/AssistantChat.d.ts +35 -0
package/dist/client/AssistantChat.d.ts.map +1 -1
package/dist/client/AssistantChat.js +315 -32
package/dist/client/AssistantChat.js.map +1 -1
package/dist/client/ConnectBuilderCard.d.ts.map +1 -1
package/dist/client/ConnectBuilderCard.js +5 -2
package/dist/client/ConnectBuilderCard.js.map +1 -1
package/dist/client/ErrorBoundary.d.ts.map +1 -1
package/dist/client/ErrorBoundary.js +8 -10
package/dist/client/ErrorBoundary.js.map +1 -1
package/dist/client/FeedbackButton.d.ts.map +1 -1
package/dist/client/FeedbackButton.js +1 -1
package/dist/client/FeedbackButton.js.map +1 -1
package/dist/client/MultiTabAssistantChat.d.ts +13 -1
package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
package/dist/client/MultiTabAssistantChat.js +217 -38
package/dist/client/MultiTabAssistantChat.js.map +1 -1
package/dist/client/NewWorkspaceAppFlow.d.ts.map +1 -1
package/dist/client/NewWorkspaceAppFlow.js +37 -14
package/dist/client/NewWorkspaceAppFlow.js.map +1 -1
package/dist/client/agent-chat-adapter.d.ts +5 -0
package/dist/client/agent-chat-adapter.d.ts.map +1 -1
package/dist/client/agent-chat-adapter.js +4 -0
package/dist/client/agent-chat-adapter.js.map +1 -1
package/dist/client/agent-sidebar-state.d.ts +12 -0
package/dist/client/agent-sidebar-state.d.ts.map +1 -1
package/dist/client/agent-sidebar-state.js +8 -0
package/dist/client/agent-sidebar-state.js.map +1 -1
package/dist/client/analytics.d.ts.map +1 -1
package/dist/client/analytics.js +175 -3
package/dist/client/analytics.js.map +1 -1
package/dist/client/appearance.d.ts +40 -0
package/dist/client/appearance.d.ts.map +1 -0
package/dist/client/appearance.js +114 -0
package/dist/client/appearance.js.map +1 -0
package/dist/client/builder-frame.d.ts +1 -0
package/dist/client/builder-frame.d.ts.map +1 -1
package/dist/client/builder-frame.js +19 -9
package/dist/client/builder-frame.js.map +1 -1
package/dist/client/components/CodeRequiredDialog.d.ts.map +1 -1
package/dist/client/components/CodeRequiredDialog.js +10 -2
package/dist/client/components/CodeRequiredDialog.js.map +1 -1
package/dist/client/components/ui/dropdown-menu.js +2 -2
package/dist/client/components/ui/dropdown-menu.js.map +1 -1
package/dist/client/components/ui/hover-card.js +1 -1
package/dist/client/components/ui/hover-card.js.map +1 -1
package/dist/client/components/ui/popover.js +1 -1
package/dist/client/components/ui/popover.js.map +1 -1
package/dist/client/composer/PromptComposer.d.ts +7 -0
package/dist/client/composer/PromptComposer.d.ts.map +1 -1
package/dist/client/composer/PromptComposer.js +63 -32
package/dist/client/composer/PromptComposer.js.map +1 -1
package/dist/client/composer/TiptapComposer.d.ts +5 -0
package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
package/dist/client/composer/TiptapComposer.js +36 -6
package/dist/client/composer/TiptapComposer.js.map +1 -1
package/dist/client/composer/useVoiceDictation.d.ts.map +1 -1
package/dist/client/composer/useVoiceDictation.js +13 -1
package/dist/client/composer/useVoiceDictation.js.map +1 -1
package/dist/client/error-format.d.ts +3 -2
package/dist/client/error-format.d.ts.map +1 -1
package/dist/client/error-format.js +9 -2
package/dist/client/error-format.js.map +1 -1
package/dist/client/extensions/ExtensionViewer.d.ts.map +1 -1
package/dist/client/extensions/ExtensionViewer.js +24 -2
package/dist/client/extensions/ExtensionViewer.js.map +1 -1
package/dist/client/index.d.ts +8 -1
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +7 -0
package/dist/client/index.js.map +1 -1
package/dist/client/onboarding/OnboardingPanel.js +1 -0
package/dist/client/onboarding/OnboardingPanel.js.map +1 -1
package/dist/client/org/InvitationBanner.d.ts.map +1 -1
package/dist/client/org/InvitationBanner.js +23 -2
package/dist/client/org/InvitationBanner.js.map +1 -1
package/dist/client/org/OrgSwitcher.d.ts +5 -4
package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
package/dist/client/org/OrgSwitcher.js +57 -9
package/dist/client/org/OrgSwitcher.js.map +1 -1
package/dist/client/org/hooks.d.ts.map +1 -1
package/dist/client/org/hooks.js +10 -6
package/dist/client/org/hooks.js.map +1 -1
package/dist/client/org/workspace-app-links.d.ts +31 -0
package/dist/client/org/workspace-app-links.d.ts.map +1 -0
package/dist/client/org/workspace-app-links.js +268 -0
package/dist/client/org/workspace-app-links.js.map +1 -0
package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
package/dist/client/resources/ResourcesPanel.js +18 -5
package/dist/client/resources/ResourcesPanel.js.map +1 -1
package/dist/client/resources/use-resources.d.ts +18 -13
package/dist/client/resources/use-resources.d.ts.map +1 -1
package/dist/client/resources/use-resources.js +24 -6
package/dist/client/resources/use-resources.js.map +1 -1
package/dist/client/settings/BackgroundAgentSection.d.ts.map +1 -1
package/dist/client/settings/BackgroundAgentSection.js +9 -1
package/dist/client/settings/BackgroundAgentSection.js.map +1 -1
package/dist/client/settings/BrowserSection.d.ts.map +1 -1
package/dist/client/settings/BrowserSection.js +16 -1
package/dist/client/settings/BrowserSection.js.map +1 -1
package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
package/dist/client/settings/SettingsPanel.js +4 -1
package/dist/client/settings/SettingsPanel.js.map +1 -1
package/dist/client/settings/VoiceTranscriptionSection.d.ts.map +1 -1
package/dist/client/settings/VoiceTranscriptionSection.js +5 -5
package/dist/client/settings/VoiceTranscriptionSection.js.map +1 -1
package/dist/client/settings/useBuilderStatus.d.ts +8 -0
package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
