npm - @agent-native/core - Versions diffs - 0.14.8 → 0.15.1 - Mend

@agent-native/core 0.14.8 → 0.15.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (544) hide show

package/README.md +1 -1
package/dist/agent/engine/builder-engine.d.ts.map +1 -1
package/dist/agent/engine/builder-engine.js +30 -9
package/dist/agent/engine/builder-engine.js.map +1 -1
package/dist/agent/engine/registry.d.ts.map +1 -1
package/dist/agent/engine/registry.js +14 -4
package/dist/agent/engine/registry.js.map +1 -1
package/dist/agent/production-agent.d.ts.map +1 -1
package/dist/agent/production-agent.js +71 -4
package/dist/agent/production-agent.js.map +1 -1
package/dist/agent/types.d.ts +9 -0
package/dist/agent/types.d.ts.map +1 -1
package/dist/agent/types.js.map +1 -1
package/dist/appearance/actions/change-appearance.d.ts +3 -0
package/dist/appearance/actions/change-appearance.d.ts.map +1 -0
package/dist/appearance/actions/change-appearance.js +29 -0
package/dist/appearance/actions/change-appearance.js.map +1 -0
package/dist/chat-threads/store.d.ts +53 -2
package/dist/chat-threads/store.d.ts.map +1 -1
package/dist/chat-threads/store.js +172 -12
package/dist/chat-threads/store.js.map +1 -1
package/dist/cli/create.d.ts.map +1 -1
package/dist/cli/create.js +114 -37
package/dist/cli/create.js.map +1 -1
package/dist/cli/index.js +30 -4
package/dist/cli/index.js.map +1 -1
package/dist/cli/workspace-dev.d.ts +25 -1
package/dist/cli/workspace-dev.d.ts.map +1 -1
package/dist/cli/workspace-dev.js +275 -49
package/dist/cli/workspace-dev.js.map +1 -1
package/dist/client/AgentPanel.d.ts +23 -4
package/dist/client/AgentPanel.d.ts.map +1 -1
package/dist/client/AgentPanel.js +276 -53
package/dist/client/AgentPanel.js.map +1 -1
package/dist/client/AppearancePicker.d.ts +11 -0
package/dist/client/AppearancePicker.d.ts.map +1 -0
package/dist/client/AppearancePicker.js +16 -0
package/dist/client/AppearancePicker.js.map +1 -0
package/dist/client/AssistantChat.d.ts +35 -0
package/dist/client/AssistantChat.d.ts.map +1 -1
package/dist/client/AssistantChat.js +315 -32
package/dist/client/AssistantChat.js.map +1 -1
package/dist/client/ConnectBuilderCard.d.ts.map +1 -1
package/dist/client/ConnectBuilderCard.js +5 -2
package/dist/client/ConnectBuilderCard.js.map +1 -1
package/dist/client/ErrorBoundary.d.ts.map +1 -1
package/dist/client/ErrorBoundary.js +8 -10
package/dist/client/ErrorBoundary.js.map +1 -1
package/dist/client/FeedbackButton.d.ts.map +1 -1
package/dist/client/FeedbackButton.js +1 -1
package/dist/client/FeedbackButton.js.map +1 -1
package/dist/client/MultiTabAssistantChat.d.ts +13 -1
package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
package/dist/client/MultiTabAssistantChat.js +217 -38
package/dist/client/MultiTabAssistantChat.js.map +1 -1
package/dist/client/NewWorkspaceAppFlow.d.ts.map +1 -1
package/dist/client/NewWorkspaceAppFlow.js +37 -14
package/dist/client/NewWorkspaceAppFlow.js.map +1 -1
package/dist/client/agent-chat-adapter.d.ts +5 -0
package/dist/client/agent-chat-adapter.d.ts.map +1 -1
package/dist/client/agent-chat-adapter.js +4 -0
package/dist/client/agent-chat-adapter.js.map +1 -1
package/dist/client/agent-sidebar-state.d.ts +12 -0
package/dist/client/agent-sidebar-state.d.ts.map +1 -1
package/dist/client/agent-sidebar-state.js +8 -0
package/dist/client/agent-sidebar-state.js.map +1 -1
package/dist/client/analytics.d.ts.map +1 -1
package/dist/client/analytics.js +175 -3
package/dist/client/analytics.js.map +1 -1
package/dist/client/appearance.d.ts +40 -0
package/dist/client/appearance.d.ts.map +1 -0
package/dist/client/appearance.js +114 -0
package/dist/client/appearance.js.map +1 -0
package/dist/client/builder-frame.d.ts +1 -0
package/dist/client/builder-frame.d.ts.map +1 -1
package/dist/client/builder-frame.js +19 -9
package/dist/client/builder-frame.js.map +1 -1
package/dist/client/components/CodeRequiredDialog.d.ts.map +1 -1
package/dist/client/components/CodeRequiredDialog.js +10 -2
package/dist/client/components/CodeRequiredDialog.js.map +1 -1
package/dist/client/components/ui/dropdown-menu.js +2 -2
package/dist/client/components/ui/dropdown-menu.js.map +1 -1
package/dist/client/components/ui/hover-card.js +1 -1
package/dist/client/components/ui/hover-card.js.map +1 -1
package/dist/client/components/ui/popover.js +1 -1
package/dist/client/components/ui/popover.js.map +1 -1
package/dist/client/composer/PromptComposer.d.ts +7 -0
package/dist/client/composer/PromptComposer.d.ts.map +1 -1
package/dist/client/composer/PromptComposer.js +63 -32
package/dist/client/composer/PromptComposer.js.map +1 -1
package/dist/client/composer/TiptapComposer.d.ts +5 -0
package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
package/dist/client/composer/TiptapComposer.js +36 -6
package/dist/client/composer/TiptapComposer.js.map +1 -1
package/dist/client/composer/useVoiceDictation.d.ts.map +1 -1
package/dist/client/composer/useVoiceDictation.js +13 -1
package/dist/client/composer/useVoiceDictation.js.map +1 -1
package/dist/client/dev-mode.d.ts +14 -0
package/dist/client/dev-mode.d.ts.map +1 -0
package/dist/client/dev-mode.js +14 -0
package/dist/client/dev-mode.js.map +1 -0
package/dist/client/error-format.d.ts +3 -2
package/dist/client/error-format.d.ts.map +1 -1
package/dist/client/error-format.js +9 -2
package/dist/client/error-format.js.map +1 -1
package/dist/client/extensions/EmbeddedTool.d.ts +20 -0
package/dist/client/extensions/EmbeddedTool.d.ts.map +1 -0
package/dist/client/extensions/EmbeddedTool.js +199 -0
package/dist/client/extensions/EmbeddedTool.js.map +1 -0
package/dist/client/extensions/ExtensionViewer.d.ts.map +1 -1
package/dist/client/extensions/ExtensionViewer.js +24 -2
package/dist/client/extensions/ExtensionViewer.js.map +1 -1
package/dist/client/extensions/ToolEditor.d.ts +5 -0
package/dist/client/extensions/ToolEditor.d.ts.map +1 -0
package/dist/client/extensions/ToolEditor.js +129 -0
package/dist/client/extensions/ToolEditor.js.map +1 -0
package/dist/client/extensions/ToolViewer.d.ts +5 -0
package/dist/client/extensions/ToolViewer.d.ts.map +1 -0
package/dist/client/extensions/ToolViewer.js +400 -0
package/dist/client/extensions/ToolViewer.js.map +1 -0
package/dist/client/extensions/ToolViewerPage.d.ts +2 -0
package/dist/client/extensions/ToolViewerPage.d.ts.map +1 -0
package/dist/client/extensions/ToolViewerPage.js +24 -0
package/dist/client/extensions/ToolViewerPage.js.map +1 -0
package/dist/client/extensions/ToolsListPage.d.ts +2 -0
package/dist/client/extensions/ToolsListPage.d.ts.map +1 -0
package/dist/client/extensions/ToolsListPage.js +67 -0
package/dist/client/extensions/ToolsListPage.js.map +1 -0
package/dist/client/extensions/ToolsSidebarSection.d.ts +2 -0
package/dist/client/extensions/ToolsSidebarSection.d.ts.map +1 -0
package/dist/client/extensions/ToolsSidebarSection.js +236 -0
package/dist/client/extensions/ToolsSidebarSection.js.map +1 -0
package/dist/client/extensions/tool-order.d.ts +7 -0
package/dist/client/extensions/tool-order.d.ts.map +1 -0
package/dist/client/extensions/tool-order.js +47 -0
