@agent-native/core 0.18.1 → 0.19.0

package/dist/server/identity-sso.js

@@ -0,0 +1,425 @@
+/**
+ * Cross-app SSO ("Sign in with Agent-Native") — the CLIENT side.
+ *
+ * Each hosted `*.agent-native.com` app has its OWN Better Auth user store
+ * (a separate database per app). This module lets an app federate sign-in to
+ * an identity authority (Dispatch) so a user logged in there can land in this
+ * app without re-entering credentials.
+ *
+ * Opt-in, OFF by default, fully reversible. Everything here is gated on the
+ * single env var `AGENT_NATIVE_IDENTITY_HUB_URL`:
+ *
+ *   - UNSET  → `isIdentitySsoEnabled()` is false. The route handler 404s, the
+ *     auth-guard bypass does not apply, and the login page renders no SSO
+ *     button. Existing auth is byte-for-byte unchanged.
+ *   - SET    (e.g. `https://dispatch.agent-native.com`) → two routes mount:
+ *       GET /_agent-native/identity/login
+ *         302 → `<HUB>/_agent-native/identity/authorize?app=<id>
+ *                 &redirect_uri=<thisOrigin>/_agent-native/identity/callback
+ *                 &state=<single-use CSRF state>`
+ *       GET /_agent-native/identity/callback?token=<jwt>&state=<state>
+ *         Verifies the hub-issued identity JWT (HS256 over the SHARED A2A
+ *         secret — the exact verify path A2A / MCP `verifyAuth` use), checks
+ *         `scope:"identity"`, `exp`, single-use CSRF `state`, and (best
+ *         effort) `jti` replay, then JIT-links the verified email into this
+ *         app's local Better Auth store and mints a normal framework session
+ *         the SAME way the Google OAuth callback does.
+ *
+ * Crypto reuse: the hub signs with `jose.SignJWT(...).sign(A2A_SECRET)` (the
+ * existing `signA2AToken` builder). We verify with the identical
+ * `jose.jwtVerify(token, A2A_SECRET)` call `mcp/build-server.ts#verifyAuth`
+ * uses — no new crypto, no new keys.
+ *
+ * Session reuse: a NEW email is created via `auth.api.signUpEmail` — the
+ * exact Better Auth signup path `maybeAutoCreateDevSession` already uses, so
+ * the adapter creates the `user` (+ adapter-managed credential `account`)
+ * row schema-correctly and the normal `databaseHooks.user.create.after`
+ * (org auto-join, analytics) fires. The framework session is then minted via
+ * `createOAuthSession` — the literal Google-OAuth session-mint path
+ * (`addSession` + `setFrameworkSessionCookie`). An EXISTING email is never
+ * mutated: we only ADD an inert federated-provider `account` row (if absent)
+ * and mint the same framework session. Removing the env returns the app to
+ * its prior auth with no residue.
+ */
+import { getMethod } from "h3";
+import * as jose from "jose";
+import { createHash } from "node:crypto";
+import { getBetterAuth, getBetterAuthInternalAdapter, } from "./better-auth-instance.js";
+import { getSession, safeReturnPath, isExpectedAuthFailure } from "./auth.js";
+import { createOAuthSession, getOrigin } from "./google-oauth.js";
+import { getAppName } from "./app-name.js";
+import { createSsoState, consumeSsoState, isJtiReplayed, getIdentityHubUrl, isIdentitySsoEnabled, identitySsoLoginButtonHtml, } from "./identity-sso-store.js";
+export { getIdentityHubUrl, isIdentitySsoEnabled, identitySsoLoginButtonHtml };
+/**
+ * The provider id recorded on the additive `account` row we link for an
+ * EXISTING local user. Must match the value the Dispatch authority agent
+ * expects to interoperate with — documented in the report so the two sides
+ * stay in sync. Inert when this provider is unused, so removing the env var
+ * leaves no behavioural residue.
+ */
+export const IDENTITY_SSO_PROVIDER_ID = "agent-native";
+/**
+ * The JWT `scope` claim the hub MUST set on the identity token. The callback
+ * rejects any token whose `scope` is not exactly this value, so an A2A
+ * delegation JWT (no scope, or `scope:"mcp-connect"`) can never be replayed
+ * as an identity assertion.
+ */
+export const IDENTITY_SSO_SCOPE = "identity";
+/** Identity tokens older than this are rejected even if `exp` is generous. */
+const MAX_TOKEN_AGE_SECONDS = 10 * 60;
+/**
+ * A stable id for THIS app, sent to the hub as `?app=` so the authority can
+ * record / display which app requested sign-in. Best-effort, non-secret,
+ * never trusted for identity. Falls back to the request host.