package/dist/client/settings/useBuilderStatus.js +50 -13
package/dist/client/settings/useBuilderStatus.js.map +1 -1
package/dist/client/settings/useBuilderStatus.spec.d.ts +2 -0
package/dist/client/settings/useBuilderStatus.spec.d.ts.map +1 -0
package/dist/client/settings/useBuilderStatus.spec.js +64 -0
package/dist/client/settings/useBuilderStatus.spec.js.map +1 -0
package/dist/client/sharing/ShareButton.d.ts +5 -0
package/dist/client/sharing/ShareButton.d.ts.map +1 -1
package/dist/client/sharing/ShareButton.js +60 -6
package/dist/client/sharing/ShareButton.js.map +1 -1
package/dist/client/theme.js +1 -1
package/dist/client/theme.js.map +1 -1
package/dist/client/transcription/BuilderTranscriptionCta.d.ts.map +1 -1
package/dist/client/transcription/BuilderTranscriptionCta.js +2 -3
package/dist/client/transcription/BuilderTranscriptionCta.js.map +1 -1
package/dist/client/use-change-version.d.ts +46 -0
package/dist/client/use-change-version.d.ts.map +1 -0
package/dist/client/use-change-version.js +135 -0
package/dist/client/use-change-version.js.map +1 -0
package/dist/client/use-chat-threads.d.ts +16 -2
package/dist/client/use-chat-threads.d.ts.map +1 -1
package/dist/client/use-chat-threads.js +87 -12
package/dist/client/use-chat-threads.js.map +1 -1
package/dist/client/use-chat-threads.spec.d.ts +2 -0
package/dist/client/use-chat-threads.spec.d.ts.map +1 -0
package/dist/client/use-chat-threads.spec.js +85 -0
package/dist/client/use-chat-threads.spec.js.map +1 -0
package/dist/client/use-db-sync.d.ts +5 -2
package/dist/client/use-db-sync.d.ts.map +1 -1
package/dist/client/use-db-sync.js +41 -16
package/dist/client/use-db-sync.js.map +1 -1
package/dist/client/use-pinch-zoom.d.ts +35 -0
package/dist/client/use-pinch-zoom.d.ts.map +1 -0
package/dist/client/use-pinch-zoom.js +105 -0
package/dist/client/use-pinch-zoom.js.map +1 -0
package/dist/deploy/workspace-deploy.d.ts.map +1 -1
package/dist/deploy/workspace-deploy.js +99 -5
package/dist/deploy/workspace-deploy.js.map +1 -1
package/dist/extensions/actions.d.ts.map +1 -1
package/dist/extensions/actions.js +3 -0
package/dist/extensions/actions.js.map +1 -1
package/dist/extensions/store.d.ts +5 -0
package/dist/extensions/store.d.ts.map +1 -1
package/dist/extensions/store.js +16 -1
package/dist/extensions/store.js.map +1 -1
package/dist/file-upload/actions/upload-image.d.ts +3 -0
package/dist/file-upload/actions/upload-image.d.ts.map +1 -0
package/dist/file-upload/actions/upload-image.js +145 -0
package/dist/file-upload/actions/upload-image.js.map +1 -0
package/dist/file-upload/builder.d.ts.map +1 -1
package/dist/file-upload/builder.js +31 -11
package/dist/file-upload/builder.js.map +1 -1
package/dist/file-upload/index.d.ts +1 -0
package/dist/file-upload/index.d.ts.map +1 -1
package/dist/file-upload/index.js +1 -0
package/dist/file-upload/index.js.map +1 -1
package/dist/file-upload/pre-upload-attachments.d.ts +39 -0
package/dist/file-upload/pre-upload-attachments.d.ts.map +1 -0
package/dist/file-upload/pre-upload-attachments.js +110 -0
package/dist/file-upload/pre-upload-attachments.js.map +1 -0
package/dist/file-upload/registry.d.ts.map +1 -1
package/dist/file-upload/registry.js +8 -7
package/dist/file-upload/registry.js.map +1 -1
package/dist/onboarding/default-steps.js +1 -1
package/dist/onboarding/default-steps.js.map +1 -1
package/dist/org/context.d.ts +15 -1
package/dist/org/context.d.ts.map +1 -1
package/dist/org/context.js +25 -0
package/dist/org/context.js.map +1 -1
package/dist/org/handlers.d.ts +2 -2
package/dist/org/handlers.d.ts.map +1 -1
package/dist/org/handlers.js +3 -17
package/dist/org/handlers.js.map +1 -1
package/dist/org/index.d.ts +1 -1
package/dist/org/index.d.ts.map +1 -1
package/dist/org/index.js +1 -1
package/dist/org/index.js.map +1 -1
package/dist/resources/handlers.d.ts +6 -0
package/dist/resources/handlers.d.ts.map +1 -1
package/dist/resources/handlers.js +30 -6
package/dist/resources/handlers.js.map +1 -1
package/dist/resources/script-helpers.d.ts +11 -2
package/dist/resources/script-helpers.d.ts.map +1 -1
package/dist/resources/script-helpers.js +20 -3
package/dist/resources/script-helpers.js.map +1 -1
package/dist/resources/store.d.ts +28 -3
package/dist/resources/store.d.ts.map +1 -1
package/dist/resources/store.js +170 -20
package/dist/resources/store.js.map +1 -1
package/dist/scripts/resources/list.d.ts +1 -1
package/dist/scripts/resources/list.d.ts.map +1 -1
package/dist/scripts/resources/list.js +16 -4
package/dist/scripts/resources/list.js.map +1 -1
package/dist/scripts/resources/write.d.ts +1 -1
package/dist/scripts/resources/write.d.ts.map +1 -1
package/dist/scripts/resources/write.js +47 -3
package/dist/scripts/resources/write.js.map +1 -1
package/dist/server/action-discovery.d.ts.map +1 -1
package/dist/server/action-discovery.js +8 -3
package/dist/server/action-discovery.js.map +1 -1
package/dist/server/agent-chat-plugin.d.ts.map +1 -1
package/dist/server/agent-chat-plugin.js +214 -25
package/dist/server/agent-chat-plugin.js.map +1 -1
package/dist/server/agent-discovery.d.ts +35 -0
package/dist/server/agent-discovery.d.ts.map +1 -1
package/dist/server/agent-discovery.js +139 -8
package/dist/server/agent-discovery.js.map +1 -1
package/dist/server/app-url.d.ts +12 -6
package/dist/server/app-url.d.ts.map +1 -1
package/dist/server/app-url.js +58 -11
package/dist/server/app-url.js.map +1 -1
package/dist/server/auth.d.ts +22 -0
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +272 -59
package/dist/server/auth.js.map +1 -1
package/dist/server/better-auth-instance.d.ts +0 -4
package/dist/server/better-auth-instance.d.ts.map +1 -1
package/dist/server/better-auth-instance.js +0 -3