package/dist/client/extensions/tool-order.js.map +1 -0
package/dist/client/index.d.ts +8 -1
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +7 -0
package/dist/client/index.js.map +1 -1
package/dist/client/onboarding/OnboardingPanel.js +1 -0
package/dist/client/onboarding/OnboardingPanel.js.map +1 -1
package/dist/client/org/InvitationBanner.d.ts.map +1 -1
package/dist/client/org/InvitationBanner.js +23 -2
package/dist/client/org/InvitationBanner.js.map +1 -1
package/dist/client/org/OrgSwitcher.d.ts +5 -4
package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
package/dist/client/org/OrgSwitcher.js +57 -9
package/dist/client/org/OrgSwitcher.js.map +1 -1
package/dist/client/org/hooks.d.ts.map +1 -1
package/dist/client/org/hooks.js +10 -6
package/dist/client/org/hooks.js.map +1 -1
package/dist/client/org/workspace-app-links.d.ts +31 -0
package/dist/client/org/workspace-app-links.d.ts.map +1 -0
package/dist/client/org/workspace-app-links.js +268 -0
package/dist/client/org/workspace-app-links.js.map +1 -0
package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
package/dist/client/resources/ResourcesPanel.js +18 -5
package/dist/client/resources/ResourcesPanel.js.map +1 -1
package/dist/client/resources/use-resources.d.ts +18 -13
package/dist/client/resources/use-resources.d.ts.map +1 -1
package/dist/client/resources/use-resources.js +24 -6
package/dist/client/resources/use-resources.js.map +1 -1
package/dist/client/settings/BackgroundAgentSection.d.ts.map +1 -1
package/dist/client/settings/BackgroundAgentSection.js +9 -1
package/dist/client/settings/BackgroundAgentSection.js.map +1 -1
package/dist/client/settings/BrowserSection.d.ts.map +1 -1
package/dist/client/settings/BrowserSection.js +16 -1
package/dist/client/settings/BrowserSection.js.map +1 -1
package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
package/dist/client/settings/SettingsPanel.js +4 -1
package/dist/client/settings/SettingsPanel.js.map +1 -1
package/dist/client/settings/VoiceTranscriptionSection.d.ts.map +1 -1
package/dist/client/settings/VoiceTranscriptionSection.js +5 -5
package/dist/client/settings/VoiceTranscriptionSection.js.map +1 -1
package/dist/client/settings/useBuilderStatus.d.ts +8 -0
package/dist/client/settings/useBuilderStatus.d.ts.map +1 -1
package/dist/client/settings/useBuilderStatus.js +50 -13
package/dist/client/settings/useBuilderStatus.js.map +1 -1
package/dist/client/settings/useBuilderStatus.spec.d.ts +2 -0
package/dist/client/settings/useBuilderStatus.spec.d.ts.map +1 -0
package/dist/client/settings/useBuilderStatus.spec.js +64 -0
package/dist/client/settings/useBuilderStatus.spec.js.map +1 -0
package/dist/client/sharing/ShareButton.d.ts +5 -0
package/dist/client/sharing/ShareButton.d.ts.map +1 -1
package/dist/client/sharing/ShareButton.js +60 -6
package/dist/client/sharing/ShareButton.js.map +1 -1
package/dist/client/theme.js +1 -1
package/dist/client/theme.js.map +1 -1
package/dist/client/tools/EmbeddedTool.d.ts +20 -0
package/dist/client/tools/EmbeddedTool.d.ts.map +1 -0
package/dist/client/tools/EmbeddedTool.js +199 -0
package/dist/client/tools/EmbeddedTool.js.map +1 -0
package/dist/client/tools/ExtensionSlot.d.ts +27 -0
package/dist/client/tools/ExtensionSlot.d.ts.map +1 -0
package/dist/client/tools/ExtensionSlot.js +96 -0
package/dist/client/tools/ExtensionSlot.js.map +1 -0
package/dist/client/tools/ToolEditor.d.ts +5 -0
package/dist/client/tools/ToolEditor.d.ts.map +1 -0
package/dist/client/tools/ToolEditor.js +129 -0
package/dist/client/tools/ToolEditor.js.map +1 -0
package/dist/client/tools/ToolViewer.d.ts +5 -0
package/dist/client/tools/ToolViewer.d.ts.map +1 -0
package/dist/client/tools/ToolViewer.js +400 -0
package/dist/client/tools/ToolViewer.js.map +1 -0
package/dist/client/tools/ToolViewerPage.d.ts +2 -0
package/dist/client/tools/ToolViewerPage.d.ts.map +1 -0
package/dist/client/tools/ToolViewerPage.js +24 -0
package/dist/client/tools/ToolViewerPage.js.map +1 -0
package/dist/client/tools/ToolsListPage.d.ts +2 -0
package/dist/client/tools/ToolsListPage.d.ts.map +1 -0
package/dist/client/tools/ToolsListPage.js +67 -0
package/dist/client/tools/ToolsListPage.js.map +1 -0
package/dist/client/tools/ToolsSidebarSection.d.ts +2 -0
package/dist/client/tools/ToolsSidebarSection.d.ts.map +1 -0
package/dist/client/tools/ToolsSidebarSection.js +236 -0
package/dist/client/tools/ToolsSidebarSection.js.map +1 -0
package/dist/client/tools/iframe-bridge.d.ts +38 -0
package/dist/client/tools/iframe-bridge.d.ts.map +1 -0
package/dist/client/tools/iframe-bridge.js +207 -0
package/dist/client/tools/iframe-bridge.js.map +1 -0
package/dist/client/tools/index.d.ts +8 -0
package/dist/client/tools/index.d.ts.map +1 -0
package/dist/client/tools/index.js +8 -0
package/dist/client/tools/index.js.map +1 -0
package/dist/client/tools/tool-order.d.ts +7 -0
package/dist/client/tools/tool-order.d.ts.map +1 -0
package/dist/client/tools/tool-order.js +47 -0
package/dist/client/tools/tool-order.js.map +1 -0
package/dist/client/transcription/BuilderTranscriptionCta.d.ts.map +1 -1
package/dist/client/transcription/BuilderTranscriptionCta.js +2 -3
package/dist/client/transcription/BuilderTranscriptionCta.js.map +1 -1
package/dist/client/use-change-version.d.ts +46 -0
package/dist/client/use-change-version.d.ts.map +1 -0
package/dist/client/use-change-version.js +135 -0
package/dist/client/use-change-version.js.map +1 -0
package/dist/client/use-chat-threads.d.ts +16 -2
package/dist/client/use-chat-threads.d.ts.map +1 -1
package/dist/client/use-chat-threads.js +87 -12
package/dist/client/use-chat-threads.js.map +1 -1
package/dist/client/use-chat-threads.spec.d.ts +2 -0
package/dist/client/use-chat-threads.spec.d.ts.map +1 -0
package/dist/client/use-chat-threads.spec.js +85 -0
package/dist/client/use-chat-threads.spec.js.map +1 -0
package/dist/client/use-db-sync.d.ts +5 -2
package/dist/client/use-db-sync.d.ts.map +1 -1
package/dist/client/use-db-sync.js +41 -16
package/dist/client/use-db-sync.js.map +1 -1
package/dist/client/use-pinch-zoom.d.ts +35 -0
package/dist/client/use-pinch-zoom.d.ts.map +1 -0
package/dist/client/use-pinch-zoom.js +105 -0
package/dist/client/use-pinch-zoom.js.map +1 -0
package/dist/deploy/workspace-deploy.d.ts.map +1 -1
package/dist/deploy/workspace-deploy.js +99 -5
package/dist/deploy/workspace-deploy.js.map +1 -1
package/dist/extensions/actions.d.ts.map +1 -1
package/dist/extensions/actions.js +3 -0
package/dist/extensions/actions.js.map +1 -1
package/dist/extensions/store.d.ts +5 -0
package/dist/extensions/store.d.ts.map +1 -1
package/dist/extensions/store.js +16 -1
package/dist/extensions/store.js.map +1 -1
package/dist/file-upload/actions/upload-image.d.ts +3 -0
package/dist/file-upload/actions/upload-image.d.ts.map +1 -0
package/dist/file-upload/actions/upload-image.js +145 -0
package/dist/file-upload/actions/upload-image.js.map +1 -0
package/dist/file-upload/builder.d.ts.map +1 -1
package/dist/file-upload/builder.js +31 -11
package/dist/file-upload/builder.js.map +1 -1
package/dist/file-upload/index.d.ts +1 -0
