@agent-native/core 0.14.8 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (420) hide show
  1. package/README.md +1 -1
  2. package/dist/agent/engine/builder-engine.d.ts.map +1 -1
  3. package/dist/agent/engine/builder-engine.js +30 -9
  4. package/dist/agent/engine/builder-engine.js.map +1 -1
  5. package/dist/agent/engine/registry.d.ts.map +1 -1
  6. package/dist/agent/engine/registry.js +14 -4
  7. package/dist/agent/engine/registry.js.map +1 -1
  8. package/dist/agent/production-agent.d.ts.map +1 -1
  9. package/dist/agent/production-agent.js +71 -4
  10. package/dist/agent/production-agent.js.map +1 -1
  11. package/dist/agent/types.d.ts +9 -0
  12. package/dist/agent/types.d.ts.map +1 -1
  13. package/dist/agent/types.js.map +1 -1
  14. package/dist/appearance/actions/change-appearance.d.ts +3 -0
  15. package/dist/appearance/actions/change-appearance.d.ts.map +1 -0
  16. package/dist/appearance/actions/change-appearance.js +29 -0
  17. package/dist/appearance/actions/change-appearance.js.map +1 -0
  18. package/dist/chat-threads/store.d.ts +53 -2
  19. package/dist/chat-threads/store.d.ts.map +1 -1
  20. package/dist/chat-threads/store.js +172 -12
  21. package/dist/chat-threads/store.js.map +1 -1
  22. package/dist/cli/create.d.ts.map +1 -1
  23. package/dist/cli/create.js +114 -37
  24. package/dist/cli/create.js.map +1 -1
  25. package/dist/cli/index.js +30 -4
  26. package/dist/cli/index.js.map +1 -1
  27. package/dist/cli/workspace-dev.d.ts +25 -1
  28. package/dist/cli/workspace-dev.d.ts.map +1 -1
  29. package/dist/cli/workspace-dev.js +275 -49
  30. package/dist/cli/workspace-dev.js.map +1 -1
  31. package/dist/client/AgentPanel.d.ts +23 -4
  32. package/dist/client/AgentPanel.d.ts.map +1 -1
  33. package/dist/client/AgentPanel.js +276 -53
  34. package/dist/client/AgentPanel.js.map +1 -1
  35. package/dist/client/AppearancePicker.d.ts +11 -0
  36. package/dist/client/AppearancePicker.d.ts.map +1 -0
  37. package/dist/client/AppearancePicker.js +16 -0
  38. package/dist/client/AppearancePicker.js.map +1 -0
  39. package/dist/client/AssistantChat.d.ts +35 -0
  40. package/dist/client/AssistantChat.d.ts.map +1 -1
  41. package/dist/client/AssistantChat.js +315 -32
  42. package/dist/client/AssistantChat.js.map +1 -1
  43. package/dist/client/ConnectBuilderCard.d.ts.map +1 -1
  44. package/dist/client/ConnectBuilderCard.js +5 -2
  45. package/dist/client/ConnectBuilderCard.js.map +1 -1
  46. package/dist/client/ErrorBoundary.d.ts.map +1 -1
  47. package/dist/client/ErrorBoundary.js +8 -10
  48. package/dist/client/ErrorBoundary.js.map +1 -1
  49. package/dist/client/FeedbackButton.d.ts.map +1 -1
  50. package/dist/client/FeedbackButton.js +1 -1
  51. package/dist/client/FeedbackButton.js.map +1 -1
  52. package/dist/client/MultiTabAssistantChat.d.ts +13 -1
  53. package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
  54. package/dist/client/MultiTabAssistantChat.js +217 -38
  55. package/dist/client/MultiTabAssistantChat.js.map +1 -1
  56. package/dist/client/NewWorkspaceAppFlow.d.ts.map +1 -1
  57. package/dist/client/NewWorkspaceAppFlow.js +37 -14
  58. package/dist/client/NewWorkspaceAppFlow.js.map +1 -1
  59. package/dist/client/agent-chat-adapter.d.ts +5 -0
  60. package/dist/client/agent-chat-adapter.d.ts.map +1 -1
  61. package/dist/client/agent-chat-adapter.js +4 -0
  62. package/dist/client/agent-chat-adapter.js.map +1 -1
  63. package/dist/client/agent-sidebar-state.d.ts +12 -0
  64. package/dist/client/agent-sidebar-state.d.ts.map +1 -1
  65. package/dist/client/agent-sidebar-state.js +8 -0
  66. package/dist/client/agent-sidebar-state.js.map +1 -1
  67. package/dist/client/analytics.d.ts.map +1 -1
  68. package/dist/client/analytics.js +175 -3
  69. package/dist/client/analytics.js.map +1 -1
  70. package/dist/client/appearance.d.ts +40 -0
  71. package/dist/client/appearance.d.ts.map +1 -0
  72. package/dist/client/appearance.js +114 -0
  73. package/dist/client/appearance.js.map +1 -0
  74. package/dist/client/builder-frame.d.ts +1 -0
  75. package/dist/client/builder-frame.d.ts.map +1 -1
  76. package/dist/client/builder-frame.js +19 -9
  77. package/dist/client/builder-frame.js.map +1 -1
  78. package/dist/client/components/CodeRequiredDialog.d.ts.map +1 -1
  79. package/dist/client/components/CodeRequiredDialog.js +10 -2
  80. package/dist/client/components/CodeRequiredDialog.js.map +1 -1
  81. package/dist/client/components/ui/dropdown-menu.js +2 -2
  82. package/dist/client/components/ui/dropdown-menu.js.map +1 -1
  83. package/dist/client/components/ui/hover-card.js +1 -1
  84. package/dist/client/components/ui/hover-card.js.map +1 -1
  85. package/dist/client/components/ui/popover.js +1 -1
  86. package/dist/client/components/ui/popover.js.map +1 -1
  87. package/dist/client/composer/PromptComposer.d.ts +7 -0
  88. package/dist/client/composer/PromptComposer.d.ts.map +1 -1
  89. package/dist/client/composer/PromptComposer.js +63 -32
  90. package/dist/client/composer/PromptComposer.js.map +1 -1
  91. package/dist/client/composer/TiptapComposer.d.ts +5 -0
  92. package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
  93. package/dist/client/composer/TiptapComposer.js +36 -6
  94. package/dist/client/composer/TiptapComposer.js.map +1 -1
  95. package/dist/client/composer/useVoiceDictation.d.ts.map +1 -1
  96. package/dist/client/composer/useVoiceDictation.js +13 -1
  97. package/dist/client/composer/useVoiceDictation.js.map +1 -1
  98. package/dist/client/error-format.d.ts +3 -2
  99. package/dist/client/error-format.d.ts.map +1 -1
  100. package/dist/client/error-format.js +9 -2
  101. package/dist/client/error-format.js.map +1 -1
  102. package/dist/client/extensions/ExtensionViewer.d.ts.map +1 -1
  103. package/dist/client/extensions/ExtensionViewer.js +24 -2
  104. package/dist/client/extensions/ExtensionViewer.js.map +1 -1
  105. package/dist/client/index.d.ts +8 -1
  106. package/dist/client/index.d.ts.map +1 -1
  107. package/dist/client/index.js +7 -0
  108. package/dist/client/index.js.map +1 -1
  109. package/dist/client/onboarding/OnboardingPanel.js +1 -0
  110. package/dist/client/onboarding/OnboardingPanel.js.map +1 -1
  111. package/dist/client/org/InvitationBanner.d.ts.map +1 -1
  112. package/dist/client/org/InvitationBanner.js +23 -2
  113. package/dist/client/org/InvitationBanner.js.map +1 -1
  114. package/dist/client/org/OrgSwitcher.d.ts +5 -4
  115. package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
  116. package/dist/client/org/OrgSwitcher.js +57 -9
  117. package/dist/client/org/OrgSwitcher.js.map +1 -1
  118. package/dist/client/org/hooks.d.ts.map +1 -1
  119. package/dist/client/org/hooks.js +10 -6
  120. package/dist/client/org/hooks.js.map +1 -1
  121. package/dist/client/org/workspace-app-links.d.ts +31 -0
  122. package/dist/client/org/workspace-app-links.d.ts.map +1 -0
  123. package/dist/client/org/workspace-app-links.js +268 -0
  124. package/dist/client/org/workspace-app-links.js.map +1 -0
  125. package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
  126. package/dist/client/resources/ResourcesPanel.js +18 -5
  127. package/dist/client/resources/ResourcesPanel.js.map +1 -1
  128. package/dist/client/resources/use-resources.d.ts +18 -13
  129. package/dist/client/resources/use-resources.d.ts.map +1 -1
  130. package/dist/client/resources/use-resources.js +24 -6
  131. package/dist/client/resources/use-resources.js.map +1 -1
  132. package/dist/client/settings/BackgroundAgentSection.d.ts.map +1 -1
  133. package/dist/client/settings/BackgroundAgentSection.js +9 -1
  134. package/dist/client/settings/BackgroundAgentSection.js.map +1 -1
  135. package/dist/client/settings/BrowserSection.d.ts.map +1 -1
  136. package/dist/client/settings/BrowserSection.js +16 -1
  137. package/dist/client/settings/BrowserSection.js.map +1 -1
  138. package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
  139. package/dist/client/settings/SettingsPanel.js +4 -1
  140. package/dist/client/settings/SettingsPanel.js.map +1 -1
  141. package/dist/client/settings/VoiceTranscriptionSection.d.ts.map +1 -1
  142. package/dist/client/settings/VoiceTranscriptionSection.js +5 -5
  143. package/dist/client/settings/VoiceTranscriptionSection.js.map +1 -1
  144. package/dist/client/settings/useBuilderStatus.d.ts +8 -0
  145. package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
  146. package/dist/client/settings/useBuilderStatus.js +50 -13
  147. package/dist/client/settings/useBuilderStatus.js.map +1 -1
  148. package/dist/client/settings/useBuilderStatus.spec.d.ts +2 -0
  149. package/dist/client/settings/useBuilderStatus.spec.d.ts.map +1 -0
  150. package/dist/client/settings/useBuilderStatus.spec.js +64 -0
  151. package/dist/client/settings/useBuilderStatus.spec.js.map +1 -0
  152. package/dist/client/sharing/ShareButton.d.ts +5 -0
  153. package/dist/client/sharing/ShareButton.d.ts.map +1 -1
  154. package/dist/client/sharing/ShareButton.js +60 -6
  155. package/dist/client/sharing/ShareButton.js.map +1 -1
  156. package/dist/client/theme.js +1 -1
  157. package/dist/client/theme.js.map +1 -1
  158. package/dist/client/transcription/BuilderTranscriptionCta.d.ts.map +1 -1
  159. package/dist/client/transcription/BuilderTranscriptionCta.js +2 -3
  160. package/dist/client/transcription/BuilderTranscriptionCta.js.map +1 -1
  161. package/dist/client/use-change-version.d.ts +46 -0
  162. package/dist/client/use-change-version.d.ts.map +1 -0
  163. package/dist/client/use-change-version.js +135 -0
  164. package/dist/client/use-change-version.js.map +1 -0
  165. package/dist/client/use-chat-threads.d.ts +16 -2
  166. package/dist/client/use-chat-threads.d.ts.map +1 -1
  167. package/dist/client/use-chat-threads.js +87 -12
  168. package/dist/client/use-chat-threads.js.map +1 -1
  169. package/dist/client/use-chat-threads.spec.d.ts +2 -0
  170. package/dist/client/use-chat-threads.spec.d.ts.map +1 -0
  171. package/dist/client/use-chat-threads.spec.js +85 -0
  172. package/dist/client/use-chat-threads.spec.js.map +1 -0
  173. package/dist/client/use-db-sync.d.ts +5 -2
  174. package/dist/client/use-db-sync.d.ts.map +1 -1
  175. package/dist/client/use-db-sync.js +41 -16
  176. package/dist/client/use-db-sync.js.map +1 -1
  177. package/dist/client/use-pinch-zoom.d.ts +35 -0
  178. package/dist/client/use-pinch-zoom.d.ts.map +1 -0
  179. package/dist/client/use-pinch-zoom.js +105 -0
  180. package/dist/client/use-pinch-zoom.js.map +1 -0
  181. package/dist/deploy/workspace-deploy.d.ts.map +1 -1
  182. package/dist/deploy/workspace-deploy.js +99 -5
  183. package/dist/deploy/workspace-deploy.js.map +1 -1
  184. package/dist/extensions/actions.d.ts.map +1 -1
  185. package/dist/extensions/actions.js +3 -0
  186. package/dist/extensions/actions.js.map +1 -1
  187. package/dist/extensions/store.d.ts +5 -0
  188. package/dist/extensions/store.d.ts.map +1 -1
  189. package/dist/extensions/store.js +16 -1
  190. package/dist/extensions/store.js.map +1 -1
  191. package/dist/file-upload/actions/upload-image.d.ts +3 -0
  192. package/dist/file-upload/actions/upload-image.d.ts.map +1 -0
  193. package/dist/file-upload/actions/upload-image.js +145 -0
  194. package/dist/file-upload/actions/upload-image.js.map +1 -0
  195. package/dist/file-upload/builder.d.ts.map +1 -1
  196. package/dist/file-upload/builder.js +31 -11
  197. package/dist/file-upload/builder.js.map +1 -1
  198. package/dist/file-upload/index.d.ts +1 -0
  199. package/dist/file-upload/index.d.ts.map +1 -1
  200. package/dist/file-upload/index.js +1 -0
  201. package/dist/file-upload/index.js.map +1 -1
  202. package/dist/file-upload/pre-upload-attachments.d.ts +39 -0
  203. package/dist/file-upload/pre-upload-attachments.d.ts.map +1 -0
  204. package/dist/file-upload/pre-upload-attachments.js +110 -0
  205. package/dist/file-upload/pre-upload-attachments.js.map +1 -0
  206. package/dist/file-upload/registry.d.ts.map +1 -1
  207. package/dist/file-upload/registry.js +8 -7
  208. package/dist/file-upload/registry.js.map +1 -1
  209. package/dist/onboarding/default-steps.js +1 -1
  210. package/dist/onboarding/default-steps.js.map +1 -1
  211. package/dist/org/context.d.ts +15 -1
  212. package/dist/org/context.d.ts.map +1 -1
  213. package/dist/org/context.js +25 -0
  214. package/dist/org/context.js.map +1 -1
  215. package/dist/org/handlers.d.ts +2 -2
  216. package/dist/org/handlers.d.ts.map +1 -1
  217. package/dist/org/handlers.js +3 -17
  218. package/dist/org/handlers.js.map +1 -1
  219. package/dist/org/index.d.ts +1 -1
  220. package/dist/org/index.d.ts.map +1 -1
  221. package/dist/org/index.js +1 -1
  222. package/dist/org/index.js.map +1 -1
  223. package/dist/resources/handlers.d.ts +6 -0
  224. package/dist/resources/handlers.d.ts.map +1 -1
  225. package/dist/resources/handlers.js +30 -6
  226. package/dist/resources/handlers.js.map +1 -1
  227. package/dist/resources/script-helpers.d.ts +11 -2
  228. package/dist/resources/script-helpers.d.ts.map +1 -1
  229. package/dist/resources/script-helpers.js +20 -3
  230. package/dist/resources/script-helpers.js.map +1 -1
  231. package/dist/resources/store.d.ts +28 -3
  232. package/dist/resources/store.d.ts.map +1 -1
  233. package/dist/resources/store.js +170 -20
  234. package/dist/resources/store.js.map +1 -1
  235. package/dist/scripts/resources/list.d.ts +1 -1
  236. package/dist/scripts/resources/list.d.ts.map +1 -1
  237. package/dist/scripts/resources/list.js +16 -4
  238. package/dist/scripts/resources/list.js.map +1 -1
  239. package/dist/scripts/resources/write.d.ts +1 -1
  240. package/dist/scripts/resources/write.d.ts.map +1 -1
  241. package/dist/scripts/resources/write.js +47 -3
  242. package/dist/scripts/resources/write.js.map +1 -1
  243. package/dist/server/action-discovery.d.ts.map +1 -1
  244. package/dist/server/action-discovery.js +8 -3
  245. package/dist/server/action-discovery.js.map +1 -1
  246. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  247. package/dist/server/agent-chat-plugin.js +214 -25
  248. package/dist/server/agent-chat-plugin.js.map +1 -1
  249. package/dist/server/agent-discovery.d.ts +35 -0
  250. package/dist/server/agent-discovery.d.ts.map +1 -1
  251. package/dist/server/agent-discovery.js +139 -8
  252. package/dist/server/agent-discovery.js.map +1 -1
  253. package/dist/server/app-url.d.ts +12 -6
  254. package/dist/server/app-url.d.ts.map +1 -1
  255. package/dist/server/app-url.js +58 -11
  256. package/dist/server/app-url.js.map +1 -1
  257. package/dist/server/auth.d.ts +22 -0
  258. package/dist/server/auth.d.ts.map +1 -1
  259. package/dist/server/auth.js +272 -59
  260. package/dist/server/auth.js.map +1 -1
  261. package/dist/server/better-auth-instance.d.ts +0 -4
  262. package/dist/server/better-auth-instance.d.ts.map +1 -1
  263. package/dist/server/better-auth-instance.js +0 -3
  264. package/dist/server/better-auth-instance.js.map +1 -1
  265. package/dist/server/builder-browser.d.ts.map +1 -1
  266. package/dist/server/builder-browser.js +23 -0
  267. package/dist/server/builder-browser.js.map +1 -1
  268. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  269. package/dist/server/core-routes-plugin.js +29 -14
  270. package/dist/server/core-routes-plugin.js.map +1 -1
  271. package/dist/server/credential-provider.d.ts +14 -0
  272. package/dist/server/credential-provider.d.ts.map +1 -1
  273. package/dist/server/credential-provider.js +88 -11
  274. package/dist/server/credential-provider.js.map +1 -1
  275. package/dist/server/google-auth-plugin.d.ts.map +1 -1
  276. package/dist/server/google-auth-plugin.js +53 -13
  277. package/dist/server/google-auth-plugin.js.map +1 -1
  278. package/dist/server/google-oauth.d.ts.map +1 -1
  279. package/dist/server/google-oauth.js +47 -17
  280. package/dist/server/google-oauth.js.map +1 -1
  281. package/dist/server/index.d.ts +1 -1
  282. package/dist/server/index.d.ts.map +1 -1
  283. package/dist/server/index.js +1 -1
  284. package/dist/server/index.js.map +1 -1
  285. package/dist/server/oauth-public-origin.d.ts.map +1 -1
  286. package/dist/server/oauth-public-origin.js +19 -1
  287. package/dist/server/oauth-public-origin.js.map +1 -1
  288. package/dist/server/onboarding-html.d.ts.map +1 -1
  289. package/dist/server/onboarding-html.js +62 -15
  290. package/dist/server/onboarding-html.js.map +1 -1
  291. package/dist/server/poll.d.ts.map +1 -1
  292. package/dist/server/poll.js +20 -5
  293. package/dist/server/poll.js.map +1 -1
  294. package/dist/server/request-context.d.ts +8 -0
  295. package/dist/server/request-context.d.ts.map +1 -1
  296. package/dist/server/request-context.js.map +1 -1
  297. package/dist/shared/index.d.ts +2 -0
  298. package/dist/shared/index.d.ts.map +1 -1
  299. package/dist/shared/index.js +2 -0
  300. package/dist/shared/index.js.map +1 -1
  301. package/dist/shared/llm-connection.d.ts +10 -0
  302. package/dist/shared/llm-connection.d.ts.map +1 -0
  303. package/dist/shared/llm-connection.js +29 -0
  304. package/dist/shared/llm-connection.js.map +1 -0