+ */
+function resolveAppId(event) {
+    const configured = process.env.AGENT_NATIVE_APP_ID?.trim() ||
+        process.env.AGENT_NATIVE_WORKSPACE_APP_ID?.trim();
+    if (configured)
+        return configured;
+    const name = getAppName();
+    if (name && name !== "app")
+        return name;
+    try {
+        const origin = getOrigin(event);
+        return new URL(origin).hostname.split(".")[0] || "app";
+    }
+    catch {
+        return "app";
+    }
+}
+function html(body, status = 200) {
+    return new Response(body, {
+        status,
+        headers: { "Content-Type": "text/html; charset=utf-8" },
+    });
+}
+function redirect(event, location) {
+    // Mirror any Set-Cookie staged on the event (e.g. the framework session
+    // cookie set by `createOAuthSession`) onto the 302. h3 v2's
+    // `prepareResponse` only merges staged Set-Cookie into a *2xx* web
+    // Response and drops them for non-2xx — so a bare
+    // `new Response("", { status: 302 })` here would silently lose the
+    // session cookie and the user would finish "Sign in with Agent-Native"
+    // still logged out. This mirrors the framework's `redirectWithStagedCookies`
+    // (auth.ts) exactly; it is a no-op when nothing is staged.
+    const headers = new Headers({ Location: location });
+    const staged = event.res?.headers?.getSetCookie?.() ?? [];
+    for (const cookie of staged)
+        headers.append("set-cookie", cookie);
+    return new Response("", { status: 302, headers });
+}
+/**
+ * Minimal self-contained error page (same inline-HTML approach as the auth /
+ * connect pages). Used when the federated round-trip fails so the user gets
+ * an actionable message instead of a raw 4xx. `message` is plain text.
+ */
+function errorPage(message, loginPath) {
+    const safe = message
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;");
+    const safeHref = loginPath.replace(/"/g, "&quot;");
+    return html(`<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">` +
+        `<meta name="viewport" content="width=device-width, initial-scale=1">` +
+        `<title>Sign-in failed</title>` +
+        `<style>body{font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",sans-serif;` +
+        `background:#09090b;color:#f4f4f5;display:flex;align-items:center;` +
+        `justify-content:center;min-height:100vh;margin:0;padding:1rem}` +
+        `.card{max-width:420px;padding:2rem;background:#141417;` +
+        `border:1px solid rgba(255,255,255,0.1);border-radius:12px;text-align:center}` +
+        `h1{font-size:1.15rem;margin:0 0 .5rem}p{color:#a1a1aa;font-size:.9rem;margin:0 0 1.25rem}` +
+        `a{color:#f4f4f5;font-weight:600;text-decoration:none;border:1px solid ` +
+        `rgba(255,255,255,0.18);border-radius:8px;padding:.6rem 1.1rem;display:inline-block}</style>` +
+        `</head><body><div class="card"><h1>Could not sign you in</h1>` +
+        `<p>${safe}</p><a href="${safeHref}">Back to sign in</a></div></body></html>`, 400);
+}
+/**
+ * Derive a strong, deterministic, NEVER-exposed credential for a JIT-created
+ * SSO user. Bound to the shared A2A secret + email so it is stable across
+ * function executions but unguessable without the deployment secret. Only
+ * ever used as the `password` argument to Better Auth's own
+ * `signUpEmail` / `signInEmail` — never returned, logged, or sent anywhere.
+ */
+function deriveSsoCredential(email) {
+    const secret = process.env.A2A_SECRET || "";
+    // A salted SHA-256 over secret + email: stable across function executions
+    // (so the same SSO user always derives the same stand-in password) but
+    // unguessable without the deployment secret. This account's only sign-in
+    // path is the signature-verified hub token, so the value is never used by
+    // anyone but Better Auth's own signUpEmail.
+    const digest = createHash("sha256")
+        .update(`${secret}:agent-native-sso:${email}`)
+        .digest("base64url");
+    return `an-sso_${digest}`;
+}
+/**
+ * JIT-link the verified hub identity into THIS app's local Better Auth
+ * store, strictly by verified email and strictly additively.
+ *
+ *   - EXISTING email → the local `user` / `session` / existing `account`
+ *     rows are NEVER read-modify-written. We only ADD (if absent) one
+ *     federated-provider `account` row via Better Auth's OWN
+ *     `internalAdapter.linkAccount` — so id, timestamps, and schema stay
+ *     adapter-correct. The row is inert (no template path reads
+ *     `provider_id = "agent-native"`), so removing the env var leaves zero
+ *     behavioural residue.