package/dist/file-upload/index.d.ts.map +1 -1
package/dist/file-upload/index.js +1 -0
package/dist/file-upload/index.js.map +1 -1
package/dist/file-upload/pre-upload-attachments.d.ts +39 -0
package/dist/file-upload/pre-upload-attachments.d.ts.map +1 -0
package/dist/file-upload/pre-upload-attachments.js +110 -0
package/dist/file-upload/pre-upload-attachments.js.map +1 -0
package/dist/file-upload/registry.d.ts.map +1 -1
package/dist/file-upload/registry.js +8 -7
package/dist/file-upload/registry.js.map +1 -1
package/dist/onboarding/default-steps.js +1 -1
package/dist/onboarding/default-steps.js.map +1 -1
package/dist/org/context.d.ts +15 -1
package/dist/org/context.d.ts.map +1 -1
package/dist/org/context.js +25 -0
package/dist/org/context.js.map +1 -1
package/dist/org/handlers.d.ts +2 -2
package/dist/org/handlers.d.ts.map +1 -1
package/dist/org/handlers.js +3 -17
package/dist/org/handlers.js.map +1 -1
package/dist/org/index.d.ts +1 -1
package/dist/org/index.d.ts.map +1 -1
package/dist/org/index.js +1 -1
package/dist/org/index.js.map +1 -1
package/dist/resources/handlers.d.ts +6 -0
package/dist/resources/handlers.d.ts.map +1 -1
package/dist/resources/handlers.js +30 -6
package/dist/resources/handlers.js.map +1 -1
package/dist/resources/script-helpers.d.ts +11 -2
package/dist/resources/script-helpers.d.ts.map +1 -1
package/dist/resources/script-helpers.js +20 -3
package/dist/resources/script-helpers.js.map +1 -1
package/dist/resources/store.d.ts +28 -3
package/dist/resources/store.d.ts.map +1 -1
package/dist/resources/store.js +170 -20
package/dist/resources/store.js.map +1 -1
package/dist/scripts/resources/list.d.ts +1 -1
package/dist/scripts/resources/list.d.ts.map +1 -1
package/dist/scripts/resources/list.js +16 -4
package/dist/scripts/resources/list.js.map +1 -1
package/dist/scripts/resources/write.d.ts +1 -1
package/dist/scripts/resources/write.d.ts.map +1 -1
package/dist/scripts/resources/write.js +47 -3
package/dist/scripts/resources/write.js.map +1 -1
package/dist/server/action-discovery.d.ts.map +1 -1
package/dist/server/action-discovery.js +8 -3
package/dist/server/action-discovery.js.map +1 -1
package/dist/server/agent-chat-plugin.d.ts.map +1 -1
package/dist/server/agent-chat-plugin.js +214 -25
package/dist/server/agent-chat-plugin.js.map +1 -1
package/dist/server/agent-discovery.d.ts +35 -0
package/dist/server/agent-discovery.d.ts.map +1 -1
package/dist/server/agent-discovery.js +139 -8
package/dist/server/agent-discovery.js.map +1 -1
package/dist/server/app-url.d.ts +12 -6
package/dist/server/app-url.d.ts.map +1 -1
package/dist/server/app-url.js +58 -11
package/dist/server/app-url.js.map +1 -1
package/dist/server/auth.d.ts +22 -0
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +316 -65
package/dist/server/auth.js.map +1 -1
package/dist/server/better-auth-instance.d.ts +0 -4
package/dist/server/better-auth-instance.d.ts.map +1 -1
package/dist/server/better-auth-instance.js +0 -3
package/dist/server/better-auth-instance.js.map +1 -1
package/dist/server/builder-browser.d.ts.map +1 -1
package/dist/server/builder-browser.js +23 -0
package/dist/server/builder-browser.js.map +1 -1
package/dist/server/core-routes-plugin.d.ts.map +1 -1
package/dist/server/core-routes-plugin.js +29 -14
package/dist/server/core-routes-plugin.js.map +1 -1
package/dist/server/credential-provider.d.ts +14 -0
package/dist/server/credential-provider.d.ts.map +1 -1
package/dist/server/credential-provider.js +88 -11
package/dist/server/credential-provider.js.map +1 -1
package/dist/server/google-auth-plugin.d.ts.map +1 -1
package/dist/server/google-auth-plugin.js +65 -17
package/dist/server/google-auth-plugin.js.map +1 -1
package/dist/server/google-oauth.d.ts.map +1 -1
package/dist/server/google-oauth.js +47 -17
package/dist/server/google-oauth.js.map +1 -1
package/dist/server/index.d.ts +1 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +1 -1
package/dist/server/index.js.map +1 -1
package/dist/server/local-migration.d.ts +41 -0
package/dist/server/local-migration.d.ts.map +1 -0
package/dist/server/local-migration.js +235 -0
package/dist/server/local-migration.js.map +1 -0
package/dist/server/oauth-public-origin.d.ts.map +1 -1
package/dist/server/oauth-public-origin.js +19 -1
package/dist/server/oauth-public-origin.js.map +1 -1
package/dist/server/onboarding-html.d.ts.map +1 -1
package/dist/server/onboarding-html.js +74 -19
package/dist/server/onboarding-html.js.map +1 -1
package/dist/server/poll.d.ts.map +1 -1
package/dist/server/poll.js +20 -5
package/dist/server/poll.js.map +1 -1
package/dist/server/request-context.d.ts +8 -0
package/dist/server/request-context.d.ts.map +1 -1
package/dist/server/request-context.js.map +1 -1
package/dist/shared/index.d.ts +2 -0
package/dist/shared/index.d.ts.map +1 -1
package/dist/shared/index.js +2 -0
package/dist/shared/index.js.map +1 -1
package/dist/shared/llm-connection.d.ts +10 -0
package/dist/shared/llm-connection.d.ts.map +1 -0
package/dist/shared/llm-connection.js +29 -0
package/dist/shared/llm-connection.js.map +1 -0
package/dist/shared/workspace-app-audience.d.ts +25 -0
package/dist/shared/workspace-app-audience.d.ts.map +1 -0
package/dist/shared/workspace-app-audience.js +126 -0
package/dist/shared/workspace-app-audience.js.map +1 -0
package/dist/shared/workspace-app-id.d.ts +1 -1
package/dist/shared/workspace-app-id.d.ts.map +1 -1
package/dist/shared/workspace-app-id.js +1 -0
package/dist/shared/workspace-app-id.js.map +1 -1
package/dist/sharing/access.d.ts.map +1 -1
package/dist/sharing/access.js +46 -5
package/dist/sharing/access.js.map +1 -1
package/dist/sharing/actions/list-resource-shares.d.ts.map +1 -1
package/dist/sharing/actions/list-resource-shares.js +8 -1
package/dist/sharing/actions/list-resource-shares.js.map +1 -1
package/dist/sharing/actions/set-resource-visibility.d.ts.map +1 -1
package/dist/sharing/actions/set-resource-visibility.js +12 -3
package/dist/sharing/actions/set-resource-visibility.js.map +1 -1
package/dist/sharing/actions/share-resource.d.ts.map +1 -1
package/dist/sharing/actions/share-resource.js +50 -1
package/dist/sharing/actions/share-resource.js.map +1 -1
package/dist/sharing/registry.d.ts +26 -0
package/dist/sharing/registry.d.ts.map +1 -1
package/dist/sharing/registry.js.map +1 -1
package/dist/styles/agent-native.css +91 -0
package/dist/templates/default/.agents/skills/adding-a-feature/SKILL.md +72 -0
package/dist/templates/default/.agents/skills/frontend-design/SKILL.md +60 -37
package/dist/templates/default/.agents/skills/real-time-sync/SKILL.md +28 -17
package/dist/templates/default/.agents/skills/shadcn-ui/SKILL.md +79 -0
package/dist/templates/default/AGENTS.md +22 -19
package/dist/templates/default/actions/navigate.ts +3 -0
package/dist/templates/default/app/hooks/use-navigation-state.ts +29 -5
package/dist/templates/workspace-core/.agents/skills/a2a-protocol/SKILL.md +251 -0
package/dist/templates/workspace-core/.agents/skills/actions/SKILL.md +264 -0
package/dist/templates/workspace-core/.agents/skills/adding-a-feature/SKILL.md +130 -0