  305. package/dist/shared/workspace-app-audience.d.ts +25 -0
  306. package/dist/shared/workspace-app-audience.d.ts.map +1 -0
  307. package/dist/shared/workspace-app-audience.js +126 -0
  308. package/dist/shared/workspace-app-audience.js.map +1 -0
  309. package/dist/shared/workspace-app-id.d.ts +1 -1
  310. package/dist/shared/workspace-app-id.d.ts.map +1 -1
  311. package/dist/shared/workspace-app-id.js +1 -0
  312. package/dist/shared/workspace-app-id.js.map +1 -1
  313. package/dist/sharing/access.d.ts.map +1 -1
  314. package/dist/sharing/access.js +46 -5
  315. package/dist/sharing/access.js.map +1 -1
  316. package/dist/sharing/actions/list-resource-shares.d.ts.map +1 -1
  317. package/dist/sharing/actions/list-resource-shares.js +8 -1
  318. package/dist/sharing/actions/list-resource-shares.js.map +1 -1
  319. package/dist/sharing/actions/set-resource-visibility.d.ts.map +1 -1
  320. package/dist/sharing/actions/set-resource-visibility.js +12 -3
  321. package/dist/sharing/actions/set-resource-visibility.js.map +1 -1
  322. package/dist/sharing/actions/share-resource.d.ts.map +1 -1
  323. package/dist/sharing/actions/share-resource.js +50 -1
  324. package/dist/sharing/actions/share-resource.js.map +1 -1
  325. package/dist/sharing/registry.d.ts +26 -0
  326. package/dist/sharing/registry.d.ts.map +1 -1
  327. package/dist/sharing/registry.js.map +1 -1
  328. package/dist/styles/agent-native.css +91 -0
  329. package/dist/templates/default/.agents/skills/adding-a-feature/SKILL.md +72 -0
  330. package/dist/templates/default/.agents/skills/frontend-design/SKILL.md +60 -37
  331. package/dist/templates/default/.agents/skills/real-time-sync/SKILL.md +28 -17
  332. package/dist/templates/default/.agents/skills/shadcn-ui/SKILL.md +79 -0
  333. package/dist/templates/default/AGENTS.md +22 -19
  334. package/dist/templates/default/actions/navigate.ts +3 -0
  335. package/dist/templates/default/app/hooks/use-navigation-state.ts +29 -5
  336. package/dist/templates/workspace-core/.agents/skills/a2a-protocol/SKILL.md +251 -0
  337. package/dist/templates/workspace-core/.agents/skills/actions/SKILL.md +264 -0
  338. package/dist/templates/workspace-core/.agents/skills/adding-a-feature/SKILL.md +130 -0
  339. package/dist/templates/workspace-core/.agents/skills/address-feedback/SKILL.md +112 -0
  340. package/dist/templates/workspace-core/.agents/skills/authentication/SKILL.md +88 -0
  341. package/dist/templates/workspace-core/.agents/skills/automations/SKILL.md +191 -0
  342. package/dist/templates/workspace-core/.agents/skills/capture-learnings/SKILL.md +74 -0
  343. package/dist/templates/workspace-core/.agents/skills/client-side-routing/SKILL.md +75 -0
  344. package/dist/templates/workspace-core/.agents/skills/context-awareness/SKILL.md +190 -0
  345. package/dist/templates/workspace-core/.agents/skills/create-skill/SKILL.md +168 -0
  346. package/dist/templates/workspace-core/.agents/skills/delegate-to-agent/SKILL.md +163 -0
  347. package/dist/templates/workspace-core/.agents/skills/extension-points/SKILL.md +205 -0
  348. package/dist/templates/workspace-core/.agents/skills/extensions/SKILL.md +720 -0
  349. package/dist/templates/workspace-core/.agents/skills/frontend-design/SKILL.md +92 -0
  350. package/dist/templates/workspace-core/.agents/skills/integration-webhooks/SKILL.md +285 -0
  351. package/dist/templates/workspace-core/.agents/skills/observability/SKILL.md +192 -0
  352. package/dist/templates/workspace-core/.agents/skills/onboarding/SKILL.md +43 -0
  353. package/dist/templates/workspace-core/.agents/skills/portability/SKILL.md +84 -0
  354. package/dist/templates/workspace-core/.agents/skills/qa/SKILL.md +313 -0
  355. package/dist/templates/workspace-core/.agents/skills/real-time-collab/SKILL.md +112 -0
  356. package/dist/templates/workspace-core/.agents/skills/real-time-sync/SKILL.md +165 -0
  357. package/dist/templates/workspace-core/.agents/skills/recurring-jobs/SKILL.md +41 -0
  358. package/dist/templates/workspace-core/.agents/skills/secrets/SKILL.md +239 -0
  359. package/dist/templates/workspace-core/.agents/skills/security/SKILL.md +191 -0
  360. package/dist/templates/workspace-core/.agents/skills/self-modifying-code/SKILL.md +79 -0
  361. package/dist/templates/workspace-core/.agents/skills/server-plugins/SKILL.md +73 -0
  362. package/dist/templates/workspace-core/.agents/skills/shadcn-ui/SKILL.md +79 -0
  363. package/dist/templates/workspace-core/.agents/skills/sharing/SKILL.md +217 -0
  364. package/dist/templates/workspace-core/.agents/skills/storing-data/SKILL.md +132 -0
  365. package/dist/templates/workspace-core/.agents/skills/tracking/SKILL.md +150 -0
  366. package/dist/templates/workspace-core/.agents/skills/voice-transcription/SKILL.md +124 -0
  367. package/dist/templates/workspace-core/AGENTS.md +16 -1
  368. package/dist/templates/workspace-root/AGENTS.md +35 -0
  369. package/dist/templates/workspace-root/README.md +7 -0
  370. package/dist/vite/action-types-plugin.d.ts.map +1 -1
  371. package/dist/vite/action-types-plugin.js +4 -0
  372. package/dist/vite/action-types-plugin.js.map +1 -1
  373. package/docs/content/authentication.md +36 -0
  374. package/docs/content/creating-templates.md +15 -0
  375. package/docs/content/dispatch.md +3 -3
  376. package/docs/content/multi-app-workspace.md +5 -0
  377. package/docs/content/tracking.md +12 -0
  378. package/docs/content/workspace-management.md +39 -4
  379. package/package.json +15 -12
  380. package/src/templates/default/.agents/skills/adding-a-feature/SKILL.md +72 -0
  381. package/src/templates/default/.agents/skills/frontend-design/SKILL.md +60 -37
  382. package/src/templates/default/.agents/skills/real-time-sync/SKILL.md +28 -17
  383. package/src/templates/default/.agents/skills/shadcn-ui/SKILL.md +79 -0
  384. package/src/templates/default/AGENTS.md +22 -19
  385. package/src/templates/default/actions/navigate.ts +3 -0
  386. package/src/templates/default/app/hooks/use-navigation-state.ts +29 -5
  387. package/src/templates/workspace-core/.agents/skills/a2a-protocol/SKILL.md +251 -0
  388. package/src/templates/workspace-core/.agents/skills/actions/SKILL.md +264 -0
  389. package/src/templates/workspace-core/.agents/skills/adding-a-feature/SKILL.md +130 -0
  390. package/src/templates/workspace-core/.agents/skills/address-feedback/SKILL.md +112 -0
  391. package/src/templates/workspace-core/.agents/skills/authentication/SKILL.md +88 -0
  392. package/src/templates/workspace-core/.agents/skills/automations/SKILL.md +191 -0
  393. package/src/templates/workspace-core/.agents/skills/capture-learnings/SKILL.md +74 -0
  394. package/src/templates/workspace-core/.agents/skills/client-side-routing/SKILL.md +75 -0
  395. package/src/templates/workspace-core/.agents/skills/context-awareness/SKILL.md +190 -0
  396. package/src/templates/workspace-core/.agents/skills/create-skill/SKILL.md +168 -0
  397. package/src/templates/workspace-core/.agents/skills/delegate-to-agent/SKILL.md +163 -0
  398. package/src/templates/workspace-core/.agents/skills/extension-points/SKILL.md +205 -0
  399. package/src/templates/workspace-core/.agents/skills/extensions/SKILL.md +720 -0
  400. package/src/templates/workspace-core/.agents/skills/frontend-design/SKILL.md +92 -0
  401. package/src/templates/workspace-core/.agents/skills/integration-webhooks/SKILL.md +285 -0
  402. package/src/templates/workspace-core/.agents/skills/observability/SKILL.md +192 -0
  403. package/src/templates/workspace-core/.agents/skills/onboarding/SKILL.md +43 -0
  404. package/src/templates/workspace-core/.agents/skills/portability/SKILL.md +84 -0
  405. package/src/templates/workspace-core/.agents/skills/qa/SKILL.md +313 -0
  406. package/src/templates/workspace-core/.agents/skills/real-time-collab/SKILL.md +112 -0
  407. package/src/templates/workspace-core/.agents/skills/real-time-sync/SKILL.md +165 -0
  408. package/src/templates/workspace-core/.agents/skills/recurring-jobs/SKILL.md +41 -0
  409. package/src/templates/workspace-core/.agents/skills/secrets/SKILL.md +239 -0
  410. package/src/templates/workspace-core/.agents/skills/security/SKILL.md +191 -0
  411. package/src/templates/workspace-core/.agents/skills/self-modifying-code/SKILL.md +79 -0
  412. package/src/templates/workspace-core/.agents/skills/server-plugins/SKILL.md +73 -0
  413. package/src/templates/workspace-core/.agents/skills/shadcn-ui/SKILL.md +79 -0
  414. package/src/templates/workspace-core/.agents/skills/sharing/SKILL.md +217 -0
  415. package/src/templates/workspace-core/.agents/skills/storing-data/SKILL.md +132 -0
  416. package/src/templates/workspace-core/.agents/skills/tracking/SKILL.md +150 -0
  417. package/src/templates/workspace-core/.agents/skills/voice-transcription/SKILL.md +124 -0
  418. package/src/templates/workspace-core/AGENTS.md +16 -1
  419. package/src/templates/workspace-root/AGENTS.md +35 -0
  420. package/src/templates/workspace-root/README.md +7 -0
package/dist/server/poll.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"poll.js","sourceRoot":"","sources":["../../src/server/poll.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAoBvC,oEAAoE;AACpE,2EAA2E;AAC3E,MAAM,UAAU,GAAG,GAAG,CAAC;AACvB,IAAI,QAAQ,GAAG,CAAC,CAAC;AACjB,MAAM,OAAO,GAAkB,EAAE,CAAC;AAClC,MAAM,CAAC,MAAM,iBAAiB,GAAG,aAAa,CAAC;AAC/C,MAAM,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;AACxC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,IAAI,cAAc,GAAG,KAAK,CAAC;AAE3B,sEAAsE;AACtE,IAAI,YAAY,GAAG,CAAC,CAAC;AACrB,IAAI,eAAe,GAAG,CAAC,CAAC;AACxB,IAAI,eAAe,GAAG,CAAC,CAAC;AAExB;;;;;;;;;GASG;AACH,IAAI,oBAAoB,GAAG,CAAC,CAAC;AAC7B,IAAI,yBAAyB,GAAG,KAAK,CAAC;AACtC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AAChD,IAAI,mBAAmB,GAAG,KAAK,CAAC;AAEhC,SAAS,iBAAiB;IACxB,IAAI,mBAAmB;QAAE,OAAO;IAChC,mBAAmB,GAAG,IAAI,CAAC;IAC3B,kBAAkB,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,EAAE,EAAE;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;IACH,kBAAkB,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;QAC5C,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,UAAU;IACxB,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,KAAkB,EAClB,SAAiB,EACjB,KAAyB;IAEzB,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAC1D,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,IAAI,KAAK,CAAC,KAAK,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAC/D,OAAO,KAAK,CAAC;AACf,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,YAAY,CAAC,KAK5B;IACC,qEAAqE;IACrE,iEAAiE;IACjE,0DAA0D;IAC1D,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAgB,EAAE,GAAG,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;IAC3D,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpB,IAAI,OAAO,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;QAChC,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,OAAO,CAAC,MAAM,GAAG,UAAU,CAAC,CAAC;IACjD,CAAC;IACD,YAAY,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;AAC9C,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,eAAe,CAAC,KAAa;IAI3C,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,GAAG,KAAK,CAAC,CAAC;IACxD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AACvC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB,CACpC,KAAa,EACb,SAAiB,EACjB,KAAyB;IAEzB,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAC3B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,GAAG,KAAK,IAAI,mBAAmB,CAAC,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,CACrE,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,iBAAiB;IAC9B,IAAI,cAAc;QAAE,OAAO;IAC3B,cAAc,GAAG,IAAI,CAAC;IAEtB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QAEvB,MAAM,CAAC,SAAS,EAAE,cAAc,EAAE,aAAa,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACnE,EAAE,CAAC,OAAO,CAAC,yDAAyD,CAAC;YACrE,EAAE,CAAC,OAAO,CAAC,gDAAgD,CAAC;YAC5D,EAAE,CAAC,OAAO,CAAC;gBACT,GAAG,EAAE,wDAAwD;gBAC7D,IAAI,EAAE,CAAC,kBAAkB,CAAC;aAC3B,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,UAAU,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/D,MAAM,SAAS,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;QAEjE,qDAAqD;QACrD,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;QAEjD,gEAAgE;QAChE,eAAe,GAAG,KAAK,CAAC;QACxB,eAAe,GAAG,UAAU,CAAC;QAC7B,oBAAoB,GAAG,SAAS,CAAC;QACjC,yBAAyB,GAAG,IAAI,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,oCAAoC;IACtC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB;IACnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,YAAY,GAAG,IAAI;QAAE,OAAO;IACtC,YAAY,GAAG,GAAG,CAAC;IAEnB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QAEvB,8CAA8C;QAC9C,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,OAAO,CAChC,yDAAyD,CAC1D,CAAC;QACF,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QACrD,IAAI,KAAK,GAAG,eAAe,EAAE,CAAC;YAC5B,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;gBACxB,YAAY,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;YAClE,CAAC;YACD,eAAe,GAAG,KAAK,CAAC;QAC1B,CAAC;QAED,yEAAyE;QACzE,oEAAoE;QACpE,oEAAoE;QACpE,wEAAwE;QACxE,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YACrC,GAAG,EAAE,+DAA+D;YACpE,IAAI,EAAE,CAAC,kBAAkB,CAAC;SAC3B,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;QACjE,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAC/B,oBAAoB,GAAG,SAAS,CAAC;YACjC,yBAAyB,GAAG,IAAI,CAAC;QACnC,CAAC;aAAM,IAAI,SAAS,GAAG,oBAAoB,EAAE,CAAC;YAC5C,IAAI,KAAyB,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC;gBACzC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;oBAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC/B,IAAI,OAAO,MAAM,EAAE,KAAK,KAAK,QAAQ;wBAAE,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;gBAC9D,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;YACV,YAAY,CAAC;gBACX,MAAM,EAAE,gBAAgB;gBACxB,IAAI,EAAE,QAAQ;gBACd,GAAG,EAAE,kBAAkB;gBACvB,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC5B,CAAC,CAAC;YACH,oBAAoB,GAAG,SAAS,CAAC;QACnC,CAAC;QAED,qCAAqC;QACrC,MAAM,cAAc,GAAG,MAAM,EAAE,CAAC,OAAO,CACrC,gDAAgD,CACjD,CAAC;QACF,MAAM,UAAU,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/D,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;YACjC,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;gBACxB,YAAY,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;YACjE,CAAC;YACD,eAAe,GAAG,UAAU,CAAC;QAC/B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oCAAoC;IACtC,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,iBAAiB;IAC/B,iBAAiB,EAAE,CAAC;IACpB,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACxC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,qEAAqE;QACrE,MAAM,iBAAiB,EAAE,CAAC;QAC1B,mDAAmD;QACnD,MAAM,sBAAsB,EAAE,CAAC;QAE/B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QAC5D,OAAO,sBAAsB,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Polling-based change notification.\n *\n * Replaces SSE with a simple version counter. Each DB mutation (app-state,\n * settings, resources) increments the version. Clients poll `/_agent-native/poll?since=N`\n * and receive any events that occurred after version N.\n *\n * Works in all deployment environments (serverless, edge, long-lived).\n *\n * Also detects cross-process DB writes by periodically checking the\n * application_state and settings tables' updated_at timestamps. This ensures\n * that changes made by external processes (e.g., CLI actions, cron jobs)\n * are picked up even though they don't call recordChange() in this process.\n */\n\nimport { EventEmitter } from \"node:events\";\nimport { defineEventHandler, getQuery, setResponseStatus } from \"h3\";\nimport { getAppStateEmitter } from \"../application-state/emitter.js\";\nimport { getDbExec } from \"../db/client.js\";\nimport { getSettingsEmitter } from \"../settings/store.js\";\nimport { getSession } from \"./auth.js\";\n\nexport interface ChangeEvent {\n version: number;\n source: string;\n type: string;\n key?: string;\n /**\n * Owner email for tenant-scoped events. When absent, the event is treated\n * as deployment-global (e.g. table-level \"something changed\" pings) and\n * delivered to every authenticated poller. Specific events that should\n * only fan out to one user MUST set this — otherwise polling clients\n * across tenants see each other's signals.\n */\n owner?: string;\n /** Optional org ID for org-scoped events. */\n orgId?: string;\n [k: string]: unknown;\n}\n\n// In-memory ring buffer of recent changes. Kept small since clients\n// poll frequently (every 2-3s) and only need events since their last poll.\nconst MAX_BUFFER = 200;\nlet _version = 0;\nconst _buffer: ChangeEvent[] = [];\nexport const POLL_CHANGE_EVENT = \"poll-change\";\nconst _pollEmitter = new EventEmitter();\n_pollEmitter.setMaxListeners(0);\n\n/**\n * Whether we've seeded _version from the DB. In serverless (Netlify,\n * Vercel, etc.) each invocation starts fresh — without seeding, _version\n * resets to 0 and polling clients see the version jump backwards, causing\n * duplicate events and stuck UI.\n */\nlet _versionSeeded = false;\n\n/** Tracks the latest updated_at we've seen from the DB, per table. */\nlet _lastDbCheck = 0;\nlet _lastAppStateTs = 0;\nlet _lastSettingsTs = 0;\n\n/**\n * Tracks the latest updated_at seen on the `__screen_refresh__` key in\n * application_state. Bumped when the agent calls the `refresh-screen` tool,\n * and surfaced as a distinct `screen-refresh` event so clients can remount\n * the main content subtree via React key.