package/dist/server/better-auth-instance.js.map +1 -1
package/dist/server/builder-browser.d.ts.map +1 -1
package/dist/server/builder-browser.js +23 -0
package/dist/server/builder-browser.js.map +1 -1
package/dist/server/core-routes-plugin.d.ts.map +1 -1
package/dist/server/core-routes-plugin.js +29 -14
package/dist/server/core-routes-plugin.js.map +1 -1
package/dist/server/credential-provider.d.ts +14 -0
package/dist/server/credential-provider.d.ts.map +1 -1
package/dist/server/credential-provider.js +88 -11
package/dist/server/credential-provider.js.map +1 -1
package/dist/server/google-auth-plugin.d.ts.map +1 -1
package/dist/server/google-auth-plugin.js +53 -13
package/dist/server/google-auth-plugin.js.map +1 -1
package/dist/server/google-oauth.d.ts.map +1 -1
package/dist/server/google-oauth.js +47 -17
package/dist/server/google-oauth.js.map +1 -1
package/dist/server/index.d.ts +1 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +1 -1
package/dist/server/index.js.map +1 -1
package/dist/server/oauth-public-origin.d.ts.map +1 -1
package/dist/server/oauth-public-origin.js +19 -1
package/dist/server/oauth-public-origin.js.map +1 -1
package/dist/server/onboarding-html.d.ts.map +1 -1
package/dist/server/onboarding-html.js +62 -15
package/dist/server/onboarding-html.js.map +1 -1
package/dist/server/poll.d.ts.map +1 -1
package/dist/server/poll.js +20 -5
package/dist/server/poll.js.map +1 -1
package/dist/server/request-context.d.ts +8 -0
package/dist/server/request-context.d.ts.map +1 -1
package/dist/server/request-context.js.map +1 -1
package/dist/shared/index.d.ts +2 -0
package/dist/shared/index.d.ts.map +1 -1
package/dist/shared/index.js +2 -0
package/dist/shared/index.js.map +1 -1
package/dist/shared/llm-connection.d.ts +10 -0
package/dist/shared/llm-connection.d.ts.map +1 -0
package/dist/shared/llm-connection.js +29 -0
package/dist/shared/llm-connection.js.map +1 -0
package/dist/shared/workspace-app-audience.d.ts +25 -0
package/dist/shared/workspace-app-audience.d.ts.map +1 -0
package/dist/shared/workspace-app-audience.js +126 -0
package/dist/shared/workspace-app-audience.js.map +1 -0
package/dist/shared/workspace-app-id.d.ts +1 -1
package/dist/shared/workspace-app-id.d.ts.map +1 -1
package/dist/shared/workspace-app-id.js +1 -0
package/dist/shared/workspace-app-id.js.map +1 -1
package/dist/sharing/access.d.ts.map +1 -1
package/dist/sharing/access.js +46 -5
package/dist/sharing/access.js.map +1 -1
package/dist/sharing/actions/list-resource-shares.d.ts.map +1 -1
package/dist/sharing/actions/list-resource-shares.js +8 -1
package/dist/sharing/actions/list-resource-shares.js.map +1 -1
package/dist/sharing/actions/set-resource-visibility.d.ts.map +1 -1
package/dist/sharing/actions/set-resource-visibility.js +12 -3
package/dist/sharing/actions/set-resource-visibility.js.map +1 -1
package/dist/sharing/actions/share-resource.d.ts.map +1 -1
package/dist/sharing/actions/share-resource.js +50 -1
package/dist/sharing/actions/share-resource.js.map +1 -1
package/dist/sharing/registry.d.ts +26 -0
package/dist/sharing/registry.d.ts.map +1 -1
package/dist/sharing/registry.js.map +1 -1
package/dist/styles/agent-native.css +91 -0
package/dist/templates/default/.agents/skills/adding-a-feature/SKILL.md +72 -0
package/dist/templates/default/.agents/skills/frontend-design/SKILL.md +60 -37
package/dist/templates/default/.agents/skills/real-time-sync/SKILL.md +28 -17
package/dist/templates/default/.agents/skills/shadcn-ui/SKILL.md +79 -0
package/dist/templates/default/AGENTS.md +22 -19
package/dist/templates/default/actions/navigate.ts +3 -0
package/dist/templates/default/app/hooks/use-navigation-state.ts +29 -5
package/dist/templates/workspace-core/.agents/skills/a2a-protocol/SKILL.md +251 -0
package/dist/templates/workspace-core/.agents/skills/actions/SKILL.md +264 -0
package/dist/templates/workspace-core/.agents/skills/adding-a-feature/SKILL.md +130 -0
package/dist/templates/workspace-core/.agents/skills/address-feedback/SKILL.md +112 -0
package/dist/templates/workspace-core/.agents/skills/authentication/SKILL.md +88 -0
package/dist/templates/workspace-core/.agents/skills/automations/SKILL.md +191 -0
package/dist/templates/workspace-core/.agents/skills/capture-learnings/SKILL.md +74 -0
package/dist/templates/workspace-core/.agents/skills/client-side-routing/SKILL.md +75 -0
package/dist/templates/workspace-core/.agents/skills/context-awareness/SKILL.md +190 -0
package/dist/templates/workspace-core/.agents/skills/create-skill/SKILL.md +168 -0
package/dist/templates/workspace-core/.agents/skills/delegate-to-agent/SKILL.md +163 -0
package/dist/templates/workspace-core/.agents/skills/extension-points/SKILL.md +205 -0
package/dist/templates/workspace-core/.agents/skills/extensions/SKILL.md +720 -0
package/dist/templates/workspace-core/.agents/skills/frontend-design/SKILL.md +92 -0
package/dist/templates/workspace-core/.agents/skills/integration-webhooks/SKILL.md +285 -0
package/dist/templates/workspace-core/.agents/skills/observability/SKILL.md +192 -0
package/dist/templates/workspace-core/.agents/skills/onboarding/SKILL.md +43 -0
package/dist/templates/workspace-core/.agents/skills/portability/SKILL.md +84 -0
package/dist/templates/workspace-core/.agents/skills/qa/SKILL.md +313 -0
package/dist/templates/workspace-core/.agents/skills/real-time-collab/SKILL.md +112 -0
package/dist/templates/workspace-core/.agents/skills/real-time-sync/SKILL.md +165 -0
package/dist/templates/workspace-core/.agents/skills/recurring-jobs/SKILL.md +41 -0
package/dist/templates/workspace-core/.agents/skills/secrets/SKILL.md +239 -0
package/dist/templates/workspace-core/.agents/skills/security/SKILL.md +191 -0