package/dist/templates/workspace-core/.agents/skills/address-feedback/SKILL.md +112 -0
package/dist/templates/workspace-core/.agents/skills/authentication/SKILL.md +88 -0
package/dist/templates/workspace-core/.agents/skills/automations/SKILL.md +191 -0
package/dist/templates/workspace-core/.agents/skills/capture-learnings/SKILL.md +74 -0
package/dist/templates/workspace-core/.agents/skills/client-side-routing/SKILL.md +75 -0
package/dist/templates/workspace-core/.agents/skills/context-awareness/SKILL.md +190 -0
package/dist/templates/workspace-core/.agents/skills/create-skill/SKILL.md +168 -0
package/dist/templates/workspace-core/.agents/skills/delegate-to-agent/SKILL.md +163 -0
package/dist/templates/workspace-core/.agents/skills/extension-points/SKILL.md +205 -0
package/dist/templates/workspace-core/.agents/skills/extensions/SKILL.md +720 -0
package/dist/templates/workspace-core/.agents/skills/frontend-design/SKILL.md +92 -0
package/dist/templates/workspace-core/.agents/skills/integration-webhooks/SKILL.md +285 -0
package/dist/templates/workspace-core/.agents/skills/observability/SKILL.md +192 -0
package/dist/templates/workspace-core/.agents/skills/onboarding/SKILL.md +43 -0
package/dist/templates/workspace-core/.agents/skills/portability/SKILL.md +84 -0
package/dist/templates/workspace-core/.agents/skills/qa/SKILL.md +313 -0
package/dist/templates/workspace-core/.agents/skills/real-time-collab/SKILL.md +112 -0
package/dist/templates/workspace-core/.agents/skills/real-time-sync/SKILL.md +165 -0
package/dist/templates/workspace-core/.agents/skills/recurring-jobs/SKILL.md +41 -0
package/dist/templates/workspace-core/.agents/skills/secrets/SKILL.md +239 -0
package/dist/templates/workspace-core/.agents/skills/security/SKILL.md +191 -0
package/dist/templates/workspace-core/.agents/skills/self-modifying-code/SKILL.md +79 -0
package/dist/templates/workspace-core/.agents/skills/server-plugins/SKILL.md +73 -0
package/dist/templates/workspace-core/.agents/skills/shadcn-ui/SKILL.md +79 -0
package/dist/templates/workspace-core/.agents/skills/sharing/SKILL.md +217 -0
package/dist/templates/workspace-core/.agents/skills/storing-data/SKILL.md +132 -0
package/dist/templates/workspace-core/.agents/skills/tracking/SKILL.md +150 -0
package/dist/templates/workspace-core/.agents/skills/voice-transcription/SKILL.md +124 -0
package/dist/templates/workspace-core/AGENTS.md +16 -1
package/dist/templates/workspace-root/AGENTS.md +35 -0
package/dist/templates/workspace-root/README.md +7 -0
package/dist/tools/actions.d.ts +3 -0
package/dist/tools/actions.d.ts.map +1 -0
package/dist/tools/actions.js +272 -0
package/dist/tools/actions.js.map +1 -0
package/dist/tools/fetch-tool.d.ts +23 -0
package/dist/tools/fetch-tool.d.ts.map +1 -0
package/dist/tools/fetch-tool.js +178 -0
package/dist/tools/fetch-tool.js.map +1 -0
package/dist/tools/html-shell.d.ts +45 -0
package/dist/tools/html-shell.d.ts.map +1 -0
package/dist/tools/html-shell.js +514 -0
package/dist/tools/html-shell.js.map +1 -0
package/dist/tools/proxy-security.d.ts +12 -0
package/dist/tools/proxy-security.d.ts.map +1 -0
package/dist/tools/proxy-security.js +158 -0
package/dist/tools/proxy-security.js.map +1 -0
package/dist/tools/routes.d.ts +2 -0
package/dist/tools/routes.d.ts.map +1 -0
package/dist/tools/routes.js +627 -0
package/dist/tools/routes.js.map +1 -0
package/dist/tools/schema.d.ts +664 -0
package/dist/tools/schema.d.ts.map +1 -0
package/dist/tools/schema.js +146 -0
package/dist/tools/schema.js.map +1 -0
package/dist/tools/slots/routes.d.ts +15 -0
package/dist/tools/slots/routes.d.ts.map +1 -0
package/dist/tools/slots/routes.js +94 -0
package/dist/tools/slots/routes.js.map +1 -0
package/dist/tools/slots/schema.d.ts +303 -0
package/dist/tools/slots/schema.d.ts.map +1 -0
package/dist/tools/slots/schema.js +76 -0
package/dist/tools/slots/schema.js.map +1 -0
package/dist/tools/slots/store.d.ts +66 -0
package/dist/tools/slots/store.d.ts.map +1 -0
package/dist/tools/slots/store.js +227 -0
package/dist/tools/slots/store.js.map +1 -0
package/dist/tools/store.d.ts +40 -0
package/dist/tools/store.d.ts.map +1 -0
package/dist/tools/store.js +193 -0
package/dist/tools/store.js.map +1 -0
package/dist/tools/theme.d.ts +2 -0
package/dist/tools/theme.d.ts.map +1 -0
package/dist/tools/theme.js +67 -0
package/dist/tools/theme.js.map +1 -0
package/dist/tools/url-safety.d.ts +24 -0
package/dist/tools/url-safety.d.ts.map +1 -0
package/dist/tools/url-safety.js +224 -0
package/dist/tools/url-safety.js.map +1 -0
package/dist/vite/action-types-plugin.d.ts.map +1 -1
package/dist/vite/action-types-plugin.js +4 -0
package/dist/vite/action-types-plugin.js.map +1 -1
package/docs/content/authentication.md +36 -0
package/docs/content/creating-templates.md +15 -0
package/docs/content/dispatch.md +3 -3
package/docs/content/multi-app-workspace.md +5 -0
package/docs/content/tracking.md +12 -0
package/docs/content/workspace-management.md +39 -4
package/package.json +15 -12
package/src/templates/default/.agents/skills/adding-a-feature/SKILL.md +72 -0
package/src/templates/default/.agents/skills/frontend-design/SKILL.md +60 -37
package/src/templates/default/.agents/skills/real-time-sync/SKILL.md +28 -17
package/src/templates/default/.agents/skills/shadcn-ui/SKILL.md +79 -0
package/src/templates/default/AGENTS.md +22 -19
package/src/templates/default/actions/navigate.ts +3 -0
package/src/templates/default/app/hooks/use-navigation-state.ts +29 -5
package/src/templates/workspace-core/.agents/skills/a2a-protocol/SKILL.md +251 -0
package/src/templates/workspace-core/.agents/skills/actions/SKILL.md +264 -0
package/src/templates/workspace-core/.agents/skills/adding-a-feature/SKILL.md +130 -0
package/src/templates/workspace-core/.agents/skills/address-feedback/SKILL.md +112 -0
package/src/templates/workspace-core/.agents/skills/authentication/SKILL.md +88 -0
package/src/templates/workspace-core/.agents/skills/automations/SKILL.md +191 -0
package/src/templates/workspace-core/.agents/skills/capture-learnings/SKILL.md +74 -0
package/src/templates/workspace-core/.agents/skills/client-side-routing/SKILL.md +75 -0
package/src/templates/workspace-core/.agents/skills/context-awareness/SKILL.md +190 -0
package/src/templates/workspace-core/.agents/skills/create-skill/SKILL.md +168 -0
package/src/templates/workspace-core/.agents/skills/delegate-to-agent/SKILL.md +163 -0
package/src/templates/workspace-core/.agents/skills/extension-points/SKILL.md +205 -0
package/src/templates/workspace-core/.agents/skills/extensions/SKILL.md +720 -0
package/src/templates/workspace-core/.agents/skills/frontend-design/SKILL.md +92 -0
package/src/templates/workspace-core/.agents/skills/integration-webhooks/SKILL.md +285 -0
package/src/templates/workspace-core/.agents/skills/observability/SKILL.md +192 -0
package/src/templates/workspace-core/.agents/skills/onboarding/SKILL.md +43 -0
package/src/templates/workspace-core/.agents/skills/portability/SKILL.md +84 -0
package/src/templates/workspace-core/.agents/skills/qa/SKILL.md +313 -0