\n *\n * `_screenRefreshInitialized` guards against spurious emits on the first\n * poll after a restart (where an existing row would look like a fresh bump).\n * Once we've taken a baseline reading, any subsequent increase emits.\n */\nlet _lastScreenRefreshTs = 0;\nlet _screenRefreshInitialized = false;\nconst SCREEN_REFRESH_KEY = \"__screen_refresh__\";\nlet _localEmittersWired = false;\n\nfunction wireLocalEmitters(): void {\n if (_localEmittersWired) return;\n _localEmittersWired = true;\n getAppStateEmitter().on(\"app-state\", (event) => {\n recordChange(event);\n });\n getSettingsEmitter().on(\"settings\", (event) => {\n recordChange(event);\n });\n}\n\n/** Get the current global version counter. */\nexport function getVersion(): number {\n return _version;\n}\n\nexport function getPollEmitter(): EventEmitter {\n return _pollEmitter;\n}\n\nexport function canSeeChangeForUser(\n event: ChangeEvent,\n userEmail: string,\n orgId: string | undefined,\n): boolean {\n // Global / unowned events: every authenticated user gets them.\n if (!event.owner && !event.orgId) return true;\n if (event.owner && event.owner === userEmail) return true;\n if (event.orgId && orgId && event.orgId === orgId) return true;\n return false;\n}\n\n/** Record a change event. Called by emitter listeners. */\nexport function recordChange(event: {\n source: string;\n type: string;\n key?: string;\n [k: string]: unknown;\n}): void {\n // Use timestamp-aligned versions so all serverless instances produce\n // values in the same range (seeded from DB, then incremented via\n // Date.now). Plain ++counter diverges across cold starts.\n _version = Math.max(_version + 1, Date.now());\n const entry: ChangeEvent = { ...event, version: _version };\n _buffer.push(entry);\n if (_buffer.length > MAX_BUFFER) {\n _buffer.splice(0, _buffer.length - MAX_BUFFER);\n }\n _pollEmitter.emit(POLL_CHANGE_EVENT, entry);\n}\n\n/** Get all changes after a given version. */\nexport function getChangesSince(since: number): {\n version: number;\n events: ChangeEvent[];\n} {\n if (since >= _version) {\n return { version: _version, events: [] };\n }\n const events = _buffer.filter((e) => e.version > since);\n return { version: _version, events };\n}\n\n/**\n * Get changes after a given version, filtered to events the caller is\n * allowed to see.\n *\n * Filtering rules:\n * - Events without an `owner` are deployment-global (table-level pings,\n * screen-refresh, etc.) and visible to every authenticated user.\n * - Events with `owner === userEmail` go to that user.\n * - Events with `orgId === orgId` go to anyone in that org.\n * - All other owned events are filtered out.\n */\nexport function getChangesSinceForUser(\n since: number,\n userEmail: string,\n orgId: string | undefined,\n): { version: number; events: ChangeEvent[] } {\n if (since >= _version) {\n return { version: _version, events: [] };\n }\n const events = _buffer.filter(\n (e) => e.version > since && canSeeChangeForUser(e, userEmail, orgId),\n );\n return { version: _version, events };\n}\n\n/**\n * Seed _version from DB timestamps on the first call so serverless\n * cold starts don't return version 0 and confuse polling clients.\n */\nasync function seedVersionFromDb(): Promise<void> {\n if (_versionSeeded) return;\n _versionSeeded = true;\n\n try {\n const db = getDbExec();\n\n const [appResult, settingsResult, refreshResult] = await Promise.all([\n db.execute(\"SELECT MAX(updated_at) as max_ts FROM application_state\"),\n db.execute(\"SELECT MAX(updated_at) as max_ts FROM settings\"),\n db.execute({\n sql: \"SELECT updated_at FROM application_state WHERE key = ?\",\n args: [SCREEN_REFRESH_KEY],\n }),\n ]);\n\n const appTs = Number(appResult.rows[0]?.max_ts) || 0;\n const settingsTs = Number(settingsResult.rows[0]?.max_ts) || 0;\n const refreshTs = Number(refreshResult.rows[0]?.updated_at) || 0;\n\n // Seed version — never decrease an already-set value\n _version = Math.max(_version, appTs, settingsTs);\n\n // Set baselines so checkExternalDbChanges detects future writes\n _lastAppStateTs = appTs;\n _lastSettingsTs = settingsTs;\n _lastScreenRefreshTs = refreshTs;\n _screenRefreshInitialized = true;\n } catch {\n // Tables may not exist yet — ignore\n }\n}\n\n/**\n * Check for cross-process DB writes by comparing updated_at timestamps.\n * Runs at most once per second to avoid excessive queries.\n */\nasync function checkExternalDbChanges(): Promise<void> {\n const now = Date.now();\n if (now - _lastDbCheck < 1000) return;\n _lastDbCheck = now;\n\n try {\n const db = getDbExec();\n\n // Check application_state for external writes\n const appResult = await db.execute(\n \"SELECT MAX(updated_at) as max_ts FROM application_state\",\n );\n const appTs = Number(appResult.rows[0]?.max_ts) || 0;\n if (appTs > _lastAppStateTs) {\n if (_lastAppStateTs > 0) {\n recordChange({ source: \"app-state\", type: \"change\", key: \"*\" });\n }\n _lastAppStateTs = appTs;\n }\n\n // Check for screen-refresh requests from the agent. The `refresh-screen`\n // tool writes to application_state under a well-known key; when its\n // updated_at bumps, emit a distinct event so the client invalidates\n // all queries (not just the ones matching its default queryKey prefix).\n const refreshResult = await db.execute({\n sql: \"SELECT updated_at, value FROM application_state WHERE key = ?\",\n args: [SCREEN_REFRESH_KEY],\n });\n const refreshTs = Number(refreshResult.rows[0]?.updated_at) || 0;\n if (!_screenRefreshInitialized) {\n _lastScreenRefreshTs = refreshTs;\n _screenRefreshInitialized = true;\n } else if (refreshTs > _lastScreenRefreshTs) {\n let scope: string | undefined;\n try {\n const raw = refreshResult.rows[0]?.value;\n if (typeof raw === \"string\") {\n const parsed = JSON.parse(raw);\n if (typeof parsed?.scope === \"string\") scope = parsed.scope;\n }\n } catch {}\n recordChange({\n source: \"screen-refresh\",\n type: \"change\",\n key: SCREEN_REFRESH_KEY,\n ...(scope ? { scope } : {}),\n });\n _lastScreenRefreshTs = refreshTs;\n }\n\n // Check settings for external writes\n const settingsResult = await db.execute(\n \"SELECT MAX(updated_at) as max_ts FROM settings\",\n );\n const settingsTs = Number(settingsResult.rows[0]?.max_ts) || 0;\n if (settingsTs > _lastSettingsTs) {\n if (_lastSettingsTs > 0) {\n recordChange({ source: \"settings\", type: \"change\", key: \"*\" });\n }\n _lastSettingsTs = settingsTs;\n }\n } catch {\n // Tables may not exist yet — ignore\n }\n}\n\n/**\n * Create an H3 handler for the poll endpoint.\n *\n * GET /_agent-native/poll?since=N → { version, events[] }\n *\n * Requires an authenticated session. Events are filtered to the caller's\n * tenant — global events (owner-less, table-level pings) reach every\n * authenticated caller; owned events reach only the matching user/org.\n * Without auth + filtering, an anonymous attacker could poll the deployment\n * and infer cross-tenant activity from the global event stream.\n */\nexport function createPollHandler() {\n wireLocalEmitters();\n return defineEventHandler(async (event) => {\n const session = await getSession(event).catch(() => null);\n if (!session?.email) {\n setResponseStatus(event, 401);\n return { error: \"Unauthenticated\" };\n }\n // On cold start, seed _version from DB so we don't return version: 0\n await seedVersionFromDb();\n // Check for cross-process writes before responding\n await checkExternalDbChanges();\n\n const query = getQuery(event);\n const since = parseInt(String(query.since ?? \"0\"), 10) || 0;\n return getChangesSinceForUser(since, session.email, session.orgId);\n });\n}\n"]}
1
+ {"version":3,"file":"poll.js","sourceRoot":"","sources":["../../src/server/poll.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAoBvC,oEAAoE;AACpE,2EAA2E;AAC3E,MAAM,UAAU,GAAG,GAAG,CAAC;AACvB,IAAI,QAAQ,GAAG,CAAC,CAAC;AACjB,MAAM,OAAO,GAAkB,EAAE,CAAC;AAClC,MAAM,CAAC,MAAM,iBAAiB,GAAG,aAAa,CAAC;AAC/C,MAAM,YAAY,GAAG,IAAI,YAAY,EAAE,CAAC;AACxC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,IAAI,cAAc,GAAG,KAAK,CAAC;AAE3B,sEAAsE;AACtE,IAAI,YAAY,GAAG,CAAC,CAAC;AACrB,IAAI,eAAe,GAAG,CAAC,CAAC;AACxB,IAAI,eAAe,GAAG,CAAC,CAAC;AAExB;;;;;;;;;GASG;AACH,IAAI,oBAAoB,GAAG,CAAC,CAAC;AAC7B,IAAI,yBAAyB,GAAG,KAAK,CAAC;AACtC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AAChD,IAAI,mBAAmB,GAAG,KAAK,CAAC;AAEhC,SAAS,iBAAiB;IACxB,IAAI,mBAAmB;QAAE,OAAO;IAChC,mBAAmB,GAAG,IAAI,CAAC;IAC3B,kBAAkB,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,EAAE,EAAE;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;IACH,kBAAkB,EAAE,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC,KAAK,EAAE,EAAE;QAC5C,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,UAAU;IACxB,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,KAAkB,EAClB,SAAiB,EACjB,KAAyB;IAEzB,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAC9C,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAC1D,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,IAAI,KAAK,CAAC,KAAK,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAC/D,OAAO,KAAK,CAAC;AACf,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,YAAY,CAAC,KAK5B;IACC,qEAAqE;IACrE,iEAAiE;IACjE,0DAA0D;IAC1D,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAgB,EAAE,GAAG,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;IAC3D,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACpB,IAAI,OAAO,CAAC,MAAM,GAAG,UAAU,EAAE,CAAC;QAChC,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,OAAO,CAAC,MAAM,GAAG,UAAU,CAAC,CAAC;IACjD,CAAC;IACD,YAAY,CAAC,IAAI,CAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;AAC9C,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,eAAe,CAAC,KAAa;IAI3C,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,GAAG,KAAK,CAAC,CAAC;IACxD,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AACvC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB,CACpC,KAAa,EACb,SAAiB,EACjB,KAAyB;IAEzB,IAAI,KAAK,IAAI,QAAQ,EAAE,CAAC;QACtB,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAC3C,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAC3B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,GAAG,KAAK,IAAI,mBAAmB,CAAC,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,CACrE,CAAC;IACF,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,iBAAiB;IAC9B,IAAI,cAAc;QAAE,OAAO;IAC3B,cAAc,GAAG,IAAI,CAAC;IAEtB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QAEvB,MAAM,CAAC,SAAS,EAAE,cAAc,EAAE,aAAa,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACnE,EAAE,CAAC,OAAO,CAAC,yDAAyD,CAAC;YACrE,EAAE,CAAC,OAAO,CAAC,gDAAgD,CAAC;YAC5D,EAAE,CAAC,OAAO,CAAC;gBACT,GAAG,EAAE,wDAAwD;gBAC7D,IAAI,EAAE,CAAC,kBAAkB,CAAC;aAC3B,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,UAAU,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/D,MAAM,SAAS,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;QAEjE,qDAAqD;QACrD,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;QAEjD,gEAAgE;QAChE,eAAe,GAAG,KAAK,CAAC;QACxB,eAAe,GAAG,UAAU,CAAC;QAC7B,oBAAoB,GAAG,SAAS,CAAC;QACjC,yBAAyB,GAAG,IAAI,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,oCAAoC;IACtC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB;IACnC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,GAAG,GAAG,YAAY,GAAG,IAAI;QAAE,OAAO;IACtC,YAAY,GAAG,GAAG,CAAC;IAEnB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;QAEvB,2EAA2E;QAC3E,8EAA8E;QAC9E,mEAAmE;QACnE,wDAAwD;QACxD,MAAM,SAAS,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YACjC,GAAG,EAAE,wGAAwG;YAC7G,IAAI,EAAE,CAAC,eAAe,CAAC;SACxB,CAAC,CAAC;QACH,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CACjC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,EACxD,eAAe,CAChB,CAAC;YACF,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;gBACxB,KAAK,MAAM,GAAG,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;oBACjC,MAAM,GAAG,GAAG,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;oBACxD,MAAM,KAAK,GACT,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;oBAClE,YAAY,CAAC;wBACX,MAAM,EAAE,WAAW;wBACnB,IAAI,EAAE,QAAQ;wBACd,GAAG;wBACH,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBAC5B,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,eAAe,GAAG,KAAK,CAAC;QAC1B,CAAC;QAED,yEAAyE;QACzE,oEAAoE;QACpE,oEAAoE;QACpE,wEAAwE;QACxE,MAAM,aAAa,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC;YACrC,GAAG,EAAE,+DAA+D;YACpE,IAAI,EAAE,CAAC,kBAAkB,CAAC;SAC3B,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,IAAI,CAAC,CAAC;QACjE,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAC/B,oBAAoB,GAAG,SAAS,CAAC;YACjC,yBAAyB,GAAG,IAAI,CAAC;QACnC,CAAC;aAAM,IAAI,SAAS,GAAG,oBAAoB,EAAE,CAAC;YAC5C,IAAI,KAAyB,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC;gBACzC,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;oBAC5B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;oBAC/B,IAAI,OAAO,MAAM,EAAE,KAAK,KAAK,QAAQ;wBAAE,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;gBAC9D,CAAC;YACH,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;YACV,YAAY,CAAC;gBACX,MAAM,EAAE,gBAAgB;gBACxB,IAAI,EAAE,QAAQ;gBACd,GAAG,EAAE,kBAAkB;gBACvB,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAC5B,CAAC,CAAC;YACH,oBAAoB,GAAG,SAAS,CAAC;QACnC,CAAC;QAED,qCAAqC;QACrC,MAAM,cAAc,GAAG,MAAM,EAAE,CAAC,OAAO,CACrC,gDAAgD,CACjD,CAAC;QACF,MAAM,UAAU,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QAC/D,IAAI,UAAU,GAAG,eAAe,EAAE,CAAC;YACjC,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;gBACxB,YAAY,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;YACjE,CAAC;YACD,eAAe,GAAG,UAAU,CAAC;QAC/B,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oCAAoC;IACtC,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,iBAAiB;IAC/B,iBAAiB,EAAE,CAAC;IACpB,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACxC,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC;QACtC,CAAC;QACD,qEAAqE;QACrE,MAAM,iBAAiB,EAAE,CAAC;QAC1B,mDAAmD;QACnD,MAAM,sBAAsB,EAAE,CAAC;QAE/B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QAC5D,OAAO,sBAAsB,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Polling-based change notification.\n *\n * Replaces SSE with a simple version counter. Each DB mutation (app-state,\n * settings, resources) increments the version. Clients poll `/_agent-native/poll?since=N`\n * and receive any events that occurred after version N.\n *\n * Works in all deployment environments (serverless, edge, long-lived).\n *\n * Also detects cross-process DB writes by periodically checking the\n * application_state and settings tables' updated_at timestamps. This ensures\n * that changes made by external processes (e.g., CLI actions, cron jobs)\n * are picked up even though they don't call recordChange() in this process.\n */\n\nimport { EventEmitter } from \"node:events\";\nimport { defineEventHandler, getQuery, setResponseStatus } from \"h3\";\nimport { getAppStateEmitter } from \"../application-state/emitter.js\";\nimport { getDbExec } from \"../db/client.js\";\nimport { getSettingsEmitter } from \"../settings/store.js\";\nimport { getSession } from \"./auth.js\";\n\nexport interface ChangeEvent {\n version: number;\n source: string;\n type: string;\n key?: string;\n /**\n * Owner email for tenant-scoped events. When absent, the event is treated\n * as deployment-global (e.g. table-level \"something changed\" pings) and\n * delivered to every authenticated poller. Specific events that should\n * only fan out to one user MUST set this — otherwise polling clients\n * across tenants see each other's signals.\n */\n owner?: string;\n /** Optional org ID for org-scoped events. */\n orgId?: string;\n [k: string]: unknown;\n}\n\n// In-memory ring buffer of recent changes. Kept small since clients\n// poll frequently (every 2-3s) and only need events since their last poll.\nconst MAX_BUFFER = 200;\nlet _version = 0;\nconst _buffer: ChangeEvent[] = [];\nexport const POLL_CHANGE_EVENT = \"poll-change\";\nconst _pollEmitter = new EventEmitter();\n_pollEmitter.setMaxListeners(0);\n\n/**\n * Whether we've seeded _version from the DB. In serverless (Netlify,\n * Vercel, etc.) each invocation starts fresh — without seeding, _version\n * resets to 0 and polling clients see the version jump backwards, causing\n * duplicate events and stuck UI.\n */\nlet _versionSeeded = false;\n\n/** Tracks the latest updated_at we've seen from the DB, per table. */\nlet _lastDbCheck = 0;\nlet _lastAppStateTs = 0;\nlet _lastSettingsTs = 0;\n\n/**\n * Tracks the latest updated_at seen on the `__screen_refresh__` key in\n * application_state. Bumped when the agent calls the `refresh-screen` tool,\n * and surfaced as a distinct `screen-refresh` event so clients can remount\n * the main content subtree via React key.\n *\n * `_screenRefreshInitialized` guards against spurious emits on the first\n * poll after a restart (where an existing row would look like a fresh bump).\n * Once we've taken a baseline reading, any subsequent increase emits.