package/dist/templates/workspace-core/.agents/skills/self-modifying-code/SKILL.md +79 -0
package/dist/templates/workspace-core/.agents/skills/server-plugins/SKILL.md +73 -0
package/dist/templates/workspace-core/.agents/skills/shadcn-ui/SKILL.md +79 -0
package/dist/templates/workspace-core/.agents/skills/sharing/SKILL.md +217 -0
package/dist/templates/workspace-core/.agents/skills/storing-data/SKILL.md +132 -0
package/dist/templates/workspace-core/.agents/skills/tracking/SKILL.md +150 -0
package/dist/templates/workspace-core/.agents/skills/voice-transcription/SKILL.md +124 -0
package/dist/templates/workspace-core/AGENTS.md +16 -1
package/dist/templates/workspace-root/AGENTS.md +35 -0
package/dist/templates/workspace-root/README.md +7 -0
package/dist/vite/action-types-plugin.d.ts.map +1 -1
package/dist/vite/action-types-plugin.js +4 -0
package/dist/vite/action-types-plugin.js.map +1 -1
package/docs/content/authentication.md +36 -0
package/docs/content/creating-templates.md +15 -0
package/docs/content/dispatch.md +3 -3
package/docs/content/multi-app-workspace.md +5 -0
package/docs/content/tracking.md +12 -0
package/docs/content/workspace-management.md +39 -4
package/package.json +15 -12
package/src/templates/default/.agents/skills/adding-a-feature/SKILL.md +72 -0
package/src/templates/default/.agents/skills/frontend-design/SKILL.md +60 -37
package/src/templates/default/.agents/skills/real-time-sync/SKILL.md +28 -17
package/src/templates/default/.agents/skills/shadcn-ui/SKILL.md +79 -0
package/src/templates/default/AGENTS.md +22 -19
package/src/templates/default/actions/navigate.ts +3 -0
package/src/templates/default/app/hooks/use-navigation-state.ts +29 -5
package/src/templates/workspace-core/.agents/skills/a2a-protocol/SKILL.md +251 -0
package/src/templates/workspace-core/.agents/skills/actions/SKILL.md +264 -0
package/src/templates/workspace-core/.agents/skills/adding-a-feature/SKILL.md +130 -0
package/src/templates/workspace-core/.agents/skills/address-feedback/SKILL.md +112 -0
package/src/templates/workspace-core/.agents/skills/authentication/SKILL.md +88 -0
package/src/templates/workspace-core/.agents/skills/automations/SKILL.md +191 -0
package/src/templates/workspace-core/.agents/skills/capture-learnings/SKILL.md +74 -0
package/src/templates/workspace-core/.agents/skills/client-side-routing/SKILL.md +75 -0
package/src/templates/workspace-core/.agents/skills/context-awareness/SKILL.md +190 -0
package/src/templates/workspace-core/.agents/skills/create-skill/SKILL.md +168 -0
package/src/templates/workspace-core/.agents/skills/delegate-to-agent/SKILL.md +163 -0
package/src/templates/workspace-core/.agents/skills/extension-points/SKILL.md +205 -0
package/src/templates/workspace-core/.agents/skills/extensions/SKILL.md +720 -0
package/src/templates/workspace-core/.agents/skills/frontend-design/SKILL.md +92 -0
package/src/templates/workspace-core/.agents/skills/integration-webhooks/SKILL.md +285 -0
package/src/templates/workspace-core/.agents/skills/observability/SKILL.md +192 -0
package/src/templates/workspace-core/.agents/skills/onboarding/SKILL.md +43 -0
package/src/templates/workspace-core/.agents/skills/portability/SKILL.md +84 -0
package/src/templates/workspace-core/.agents/skills/qa/SKILL.md +313 -0
package/src/templates/workspace-core/.agents/skills/real-time-collab/SKILL.md +112 -0
package/src/templates/workspace-core/.agents/skills/real-time-sync/SKILL.md +165 -0
package/src/templates/workspace-core/.agents/skills/recurring-jobs/SKILL.md +41 -0
package/src/templates/workspace-core/.agents/skills/secrets/SKILL.md +239 -0
package/src/templates/workspace-core/.agents/skills/security/SKILL.md +191 -0
package/src/templates/workspace-core/.agents/skills/self-modifying-code/SKILL.md +79 -0
package/src/templates/workspace-core/.agents/skills/server-plugins/SKILL.md +73 -0
package/src/templates/workspace-core/.agents/skills/shadcn-ui/SKILL.md +79 -0
package/src/templates/workspace-core/.agents/skills/sharing/SKILL.md +217 -0
package/src/templates/workspace-core/.agents/skills/storing-data/SKILL.md +132 -0
package/src/templates/workspace-core/.agents/skills/tracking/SKILL.md +150 -0
package/src/templates/workspace-core/.agents/skills/voice-transcription/SKILL.md +124 -0
package/src/templates/workspace-core/AGENTS.md +16 -1
package/src/templates/workspace-root/AGENTS.md +35 -0
package/src/templates/workspace-root/README.md +7 -0

package/dist/server/auth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAsChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAMlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;~~AAyB5D~~;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;;OAUG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAwCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAKpD;AAID,eAAO,MAAM,WAAW,QAMJ,CAAC;AAErB;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;~~AAqFD~~;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AA8ND;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;~~AA8CD~~,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;~~AAwUD~~;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,~~CA6E5E~~;AA0CD,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,~~CAQ7E~~;~~AAuyCD~~;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,~~CAqKlB~~;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}