package/src/templates/workspace-core/.agents/skills/real-time-collab/SKILL.md +112 -0
package/src/templates/workspace-core/.agents/skills/real-time-sync/SKILL.md +165 -0
package/src/templates/workspace-core/.agents/skills/recurring-jobs/SKILL.md +41 -0
package/src/templates/workspace-core/.agents/skills/secrets/SKILL.md +239 -0
package/src/templates/workspace-core/.agents/skills/security/SKILL.md +191 -0
package/src/templates/workspace-core/.agents/skills/self-modifying-code/SKILL.md +79 -0
package/src/templates/workspace-core/.agents/skills/server-plugins/SKILL.md +73 -0
package/src/templates/workspace-core/.agents/skills/shadcn-ui/SKILL.md +79 -0
package/src/templates/workspace-core/.agents/skills/sharing/SKILL.md +217 -0
package/src/templates/workspace-core/.agents/skills/storing-data/SKILL.md +132 -0
package/src/templates/workspace-core/.agents/skills/tracking/SKILL.md +150 -0
package/src/templates/workspace-core/.agents/skills/voice-transcription/SKILL.md +124 -0
package/src/templates/workspace-core/AGENTS.md +16 -1
package/src/templates/workspace-root/AGENTS.md +35 -0
package/src/templates/workspace-root/README.md +7 -0

package/dist/tools/fetch-tool.js ADDED Viewed

@@ -0,0 +1,178 @@
+/**
+ * Fetch tool — outbound HTTP for automations and agent use.
+ *
+ * Supports ${keys.NAME} reference substitution in URL, headers, and body.
+ * Values are resolved server-side AFTER the model emits the tool call —
+ * the raw secret never enters the model's context.
+ */
+import { collectSecretValues, MAX_TOOL_PROXY_RESPONSE_SIZE, normalizeToolProxyMethod, readResponseTextWithLimit, redactSecrets, redactString, sanitizeOutboundHeaders, } from "./proxy-security.js";
+import { isBlockedToolUrlWithDns } from "./url-safety.js";
+const DEFAULT_TIMEOUT_MS = 15_000;
+/**
+ * Create the fetch tool entry for the agent tool registry.
+ */
+export function createFetchToolEntry(opts = {}) {
+    return {
+        "web-request": {
+            tool: {
+                description: `Make an outbound HTTP request to EXTERNAL APIs, webhooks, and services only. Supports \${keys.NAME} placeholders in url, headers, and body — these are resolved server-side from the user's saved keys (the raw value never enters your context). Example: \${keys.SLACK_WEBHOOK} in the url field. IMPORTANT: Never use this to call internal /_agent-native/ endpoints or localhost action URLs — use the registered action tools directly (e.g. \`log-meal\`, \`bigquery\`, \`hubspot-deals\`). Actions are already available as native tools; calling them via HTTP is slower and bypasses validation.`,
+                parameters: {
+                    type: "object",
+                    properties: {
+                        url: {
+                            type: "string",
+                            description: 'Full URL. May contain ${keys.NAME} references, e.g. "${keys.SLACK_WEBHOOK}".',
+                        },
+                        method: {
+                            type: "string",
+                            description: "HTTP method. Default: GET.",
+                            enum: ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD"],
+                        },
+                        headers: {
+                            type: "string",
+                            description: 'JSON object of headers. May contain ${keys.NAME} references. Example: \'{"Authorization": "Bearer ${keys.API_TOKEN}"}\'.',
+                        },
+                        body: {
+                            type: "string",
+                            description: "Request body (for POST/PUT/PATCH). May contain ${keys.NAME} references.",
+                        },
+                        timeout_ms: {
+                            type: "number",
+                            description: `Timeout in milliseconds. Default: ${DEFAULT_TIMEOUT_MS}. Max: 30000.`,
+                        },
+                    },
+                    required: ["url"],
+                },
+            },
+            run: async (args) => {
+                const startTime = Date.now();
+                const rawUrl = args.url;
+                const method = normalizeToolProxyMethod(args.method || "GET");
+                if (!method) {
+                    return "Unsupported HTTP method. Allowed methods: GET, POST, PUT, PATCH, DELETE, HEAD.";
+                }
+                const rawHeaders = args.headers || "{}";
+                const rawBody = args.body;
+                const timeoutMs = Math.min(Number(args.timeout_ms) || DEFAULT_TIMEOUT_MS, 30_000);
+                // Resolve key references
+                let resolvedUrl = rawUrl;
+                let resolvedHeaders = rawHeaders;
+                let resolvedBody = rawBody;
+                const allUsedKeys = [];
+                const allSecretValues = [];
+                if (opts.resolveKeys) {
+                    try {
+                        const urlResult = await opts.resolveKeys(rawUrl);
+                        resolvedUrl = urlResult.resolved;
+                        allUsedKeys.push(...urlResult.usedKeys);
+                        allSecretValues.push(...(urlResult.secretValues ?? []));
+                        const headerResult = await opts.resolveKeys(rawHeaders);
+                        resolvedHeaders = headerResult.resolved;
+                        allUsedKeys.push(...headerResult.usedKeys);
+                        allSecretValues.push(...(headerResult.secretValues ?? []));
+                        if (rawBody) {
+                            const bodyResult = await opts.resolveKeys(rawBody);
+                            resolvedBody = bodyResult.resolved;
+                            allUsedKeys.push(...bodyResult.usedKeys);
+                            allSecretValues.push(...(bodyResult.secretValues ?? []));
+                        }
+                    }
+                    catch (err) {
+                        return `Error resolving key references: ${err?.message ?? err}`;
+                    }
+                }
+                const secretValues = collectSecretValues(allSecretValues);
+                // Block SSRF targets regardless of key usage
+                if (await isBlockedToolUrlWithDns(resolvedUrl)) {
+                    return `Requests to private/internal addresses are not allowed: "${rawUrl}".`;
+                }
+                // Validate URL against per-key allowlists
+                if (opts.validateUrl && allUsedKeys.length > 0) {
+                    try {
+                        const allowed = await opts.validateUrl(resolvedUrl, allUsedKeys);
+                        if (!allowed) {
+                            return `URL "${rawUrl}" is not in the allowlist for the referenced keys. Check your key settings.`;
+                        }
+                    }
+                    catch (err) {
+                        return `URL validation error: ${err?.message ?? err}`;
+                    }
+                }
+                // Parse headers