\n */\nlet _lastScreenRefreshTs = 0;\nlet _screenRefreshInitialized = false;\nconst SCREEN_REFRESH_KEY = \"__screen_refresh__\";\nlet _localEmittersWired = false;\n\nfunction wireLocalEmitters(): void {\n if (_localEmittersWired) return;\n _localEmittersWired = true;\n getAppStateEmitter().on(\"app-state\", (event) => {\n recordChange(event);\n });\n getSettingsEmitter().on(\"settings\", (event) => {\n recordChange(event);\n });\n}\n\n/** Get the current global version counter. */\nexport function getVersion(): number {\n return _version;\n}\n\nexport function getPollEmitter(): EventEmitter {\n return _pollEmitter;\n}\n\nexport function canSeeChangeForUser(\n event: ChangeEvent,\n userEmail: string,\n orgId: string | undefined,\n): boolean {\n // Global / unowned events: every authenticated user gets them.\n if (!event.owner && !event.orgId) return true;\n if (event.owner && event.owner === userEmail) return true;\n if (event.orgId && orgId && event.orgId === orgId) return true;\n return false;\n}\n\n/** Record a change event. Called by emitter listeners. */\nexport function recordChange(event: {\n source: string;\n type: string;\n key?: string;\n [k: string]: unknown;\n}): void {\n // Use timestamp-aligned versions so all serverless instances produce\n // values in the same range (seeded from DB, then incremented via\n // Date.now). Plain ++counter diverges across cold starts.\n _version = Math.max(_version + 1, Date.now());\n const entry: ChangeEvent = { ...event, version: _version };\n _buffer.push(entry);\n if (_buffer.length > MAX_BUFFER) {\n _buffer.splice(0, _buffer.length - MAX_BUFFER);\n }\n _pollEmitter.emit(POLL_CHANGE_EVENT, entry);\n}\n\n/** Get all changes after a given version. */\nexport function getChangesSince(since: number): {\n version: number;\n events: ChangeEvent[];\n} {\n if (since >= _version) {\n return { version: _version, events: [] };\n }\n const events = _buffer.filter((e) => e.version > since);\n return { version: _version, events };\n}\n\n/**\n * Get changes after a given version, filtered to events the caller is\n * allowed to see.\n *\n * Filtering rules:\n * - Events without an `owner` are deployment-global (table-level pings,\n * screen-refresh, etc.) and visible to every authenticated user.\n * - Events with `owner === userEmail` go to that user.\n * - Events with `orgId === orgId` go to anyone in that org.\n * - All other owned events are filtered out.\n */\nexport function getChangesSinceForUser(\n since: number,\n userEmail: string,\n orgId: string | undefined,\n): { version: number; events: ChangeEvent[] } {\n if (since >= _version) {\n return { version: _version, events: [] };\n }\n const events = _buffer.filter(\n (e) => e.version > since && canSeeChangeForUser(e, userEmail, orgId),\n );\n return { version: _version, events };\n}\n\n/**\n * Seed _version from DB timestamps on the first call so serverless\n * cold starts don't return version 0 and confuse polling clients.\n */\nasync function seedVersionFromDb(): Promise<void> {\n if (_versionSeeded) return;\n _versionSeeded = true;\n\n try {\n const db = getDbExec();\n\n const [appResult, settingsResult, refreshResult] = await Promise.all([\n db.execute(\"SELECT MAX(updated_at) as max_ts FROM application_state\"),\n db.execute(\"SELECT MAX(updated_at) as max_ts FROM settings\"),\n db.execute({\n sql: \"SELECT updated_at FROM application_state WHERE key = ?\",\n args: [SCREEN_REFRESH_KEY],\n }),\n ]);\n\n const appTs = Number(appResult.rows[0]?.max_ts) || 0;\n const settingsTs = Number(settingsResult.rows[0]?.max_ts) || 0;\n const refreshTs = Number(refreshResult.rows[0]?.updated_at) || 0;\n\n // Seed version — never decrease an already-set value\n _version = Math.max(_version, appTs, settingsTs);\n\n // Set baselines so checkExternalDbChanges detects future writes\n _lastAppStateTs = appTs;\n _lastSettingsTs = settingsTs;\n _lastScreenRefreshTs = refreshTs;\n _screenRefreshInitialized = true;\n } catch {\n // Tables may not exist yet — ignore\n }\n}\n\n/**\n * Check for cross-process DB writes by comparing updated_at timestamps.\n * Runs at most once per second to avoid excessive queries.\n */\nasync function checkExternalDbChanges(): Promise<void> {\n const now = Date.now();\n if (now - _lastDbCheck < 1000) return;\n _lastDbCheck = now;\n\n try {\n const db = getDbExec();\n\n // Check application_state for external writes. Preserve the changed key so\n // clients can invalidate one-shot command queries (`navigate`, `__set_url__`)\n // only when those command rows actually change; noisy keys such as\n // `slide-fit-check` should not wake navigation readers.\n const appResult = await db.execute({\n sql: \"SELECT session_id, key, updated_at FROM application_state WHERE updated_at > ? ORDER BY updated_at ASC\",\n args: [_lastAppStateTs],\n });\n if (appResult.rows.length > 0) {\n const appTs = appResult.rows.reduce(\n (max, row) => Math.max(max, Number(row.updated_at) || 0),\n _lastAppStateTs,\n );\n if (_lastAppStateTs > 0) {\n for (const row of appResult.rows) {\n const key = typeof row.key === \"string\" ? row.key : \"*\";\n const owner =\n typeof row.session_id === \"string\" ? row.session_id : undefined;\n recordChange({\n source: \"app-state\",\n type: \"change\",\n key,\n ...(owner ? { owner } : {}),\n });\n }\n }\n _lastAppStateTs = appTs;\n }\n\n // Check for screen-refresh requests from the agent. The `refresh-screen`\n // tool writes to application_state under a well-known key; when its\n // updated_at bumps, emit a distinct event so the client invalidates\n // all queries (not just the ones matching its default queryKey prefix).\n const refreshResult = await db.execute({\n sql: \"SELECT updated_at, value FROM application_state WHERE key = ?\",\n args: [SCREEN_REFRESH_KEY],\n });\n const refreshTs = Number(refreshResult.rows[0]?.updated_at) || 0;\n if (!_screenRefreshInitialized) {\n _lastScreenRefreshTs = refreshTs;\n _screenRefreshInitialized = true;\n } else if (refreshTs > _lastScreenRefreshTs) {\n let scope: string | undefined;\n try {\n const raw = refreshResult.rows[0]?.value;\n if (typeof raw === \"string\") {\n const parsed = JSON.parse(raw);\n if (typeof parsed?.scope === \"string\") scope = parsed.scope;\n }\n } catch {}\n recordChange({\n source: \"screen-refresh\",\n type: \"change\",\n key: SCREEN_REFRESH_KEY,\n ...(scope ? { scope } : {}),\n });\n _lastScreenRefreshTs = refreshTs;\n }\n\n // Check settings for external writes\n const settingsResult = await db.execute(\n \"SELECT MAX(updated_at) as max_ts FROM settings\",\n );\n const settingsTs = Number(settingsResult.rows[0]?.max_ts) || 0;\n if (settingsTs > _lastSettingsTs) {\n if (_lastSettingsTs > 0) {\n recordChange({ source: \"settings\", type: \"change\", key: \"*\" });\n }\n _lastSettingsTs = settingsTs;\n }\n } catch {\n // Tables may not exist yet — ignore\n }\n}\n\n/**\n * Create an H3 handler for the poll endpoint.\n *\n * GET /_agent-native/poll?since=N → { version, events[] }\n *\n * Requires an authenticated session. Events are filtered to the caller's\n * tenant — global events (owner-less, table-level pings) reach every\n * authenticated caller; owned events reach only the matching user/org.\n * Without auth + filtering, an anonymous attacker could poll the deployment\n * and infer cross-tenant activity from the global event stream.\n */\nexport function createPollHandler() {\n wireLocalEmitters();\n return defineEventHandler(async (event) => {\n const session = await getSession(event).catch(() => null);\n if (!session?.email) {\n setResponseStatus(event, 401);\n return { error: \"Unauthenticated\" };\n }\n // On cold start, seed _version from DB so we don't return version: 0\n await seedVersionFromDb();\n // Check for cross-process writes before responding\n await checkExternalDbChanges();\n\n const query = getQuery(event);\n const since = parseInt(String(query.since ?? \"0\"), 10) || 0;\n return getChangesSinceForUser(since, session.email, session.orgId);\n });\n}\n"]}
package/dist/server/request-context.d.ts CHANGED
@@ -12,6 +12,14 @@
12
12
  export interface RequestRunContext {
13
13
  /** Origin of the current request (used by the builder-browser tool). */
14
14
  requestOrigin?: string;
15
+ /** Stable browser tab id for tab-scoped app-state reads/writes. */
16
+ browserTabId?: string;
17
+ /** Resource scope for the current chat thread, e.g. the active deck. */
18
+ chatScope?: {
19
+ type: string;
20
+ id: string;
21
+ label?: string;
22
+ } | null;
15
23
  /** Resolved owner email (set by prepareRun). */
16
24
  owner?: string;
17
25
  /** Owner's active Anthropic API key (set by prepareRun). */
package/dist/server/request-context.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"request-context.d.ts","sourceRoot":"","sources":["../../src/server/request-context.ts"],"names":[],"mappings":"AAmBA;;;;;;;;;;GAUG;AACH,MAAM,WAAW,iBAAiB;IAChC,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,gDAAgD;IAChD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,yDAAyD;IACzD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,OAAO,0BAA0B,EAAE,WAAW,CAAC;IACxD,yDAAyD;IACzD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,SAAS,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IACpD,8DAA8D;IAC9D,WAAW,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAC1E;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;;;OAMG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,WAAW,CAAC,EAAE;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,OAAO,0BAA0B,EAAE,eAAe,CAAC;QAC7D,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;IACF;;;OAGG;IACH,GAAG,CAAC,EAAE,iBAAiB,CAAC;CACzB;AAID,KAAK,sBAAsB,GAAG,CAAC,GAAG,EAAE,cAAc,KAAK,IAAI,CAAC;AAe5D;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,sBAAsB,GAC/B,MAAM,IAAI,CAMZ;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACrC,GAAG,EAAE,cAAc,EACnB,EAAE,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GACvB,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAahB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,GAAG,SAAS,CAE9D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,GAAG,SAAS,CAIxD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAIvD;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAIpD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAIvD;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,IAAI,OAAO,CAEpD;AAED,wBAAgB,4BAA4B,IACxC,WAAW,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,GAC1C,SAAS,CAEZ;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,IAAI;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,GAAG,IAAI,CAIP;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,IAAI,iBAAiB,GAAG,SAAS,CAIpE;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,IAAI,iBAAiB,GAAG,SAAS,CAKvE"}
1
+ {"version":3,"file":"request-context.d.ts","sourceRoot":"","sources":["../../src/server/request-context.ts"],"names":[],"mappings":"AAmBA;;;;;;;;;;GAUG;AACH,MAAM,WAAW,iBAAiB;IAChC,wEAAwE;IACxE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mEAAmE;IACnE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,wEAAwE;IACxE,SAAS,CAAC,EAAE;QACV,IAAI,EAAE,MAAM,CAAC;QACb,EAAE,EAAE,MAAM,CAAC;QACX,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,GAAG,IAAI,CAAC;IACT,gDAAgD;IAChD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,yDAAyD;IACzD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,MAAM,CAAC,EAAE,OAAO,0BAA0B,EAAE,WAAW,CAAC;IACxD,yDAAyD;IACzD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,SAAS,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IACpD,8DAA8D;IAC9D,WAAW,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CAC1E;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;;;;OAMG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B;;;;OAIG;IACH,WAAW,CAAC,EAAE;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,EAAE,OAAO,0BAA0B,EAAE,eAAe,CAAC;QAC7D,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;IACF;;;OAGG;IACH,GAAG,CAAC,EAAE,iBAAiB,CAAC;CACzB;AAID,KAAK,sBAAsB,GAAG,CAAC,GAAG,EAAE,cAAc,KAAK,IAAI,CAAC;AAe5D;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,sBAAsB,GAC/B,MAAM,IAAI,CAMZ;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACrC,GAAG,EAAE,cAAc,EACnB,EAAE,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GACvB,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAahB;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,GAAG,SAAS,CAE9D;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,IAAI,OAAO,CAE3C;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,GAAG,SAAS,CAIxD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAIvD;AAED;;;;;;GAMG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAIpD;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAIvD;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,IAAI,OAAO,CAEpD;AAED,wBAAgB,4BAA4B,IACxC,WAAW,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC,GAC1C,SAAS,CAEZ;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,IAAI;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,GAAG,IAAI,CAIP;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,IAAI,iBAAiB,GAAG,SAAS,CAIpE;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,IAAI,iBAAiB,GAAG,SAAS,CAKvE"}
package/dist/server/request-context.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"request-context.js","sourceRoot":"","sources":["../../src/server/request-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAiErD,MAAM,UAAU,GAAG,gCAAyC,CAAC;AAC7D,MAAM,aAAa,GAAG,sCAA+C,CAAC;AAMtE,MAAM,SAAS,GAAG,UAAsC,CAAC;AACzD,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;IAC3B,SAAS,CAAC,UAAU,CAAC,GAAG,IAAI,iBAAiB,EAAkB,CAAC;AAClE,CAAC;AACD,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,CAAC;IAC9B,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC;AAChC,CAAC;AACD,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAE,CAAC;AACnC,MAAM,SAAS,GAAG,SAAS,CAAC,aAAa,CAAE,CAAC;AAE5C;;;;;;;;;GASG;AACH,MAAM,UAAU,yBAAyB,CACvC,QAAgC;IAEhC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzB,OAAO,GAAG,EAAE;QACV,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,CAAC;YAAE,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CACnC,GAAmB,EACnB,EAAwB;IAExB,OAAO,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE;QACvB,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;gBAC5B,IAAI,CAAC;oBACH,GAAG,CAAC,GAAG,CAAC,CAAC;gBACX,CAAC;gBAAC,MAAM,CAAC;oBACP,+CAA+C;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,EAAE,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,KAAK,SAAS,CAAC;AACtC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,SAAS,CAAC;IAChD,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC;IAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC;IAC5C,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;AAClC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC;IAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AACzC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,mBAAmB,KAAK,IAAI,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,4BAA4B;IAG1C,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,WAAW,CAAC;AACrC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB;IAIlC,MAAM,SAAS,GAAG,mBAAmB,EAAE,CAAC;IACxC,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI,EAAE,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,KAAK,CAAC,GAAG,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,CAAC,KAAK,CAAC,GAAG;QAAE,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC;IAC/B,OAAO,KAAK,CAAC,GAAG,CAAC;AACnB,CAAC","sourcesContent":["/**\n * Per-request context using AsyncLocalStorage.\n *\n * Replaces the unsafe pattern of mutating `process.env.AGENT_USER_EMAIL` /\n * `process.env.AGENT_ORG_ID` on every request. On Node.js (Netlify, self-hosted)\n * concurrent requests would overwrite each other's env vars. AsyncLocalStorage\n * gives each async call-chain its own isolated context.\n *\n * Supported on all deployment targets:\n * - Node.js (native)\n * - Cloudflare Workers (via nodejs_compat flag)\n * - Deno Deploy (via node:async_hooks compat)\n *\n * For CLI scripts that run outside a request context, the getters fall back to\n * process.env so existing `AGENT_USER_EMAIL=x pnpm action foo` invocations\n * continue to work.\n */\nimport { AsyncLocalStorage } from \"node:async_hooks\";\n\n/**\n * Per-request agent-run state. Lives on `RequestContext.run` so the\n * agent-chat plugin can populate fields as the run progresses (owner,\n * resolved API key, system prompt, engine, model, threadId) without\n * mutating module-scope `let` bindings — those leak across concurrent\n * requests on a single Node.js process.\n *\n * Mutated in-place by `prepareRun`, `onEngineResolved`, `onRunStart` so\n * tool factory closures (automation, fetch, team, builder-browser) read\n * the live per-request value via `getRequestRunContext()`.