1	+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAsChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAMlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAwB5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAE7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;;OAUG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAwCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAKpD;AAID,eAAO,MAAM,WAAW,QAMJ,CAAC;AAErB;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AA2JD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AA8ND;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAsED,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAsbD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAqE5E;AA0CD,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAS7E;AA8zCD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAmMlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}

package/dist/server/auth.js CHANGED Viewed

@@ -45,6 +45,7 @@ import { safeOAuthReturnUrl } from "./oauth-return-url.js";
 import { captureAuthError } from "./sentry.js";
 import { extractOAuthStateAppId } from "../shared/oauth-state.js";
 import { isValidWorkspaceAppIdFormat } from "../shared/workspace-app-id.js";
+import { normalizeWorkspaceAppAudience, workspaceAppAudienceFromEnv, workspaceAppRouteAccessFromEnv, } from "../shared/workspace-app-audience.js";
 /**
  * Get the configured session max age. Desktop SSO broker writes from
  * OAuth flows read this so expiration stays consistent with the cookie.
@@ -117,6 +118,72 @@ export function cookieDomainAttrs() {
     const domain = getCookieDomain();
     return domain ? { domain } : {};
 }
+function getCookieValues(event, name) {
+    const values = [];
+    const raw = getHeader(event, "cookie");
+    if (raw) {
+        for (const part of String(raw).split(";")) {
+            const trimmed = part.trim();
+            if (!trimmed)
+                continue;
+            const eq = trimmed.indexOf("=");
+            if (eq <= 0)
+                continue;
+            if (trimmed.slice(0, eq).trim() !== name)
+                continue;
+            let value = trimmed.slice(eq + 1).trim();
+            if (value.startsWith('"') && value.endsWith('"')) {
+                value = value.slice(1, -1);
+            }
+            try {
+                value = decodeURIComponent(value);
+            }
+            catch {
+                // Keep the raw cookie value if it was not percent-encoded.
+            }
+            if (value && !values.includes(value))
+                values.push(value);
+        }
+    }
+    // H3's cookie parser keeps only the first duplicate name. Preserve it as a
+    // fallback for mock/runtime shapes that do not expose the raw Cookie header.
+    const parsed = getCookie(event, name);
+    if (parsed && !values.includes(parsed))
+        values.push(parsed);
+    return values;
+}
+function getFrameworkSessionCookieValues(event) {
+    return getCookieValues(event, COOKIE_NAME);
+}
+function frameworkSessionCookieNamesToClear() {
+    const names = new Set([COOKIE_NAME]);
+    if (APP_NAME_SLUG)
+        names.add(`an_session_${APP_NAME_SLUG}`);
+    return [...names];
+}
+function deleteCookieFromEveryScope(event, name) {
+    // Clear host-only cookies first. When COOKIE_DOMAIN was introduced, stale
+    // host-only `an_session` cookies could shadow the new domain cookie because
+    // browsers send older same-path duplicates first.
+    deleteCookie(event, name, { path: "/" });
+    const domainAttrs = cookieDomainAttrs();
+    if (domainAttrs.domain) {
+        deleteCookie(event, name, { path: "/", ...domainAttrs });
+    }
+}
+function clearFrameworkSessionCookies(event) {
+    for (const name of frameworkSessionCookieNamesToClear()) {
+        deleteCookieFromEveryScope(event, name);
+    }
+}
+async function getLegacyCookieSession(event) {
+    for (const cookie of getFrameworkSessionCookieValues(event)) {
+        const email = await getSessionEmail(cookie);
+        if (email)
+            return { email, token: cookie };
+    }
+    return null;
+}
 function getOAuthStateAppId() {
     const raw = process.env.APP_NAME || process.env.npm_package_name;
     if (!raw)
@@ -478,6 +545,16 @@ export async function getSessionEmail(token) {
 let customGetSession = null;
 let _authGuardConfig = null;
 const _genericGoogleOAuthRoutesEnabled = new WeakMap();
+function resolveWorkspaceAppAudience(options = {}) {
+    return normalizeWorkspaceAppAudience(options.workspaceAppAudience ?? workspaceAppAudienceFromEnv());
+}
+function resolveWorkspaceAppRouteAccess(options = {}) {
+    const env = workspaceAppRouteAccessFromEnv();
+    return {
+        publicPaths: options.workspaceAppPublicPaths ?? env.publicPaths,
+        protectedPaths: options.workspaceAppProtectedPaths ?? env.protectedPaths,
+    };
+}
 function setGenericGoogleOAuthRoutesEnabled(app, enabled) {
     if (app && typeof app === "object") {
         _genericGoogleOAuthRoutesEnabled.set(app, enabled);
@@ -850,6 +927,9 @@ function createAuthGuardFn() {
             return;
         if (isPublicPath(normalizedUrl, publicPaths))
             return;
+        if (isPublicWorkspacePageRequest(event, p, config)) {
+            return;
+        }
         const session = await getSession(event);
         if (session)
             return;
@@ -857,12 +937,116 @@ function createAuthGuardFn() {
             setResponseStatus(event, 401);
             return { error: "Unauthorized" };
         }
+        // Local-dev convenience: on the first page GET of a freshly-scaffolded
+        // app, transparently create + sign in `dev@local` instead of showing the
+        // sign-up form. Gated on NODE_ENV=development AND no real users in the
+        // DB, so production and any app that has ever had a real signup are
+        // unaffected. See maybeAutoCreateDevSession for full conditions.