+                let headers;
+                try {
+                    headers = sanitizeOutboundHeaders(JSON.parse(resolvedHeaders));
+                }
+                catch {
+                    return `Invalid headers JSON: ${rawHeaders}`;
+                }
+                // Make the request
+                const controller = new AbortController();
+                const timeout = setTimeout(() => controller.abort(), timeoutMs);
+                try {
+                    const fetchOpts = {
+                        method,
+                        headers,
+                        signal: controller.signal,
+                        redirect: "manual",
+                    };
+                    if (resolvedBody && ["POST", "PUT", "PATCH"].includes(method)) {
+                        fetchOpts.body = resolvedBody;
+                        if (!headers["content-type"] && !headers["Content-Type"]) {
+                            headers["Content-Type"] = "application/json";
+                        }
+                    }
+                    const response = await fetch(resolvedUrl, fetchOpts);
+                    const elapsed = Date.now() - startTime;
+                    if (response.status >= 300 && response.status < 400) {
+                        const location = response.headers.get("location");
+                        const redirectUrl = location
+                            ? new URL(location, resolvedUrl).href
+                            : null;
+                        if (redirectUrl && (await isBlockedToolUrlWithDns(redirectUrl))) {
+                            return "Redirect to private/internal address blocked.";
+                        }
+                        if (redirectUrl && opts.validateUrl && allUsedKeys.length > 0) {
+                            const allowed = await opts.validateUrl(redirectUrl, allUsedKeys);
+                            if (!allowed) {
+                                return "Redirect URL is not in the allowlist for the referenced keys.";
+                            }
+                        }
+                        return `HTTP ${response.status} ${response.statusText}\n\nRedirect: ${redirectUrl ? redactString(redirectUrl, secretValues) : "(none)"}`;
+                    }
+                    let body;
+                    try {
+                        const result = await readResponseTextWithLimit(response, MAX_TOOL_PROXY_RESPONSE_SIZE);
+                        body = result.text;
+                    }
+                    catch {
+                        body = "(could not read response body)";
+                    }
+                    body = redactString(body, secretValues);
+                    // Truncate very long responses for the agent
+                    if (body.length > 8000) {
+                        body = body.slice(0, 8000) + "\n... (truncated)";
+                    }
+                    // Audit log
+                    console.log(`[fetch-tool] ${method} ${rawUrl} → ${response.status} (${elapsed}ms, keys: ${allUsedKeys.join(",") || "none"})`);
+                    return `HTTP ${response.status} ${response.statusText}\n\n${body}`;
+                }
+                catch (err) {
+                    const elapsed = Date.now() - startTime;
+                    if (err?.name === "AbortError") {
+                        console.log(`[fetch-tool] ${method} ${rawUrl} → TIMEOUT (${elapsed}ms)`);
+                        return `Request timed out after ${timeoutMs}ms.`;
+                    }
+                    const message = redactSecrets(err?.message ?? String(err), secretValues);
+                    console.log(`[fetch-tool] ${method} ${rawUrl} → ERROR: ${message} (${elapsed}ms)`);
+                    return `Request failed: ${message}`;
+                }
+                finally {
+                    clearTimeout(timeout);
+                }
+            },
+            readOnly: true,
+        },
+    };
+}
+//# sourceMappingURL=fetch-tool.js.map

package/dist/tools/fetch-tool.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"fetch-tool.js","sourceRoot":"","sources":["../../src/tools/fetch-tool.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EACL,mBAAmB,EACnB,4BAA4B,EAC5B,wBAAwB,EACxB,yBAAyB,EACzB,aAAa,EACb,YAAY,EACZ,uBAAuB,GACxB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE1D,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAalC;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAyB,EAAE;IAE3B,OAAO;QACL,aAAa,EAAE;YACb,IAAI,EAAE;gBACJ,WAAW,EAAE,4kBAA4kB;gBACzlB,UAAU,EAAE;oBACV,IAAI,EAAE,QAAiB;oBACvB,UAAU,EAAE;wBACV,GAAG,EAAE;4BACH,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,8EAA8E;yBACjF;wBACD,MAAM,EAAE;4BACN,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,4BAA4B;4BACzC,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC;yBACxD;wBACD,OAAO,EAAE;4BACP,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,0HAA0H;yBAC7H;wBACD,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,yEAAyE;yBAC5E;wBACD,UAAU,EAAE;4BACV,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,qCAAqC,kBAAkB,eAAe;yBACpF;qBACF;oBACD,QAAQ,EAAE,CAAC,KAAK,CAAC;iBAClB;aACF;YACD,GAAG,EAAE,KAAK,EAAE,IAA4B,EAAE,EAAE;gBAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;gBAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC;gBACxB,MAAM,MAAM,GAAG,wBAAwB,CAAC,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC;gBAC9D,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,OAAO,gFAAgF,CAAC;gBAC1F,CAAC;gBACD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC;gBACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC;gBAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CACxB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,kBAAkB,EAC7C,MAAM,CACP,CAAC;gBAEF,yBAAyB;gBACzB,IAAI,WAAW,GAAG,MAAM,CAAC;gBACzB,IAAI,eAAe,GAAG,UAAU,CAAC;gBACjC,IAAI,YAAY,GAAG,OAAO,CAAC;gBAC3B,MAAM,WAAW,GAAa,EAAE,CAAC;gBACjC,MAAM,eAAe,GAAa,EAAE,CAAC;gBAErC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;oBACrB,IAAI,CAAC;wBACH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;wBACjD,WAAW,GAAG,SAAS,CAAC,QAAQ,CAAC;wBACjC,WAAW,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;wBACxC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC;wBAExD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;wBACxD,eAAe,GAAG,YAAY,CAAC,QAAQ,CAAC;wBACxC,WAAW,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;wBAC3C,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC;wBAE3D,IAAI,OAAO,EAAE,CAAC;4BACZ,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;4BACnD,YAAY,GAAG,UAAU,CAAC,QAAQ,CAAC;4BACnC,WAAW,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;4BACzC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,CAAC;wBAC3D,CAAC;oBACH,CAAC;oBAAC,OAAO,GAAQ,EAAE,CAAC;wBAClB,OAAO,mCAAmC,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC;oBAClE,CAAC;gBACH,CAAC;gBACD,MAAM,YAAY,GAAG,mBAAmB,CAAC,eAAe,CAAC,CAAC;gBAE1D,6CAA6C;gBAC7C,IAAI,MAAM,uBAAuB,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC/C,OAAO,4DAA4D,MAAM,IAAI,CAAC;gBAChF,CAAC;gBAED