\n */\nexport interface RequestRunContext {\n /** Origin of the current request (used by the builder-browser tool). */\n requestOrigin?: string;\n /** Resolved owner email (set by prepareRun). */\n owner?: string;\n /** Owner's active Anthropic API key (set by prepareRun). */\n userApiKey?: string;\n /** Thread ID for the current run (set by onRunStart). */\n threadId?: string;\n /** System prompt actually sent to the model for this run. */\n systemPrompt?: string;\n /** Engine instance for this run (set by onEngineResolved). */\n engine?: import(\"../agent/engine/types.js\").AgentEngine;\n /** Model name for this run (set by onEngineResolved). */\n model?: string;\n /** Tool calls made so far in the current agent loop. */\n toolCalls?: Array<{ name: string; input: unknown }>;\n /** Tool results returned so far in the current agent loop. */\n toolResults?: Array<{ name: string; content: string; isError: boolean }>;\n}\n\nexport interface RequestContext {\n userEmail?: string;\n userName?: string;\n orgId?: string;\n timezone?: string;\n /**\n * True when this request is being processed by an integration-platform\n * webhook (Slack, Telegram, etc.) where the function timeout is the\n * binding constraint. Code that calls slow remote APIs can use this to apply\n * tighter budgets on this path while leaving normal agent-chat callers\n * (5+ min budget) unaffected.\n */\n isIntegrationCaller?: boolean;\n /**\n * Metadata for the currently-processing integration task. This lets tools\n * that start long-running remote work persist a continuation that can update\n * the originating platform thread after the current function budget ends.\n */\n integration?: {\n taskId: string;\n attempts?: number;\n incoming: import(\"../integrations/types.js\").IncomingMessage;\n placeholderRef?: string;\n };\n /**\n * Mutable per-request agent-run state. Populated by the agent-chat plugin\n * during a run; tool closures dereference it on each invocation.\n */\n run?: RequestRunContext;\n}\n\nconst GLOBAL_KEY = \"__agentNativeRequestContextAls\" as const;\nconst OBSERVERS_KEY = \"__agentNativeRequestContextObservers\" as const;\ntype RequestContextObserver = (ctx: RequestContext) => void;\ntype GlobalWithRequestContext = typeof globalThis & {\n [GLOBAL_KEY]?: AsyncLocalStorage<RequestContext>;\n [OBSERVERS_KEY]?: RequestContextObserver[];\n};\nconst globalRef = globalThis as GlobalWithRequestContext;\nif (!globalRef[GLOBAL_KEY]) {\n globalRef[GLOBAL_KEY] = new AsyncLocalStorage<RequestContext>();\n}\nif (!globalRef[OBSERVERS_KEY]) {\n globalRef[OBSERVERS_KEY] = [];\n}\nconst als = globalRef[GLOBAL_KEY]!;\nconst observers = globalRef[OBSERVERS_KEY]!;\n\n/**\n * Register a callback fired every time `runWithRequestContext` enters a new\n * scope. The hook runs INSIDE the AsyncLocalStorage scope, so observability\n * helpers that read the current isolation scope (e.g. Sentry) attach to the\n * right per-request context.\n *\n * Returned function unregisters the observer. Observers must never throw —\n * any error is swallowed so a misbehaving observer can't break the request\n * path.\n */\nexport function addRequestContextObserver(\n observer: RequestContextObserver,\n): () => void {\n observers.push(observer);\n return () => {\n const i = observers.indexOf(observer);\n if (i !== -1) observers.splice(i, 1);\n };\n}\n\n/**\n * Run a callback within a per-request context. The context is available to all\n * async operations spawned from `fn` via `getRequestUserEmail()` / `getRequestOrgId()`.\n *\n * Any registered `addRequestContextObserver` callbacks fire inside the new\n * scope before `fn` runs, so observability code can pin user/org info onto\n * isolation-scoped backends (Sentry, OpenTelemetry, etc.).\n */\nexport function runWithRequestContext<T>(\n ctx: RequestContext,\n fn: () => T | Promise<T>,\n): T | Promise<T> {\n return als.run(ctx, () => {\n if (observers.length > 0) {\n for (const obs of observers) {\n try {\n obs(ctx);\n } catch {\n // Observers must never break the request path.\n }\n }\n }\n return fn();\n });\n}\n\n/**\n * Return the active request context, if this call chain is running under one.\n *\n * This is intentionally distinct from `getRequestUserEmail()`: callers that\n * have an active context with no authenticated user must not fall through to\n * process-wide CLI fallbacks such as `AGENT_USER_EMAIL` or \"latest session\".\n */\nexport function getRequestContext(): RequestContext | undefined {\n return als.getStore();\n}\n\n/**\n * True when AsyncLocalStorage has an active context for this call chain.\n * Useful for helpers that support both HTTP requests and standalone CLI runs.\n */\nexport function hasRequestContext(): boolean {\n return als.getStore() !== undefined;\n}\n\n/**\n * Get the current request's user email.\n *\n * - If a request context exists (HTTP/A2A path), returns its `userEmail` —\n * even when that value is `undefined`. The env fallback MUST NOT fire here:\n * a stale process-wide `AGENT_USER_EMAIL` from a CLI run or previous bug\n * would leak into an unauthenticated A2A/API call (e.g. unsigned or API-key\n * modes where `runWithRequestContext({ userEmail: undefined })` is used).\n * - Only when there is NO request context (CLI scripts) do we fall back to\n * `process.env.AGENT_USER_EMAIL`.\n */\nexport function getRequestUserEmail(): string | undefined {\n const store = als.getStore();\n if (store !== undefined) return store.userEmail;\n return process.env.AGENT_USER_EMAIL;\n}\n\n/**\n * Get the current request's display name, when the auth provider supplied one.\n *\n * The same request-context fallback rules as `getRequestUserEmail()` apply:\n * HTTP/A2A calls only read AsyncLocalStorage, while CLI scripts may opt in via\n * `AGENT_USER_NAME`.\n */\nexport function getRequestUserName(): string | undefined {\n const store = als.getStore();\n if (store !== undefined) return store.userName;\n return process.env.AGENT_USER_NAME;\n}\n\n/**\n * Get the current request's org ID.\n *\n * Same store-aware semantics as `getRequestUserEmail()` — env fallback is\n * CLI-only, so a request that explicitly has no org doesn't inherit a stale\n * `process.env.AGENT_ORG_ID` from a prior request on the same Lambda instance.\n */\nexport function getRequestOrgId(): string | undefined {\n const store = als.getStore();\n if (store !== undefined) return store.orgId;\n return process.env.AGENT_ORG_ID;\n}\n\n/**\n * Get the current request's IANA timezone (e.g. \"America/Los_Angeles\").\n * The UI sends this via the `x-user-timezone` header on every action call, and\n * the agent chat plugin propagates it into the request context so that\n * agent-initiated tool calls also see the user's timezone. Falls back to\n * `process.env.AGENT_USER_TIMEZONE` only for CLI scripts (no request context).\n */\nexport function getRequestTimezone(): string | undefined {\n const store = als.getStore();\n if (store !== undefined) return store.timezone;\n return process.env.AGENT_USER_TIMEZONE;\n}\n\n/**\n * Returns true when this request is on an integration-platform path (Slack,\n * Telegram, etc.) — i.e. we're inside the integration plugin's processor\n * function and the platform's deliver-by deadline plus the host's function\n * timeout are the binding budget. Non-integration callers (CLI, normal\n * agent chat) should treat this as `false`.\n */\nexport function isIntegrationCallerRequest(): boolean {\n return als.getStore()?.isIntegrationCaller === true;\n}\n\nexport function getIntegrationRequestContext():\n | NonNullable<RequestContext[\"integration\"]>\n | undefined {\n return als.getStore()?.integration;\n}\n\n/**\n * Convenience: returns `{ userEmail, orgId }` from the active request context,\n * suitable for passing to `resolveCredential(key, ctx)`. Returns `null` when\n * no user is associated with the call (e.g. an unauthenticated public route).\n *\n * For framework actions auto-mounted at `/_agent-native/actions/...` this is\n * always populated because action-routes wraps every invocation in\n * `runWithRequestContext`. For hand-written `/api/*` routes the calling code\n * is responsible for setting up the context (see `runWithRequestContext`).\n */\nexport function getCredentialContext(): {\n userEmail: string;\n orgId: string | null;\n} | null {\n const userEmail = getRequestUserEmail();\n if (!userEmail) return null;\n return { userEmail, orgId: getRequestOrgId() ?? null };\n}\n\n/**\n * Get the active request's mutable agent-run state. Returns `undefined` when\n * called outside an agent run (e.g. before `prepareRun` or in a non-agent\n * code path). Callers must tolerate the field absence; use the helper\n * `requireRequestRunContext()` if missing context is a programming error.\n */\nexport function getRequestRunContext(): RequestRunContext | undefined {\n const store = als.getStore();\n if (!store) return undefined;\n return store.run;\n}\n\n/**\n * Ensure a `RequestRunContext` exists on the active request store and\n * return it. Used by the agent-chat handler to attach run state once it\n * starts processing a chat request. Returns `undefined` if there is no\n * active request store (caller should not be invoking this outside ALS).\n */\nexport function ensureRequestRunContext(): RequestRunContext | undefined {\n const store = als.getStore();\n if (!store) return undefined;\n if (!store.run) store.run = {};\n return store.run;\n}\n"]}
1
+ {"version":3,"file":"request-context.js","sourceRoot":"","sources":["../../src/server/request-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAyErD,MAAM,UAAU,GAAG,gCAAyC,CAAC;AAC7D,MAAM,aAAa,GAAG,sCAA+C,CAAC;AAMtE,MAAM,SAAS,GAAG,UAAsC,CAAC;AACzD,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;IAC3B,SAAS,CAAC,UAAU,CAAC,GAAG,IAAI,iBAAiB,EAAkB,CAAC;AAClE,CAAC;AACD,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,CAAC;IAC9B,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC;AAChC,CAAC;AACD,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAE,CAAC;AACnC,MAAM,SAAS,GAAG,SAAS,CAAC,aAAa,CAAE,CAAC;AAE5C;;;;;;;;;GASG;AACH,MAAM,UAAU,yBAAyB,CACvC,QAAgC;IAEhC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzB,OAAO,GAAG,EAAE;QACV,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,CAAC;YAAE,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CACnC,GAAmB,EACnB,EAAwB;IAExB,OAAO,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE;QACvB,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;gBAC5B,IAAI,CAAC;oBACH,GAAG,CAAC,GAAG,CAAC,CAAC;gBACX,CAAC;gBAAC,MAAM,CAAC;oBACP,+CAA+C;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,EAAE,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,KAAK,SAAS,CAAC;AACtC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,SAAS,CAAC;IAChD,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC;IAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC;IAC5C,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;AAClC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC;IAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AACzC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,mBAAmB,KAAK,IAAI,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,4BAA4B;IAG1C,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,WAAW,CAAC;AACrC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB;IAIlC,MAAM,SAAS,GAAG,mBAAmB,EAAE,CAAC;IACxC,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI,EAAE,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,KAAK,CAAC,GAAG,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,CAAC,KAAK,CAAC,GAAG;QAAE,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC;IAC/B,OAAO,KAAK,CAAC,GAAG,CAAC;AACnB,CAAC","sourcesContent":["/**\n * Per-request context using AsyncLocalStorage.\n *\n * Replaces the unsafe pattern of mutating `process.env.AGENT_USER_EMAIL` /\n * `process.env.AGENT_ORG_ID` on every request. On Node.js (Netlify, self-hosted)\n * concurrent requests would overwrite each other's env vars. AsyncLocalStorage\n * gives each async call-chain its own isolated context.\n *\n * Supported on all deployment targets:\n * - Node.js (native)\n * - Cloudflare Workers (via nodejs_compat flag)\n * - Deno Deploy (via node:async_hooks compat)\n *\n * For CLI scripts that run outside a request context, the getters fall back to\n * process.env so existing `AGENT_USER_EMAIL=x pnpm action foo` invocations\n * continue to work.\n */\nimport { AsyncLocalStorage } from \"node:async_hooks\";\n\n/**\n * Per-request agent-run state. Lives on `RequestContext.run` so the\n * agent-chat plugin can populate fields as the run progresses (owner,\n * resolved API key, system prompt, engine, model, threadId) without\n * mutating module-scope `let` bindings — those leak across concurrent\n * requests on a single Node.js process.\n *\n * Mutated in-place by `prepareRun`, `onEngineResolved`, `onRunStart` so\n * tool factory closures (automation, fetch, team, builder-browser) read\n * the live per-request value via `getRequestRunContext()`.\n */\nexport interface RequestRunContext {\n /** Origin of the current request (used by the builder-browser tool). */\n requestOrigin?: string;\n /** Stable browser tab id for tab-scoped app-state reads/writes. */\n browserTabId?: string;\n /** Resource scope for the current chat thread, e.g. the active deck. */\n chatScope?: {\n type: string;\n id: string;\n label?: string;\n } | null;\n /** Resolved owner email (set by prepareRun). */\n owner?: string;\n /** Owner's active Anthropic API key (set by prepareRun). */\n userApiKey?: string;\n /** Thread ID for the current run (set by onRunStart). */\n threadId?: string;\n /** System prompt actually sent to the model for this run. */\n systemPrompt?: string;\n /** Engine instance for this run (set by onEngineResolved). */\n engine?: import(\"../agent/engine/types.js\").AgentEngine;\n /** Model name for this run (set by onEngineResolved). */\n model?: string;\n /** Tool calls made so far in the current agent loop. */\n toolCalls?: Array<{ name: string; input: unknown }>;\n /** Tool results returned so far in the current agent loop. */\n toolResults?: Array<{ name: string; content: string; isError: boolean }>;\n}\n\nexport interface RequestContext {\n userEmail?: string;\n userName?: string;\n orgId?: string;\n timezone?: string;\n /**\n * True when this request is being processed by an integration-platform\n * webhook (Slack, Telegram, etc.) where the function timeout is the\n * binding constraint. Code that calls slow remote APIs can use this to apply\n * tighter budgets on this path while leaving normal agent-chat callers\n * (5+ min budget) unaffected.\n */\n isIntegrationCaller?: boolean;\n /**\n * Metadata for the currently-processing integration task. This lets tools\n * that start long-running remote work persist a continuation that can update\n * the originating platform thread after the current function budget ends.\n */\n integration?: {\n taskId: string;\n attempts?: number;\n incoming: import(\"../integrations/types.js\").IncomingMessage;\n placeholderRef?: string;\n };\n /**\n * Mutable per-request agent-run state. Populated by the agent-chat plugin\n * during a run; tool closures dereference it on each invocation.\n */\n run?: RequestRunContext;\n}\n\nconst GLOBAL_KEY = \"__agentNativeRequestContextAls\" as const;\nconst OBSERVERS_KEY = \"__agentNativeRequestContextObservers\" as const;\ntype RequestContextObserver = (ctx: RequestContext) => void;\ntype GlobalWithRequestContext = typeof globalThis & {\n [GLOBAL_KEY]?: AsyncLocalStorage<RequestContext>;\n [OBSERVERS_KEY]?: RequestContextObserver[];\n};\nconst globalRef = globalThis as GlobalWithRequestContext;\nif (!globalRef[GLOBAL_KEY]) {\n globalRef[GLOBAL_KEY] = new AsyncLocalStorage<RequestContext>();\n}\nif (!globalRef[OBSERVERS_KEY]) {\n globalRef[OBSERVERS_KEY] = [];\n}\nconst als = globalRef[GLOBAL_KEY]!;\nconst observers = globalRef[OBSERVERS_KEY]!;\n\n/**\n * Register a callback fired every time `runWithRequestContext` enters a new\n * scope. The hook runs INSIDE the AsyncLocalStorage scope, so observability\n * helpers that read the current isolation scope (e.g. Sentry) attach to the\n * right per-request context.\n *\n * Returned function unregisters the observer. Observers must never throw —\n * any error is swallowed so a misbehaving observer can't break the request\n * path.\n */\nexport function addRequestContextObserver(\n observer: RequestContextObserver,\n): () => void {\n observers.push(observer);\n return () => {\n const i = observers.indexOf(observer);\n if (i !== -1) observers.splice(i, 1);\n };\n}\n\n/**\n * Run a callback within a per-request context. The context is available to all\n * async operations spawned from `fn` via `getRequestUserEmail()` / `getRequestOrgId()`.\n *\n * Any registered `addRequestContextObserver` callbacks fire inside the new\n * scope before `fn` runs, so observability code can pin user/org info onto\n * isolation-scoped backends (Sentry, OpenTelemetry, etc.).\n */\nexport function runWithRequestContext<T>(\n ctx: RequestContext,\n fn: () => T | Promise<T>,\n): T | Promise<T> {\n return als.run(ctx, () => {\n if (observers.length > 0) {\n for (const obs of observers) {\n try {\n obs(ctx);\n } catch {\n // Observers must never break the request path.\n }\n }\n }\n return fn();\n });\n}\n\n/**\n * Return the active request context, if this call chain is running under one.\n *\n * This is intentionally distinct from `getRequestUserEmail()`: callers that\n * have an active context with no authenticated user must not fall through to\n * process-wide CLI fallbacks such as `AGENT_USER_EMAIL` or \"latest session\".