+        if (getMethod(event) === "GET") {
+            const autoSession = await maybeAutoCreateDevSession(event, url);
+            if (autoSession)
+                return autoSession;
+        }
         return new Response(loginHtml, {
             status: 200,
             headers: { "Content-Type": "text/html; charset=utf-8" },
         });
     };
 }
+const AUTO_DEV_ACCOUNT_EMAIL = "dev@local";
+const AUTO_DEV_ACCOUNT_PASSWORD = "local-dev-account";
+/**
+ * Local-dev convenience: skip the sign-up wall on first run.
+ *
+ * When NODE_ENV=development AND the `user` table has no rows for any
+ * email other than `dev@local`, transparently sign up (or sign back in
+ * to) the auto-managed dev account and return a 302 to the original URL
+ * with a session cookie set. A developer who just ran `pnpm dev` lands
+ * in the app immediately instead of being asked to fill in name + email
+ * + password to try the framework.
+ *
+ * Auto-create fires exactly once per local DB: as soon as `dev@local`
+ * (or any real user) exists in the `user` table, the helper returns
+ * null and the normal login flow takes over. Signing out then leaves
+ * the user on the regular sign-in form; without this guard the
+ * post-logout reload would silently re-create the session.
+ *
+ * The fixed password is intentional: it means a developer who signs
+ * out can sign back in with `dev@local` / `local-dev-account` from
+ * the regular login form. To get the auto-flow back, drop the user
+ * row or wipe the local DB. Set
+ * `AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1` to opt out entirely
+ * (useful for tests that exercise the unauthenticated branch). This
+ * is local-only — the helper is gated on NODE_ENV.
+ */
+async function maybeAutoCreateDevSession(event, redirectTo) {
+    if (!isDevEnvironment())
+        return null;
+    if (process.env.AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT === "1")
+        return null;
+    try {
+        const db = getDbExec();
+        const { rows: realUsers } = await db.execute({
+            sql: 'SELECT 1 FROM "user" WHERE email != ? LIMIT 1',
+            args: [AUTO_DEV_ACCOUNT_EMAIL],
+        });
+        if (realUsers.length > 0)
+            return null;
+        // If `dev@local` already exists, this is not a freshly-scaffolded
+        // app — the user has been through the auto-create flow at least
+        // once. Skip auto-create so signing out actually works: without
+        // this guard, the post-logout reload immediately re-creates the
+        // session and the user is stuck in dev@local forever (or has to
+        // set AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1). To get the demo
+        // experience back, drop the row or wipe the local DB.
+        const { rows: devUsers } = await db.execute({
+            sql: 'SELECT 1 FROM "user" WHERE email = ? LIMIT 1',
+            args: [AUTO_DEV_ACCOUNT_EMAIL],
+        });
+        if (devUsers.length > 0)
+            return null;
+        const auth = await getBetterAuth();
+        if (!auth)
+            return null;
+        // Idempotent sign-up: succeeds on first run, throws an "already exists"
+        // failure on subsequent runs (which we swallow before falling through
+        // to the sign-in path below).
+        try {
+            await auth.api.signUpEmail({
+                body: {
+                    email: AUTO_DEV_ACCOUNT_EMAIL,
+                    password: AUTO_DEV_ACCOUNT_PASSWORD,
+                    name: "Dev",
+                },
+            });
+        }
+        catch (e) {
+            if (!isExpectedAuthFailure(e))
+                throw e;
+        }
+        const result = await auth.api.signInEmail({
+            body: {
+                email: AUTO_DEV_ACCOUNT_EMAIL,
+                password: AUTO_DEV_ACCOUNT_PASSWORD,
+            },
+        });
+        if (!result?.token)
+            return null;
+        setFrameworkSessionCookie(event, result.token);
+        await addSession(result.token, AUTO_DEV_ACCOUNT_EMAIL);
+        return new Response("", {
+            status: 302,
+            headers: { Location: redirectTo },
+        });
+    }
+    catch (e) {
+        // Local-dev only — log to console for debugging, but don't surface
+        // through Sentry. Falling back to the regular login form is the
+        // correct user-facing behavior when this path fails.
+        console.warn("[agent-native] auto dev account skipped:", e);
+        return null;
+    }
+}
 /**
  * Map a Better Auth session to our AuthSession type.
  */
@@ -896,12 +1080,9 @@ export async function getSession(event) {
     // 1. ACCESS_TOKEN check (programmatic/agent access)
     const accessTokens = getAccessTokens();
     if (accessTokens.length > 0) {
-        const cookie = getCookie(event, COOKIE_NAME);
-        if (cookie) {
-            const email = await getSessionEmail(cookie);
-            if (email)
-                return { email, token: cookie };
-        }
+        const cookieSession = await getLegacyCookieSession(event);
+        if (cookieSession)
+            return cookieSession;
     }
     // 2. BYOA custom getSession
     if (customGetSession) {
@@ -943,13 +1124,9 @@ export async function getSession(event) {
             console.error("[auth] ba.api.getSession error:", e);
         }
         // 5. Legacy cookie fallback (for sessions created before migration)
-        const cookie = getCookie(event, COOKIE_NAME);
-        if (cookie) {
-            const email = await getSessionEmail(cookie);
-            if (email) {
-                return { email, token: cookie };
-            }
-        }
+        const cookieSession = await getLegacyCookieSession(event);
+        if (cookieSession)
+            return cookieSession;
         // 6. Desktop SSO broker fallback.
         // Each template in the Electron desktop app has its own database, so
         // a session token created by one template doesn't resolve in another.