,0CAA0C;gBAC1C,IAAI,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC/C,IAAI,CAAC;wBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;wBACjE,IAAI,CAAC,OAAO,EAAE,CAAC;4BACb,OAAO,QAAQ,MAAM,6EAA6E,CAAC;wBACrG,CAAC;oBACH,CAAC;oBAAC,OAAO,GAAQ,EAAE,CAAC;wBAClB,OAAO,yBAAyB,GAAG,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC;oBACxD,CAAC;gBACH,CAAC;gBAED,gBAAgB;gBAChB,IAAI,OAA+B,CAAC;gBACpC,IAAI,CAAC;oBACH,OAAO,GAAG,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;gBACjE,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,yBAAyB,UAAU,EAAE,CAAC;gBAC/C,CAAC;gBAED,mBAAmB;gBACnB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;gBACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;gBAEhE,IAAI,CAAC;oBACH,MAAM,SAAS,GAAgB;wBAC7B,MAAM;wBACN,OAAO;wBACP,MAAM,EAAE,UAAU,CAAC,MAAM;wBACzB,QAAQ,EAAE,QAAQ;qBACnB,CAAC;oBACF,IAAI,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;wBAC9D,SAAS,CAAC,IAAI,GAAG,YAAY,CAAC;wBAC9B,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;4BACzD,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;wBAC/C,CAAC;oBACH,CAAC;oBAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;oBACrD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;oBAEvC,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;wBACpD,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;wBAClD,MAAM,WAAW,GAAG,QAAQ;4BAC1B,CAAC,CAAC,IAAI,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC,IAAI;4BACrC,CAAC,CAAC,IAAI,CAAC;wBACT,IAAI,WAAW,IAAI,CAAC,MAAM,uBAAuB,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;4BAChE,OAAO,+CAA+C,CAAC;wBACzD,CAAC;wBACD,IAAI,WAAW,IAAI,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;4BAC9D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;4BACjE,IAAI,CAAC,OAAO,EAAE,CAAC;gCACb,OAAO,+DAA+D,CAAC;4BACzE,CAAC;wBACH,CAAC;wBACD,OAAO,QAAQ,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,iBACnD,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,EAAE,YAAY,CAAC,CAAC,CAAC,CAAC,QAC1D,EAAE,CAAC;oBACL,CAAC;oBAED,IAAI,IAAY,CAAC;oBACjB,IAAI,CAAC;wBACH,MAAM,MAAM,GAAG,MAAM,yBAAyB,CAC5C,QAAQ,EACR,4BAA4B,CAC7B,CAAC;wBACF,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;oBACrB,CAAC;oBAAC,MAAM,CAAC;wBACP,IAAI,GAAG,gCAAgC,CAAC;oBAC1C,CAAC;oBACD,IAAI,GAAG,YAAY,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;oBAExC,6CAA6C;oBAC7C,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;wBACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,mBAAmB,CAAC;oBACnD,CAAC;oBAED,YAAY;oBACZ,OAAO,CAAC,GAAG,CACT,gBAAgB,MAAM,IAAI,MAAM,MAAM,QAAQ,CAAC,MAAM,KAAK,OAAO,aAAa,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,MAAM,GAAG,CACjH,CAAC;oBAEF,OAAO,QAAQ,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,OAAO,IAAI,EAAE,CAAC;gBACrE,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;oBACvC,IAAI,GAAG,EAAE,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC/B,OAAO,CAAC,GAAG,CACT,gBAAgB,MAAM,IAAI,MAAM,eAAe,OAAO,KAAK,CAC5D,CAAC;wBACF,OAAO,2BAA2B,SAAS,KAAK,CAAC;oBACnD,CAAC;oBACD,MAAM,OAAO,GAAG,aAAa,CAC3B,GAAG,EAAE,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,EAC3B,YAAY,CACb,CAAC;oBACF,OAAO,CAAC,GAAG,CACT,gBAAgB,MAAM,IAAI,MAAM,aAAa,OAAO,KAAK,OAAO,KAAK,CACtE,CAAC;oBACF,OAAO,mBAAmB,OAAO,EAAE,CAAC;gBACtC,CAAC;wBAAS,CAAC;oBACT,YAAY,CAAC,OAAO,CAAC,CAAC;gBACxB,CAAC;YACH,CAAC;YACD,QAAQ,EAAE,IAAI;SACf;KACF,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Fetch tool — outbound HTTP for automations and agent use.\n *\n * Supports ${keys.NAME} reference substitution in URL, headers, and body.\n * Values are resolved server-side AFTER the model emits the tool call —\n * the raw secret never enters the model's context.\n */\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport {\n collectSecretValues,\n MAX_TOOL_PROXY_RESPONSE_SIZE,\n normalizeToolProxyMethod,\n readResponseTextWithLimit,\n redactSecrets,\n redactString,\n sanitizeOutboundHeaders,\n} from \"./proxy-security.js\";\nimport { isBlockedToolUrlWithDns } from \"./url-safety.js\";\n\nconst DEFAULT_TIMEOUT_MS = 15_000;\n\nexport interface FetchToolOptions {\n /** Resolve ${keys.NAME} references. Injected by the plugin at setup time. */\n resolveKeys?: (text: string) => Promise<{\n resolved: string;\n usedKeys: string[];\n secretValues?: string[];\n }>;\n /** Validate URL against per-key allowlists. */\n validateUrl?: (url: string, usedKeys: string[]) => Promise<boolean>;\n}\n\n/**\n * Create the fetch tool entry for the agent tool registry.\n */\nexport function createFetchToolEntry(\n opts: FetchToolOptions = {},\n): Record<string, ActionEntry> {\n return {\n \"web-request\": {\n tool: {\n description: `Make an outbound HTTP request to EXTERNAL APIs, webhooks, and services only. Supports \\${keys.NAME} placeholders in url, headers, and body — these are resolved server-side from the user's saved keys (the raw value never enters your context). Example: \\${keys.SLACK_WEBHOOK} in the url field. IMPORTANT: Never use this to call internal /_agent-native/ endpoints or localhost action URLs — use the registered action tools directly (e.g. \\`log-meal\\`, \\`bigquery\\`, \\`hubspot-deals\\`). Actions are already available as native tools; calling them via HTTP is slower and bypasses validation.`,\n parameters: {\n type: \"object\" as const,\n properties: {\n url: {\n type: \"string\",\n description:\n 'Full URL. May contain ${keys.NAME} references, e.g. \"${keys.SLACK_WEBHOOK}\".',\n },\n method: {\n type: \"string\",\n description: \"HTTP method. Default: GET.\",\n enum: [\"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", \"HEAD\"],\n },\n headers: {\n type: \"string\",\n description:\n 'JSON object of headers. May contain ${keys.NAME} references. Example: \\'{\"Authorization\": \"Bearer ${keys.API_TOKEN}\"}\\'.',\n },\n body: {\n type: \"string\",\n description:\n \"Request body (for POST/PUT/PATCH). May contain ${keys.NAME} references.\",\n },\n timeout_ms: {\n type: \"number\",\n description: `Timeout in milliseconds. Default: ${DEFAULT_TIMEOUT_MS}. Max: 30000.`,\n },\n },\n required: [\"url\"],\n },\n },\n run: async (args: Record<string, string>) => {\n const startTime = Date.now();\n const rawUrl = args.url;\n const method = normalizeToolProxyMethod(args.method || \"GET\");\n if (!method) {\n return \"Unsupported HTTP method. Allowed methods: GET, POST, PUT, PATCH, DELETE, HEAD.\";\n }\n const rawHeaders = args.headers || \"{}\";\n const rawBody = args.body;\n const timeoutMs = Math.min(\n Number(args.timeout_ms) || DEFAULT_TIMEOUT_MS,\n 30_000,\n );\n\n // Resolve key references\n let resolvedUrl = rawUrl;\n let resolvedHeaders = rawHeaders;\n let resolvedBody = rawBody;\n const allUsedKeys: string[] = [];\n const allSecretValues: string[] = [];\n\n if (opts.resolveKeys) {\n try {\n const urlResult = await opts.resolveKeys(rawUrl);\n resolvedUrl = urlResult.resolved;\n allUsedKeys.push(...urlResult.usedKeys);\n allSecretValues.push(...(urlResult.secretValues ?? []));\n\n const headerResult = await opts.resolveKeys(rawHeaders);\n resolvedHeaders = headerResult.resolved;\n allUsedKeys.push(...headerResult.usedKeys);\n allSecretValues.push(...