\n */\nexport function getRequestContext(): RequestContext | undefined {\n return als.getStore();\n}\n\n/**\n * True when AsyncLocalStorage has an active context for this call chain.\n * Useful for helpers that support both HTTP requests and standalone CLI runs.\n */\nexport function hasRequestContext(): boolean {\n return als.getStore() !== undefined;\n}\n\n/**\n * Get the current request's user email.\n *\n * - If a request context exists (HTTP/A2A path), returns its `userEmail` —\n * even when that value is `undefined`. The env fallback MUST NOT fire here:\n * a stale process-wide `AGENT_USER_EMAIL` from a CLI run or previous bug\n * would leak into an unauthenticated A2A/API call (e.g. unsigned or API-key\n * modes where `runWithRequestContext({ userEmail: undefined })` is used).\n * - Only when there is NO request context (CLI scripts) do we fall back to\n * `process.env.AGENT_USER_EMAIL`.\n */\nexport function getRequestUserEmail(): string | undefined {\n const store = als.getStore();\n if (store !== undefined) return store.userEmail;\n return process.env.AGENT_USER_EMAIL;\n}\n\n/**\n * Get the current request's display name, when the auth provider supplied one.\n *\n * The same request-context fallback rules as `getRequestUserEmail()` apply:\n * HTTP/A2A calls only read AsyncLocalStorage, while CLI scripts may opt in via\n * `AGENT_USER_NAME`.\n */\nexport function getRequestUserName(): string | undefined {\n const store = als.getStore();\n if (store !== undefined) return store.userName;\n return process.env.AGENT_USER_NAME;\n}\n\n/**\n * Get the current request's org ID.\n *\n * Same store-aware semantics as `getRequestUserEmail()` — env fallback is\n * CLI-only, so a request that explicitly has no org doesn't inherit a stale\n * `process.env.AGENT_ORG_ID` from a prior request on the same Lambda instance.\n */\nexport function getRequestOrgId(): string | undefined {\n const store = als.getStore();\n if (store !== undefined) return store.orgId;\n return process.env.AGENT_ORG_ID;\n}\n\n/**\n * Get the current request's IANA timezone (e.g. \"America/Los_Angeles\").\n * The UI sends this via the `x-user-timezone` header on every action call, and\n * the agent chat plugin propagates it into the request context so that\n * agent-initiated tool calls also see the user's timezone. Falls back to\n * `process.env.AGENT_USER_TIMEZONE` only for CLI scripts (no request context).\n */\nexport function getRequestTimezone(): string | undefined {\n const store = als.getStore();\n if (store !== undefined) return store.timezone;\n return process.env.AGENT_USER_TIMEZONE;\n}\n\n/**\n * Returns true when this request is on an integration-platform path (Slack,\n * Telegram, etc.) — i.e. we're inside the integration plugin's processor\n * function and the platform's deliver-by deadline plus the host's function\n * timeout are the binding budget. Non-integration callers (CLI, normal\n * agent chat) should treat this as `false`.\n */\nexport function isIntegrationCallerRequest(): boolean {\n return als.getStore()?.isIntegrationCaller === true;\n}\n\nexport function getIntegrationRequestContext():\n | NonNullable<RequestContext[\"integration\"]>\n | undefined {\n return als.getStore()?.integration;\n}\n\n/**\n * Convenience: returns `{ userEmail, orgId }` from the active request context,\n * suitable for passing to `resolveCredential(key, ctx)`. Returns `null` when\n * no user is associated with the call (e.g. an unauthenticated public route).\n *\n * For framework actions auto-mounted at `/_agent-native/actions/...` this is\n * always populated because action-routes wraps every invocation in\n * `runWithRequestContext`. For hand-written `/api/*` routes the calling code\n * is responsible for setting up the context (see `runWithRequestContext`).\n */\nexport function getCredentialContext(): {\n userEmail: string;\n orgId: string | null;\n} | null {\n const userEmail = getRequestUserEmail();\n if (!userEmail) return null;\n return { userEmail, orgId: getRequestOrgId() ?? null };\n}\n\n/**\n * Get the active request's mutable agent-run state. Returns `undefined` when\n * called outside an agent run (e.g. before `prepareRun` or in a non-agent\n * code path). Callers must tolerate the field absence; use the helper\n * `requireRequestRunContext()` if missing context is a programming error.\n */\nexport function getRequestRunContext(): RequestRunContext | undefined {\n const store = als.getStore();\n if (!store) return undefined;\n return store.run;\n}\n\n/**\n * Ensure a `RequestRunContext` exists on the active request store and\n * return it. Used by the agent-chat handler to attach run state once it\n * starts processing a chat request. Returns `undefined` if there is no\n * active request store (caller should not be invoking this outside ALS).\n */\nexport function ensureRequestRunContext(): RequestRunContext | undefined {\n const store = als.getStore();\n if (!store) return undefined;\n if (!store.run) store.run = {};\n return store.run;\n}\n"]}
package/dist/shared/index.d.ts CHANGED
@@ -2,5 +2,7 @@ export { agentChat, type AgentChatMessage, type AgentChatCallOptions, type Agent
2
2
  export { agentEnv, type EnvVar } from "./agent-env.js";
3
3
  export { extractOAuthStateAppId } from "./oauth-state.js";
4
4
  export { truncate } from "./truncate.js";
5
+ export { llmConnectionTrackingProperties, normalizeLlmConnection, type LlmConnectionStatus, } from "./llm-connection.js";
5
6
  export { DISPATCH_WORKSPACE_ROOT_REDIRECTS, RESERVED_WORKSPACE_APP_IDS, assertValidWorkspaceAppId, getWorkspaceAppIdValidationError, isValidWorkspaceAppIdFormat, } from "./workspace-app-id.js";
7
+ export { DEFAULT_WORKSPACE_APP_AUDIENCE, WORKSPACE_APP_AUDIENCES, normalizeWorkspaceAppAudience, normalizeWorkspaceAppPathList, workspaceAppAudienceFromEnv, workspaceAppAudienceFromPackageJson, workspaceAppRouteAccessFromEnv, workspaceAppRouteAccessFromPackageJson, type WorkspaceAppRouteAccess, type WorkspaceAppRouteAccessFromConfig, type WorkspaceAppAudience, } from "./workspace-app-audience.js";
6
8
  //# sourceMappingURL=index.d.ts.map
package/dist/shared/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,KAAK,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,KAAK,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,+BAA+B,EAC/B,sBAAsB,EACtB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,6BAA6B,EAC7B,6BAA6B,EAC7B,2BAA2B,EAC3B,mCAAmC,EACnC,8BAA8B,EAC9B,sCAAsC,EACtC,KAAK,uBAAuB,EAC5B,KAAK,iCAAiC,EACtC,KAAK,oBAAoB,GAC1B,MAAM,6BAA6B,CAAC"}
package/dist/shared/index.js CHANGED
@@ -2,5 +2,7 @@ export { agentChat, } from "./agent-chat.js";
2
2
  export { agentEnv } from "./agent-env.js";
3
3
  export { extractOAuthStateAppId } from "./oauth-state.js";
4
4
  export { truncate } from "./truncate.js";
5
+ export { llmConnectionTrackingProperties, normalizeLlmConnection, } from "./llm-connection.js";
5
6
  export { DISPATCH_WORKSPACE_ROOT_REDIRECTS, RESERVED_WORKSPACE_APP_IDS, assertValidWorkspaceAppId, getWorkspaceAppIdValidationError, isValidWorkspaceAppIdFormat, } from "./workspace-app-id.js";
7
+ export { DEFAULT_WORKSPACE_APP_AUDIENCE, WORKSPACE_APP_AUDIENCES, normalizeWorkspaceAppAudience, normalizeWorkspaceAppPathList, workspaceAppAudienceFromEnv, workspaceAppAudienceFromPackageJson, workspaceAppRouteAccessFromEnv, workspaceAppRouteAccessFromPackageJson, } from "./workspace-app-audience.js";
6
8
  //# sourceMappingURL=index.js.map
package/dist/shared/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAIV,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAe,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC","sourcesContent":["export {\n agentChat,\n type AgentChatMessage,\n type AgentChatCallOptions,\n type AgentChatResponse,\n} from \"./agent-chat.js\";\nexport { agentEnv, type EnvVar } from \"./agent-env.js\";\nexport { extractOAuthStateAppId } from \"./oauth-state.js\";\nexport { truncate } from \"./truncate.js\";\nexport {\n DISPATCH_WORKSPACE_ROOT_REDIRECTS,\n RESERVED_WORKSPACE_APP_IDS,\n assertValidWorkspaceAppId,\n getWorkspaceAppIdValidationError,\n isValidWorkspaceAppIdFormat,\n} from \"./workspace-app-id.js\";\n"]}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAIV,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAe,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,+BAA+B,EAC/B,sBAAsB,GAEvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,6BAA6B,EAC7B,6BAA6B,EAC7B,2BAA2B,EAC3B,mCAAmC,EACnC,8BAA8B,EAC9B,sCAAsC,GAIvC,MAAM,6BAA6B,CAAC","sourcesContent":["export {\n agentChat,\n type AgentChatMessage,\n type AgentChatCallOptions,\n type AgentChatResponse,\n} from \"./agent-chat.js\";\nexport { agentEnv, type EnvVar } from \"./agent-env.js\";\nexport { extractOAuthStateAppId } from \"./oauth-state.js\";\nexport { truncate } from \"./truncate.js\";\nexport {\n llmConnectionTrackingProperties,\n normalizeLlmConnection,\n type LlmConnectionStatus,\n} from \"./llm-connection.js\";\nexport {\n DISPATCH_WORKSPACE_ROOT_REDIRECTS,\n RESERVED_WORKSPACE_APP_IDS,\n assertValidWorkspaceAppId,\n getWorkspaceAppIdValidationError,\n isValidWorkspaceAppIdFormat,\n} from \"./workspace-app-id.js\";\nexport {\n DEFAULT_WORKSPACE_APP_AUDIENCE,\n WORKSPACE_APP_AUDIENCES,\n normalizeWorkspaceAppAudience,\n normalizeWorkspaceAppPathList,\n workspaceAppAudienceFromEnv,\n workspaceAppAudienceFromPackageJson,\n workspaceAppRouteAccessFromEnv,\n workspaceAppRouteAccessFromPackageJson,\n type WorkspaceAppRouteAccess,\n type WorkspaceAppRouteAccessFromConfig,\n type WorkspaceAppAudience,\n} from \"./workspace-app-audience.js\";\n"]}
package/dist/shared/llm-connection.d.ts ADDED
@@ -0,0 +1,10 @@
1
+ export interface LlmConnectionStatus {
2
+ configured?: boolean;
3
+ engine?: string | null;
4
+ model?: string | null;
5
+ source?: string | null;
6
+ envVar?: string | null;
7
+ }
8
+ export declare function normalizeLlmConnection(engine: string | null | undefined): string;
9
+ export declare function llmConnectionTrackingProperties(status: LlmConnectionStatus | null | undefined): Record<string, unknown>;
10
+ //# sourceMappingURL=llm-connection.d.ts.map
package/dist/shared/llm-connection.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"llm-connection.d.ts","sourceRoot":"","sources":["../../src/shared/llm-connection.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,mBAAmB;IAClC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAChC,MAAM,CAOR;AAED,wBAAgB,+BAA+B,CAC7C,MAAM,EAAE,mBAAmB,GAAG,IAAI,GAAG,SAAS,GAC7C,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAoBzB"}
package/dist/shared/llm-connection.js ADDED
@@ -0,0 +1,29 @@
1
+ export function normalizeLlmConnection(engine) {
2
+ const value = typeof engine === "string" ? engine.trim() : "";
3
+ if (!value)
4
+ return "none";
5
+ if (value.startsWith("ai-sdk:")) {
6
+ return value.slice("ai-sdk:".length) || value;
7
+ }
8
+ return value;
9
+ }
10
+ export function llmConnectionTrackingProperties(status) {
11
+ if (!status) {
12
+ return { llm_connection: "unknown" };
13
+ }
14
+ if (!status.configured || !status.engine) {
15
+ return {
16
+ llm_connection: "none",
17
+ llm_connection_configured: false,
18
+ };
19
+ }
20
+ return {
21
+ llm_connection: normalizeLlmConnection(status.engine),
22
+ llm_connection_configured: true,
23
+ llm_engine: status.engine,
24
+ ...(status.model ? { llm_model: status.model } : {}),
25
+ ...(status.source ? { llm_connection_source: status.source } : {}),
26
+ ...(status.envVar ? { llm_connection_env_var: status.envVar } : {}),
27
+ };
28
+ }
29
+ //# sourceMappingURL=llm-connection.js.map
package/dist/shared/llm-connection.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"llm-connection.js","sourceRoot":"","sources":["../../src/shared/llm-connection.ts"],"names":[],"mappings":"AAQA,MAAM,UAAU,sBAAsB,CACpC,MAAiC;IAEjC,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9D,IAAI,CAAC,KAAK;QAAE,OAAO,MAAM,CAAC;IAC1B,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,MAA8C;IAE9C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,CAAC;IACvC,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,OAAO;YACL,cAAc,EAAE,MAAM;YACtB,yBAAyB,EAAE,KAAK;SACjC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc,EAAE,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC;QACrD,yBAAyB,EAAE,IAAI;QAC/B,UAAU,EAAE,MAAM,CAAC,MAAM;QACzB,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAClE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpE,CAAC;AACJ,CAAC","sourcesContent":["export interface LlmConnectionStatus {\n configured?: boolean;\n engine?: string | null;\n model?: string | null;\n source?: string | null;\n envVar?: string | null;\n}\n\nexport function normalizeLlmConnection(\n engine: string | null | undefined,\n): string {\n const value = typeof engine === \"string\" ? engine.trim() : \"\";\n if (!value) return \"none\";\n if (value.startsWith(\"ai-sdk:\")) {\n return value.slice(\"ai-sdk:\".length) || value;\n }\n return value;\n}\n\nexport function llmConnectionTrackingProperties(\n status: LlmConnectionStatus | null | undefined,\n): Record<string, unknown> {\n if (!status) {\n return { llm_connection: \"unknown\" };\n }\n\n if (!status.configured || !status.engine) {\n return {\n llm_connection: \"none\",\n llm_connection_configured: false,\n };\n }\n\n return {\n llm_connection: normalizeLlmConnection(status.engine),\n llm_connection_configured: true,\n llm_engine: status.engine,\n ...(status.model ? { llm_model: status.model } : {}),\n ...(status.source ? { llm_connection_source: status.source } : {}),\n ...(status.envVar ? { llm_connection_env_var: status.envVar } : {}),\n };\n}\n"]}
package/dist/shared/workspace-app-audience.d.ts ADDED
@@ -0,0 +1,25 @@
1
+ export declare const WORKSPACE_APP_AUDIENCES: readonly ["internal", "public"];
2
+ export type WorkspaceAppAudience = (typeof WORKSPACE_APP_AUDIENCES)[number];
3
+ export declare const DEFAULT_WORKSPACE_APP_AUDIENCE: WorkspaceAppAudience;
4
+ export interface WorkspaceAppRouteAccess {
5
+ publicPaths: string[];
6
+ protectedPaths: string[];
7
+ }
8
+ export declare function normalizeWorkspaceAppAudience(value: unknown): WorkspaceAppAudience;
9
+ export declare function normalizeWorkspaceAppPathList(value: unknown): string[];
10
+ export declare function workspaceAppAudienceFromEnv(env?: Record<string, string | undefined>): WorkspaceAppAudience | undefined;
11
+ export declare function workspaceAppRouteAccessFromEnv(env?: Record<string, string | undefined>): WorkspaceAppRouteAccess;
12
+ export declare function workspaceAppAudienceFromPackageJson(pkg: unknown): WorkspaceAppAudience | undefined;
13
+ /**
14
+ * Per-app route-access config read from a `package.json`. Each field is
15
+ * `undefined` when the corresponding key is fully absent from every
16
+ * supported alias chain — that lets callers distinguish "user didn't say"
17
+ * from "user set [] to clear inherited overrides". `workspaceAppRouteAccess`
18
+ * always emits a full `WorkspaceAppRouteAccess` for runtime consumption.
19
+ */
20
+ export interface WorkspaceAppRouteAccessFromConfig {
21
+ publicPaths?: string[];
22
+ protectedPaths?: string[];
23
+ }
24
+ export declare function workspaceAppRouteAccessFromPackageJson(pkg: unknown): WorkspaceAppRouteAccessFromConfig;
25
+ //# sourceMappingURL=workspace-app-audience.d.ts.map
package/dist/shared/workspace-app-audience.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"workspace-app-audience.d.ts","sourceRoot":"","sources":["../../src/shared/workspace-app-audience.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,uBAAuB,iCAAkC,CAAC;AAEvE,MAAM,MAAM,oBAAoB,GAAG,CAAC,OAAO,uBAAuB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE5E,eAAO,MAAM,8BAA8B,EAAE,oBAAiC,CAAC;AAE/E,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,OAAO,GACb,oBAAoB,CAEtB;AAED,wBAAgB,6BAA6B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAyBtE;AAED,wBAAgB,2BAA2B,CACzC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GACvC,oBAAoB,GAAG,SAAS,CAOlC;AAED,wBAAgB,8BAA8B,CAC5C,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GACvC,uBAAuB,CAYzB;AAED,wBAAgB,mCAAmC,CACjD,GAAG,EAAE,OAAO,GACX,oBAAoB,GAAG,SAAS,CASlC;AAED;;;;;;GAMG;AACH,MAAM,WAAW,iCAAiC;IAChD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,wBAAgB,sCAAsC,CACpD,GAAG,EAAE,OAAO,GACX,iCAAiC,CAuBnC"}
package/dist/shared/workspace-app-audience.js ADDED
@@ -0,0 +1,126 @@
1
+ export const WORKSPACE_APP_AUDIENCES = ["internal", "public"];
2
+ export const DEFAULT_WORKSPACE_APP_AUDIENCE = "internal";
3
+ export function normalizeWorkspaceAppAudience(value) {
4
+ return value === "public" ? "public" : DEFAULT_WORKSPACE_APP_AUDIENCE;
5
+ }
6
+ export function normalizeWorkspaceAppPathList(value) {
7
+ let rawPaths = [];
8
+ if (Array.isArray(value)) {
9
+ rawPaths = value;
10
+ }
11
+ else if (typeof value === "string") {
12
+ const trimmed = value.trim();
13
+ if (!trimmed)
14
+ return [];
15
+ try {
16
+ const parsed = JSON.parse(trimmed);
17
+ // When JSON parses to a non-array (e.g. a single quoted string
18
+ // `"/api"`), use the parsed value, not the original quoted form —
19
+ // otherwise the `/`-prefix filter below silently drops it.