@@ -1004,6 +1181,7 @@ function crossSiteCookieAttrs(event) {
         : { sameSite: "lax", secure: false };
 }
 export function setFrameworkSessionCookie(event, token) {
+    clearFrameworkSessionCookies(event);
     setCookie(event, COOKIE_NAME, token, {
         httpOnly: true,
         ...crossSiteCookieAttrs(event),
@@ -1036,7 +1214,32 @@ function isHttpsRequest(event) {
 // ---------------------------------------------------------------------------
 function isPublicPath(url, publicPaths) {
     const p = url.split("?")[0];
-    return publicPaths.some((pp) => p === pp || p.startsWith(pp + "/"));
+    return matchesPathList(p, publicPaths);
+}
+function matchesPathList(path, paths) {
+    return paths.some((candidate) => {
+        const normalized = candidate.length > 1 && candidate.endsWith("/")
+            ? candidate.slice(0, -1)
+            : candidate;
+        return path === normalized || path.startsWith(normalized + "/");
+    });
+}
+function isPublicWorkspacePageRequest(event, path, config) {
+    if (!isReadMethod(event))
+        return false;
+    if (path === "/_agent-native" ||
+        path.startsWith("/_agent-native/") ||
+        path === "/api" ||
+        path.startsWith("/api/") ||
+        path === "/.well-known" ||
+        path.startsWith("/.well-known/")) {
+        return false;
+    }
+    if (matchesPathList(path, config.workspaceAppProtectedPaths))
+        return false;
+    if (matchesPathList(path, config.workspaceAppPublicPaths))
+        return true;
+    return config.workspaceAppAudience === "public";
 }
 function stripAppBasePath(pathname) {
     const basePath = getAppBasePath();
@@ -1384,6 +1587,8 @@ function getTokenLoginHtml(options = {}) {
 // ---------------------------------------------------------------------------
 async function mountBetterAuthRoutes(app, options) {
     const publicPaths = [...(options.publicPaths ?? [])];
+    const workspaceAppAudience = resolveWorkspaceAppAudience(options);
+    const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);
     // The A2A agent card is part of an open protocol — other agents must be
     // able to discover it without auth. Same for favicons and similar probes.
     for (const pp of ["/.well-known", "/favicon.ico", "/favicon.png"]) {
@@ -1821,13 +2026,7 @@ async function mountBetterAuthRoutes(app, options) {
             }
             const sessionToken = crypto.randomBytes(32).toString("hex");
             await addSession(sessionToken, "user");
-            setCookie(event, COOKIE_NAME, sessionToken, {
-                httpOnly: true,
-                ...crossSiteCookieAttrs(event),
-                ...cookieDomainAttrs(),
-                path: "/",
-                maxAge: sessionMaxAge,
-            });
+            setFrameworkSessionCookie(event, sessionToken);
             return authLoginResponse(event, sessionToken, "user");
         }
         // Email/password login via Better Auth
@@ -1842,13 +2041,7 @@ async function mountBetterAuthRoutes(app, options) {
                 body: { email, password },
             });
             if (result?.token) {
-                setCookie(event, COOKIE_NAME, result.token, {
-                    httpOnly: true,
-                    ...crossSiteCookieAttrs(event),
-                    ...cookieDomainAttrs(),
-                    path: "/",
-                    maxAge: sessionMaxAge,
-                });
+                setFrameworkSessionCookie(event, result.token);
                 await addSession(result.token, email);
                 if (isElectronRequest(event)) {
                     await writeDesktopSso({
@@ -1911,13 +2104,13 @@ async function mountBetterAuthRoutes(app, options) {
     }));
     // Backward-compat: POST /_agent-native/auth/logout
     app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
-        const cookie = getCookie(event, COOKIE_NAME);
-        if (cookie)
+        for (const cookie of getFrameworkSessionCookieValues(event)) {
             await removeSession(cookie);
+        }
         const bearerToken = getBearerSessionToken(event);
         if (bearerToken)
             await removeSession(bearerToken);
-        deleteCookie(event, COOKIE_NAME, { path: "/", ...cookieDomainAttrs() });
+        clearFrameworkSessionCookies(event);
         try {
             await auth.api.signOut({ headers: event.headers });
         }
@@ -1980,7 +2173,7 @@ async function mountBetterAuthRoutes(app, options) {
             }
             // 3. Drop the current request's cookie and best-effort sign out
             // of Better Auth (so the response sets the proper expiry header).