(headerResult.secretValues ?? []));\n\n if (rawBody) {\n const bodyResult = await opts.resolveKeys(rawBody);\n resolvedBody = bodyResult.resolved;\n allUsedKeys.push(...bodyResult.usedKeys);\n allSecretValues.push(...(bodyResult.secretValues ?? []));\n }\n } catch (err: any) {\n return `Error resolving key references: ${err?.message ?? err}`;\n }\n }\n const secretValues = collectSecretValues(allSecretValues);\n\n // Block SSRF targets regardless of key usage\n if (await isBlockedToolUrlWithDns(resolvedUrl)) {\n return `Requests to private/internal addresses are not allowed: \"${rawUrl}\".`;\n }\n\n // Validate URL against per-key allowlists\n if (opts.validateUrl && allUsedKeys.length > 0) {\n try {\n const allowed = await opts.validateUrl(resolvedUrl, allUsedKeys);\n if (!allowed) {\n return `URL \"${rawUrl}\" is not in the allowlist for the referenced keys. Check your key settings.`;\n }\n } catch (err: any) {\n return `URL validation error: ${err?.message ?? err}`;\n }\n }\n\n // Parse headers\n let headers: Record<string, string>;\n try {\n headers = sanitizeOutboundHeaders(JSON.parse(resolvedHeaders));\n } catch {\n return `Invalid headers JSON: ${rawHeaders}`;\n }\n\n // Make the request\n const controller = new AbortController();\n const timeout = setTimeout(() => controller.abort(), timeoutMs);\n\n try {\n const fetchOpts: RequestInit = {\n method,\n headers,\n signal: controller.signal,\n redirect: \"manual\",\n };\n if (resolvedBody && [\"POST\", \"PUT\", \"PATCH\"].includes(method)) {\n fetchOpts.body = resolvedBody;\n if (!headers[\"content-type\"] && !headers[\"Content-Type\"]) {\n headers[\"Content-Type\"] = \"application/json\";\n }\n }\n\n const response = await fetch(resolvedUrl, fetchOpts);\n const elapsed = Date.now() - startTime;\n\n if (response.status >= 300 && response.status < 400) {\n const location = response.headers.get(\"location\");\n const redirectUrl = location\n ? new URL(location, resolvedUrl).href\n : null;\n if (redirectUrl && (await isBlockedToolUrlWithDns(redirectUrl))) {\n return \"Redirect to private/internal address blocked.\";\n }\n if (redirectUrl && opts.validateUrl && allUsedKeys.length > 0) {\n const allowed = await opts.validateUrl(redirectUrl, allUsedKeys);\n if (!allowed) {\n return \"Redirect URL is not in the allowlist for the referenced keys.\";\n }\n }\n return `HTTP ${response.status} ${response.statusText}\\n\\nRedirect: ${\n redirectUrl ? redactString(redirectUrl, secretValues) : \"(none)\"\n }`;\n }\n\n let body: string;\n try {\n const result = await readResponseTextWithLimit(\n response,\n MAX_TOOL_PROXY_RESPONSE_SIZE,\n );\n body = result.text;\n } catch {\n body = \"(could not read response body)\";\n }\n body = redactString(body, secretValues);\n\n // Truncate very long responses for the agent\n if (body.length > 8000) {\n body = body.slice(0, 8000) + \"\\n... (truncated)\";\n }\n\n // Audit log\n console.log(\n `[fetch-tool] ${method} ${rawUrl} → ${response.status} (${elapsed}ms, keys: ${allUsedKeys.join(\",\") || \"none\"})`,\n );\n\n return `HTTP ${response.status} ${response.statusText}\\n\\n${body}`;\n } catch (err: any) {\n const elapsed = Date.now() - startTime;\n if (err?.name === \"AbortError\") {\n console.log(\n `[fetch-tool] ${method} ${rawUrl} → TIMEOUT (${elapsed}ms)`,\n );\n return `Request timed out after ${timeoutMs}ms.`;\n }\n const message = redactSecrets(\n err?.message ?? String(err),\n secretValues,\n );\n console.log(\n `[fetch-tool] ${method} ${rawUrl} → ERROR: ${message} (${elapsed}ms)`,\n );\n return `Request failed: ${message}`;\n } finally {\n clearTimeout(timeout);\n }\n },\n readOnly: true,\n },\n };\n}\n"]}

package/dist/tools/html-shell.d.ts ADDED Viewed

@@ -0,0 +1,45 @@
+export declare const TOOL_IFRAME_CSP = "default-src 'none'; script-src 'self' https://cdn.jsdelivr.net 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; font-src https://fonts.gstatic.com; connect-src 'self'; img-src 'self' data: blob:; media-src 'self' data: blob:; frame-src 'none'; object-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'self';";
+export declare const TOOL_IFRAME_META_CSP: string;
+/**
+ * SECURITY — TOOL CONTENT IS UNTRUSTED.
+ *
+ * `${content}` (line ~Body) interpolates raw HTML/JS authored by a user. This
+ * file is the boundary between framework-controlled HTML and user-controlled
+ * HTML. Two non-negotiable invariants for every change here:
+ *
+ *   1. The iframe MUST be rendered with a `sandbox` attribute that does NOT
+ *      include `allow-same-origin`. The viewer (`ToolViewer.tsx`,
+ *      `EmbeddedTool.tsx`) sets `sandbox="allow-scripts allow-forms"` — and
+ *      that is the only acceptable shape. Adding `allow-same-origin` would
+ *      give the tool full DOM access to the parent window via cross-frame
+ *      script.
+ *
+ *   2. Every reachable parent action must treat the postMessage payload as
+ *      hostile. The bridge in `iframe-bridge.ts` enforces a path allowlist,
+ *      header sanitization, and method allowlist; do not relax those gates
+ *      for "convenience" in this file or any caller.
+ *
+ * For the trust model rationale, see audit 05-tools-sandbox.md (C1) and the
+ * `tools` skill. When in doubt, fail closed.
+ */
+export interface ToolRenderBinding {
+    /** Email of the user who authored / owns the tool. */
+    authorEmail: string;
+    /** Email of the user currently viewing/running the tool. */
+    viewerEmail: string;
+    /** True when viewer === author. */
+    isAuthor: boolean;
+    /**
+     * Resolved role for the viewer ("owner" | "admin" | "editor" | "viewer").
+     *
+     * TODO(security, audit H4): the host-side bridge does not yet gate any
+     * helper based on this value — every viewer gets the same powers as the
+     * author. The role is plumbed through so a follow-up PR can constrain
+     * `appAction` / `dbExec` / `toolFetch` for non-author viewers (and
+     * eventually require an explicit consent step before running a shared
+     * tool, audit C1). For now this is metadata only.
+     */
+    role: "owner" | "admin" | "editor" | "viewer";
+}
+export declare function buildToolHtml(content: string, themeVars: string, isDark: boolean, toolId?: string, binding?: ToolRenderBinding): string;
+//# sourceMappingURL=html-shell.d.ts.map

package/dist/tools/html-shell.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"html-shell.d.ts","sourceRoot":"","sources":["../../src/tools/html-shell.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,eAAe,8YACiX,CAAC;AAE9Y,eAAO,MAAM,oBAAoB,QAGhC,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,MAAM,WAAW,iBAAiB;IAChC,sDAAsD;IACtD,WAAW,EAAE,MAAM,CAAC;IACpB,4DAA4D;IAC5D,WAAW,EAAE,MAAM,CAAC;IACpB,mCAAmC;IACnC,QAAQ,EAAE,OAAO,CAAC;IAClB;;;;;;;;;OASG;IACH,IAAI,EAAE,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC;CAC/C;AAED,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,OAAO,EACf,MAAM,CAAC,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,iBAAiB,GAC1B,MAAM,CA0fR"}