20
+ rawPaths = Array.isArray(parsed) ? parsed : [parsed];
21
+ }
22
+ catch {
23
+ rawPaths = trimmed.split(",");
24
+ }
25
+ }
26
+ const paths = rawPaths
27
+ .map((entry) => (typeof entry === "string" ? entry.trim() : ""))
28
+ .filter((entry) => entry.startsWith("/"))
29
+ .map((entry) => entry.length > 1 && entry.endsWith("/") ? entry.slice(0, -1) : entry);
30
+ return Array.from(new Set(paths));
31
+ }
32
+ export function workspaceAppAudienceFromEnv(env) {
33
+ const source = env ?? (typeof process !== "undefined" ? process.env : {});
34
+ const raw = source.AGENT_NATIVE_WORKSPACE_APP_AUDIENCE ??
35
+ source.VITE_AGENT_NATIVE_WORKSPACE_APP_AUDIENCE;
36
+ if (raw === undefined)
37
+ return undefined;
38
+ return normalizeWorkspaceAppAudience(raw);
39
+ }
40
+ export function workspaceAppRouteAccessFromEnv(env) {
41
+ const source = env ?? (typeof process !== "undefined" ? process.env : {});
42
+ return {
43
+ publicPaths: normalizeWorkspaceAppPathList(source.AGENT_NATIVE_WORKSPACE_APP_PUBLIC_PATHS ??
44
+ source.VITE_AGENT_NATIVE_WORKSPACE_APP_PUBLIC_PATHS),
45
+ protectedPaths: normalizeWorkspaceAppPathList(source.AGENT_NATIVE_WORKSPACE_APP_PROTECTED_PATHS ??
46
+ source.VITE_AGENT_NATIVE_WORKSPACE_APP_PROTECTED_PATHS),
47
+ };
48
+ }
49
+ export function workspaceAppAudienceFromPackageJson(pkg) {
50
+ const config = workspaceAppConfigFromPackageJson(pkg);
51
+ const raw = config?.workspaceApp?.audience ??
52
+ config?.workspace?.audience ??
53
+ config?.audience ??
54
+ config?.root?.workspaceAppAudience;
55
+ if (raw === undefined)
56
+ return undefined;
57
+ return normalizeWorkspaceAppAudience(raw);
58
+ }
59
+ export function workspaceAppRouteAccessFromPackageJson(pkg) {
60
+ const config = workspaceAppConfigFromPackageJson(pkg);
61
+ const rawPublic = config?.workspaceApp?.publicPaths ??
62
+ config?.workspaceApp?.publicPagePaths ??
63
+ config?.workspace?.publicPaths ??
64
+ config?.publicPaths ??
65
+ config?.root?.workspaceAppPublicPaths;
66
+ const rawProtected = config?.workspaceApp?.protectedPaths ??
67
+ config?.workspaceApp?.privatePaths ??
68
+ config?.workspaceApp?.authRequiredPaths ??
69
+ config?.workspace?.protectedPaths ??
70
+ config?.protectedPaths ??
71
+ config?.root?.workspaceAppProtectedPaths;
72
+ return {
73
+ ...(isPathConfigValueSet(rawPublic)
74
+ ? { publicPaths: normalizeWorkspaceAppPathList(rawPublic) }
75
+ : {}),
76
+ ...(isPathConfigValueSet(rawProtected)
77
+ ? { protectedPaths: normalizeWorkspaceAppPathList(rawProtected) }
78
+ : {}),
79
+ };
80
+ }
81
+ /**
82
+ * Only treat a package.json field as "explicitly set" when its raw value is a
83
+ * supported type — an array, a string, or explicit null. Garbage types like
84
+ * `false`, `0`, or `{}` are ignored (left as undefined) so a typo such as
85
+ * `"publicPaths": false` doesn't silently clear an inherited manifest
86
+ * override. (`normalizeWorkspaceAppPathList` happily turns those into `[]`,
87
+ * which without this guard would be indistinguishable from a deliberate
88
+ * empty array.)
89
+ */
90
+ function isPathConfigValueSet(value) {
91
+ if (value === undefined)
92
+ return false;
93
+ if (value === null)
94
+ return true;
95
+ if (Array.isArray(value))
96
+ return true;
97
+ return typeof value === "string";
98
+ }
99
+ function workspaceAppConfigFromPackageJson(pkg) {
100
+ if (!pkg || typeof pkg !== "object" || Array.isArray(pkg))
101
+ return undefined;
102
+ const record = pkg;
103
+ const config = record["agent-native"] ?? record.agentNative;
104
+ const nested = config && typeof config === "object" && !Array.isArray(config)
105
+ ? config
106
+ : {};
107
+ const workspaceApp = nested.workspaceApp &&
108
+ typeof nested.workspaceApp === "object" &&
109
+ !Array.isArray(nested.workspaceApp)
110
+ ? nested.workspaceApp
111
+ : undefined;
112
+ const workspace = nested.workspace &&
113
+ typeof nested.workspace === "object" &&
114
+ !Array.isArray(nested.workspace)
115
+ ? nested.workspace
116
+ : undefined;
117
+ return {
118
+ root: record,
119
+ workspaceApp,
120
+ workspace,
121
+ audience: nested.audience,
122
+ publicPaths: nested.publicPaths,
123
+ protectedPaths: nested.protectedPaths,
124
+ };
125
+ }
126
+ //# sourceMappingURL=workspace-app-audience.js.map
package/dist/shared/workspace-app-audience.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"workspace-app-audience.js","sourceRoot":"","sources":["../../src/shared/workspace-app-audience.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAU,CAAC;AAIvE,MAAM,CAAC,MAAM,8BAA8B,GAAyB,UAAU,CAAC;AAO/E,MAAM,UAAU,6BAA6B,CAC3C,KAAc;IAEd,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,8BAA8B,CAAC;AACxE,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,KAAc;IAC1D,IAAI,QAAQ,GAAc,EAAE,CAAC;IAC7B,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,QAAQ,GAAG,KAAK,CAAC;IACnB,CAAC;SAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,+DAA+D;YAC/D,kEAAkE;YAClE,2DAA2D;YAC3D,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ;SACnB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;SAC/D,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;SACxC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CACb,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CACrE,CAAC;IACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,GAAwC;IAExC,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1E,MAAM,GAAG,GACP,MAAM,CAAC,mCAAmC;QAC1C,MAAM,CAAC,wCAAwC,CAAC;IAClD,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,OAAO,6BAA6B,CAAC,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,8BAA8B,CAC5C,GAAwC;IAExC,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1E,OAAO;QACL,WAAW,EAAE,6BAA6B,CACxC,MAAM,CAAC,uCAAuC;YAC5C,MAAM,CAAC,4CAA4C,CACtD;QACD,cAAc,EAAE,6BAA6B,CAC3C,MAAM,CAAC,0CAA0C;YAC/C,MAAM,CAAC,+CAA+C,CACzD;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mCAAmC,CACjD,GAAY;IAEZ,MAAM,MAAM,GAAG,iCAAiC,CAAC,GAAG,CAAC,CAAC;IACtD,MAAM,GAAG,GACP,MAAM,EAAE,YAAY,EAAE,QAAQ;QAC9B,MAAM,EAAE,SAAS,EAAE,QAAQ;QAC3B,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,IAAI,EAAE,oBAAoB,CAAC;IACrC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,OAAO,6BAA6B,CAAC,GAAG,CAAC,CAAC;AAC5C,CAAC;AAcD,MAAM,UAAU,sCAAsC,CACpD,GAAY;IAEZ,MAAM,MAAM,GAAG,iCAAiC,CAAC,GAAG,CAAC,CAAC;IACtD,MAAM,SAAS,GACb,MAAM,EAAE,YAAY,EAAE,WAAW;QACjC,MAAM,EAAE,YAAY,EAAE,eAAe;QACrC,MAAM,EAAE,SAAS,EAAE,WAAW;QAC9B,MAAM,EAAE,WAAW;QACnB,MAAM,EAAE,IAAI,EAAE,uBAAuB,CAAC;IACxC,MAAM,YAAY,GAChB,MAAM,EAAE,YAAY,EAAE,cAAc;QACpC,MAAM,EAAE,YAAY,EAAE,YAAY;QAClC,MAAM,EAAE,YAAY,EAAE,iBAAiB;QACvC,MAAM,EAAE,SAAS,EAAE,cAAc;QACjC,MAAM,EAAE,cAAc;QACtB,MAAM,EAAE,IAAI,EAAE,0BAA0B,CAAC;IAC3C,OAAO;QACL,GAAG,CAAC,oBAAoB,CAAC,SAAS,CAAC;YACjC,CAAC,CAAC,EAAE,WAAW,EAAE,6BAA6B,CAAC,SAAS,CAAC,EAAE;YAC3D,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,oBAAoB,CAAC,YAAY,CAAC;YACpC,CAAC,CAAC,EAAE,cAAc,EAAE,6BAA6B,CAAC,YAAY,CAAC,EAAE;YACjE,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,oBAAoB,CAAC,KAAc;IAC1C,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED,SAAS,iCAAiC,CAAC,GAAY;IAUrD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAC5E,MAAM,MAAM,GAAG,GAA0B,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC;IAC5D,MAAM,MAAM,GACV,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAC5D,CAAC,CAAE,MAA8B;QACjC,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,YAAY,GAChB,MAAM,CAAC,YAAY;QACnB,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ;QACvC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC;QACjC,CAAC,CAAE,MAAM,CAAC,YAAoC;QAC9C,CAAC,CAAC,SAAS,CAAC;IAChB,MAAM,SAAS,GACb,MAAM,CAAC,SAAS;QAChB,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;QACpC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;QAC9B,CAAC,CAAE,MAAM,CAAC,SAAiC;QAC3C,CAAC,CAAC,SAAS,CAAC;IAChB,OAAO;QACL,IAAI,EAAE,MAAM;QACZ,YAAY;QACZ,SAAS;QACT,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,cAAc,EAAE,MAAM,CAAC,cAAc;KACtC,CAAC;AACJ,CAAC","sourcesContent":["export const WORKSPACE_APP_AUDIENCES = [\"internal\", \"public\"] as const;\n\nexport type WorkspaceAppAudience = (typeof WORKSPACE_APP_AUDIENCES)[number];\n\nexport const DEFAULT_WORKSPACE_APP_AUDIENCE: WorkspaceAppAudience = \"internal\";\n\nexport interface WorkspaceAppRouteAccess {\n publicPaths: string[];\n protectedPaths: string[];\n}\n\nexport function normalizeWorkspaceAppAudience(\n value: unknown,\n): WorkspaceAppAudience {\n return value === \"public\" ? \"public\" : DEFAULT_WORKSPACE_APP_AUDIENCE;\n}\n\nexport function normalizeWorkspaceAppPathList(value: unknown): string[] {\n let rawPaths: unknown[] = [];\n if (Array.isArray(value)) {\n rawPaths = value;\n } else if (typeof value === \"string\") {\n const trimmed = value.trim();\n if (!trimmed) return [];\n try {\n const parsed = JSON.parse(trimmed);\n // When JSON parses to a non-array (e.g. a single quoted string\n // `\"/api\"`), use the parsed value, not the original quoted form —\n // otherwise the `/`-prefix filter below silently drops it.\n rawPaths = Array.isArray(parsed) ? parsed : [parsed];\n } catch {\n rawPaths = trimmed.split(\",\");\n }\n }\n\n const paths = rawPaths\n .map((entry) => (typeof entry === \"string\" ? entry.trim() : \"\"))\n .filter((entry) => entry.startsWith(\"/\"))\n .map((entry) =>\n entry.length > 1 && entry.endsWith(\"/\") ? entry.slice(0, -1) : entry,\n );\n return Array.from(new Set(paths));\n}\n\nexport function workspaceAppAudienceFromEnv(\n env?: Record<string, string | undefined>,\n): WorkspaceAppAudience | undefined {\n const source = env ?? (typeof process !== \"undefined\" ? process.env : {});\n const raw =\n source.AGENT_NATIVE_WORKSPACE_APP_AUDIENCE ??\n source.VITE_AGENT_NATIVE_WORKSPACE_APP_AUDIENCE;\n if (raw === undefined) return undefined;\n return normalizeWorkspaceAppAudience(raw);\n}\n\nexport function workspaceAppRouteAccessFromEnv(\n env?: Record<string, string | undefined>,\n): WorkspaceAppRouteAccess {\n const source = env ?? (typeof process !== \"undefined\" ? process.env : {});\n return {\n publicPaths: normalizeWorkspaceAppPathList(\n source.AGENT_NATIVE_WORKSPACE_APP_PUBLIC_PATHS ??\n source.VITE_AGENT_NATIVE_WORKSPACE_APP_PUBLIC_PATHS,\n ),\n protectedPaths: normalizeWorkspaceAppPathList(\n source.AGENT_NATIVE_WORKSPACE_APP_PROTECTED_PATHS ??\n source.VITE_AGENT_NATIVE_WORKSPACE_APP_PROTECTED_PATHS,\n ),\n };\n}\n\nexport function workspaceAppAudienceFromPackageJson(\n pkg: unknown,\n): WorkspaceAppAudience | undefined {\n const config = workspaceAppConfigFromPackageJson(pkg);\n const raw =\n config?.workspaceApp?.audience ??\n config?.workspace?.audience ??\n config?.audience ??\n config?.root?.workspaceAppAudience;\n if (raw === undefined) return undefined;\n return normalizeWorkspaceAppAudience(raw);\n}\n\n/**\n * Per-app route-access config read from a `package.json`. Each field is\n * `undefined` when the corresponding key is fully absent from every\n * supported alias chain — that lets callers distinguish \"user didn't say\"\n * from \"user set [] to clear inherited overrides\". `workspaceAppRouteAccess`\n * always emits a full `WorkspaceAppRouteAccess` for runtime consumption.\n */\nexport interface WorkspaceAppRouteAccessFromConfig {\n publicPaths?: string[];\n protectedPaths?: string[];\n}\n\nexport function workspaceAppRouteAccessFromPackageJson(\n pkg: unknown,\n): WorkspaceAppRouteAccessFromConfig {\n const config = workspaceAppConfigFromPackageJson(pkg);\n const rawPublic =\n config?.workspaceApp?.publicPaths ??\n config?.workspaceApp?.publicPagePaths ??\n config?.workspace?.publicPaths ??\n config?.publicPaths ??\n config?.root?.workspaceAppPublicPaths;\n const rawProtected =\n config?.workspaceApp?.protectedPaths ??\n config?.workspaceApp?.privatePaths ??\n config?.workspaceApp?.authRequiredPaths ??\n config?.workspace?.protectedPaths ??\n config?.protectedPaths ??\n config?.root?.workspaceAppProtectedPaths;\n return {\n ...(isPathConfigValueSet(rawPublic)\n ? { publicPaths: normalizeWorkspaceAppPathList(rawPublic) }\n : {}),\n ...(isPathConfigValueSet(rawProtected)\n ? { protectedPaths: normalizeWorkspaceAppPathList(rawProtected) }\n : {}),\n };\n}\n\n/**\n * Only treat a package.json field as \"explicitly set\" when its raw value is a\n * supported type — an array, a string, or explicit null. Garbage types like\n * `false`, `0`, or `{}` are ignored (left as undefined) so a typo such as\n * `\"publicPaths\": false` doesn't silently clear an inherited manifest\n * override. (`normalizeWorkspaceAppPathList` happily turns those into `[]`,\n * which without this guard would be indistinguishable from a deliberate\n * empty array.)\n */\nfunction isPathConfigValueSet(value: unknown): boolean {\n if (value === undefined) return false;\n if (value === null) return true;\n if (Array.isArray(value)) return true;\n return typeof value === \"string\";\n}\n\nfunction workspaceAppConfigFromPackageJson(pkg: unknown):\n | {\n root: Record<string, any>;\n workspaceApp?: Record<string, any>;\n workspace?: Record<string, any>;\n audience?: unknown;\n publicPaths?: unknown;\n protectedPaths?: unknown;\n }\n | undefined {\n if (!pkg || typeof pkg !== \"object\" || Array.isArray(pkg)) return undefined;\n const record = pkg as Record<string, any>;\n const config = record[\"agent-native\"] ?? record.agentNative;\n const nested =\n config && typeof config === \"object\" && !Array.isArray(config)\n ? (config as Record<string, any>)\n : {};\n const workspaceApp =\n nested.workspaceApp &&\n typeof nested.workspaceApp === \"object\" &&\n !Array.isArray(nested.workspaceApp)\n ? (nested.workspaceApp as Record<string, any>)\n : undefined;\n const workspace =\n nested.workspace &&\n typeof nested.workspace === \"object\" &&\n !Array.isArray(nested.workspace)\n ? (nested.workspace as Record<string, any>)\n : undefined;\n return {\n root: record,\n workspaceApp,\n workspace,\n audience: nested.audience,\n publicPaths: nested.publicPaths,\n protectedPaths: nested.protectedPaths,\n };\n}\n"]}
package/dist/shared/workspace-app-id.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- export declare const DISPATCH_WORKSPACE_ROOT_REDIRECTS: readonly [readonly ["overview", "overview"], readonly ["login", "login"], readonly ["signup", "signup"], readonly ["apps", "apps"], readonly ["apps/new-app", "new-app"], readonly ["new-app", "new-app"], readonly ["vault", "vault"], readonly ["integrations", "integrations"], readonly ["agents", "agents"], readonly ["workspace", "workspace"], readonly ["messaging", "messaging"], readonly ["extensions", "extensions"], readonly ["destinations", "destinations"], readonly ["identities", "identities"], readonly ["approval", "approval"], readonly ["approvals", "approvals"], readonly ["audit", "audit"], readonly ["team", "team"]];
1