-            deleteCookie(event, COOKIE_NAME, { path: "/", ...cookieDomainAttrs() });
+            clearFrameworkSessionCookies(event);
             try {
                 await auth.api.signOut({ headers: event.headers });
             }
@@ -2026,7 +2219,13 @@ async function mountBetterAuthRoutes(app, options) {
             googleSignInNotice: options.googleSignInNotice,
             googleAuthMode: options.googleAuthMode,
         });
-    _authGuardConfig = { loginHtml, publicPaths };
+    _authGuardConfig = {
+        loginHtml,
+        publicPaths,
+        workspaceAppAudience,
+        workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,
+        workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,
+    };
     const guardFn = createAuthGuardFn();
     _authGuardFn = guardFn;
     app.use(defineEventHandler(guardFn));
@@ -2034,7 +2233,7 @@ async function mountBetterAuthRoutes(app, options) {
 // ---------------------------------------------------------------------------
 // mountTokenOnlyRoutes — ACCESS_TOKEN-only auth (no Better Auth)
 // ---------------------------------------------------------------------------
-function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
+function mountTokenOnlyRoutes(app, accessTokens, publicPaths = [], workspaceAppAudience = resolveWorkspaceAppAudience(), workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess()) {
     app.use("/_agent-native/auth/login", defineEventHandler(async (event) => {
         if (getMethod(event) !== "POST") {
             setResponseStatus(event, 405);
@@ -2049,23 +2248,17 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         }
         const sessionToken = crypto.randomBytes(32).toString("hex");
         await addSession(sessionToken, "user");
-        setCookie(event, COOKIE_NAME, sessionToken, {
-            httpOnly: true,
-            ...crossSiteCookieAttrs(event),
-            ...cookieDomainAttrs(),
-            path: "/",
-            maxAge: sessionMaxAge,
-        });
+        setFrameworkSessionCookie(event, sessionToken);
         return authLoginResponse(event, sessionToken, "user");
     }));
     app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
-        const cookie = getCookie(event, COOKIE_NAME);
-        if (cookie)
+        for (const cookie of getFrameworkSessionCookieValues(event)) {
             await removeSession(cookie);
+        }
         const bearerToken = getBearerSessionToken(event);
         if (bearerToken)
             await removeSession(bearerToken);
-        deleteCookie(event, COOKIE_NAME, { path: "/", ...cookieDomainAttrs() });
+        clearFrameworkSessionCookies(event);
         if (isElectronRequest(event))
             await clearDesktopSso();
         return { ok: true };
@@ -2082,6 +2275,9 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         loginHtml: getTokenLoginHtml(),
         getLoginHtml: (_event, rawPath) => getTokenLoginHtml({ requestPath: rawPath }),
         publicPaths,
+        workspaceAppAudience,
+        workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,
+        workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,
     };
     const guardFn = createAuthGuardFn();
     _authGuardFn = guardFn;
@@ -2109,13 +2305,7 @@ function mountAuthFallbackRoutes(app) {
                 body: { email, password },
             });
             if (result?.token) {
-                setCookie(event, COOKIE_NAME, result.token, {
-                    httpOnly: true,
-                    ...crossSiteCookieAttrs(event),
-                    ...cookieDomainAttrs(),
-                    path: "/",
-                    maxAge: sessionMaxAge,
-                });
+                setFrameworkSessionCookie(event, result.token);
                 await addSession(result.token, email);
                 if (isElectronRequest(event)) {
                     await writeDesktopSso({
@@ -2171,13 +2361,13 @@ function mountAuthFallbackRoutes(app) {
         }
     }));
     app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
-        const cookie = getCookie(event, COOKIE_NAME);
-        if (cookie)
+        for (const cookie of getFrameworkSessionCookieValues(event)) {
             await removeSession(cookie);
+        }
         const bearerToken = getBearerSessionToken(event);
         if (bearerToken)
             await removeSession(bearerToken);
-        deleteCookie(event, COOKIE_NAME, { path: "/", ...cookieDomainAttrs() });
+        clearFrameworkSessionCookies(event);
         try {
             const auth = await getBetterAuth();
             await auth.api.signOut({ headers: event.headers });
@@ -2257,6 +2447,18 @@ export async function autoMountAuth(app, options = {}) {
                     ...options.publicPaths,
                 ];
             }
+            if (options.workspaceAppAudience) {
+                _authGuardConfig.workspaceAppAudience =
+                    resolveWorkspaceAppAudience(options);
+            }
+            if (options.workspaceAppPublicPaths) {
+                _authGuardConfig.workspaceAppPublicPaths =
+                    options.workspaceAppPublicPaths;
+            }
+            if (options.workspaceAppProtectedPaths) {
+                _authGuardConfig.workspaceAppProtectedPaths =
+                    options.workspaceAppProtectedPaths;
+            }
         }
         return true;
     }
@@ -2276,6 +2478,8 @@ export async function autoMountAuth(app, options = {}) {
     customGetSession = null;
     sessionMaxAge = options.maxAge ?? DEFAULT_MAX_AGE;
     const publicPaths = options.publicPaths ?? [];
+    const workspaceAppAudience = resolveWorkspaceAppAudience(options);
+    const workspaceAppRouteAccess = resolveWorkspaceAppRouteAccess(options);
     mountAuthCorsMiddleware(app);
     if (options.getSession) {
         customGetSession = options.getSession;
@@ -2292,13 +2496,13 @@ export async function autoMountAuth(app, options = {}) {
         }));
         app.use("/_agent-native/auth/login", defineEventHandler(() => ({ ok: true })));
         app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
-            const cookie = getCookie(event, COOKIE_NAME);
-            if (cookie)
+            for (const cookie of getFrameworkSessionCookieValues(event)) {
                 await removeSession(cookie);
+            }
             const bearerToken = getBearerSessionToken(event);
             if (bearerToken)
                 await removeSession(bearerToken);
-            deleteCookie(event, COOKIE_NAME, { path: "/", ...cookieDomainAttrs() });
+            clearFrameworkSessionCookies(event);
             if (isElectronRequest(event))
                 await clearDesktopSso();
             return { ok: true };
@@ -2312,6 +2516,9 @@ export async function autoMountAuth(app, options = {}) {
                     getLoginHtml: (_event, rawPath) => getTokenLoginHtml({ requestPath: rawPath }),
                 }),
             publicPaths,
+            workspaceAppAudience,
+            workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,
+            workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,
         };
         const guardFn = createAuthGuardFn();
         _authGuardFn = guardFn;
@@ -2323,7 +2530,7 @@ export async function autoMountAuth(app, options = {}) {
     // ACCESS_TOKEN-only mode
     const tokens = getAccessTokens();
     if (tokens.length > 0) {
-        mountTokenOnlyRoutes(app, tokens, publicPaths);
+        mountTokenOnlyRoutes(app, tokens, publicPaths, workspaceAppAudience, workspaceAppRouteAccess);
         if (process.env.DEBUG)
             console.log(`[agent-native] Auth enabled — ${tokens.length} access token(s) configured.`);
         return true;
@@ -2347,7 +2554,13 @@ export async function autoMountAuth(app, options = {}) {
                 googleSignInNotice: options.googleSignInNotice,
                 googleAuthMode: options.googleAuthMode,
             });
-        _authGuardConfig = { loginHtml, publicPaths };
+        _authGuardConfig = {
+            loginHtml,
+            publicPaths,
+            workspaceAppAudience,
+            workspaceAppPublicPaths: workspaceAppRouteAccess.publicPaths,
+            workspaceAppProtectedPaths: workspaceAppRouteAccess.protectedPaths,
+        };
         const guardFn = createAuthGuardFn();
         _authGuardFn = guardFn;
         app.use(defineEventHandler(guardFn));