+ export declare const DISPATCH_WORKSPACE_ROOT_REDIRECTS: readonly [readonly ["overview", "overview"], readonly ["login", "login"], readonly ["signup", "signup"], readonly ["apps", "apps"], readonly ["apps/new-app", "new-app"], readonly ["new-app", "new-app"], readonly ["vault", "vault"], readonly ["integrations", "integrations"], readonly ["agents", "agents"], readonly ["workspace", "workspace"], readonly ["messaging", "messaging"], readonly ["extensions", "extensions"], readonly ["destinations", "destinations"], readonly ["identities", "identities"], readonly ["approval", "approval"], readonly ["approvals", "approvals"], readonly ["audit", "audit"], readonly ["thread-debug", "thread-debug"], readonly ["team", "team"]];
2
2
  export declare const RESERVED_WORKSPACE_APP_IDS: Set<string>;
3
3
  export declare function isValidWorkspaceAppIdFormat(appId: string): boolean;
4
4
  export declare function getWorkspaceAppIdValidationError(appId: string): string | null;
package/dist/shared/workspace-app-id.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"workspace-app-id.d.ts","sourceRoot":"","sources":["../../src/shared/workspace-app-id.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iCAAiC,snBAmBpC,CAAC;AAEX,eAAO,MAAM,0BAA0B,aAYrC,CAAC;AAEH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElE;AAED,wBAAgB,gCAAgC,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQ7E;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAG7D"}
1
+ {"version":3,"file":"workspace-app-id.d.ts","sourceRoot":"","sources":["../../src/shared/workspace-app-id.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iCAAiC,iqBAoBpC,CAAC;AAEX,eAAO,MAAM,0BAA0B,aAYrC,CAAC;AAEH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElE;AAED,wBAAgB,gCAAgC,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQ7E;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAG7D"}
package/dist/shared/workspace-app-id.js CHANGED
@@ -16,6 +16,7 @@ export const DISPATCH_WORKSPACE_ROOT_REDIRECTS = [
16
16
  ["approval", "approval"],
17
17
  ["approvals", "approvals"],
18
18
  ["audit", "audit"],
19
+ ["thread-debug", "thread-debug"],
19
20
  ["team", "team"],
20
21
  ];
21
22
  export const RESERVED_WORKSPACE_APP_IDS = new Set([
package/dist/shared/workspace-app-id.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"workspace-app-id.js","sourceRoot":"","sources":["../../src/shared/workspace-app-id.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iCAAiC,GAAG;IAC/C,CAAC,UAAU,EAAE,UAAU,CAAC;IACxB,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,QAAQ,EAAE,QAAQ,CAAC;IACpB,CAAC,MAAM,EAAE,MAAM,CAAC;IAChB,CAAC,cAAc,EAAE,SAAS,CAAC;IAC3B,CAAC,SAAS,EAAE,SAAS,CAAC;IACtB,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,QAAQ,EAAE,QAAQ,CAAC;IACpB,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,YAAY,EAAE,YAAY,CAAC;IAC5B,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,YAAY,EAAE,YAAY,CAAC;IAC5B,CAAC,UAAU,EAAE,UAAU,CAAC;IACxB,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,MAAM,EAAE,MAAM,CAAC;CACR,CAAC;AAEX,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,GAAG,CAAC;IAChD,eAAe;IACf,mBAAmB;IACnB,KAAK;IACL,MAAM;IACN,UAAU;IACV,SAAS;IACT,yEAAyE;IACzE,4EAA4E;IAC5E,0EAA0E;IAC1E,OAAO;IACP,GAAG,iCAAiC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC;CAC3D,CAAC,CAAC;AAEH,MAAM,UAAU,2BAA2B,CAAC,KAAa;IACvD,OAAO,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,KAAa;IAC5D,IAAI,0BAA0B,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,OAAO,aAAa,KAAK,uEAAuE,CAAC;IACnG,CAAC;IACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,qBAAqB,KAAK,iDAAiD,CAAC;IACrF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAa;IACrD,MAAM,KAAK,GAAG,gCAAgC,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC","sourcesContent":["export const DISPATCH_WORKSPACE_ROOT_REDIRECTS = [\n [\"overview\", \"overview\"],\n [\"login\", \"login\"],\n [\"signup\", \"signup\"],\n [\"apps\", \"apps\"],\n [\"apps/new-app\", \"new-app\"],\n [\"new-app\", \"new-app\"],\n [\"vault\", \"vault\"],\n [\"integrations\", \"integrations\"],\n [\"agents\", \"agents\"],\n [\"workspace\", \"workspace\"],\n [\"messaging\", \"messaging\"],\n [\"extensions\", \"extensions\"],\n [\"destinations\", \"destinations\"],\n [\"identities\", \"identities\"],\n [\"approval\", \"approval\"],\n [\"approvals\", \"approvals\"],\n [\"audit\", \"audit\"],\n [\"team\", \"team\"],\n] as const;\n\nexport const RESERVED_WORKSPACE_APP_IDS = new Set([\n \"_agent-native\",\n \"_workspace_static\",\n \"api\",\n \"auth\",\n \"dispatch\",\n \"netlify\",\n // Legacy alias — `tools` was the previous name for `extensions`. Keep it\n // reserved so a user can't create a workspace app whose mount path collides\n // with the legacy `/tools` redirect (still served by core-routes-plugin).\n \"tools\",\n ...DISPATCH_WORKSPACE_ROOT_REDIRECTS.map(([from]) => from),\n]);\n\nexport function isValidWorkspaceAppIdFormat(appId: string): boolean {\n return /^[a-z][a-z0-9-]*$/.test(appId);\n}\n\nexport function getWorkspaceAppIdValidationError(appId: string): string | null {\n if (RESERVED_WORKSPACE_APP_IDS.has(appId)) {\n return `App name \"${appId}\" conflicts with a reserved workspace route. Choose a different name.`;\n }\n if (!isValidWorkspaceAppIdFormat(appId)) {\n return `Invalid app name \"${appId}\". Use lowercase letters, numbers, and hyphens.`;\n }\n return null;\n}\n\nexport function assertValidWorkspaceAppId(appId: string): void {\n const error = getWorkspaceAppIdValidationError(appId);\n if (error) throw new Error(error);\n}\n"]}
1
+ {"version":3,"file":"workspace-app-id.js","sourceRoot":"","sources":["../../src/shared/workspace-app-id.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iCAAiC,GAAG;IAC/C,CAAC,UAAU,EAAE,UAAU,CAAC;IACxB,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,QAAQ,EAAE,QAAQ,CAAC;IACpB,CAAC,MAAM,EAAE,MAAM,CAAC;IAChB,CAAC,cAAc,EAAE,SAAS,CAAC;IAC3B,CAAC,SAAS,EAAE,SAAS,CAAC;IACtB,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,QAAQ,EAAE,QAAQ,CAAC;IACpB,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,YAAY,EAAE,YAAY,CAAC;IAC5B,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,YAAY,EAAE,YAAY,CAAC;IAC5B,CAAC,UAAU,EAAE,UAAU,CAAC;IACxB,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,MAAM,EAAE,MAAM,CAAC;CACR,CAAC;AAEX,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,GAAG,CAAC;IAChD,eAAe;IACf,mBAAmB;IACnB,KAAK;IACL,MAAM;IACN,UAAU;IACV,SAAS;IACT,yEAAyE;IACzE,4EAA4E;IAC5E,0EAA0E;IAC1E,OAAO;IACP,GAAG,iCAAiC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC;CAC3D,CAAC,CAAC;AAEH,MAAM,UAAU,2BAA2B,CAAC,KAAa;IACvD,OAAO,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,KAAa;IAC5D,IAAI,0BAA0B,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,OAAO,aAAa,KAAK,uEAAuE,CAAC;IACnG,CAAC;IACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,qBAAqB,KAAK,iDAAiD,CAAC;IACrF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAa;IACrD,MAAM,KAAK,GAAG,gCAAgC,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC","sourcesContent":["export const DISPATCH_WORKSPACE_ROOT_REDIRECTS = [\n [\"overview\", \"overview\"],\n [\"login\", \"login\"],\n [\"signup\", \"signup\"],\n [\"apps\", \"apps\"],\n [\"apps/new-app\", \"new-app\"],\n [\"new-app\", \"new-app\"],\n [\"vault\", \"vault\"],\n [\"integrations\", \"integrations\"],\n [\"agents\", \"agents\"],\n [\"workspace\", \"workspace\"],\n [\"messaging\", \"messaging\"],\n [\"extensions\", \"extensions\"],\n [\"destinations\", \"destinations\"],\n [\"identities\", \"identities\"],\n [\"approval\", \"approval\"],\n [\"approvals\", \"approvals\"],\n [\"audit\", \"audit\"],\n [\"thread-debug\", \"thread-debug\"],\n [\"team\", \"team\"],\n] as const;\n\nexport const RESERVED_WORKSPACE_APP_IDS = new Set([\n \"_agent-native\",\n \"_workspace_static\",\n \"api\",\n \"auth\",\n \"dispatch\",\n \"netlify\",\n // Legacy alias — `tools` was the previous name for `extensions`. Keep it\n // reserved so a user can't create a workspace app whose mount path collides\n // with the legacy `/tools` redirect (still served by core-routes-plugin).\n \"tools\",\n ...DISPATCH_WORKSPACE_ROOT_REDIRECTS.map(([from]) => from),\n]);\n\nexport function isValidWorkspaceAppIdFormat(appId: string): boolean {\n return /^[a-z][a-z0-9-]*$/.test(appId);\n}\n\nexport function getWorkspaceAppIdValidationError(appId: string): string | null {\n if (RESERVED_WORKSPACE_APP_IDS.has(appId)) {\n return `App name \"${appId}\" conflicts with a reserved workspace route. Choose a different name.`;\n }\n if (!isValidWorkspaceAppIdFormat(appId)) {\n return `Invalid app name \"${appId}\". Use lowercase letters, numbers, and hyphens.`;\n }\n return null;\n}\n\nexport function assertValidWorkspaceAppId(appId: string): void {\n const error = getWorkspaceAppIdValidationError(appId);\n if (error) throw new Error(error);\n}\n"]}
package/dist/sharing/access.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/sharing/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAoB,KAAK,GAAG,EAAE,MAAM,aAAa,CAAC;AASzD,OAAO,EAAa,KAAK,SAAS,EAAE,MAAM,aAAa,CAAC;AAExD,qBAAa,cAAe,SAAQ,KAAK;IACvC,UAAU,SAAO;gBACL,OAAO,SAAc;CAIlC;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wEAAwE;AACxE,wBAAgB,aAAa,IAAI,aAAa,CAK7C;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,YAAY,CAC1B,aAAa,EAAE,GAAG,EAClB,WAAW,EAAE,GAAG,EAChB,GAAG,GAAE,aAA+B,EACpC,OAAO,GAAE,SAAoB,EAC7B,OAAO,GAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAO,GACxC,GAAG,CAyCL;AAaD,MAAM,WAAW,cAAc;IAC7B,yEAAyE;IACzE,IAAI,EAAE,OAAO,GAAG,SAAS,CAAC;IAC1B,yCAAyC;IACzC,QAAQ,EAAE,GAAG,CAAC;CACf;AAED;;;GAGG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,GAAG,GAAE,aAA+B,GACnC,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CA2BhC;AA4CD;;;GAGG;AACH,wBAAsB,YAAY,CAChC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,SAAS,GAAG,OAAkB,EACvC,GAAG,GAAE,aAA+B,GACnC,OAAO,CAAC,cAAc,CAAC,CAWzB"}
1
+ {"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/sharing/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAoB,KAAK,GAAG,EAAE,MAAM,aAAa,CAAC;AAUzD,OAAO,EAAa,KAAK,SAAS,EAAE,MAAM,aAAa,CAAC;AAmBxD,qBAAa,cAAe,SAAQ,KAAK;IACvC,UAAU,SAAO;gBACL,OAAO,SAAc;CAIlC;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wEAAwE;AACxE,wBAAgB,aAAa,IAAI,aAAa,CAK7C;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,YAAY,CAC1B,aAAa,EAAE,GAAG,EAClB,WAAW,EAAE,GAAG,EAChB,GAAG,GAAE,aAA+B,EACpC,OAAO,GAAE,SAAoB,EAC7B,OAAO,GAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAO,GACxC,GAAG,CAoDL;AAgCD,MAAM,WAAW,cAAc;IAC7B,yEAAyE;IACzE,IAAI,EAAE,OAAO,GAAG,SAAS,CAAC;IAC1B,yCAAyC;IACzC,QAAQ,EAAE,GAAG,CAAC;CACf;AAED;;;GAGG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,GAAG,GAAE,aAA+B,GACnC,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAkChC;AA4CD;;;GAGG;AACH,wBAAsB,YAAY,CAChC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,SAAS,GAAG,OAAkB,EACvC,GAAG,GAAE,aAA+B,GACnC,OAAO,CAAC,cAAc,CAAC,CAWzB"}
package/dist/sharing/access.js CHANGED
@@ -14,8 +14,23 @@
14
14
  */
15
15
  import { and, eq, or, sql } from "drizzle-orm";
16
16
  import { getRequestUserEmail, getRequestOrgId, } from "../server/request-context.js";
17
- import { requireShareableResource, } from "./registry.js";
17
+ import { listShareableResources, requireShareableResource, } from "./registry.js";
18
18
  import { ROLE_RANK } from "./schema.js";
19
+ /**
20
+ * Find a registration by its drizzle table identity. Used to look up
21
+ * per-resource policy flags (e.g. `allowPublic`) inside `accessFilter`,
22
+ * which receives only the table — not the resource-type name.
23
+ *
24
+ * Identity is stable within a single bundle (Vite dedupes module instances);
25
+ * the SSR/server side is the only caller, so per-bundle identity is fine.
26
+ */
27
+ function findRegistrationByTable(resourceTable) {
28
+ for (const reg of listShareableResources()) {
29
+ if (reg.resourceTable === resourceTable)
30
+ return reg;
31
+ }
32
+ return undefined;
33
+ }
19
34
  export class ForbiddenError extends Error {
20
35
  statusCode = 403;
21
36
  constructor(message = "Forbidden") {
@@ -50,10 +65,16 @@ export function currentAccess() {
50
65
  */
51
66
  export function accessFilter(resourceTable, sharesTable, ctx = currentAccess(), minRole = "viewer", options = {}) {
52
67
  const { userEmail, orgId } = ctx;
53
- const { includePublic = false } = options;
68
+ // Defense in depth resources registered with `allowPublic: false` must
69
+ // never participate in cross-user "public" discovery, even if a caller
70
+ // accidentally passes `includePublic: true` or if a stale public row sits
71
+ // in the DB.
72
+ const reg = findRegistrationByTable(resourceTable);
73
+ const publicAllowed = reg?.allowPublic !== false;
74
+ const includePublic = (options.includePublic ?? false) && publicAllowed;
54
75
  const clauses = [];
55
76
  if (userEmail) {
56
- clauses.push(eq(resourceTable.ownerEmail, userEmail));
77
+ clauses.push(and(eq(resourceTable.ownerEmail, userEmail), ownerScopeFilter(resourceTable, ctx)));
57
78
  }
58
79
  if (minRole === "viewer") {
59
80
  if (includePublic) {
@@ -79,6 +100,21 @@ export function accessFilter(resourceTable, sharesTable, ctx = currentAccess(),
79
100
  }
80
101
  return or(...clauses) ?? sql `1=0`;
81
102
  }
103
+ function ownerScopeFilter(resourceTable, ctx) {
104
+ if (ctx.orgId) {
105
+ // Rows created before org-scoping, or in solo mode, have no org_id. Keep
106
+ // them manageable by their owner after the owner joins or switches into an
107
+ // organization, while still keeping rows from other orgs out of scope.
108
+ return or(eq(resourceTable.orgId, ctx.orgId), sql `${resourceTable.orgId} IS NULL`);
109
+ }
110
+ return sql `${resourceTable.orgId} IS NULL`;
111
+ }
112
+ function ownerMatchesActiveScope(resource, ctx) {
113
+ const resourceOrgId = resource?.orgId ?? null;
114
+ if (!resourceOrgId)
115
+ return true;
116
+ return ctx.orgId === resourceOrgId;
117
+ }
82
118
  function minRoleSql(minRole) {
83
119
  if (minRole === "viewer") {
84
120
  // any role satisfies viewer
@@ -103,14 +139,19 @@ export async function resolveAccess(resourceType, resourceId, ctx = currentAcces
103
139
  if (!resource)
104
140
  return null;
105
141
  const { userEmail, orgId } = ctx;
106
- if (userEmail && resource.ownerEmail === userEmail) {
142
+ if (userEmail &&
143
+ resource.ownerEmail === userEmail &&
144
+ ownerMatchesActiveScope(resource, ctx)) {
107
145
  return { role: "owner", resource };
108
146
  }
109
- if (resource.visibility === "public") {
147
+ if (resource.visibility === "public" && reg.allowPublic !== false) {
110
148
  // No share row needed; default viewer unless upgraded below.
111
149
  const role = await highestShareRole(reg, resourceId, ctx);
112
150
  return { role: role ?? "viewer", resource };
113
151
  }
152
+ // `visibility === "public"` on an `allowPublic: false` resource is treated
153
+ // as private: only owner + explicit shares grant access. Falls through to
154
+ // the explicit-share lookup below.
114
155
  if (resource.visibility === "org" && orgId && resource.orgId === orgId) {
115
156
  const role = await highestShareRole(reg, resourceId, ctx);
116
157
  return { role: role ?? "viewer", resource };