+ *   - NEW email → created via the SAME `auth.api.signUpEmail` path the app
+ *     already uses (`maybeAutoCreateDevSession` uses the identical call), so
+ *     the adapter creates the `user` (+ a schema-correct credential
+ *     `account`) and `databaseHooks.user.create.after` (org auto-join,
+ *     analytics) fires exactly as for a normal first-time signup. Idempotent
+ *     under a concurrent create (the "already exists" failure is swallowed).
+ *
+ * Returns nothing — success is implied by not throwing. Account-link
+ * failures for an existing user are swallowed (the verified email already
+ * authenticated them; the link row is bookkeeping and must never block the
+ * session).
+ */
+async function jitLinkIdentity(identity) {
+    const adapter = await getBetterAuthInternalAdapter();
+    // Look up the local user via Better Auth's own adapter (read-only).
+    let existing = adapter
+        ? await adapter
+            .findUserByEmail(identity.email, { includeAccounts: true })
+            .catch(() => null)
+        : null;
+    if (!existing) {
+        // No local user → create via the SAME signup path the app already uses.
+        const auth = await getBetterAuth();
+        try {
+            await auth.api.signUpEmail({
+                body: {
+                    email: identity.email,
+                    password: deriveSsoCredential(identity.email),
+                    name: identity.name || identity.email.split("@")[0] || "User",
+                },
+            });
+        }
+        catch (e) {
+            // "already exists" (concurrent create / pre-existing user the adapter
+            // lookup missed) is expected and fine — fall through to linking.
+            if (!isExpectedAuthFailure(e))
+                throw e;
+        }
+        if (adapter) {
+            existing = await adapter
+                .findUserByEmail(identity.email, { includeAccounts: true })
+                .catch(() => null);
+        }
+    }
+    // ADD the inert federated-provider link iff a local user resolved and the
+    // link is absent. Better Auth's `linkAccount` is the additive, schema-
+    // correct API — we never UPDATE/DELETE/RENAME any identity row.
+    if (adapter && existing?.user?.id) {
+        const accountId = identity.sub || identity.email;
+        const alreadyLinked = (existing.accounts ?? []).some((a) => a.providerId === IDENTITY_SSO_PROVIDER_ID && a.accountId === accountId);
+        if (!alreadyLinked) {
+            try {
+                await adapter.linkAccount({
+                    userId: existing.user.id,
+                    providerId: IDENTITY_SSO_PROVIDER_ID,
+                    accountId,
+                });
+            }
+            catch {
+                // Inert bookkeeping row — never block sign-in on a link failure.
+            }
+        }
+    }
+}
+/**
+ * Verify the hub-issued identity JWT using the EXACT same path A2A / MCP use:
+ * `jose.jwtVerify(token, A2A_SECRET)`. `jwtVerify` enforces `exp`
+ * automatically. We additionally require:
+ *   - `scope === "identity"` (so an A2A delegation token can't be replayed)
+ *   - `aud` is THIS app's callback URL (so a token minted for one app cannot
+ *     be replayed against another app's callback with a fresh state)
+ *   - a non-empty `email` claim (the join key — comes ONLY from the verified
+ *     token, never a query param)
+ *   - issued no more than `MAX_TOKEN_AGE_SECONDS` ago (belt-and-braces on top
+ *     of `exp` in case the hub mints long-lived tokens)
+ *
+ * Returns the verified identity, or `null` for ANY failure (bad signature,
+ * expired, wrong scope, missing email, malformed). The caller maps `null` to
+ * a generic error — it never leaks which check failed.
+ */
+async function verifyIdentityToken(token, expectedAudience) {
+    const secret = process.env.A2A_SECRET;
+    if (!secret || !token)
+        return null;
+    try {
+        const { payload } = await jose.jwtVerify(token, new TextEncoder().encode(secret));
+        if (payload.scope !== IDENTITY_SSO_SCOPE)
+            return null;
+        const aud = payload.aud;
+        const audienceMatches = Array.isArray(aud)
+            ? aud.includes(expectedAudience)
+            : aud === expectedAudience;
+        if (!audienceMatches)
+            return null;
+        if (typeof payload.redirect_uri === "string" &&
+            payload.redirect_uri !== expectedAudience) {
+            return null;
+        }
+        const email = typeof payload.email === "string" && payload.email.includes("@")
+            ? payload.email.trim().toLowerCase()
+            : null;
+        if (!email)
+            return null;
+        const iat = typeof payload.iat === "number" ? payload.iat : undefined;
+        if (iat !== undefined && Date.now() / 1000 - iat > MAX_TOKEN_AGE_SECONDS) {
+            return null;
+        }
+        const sub = typeof payload.sub === "string" && payload.sub ? payload.sub : email;
+        return {
+            email,
+            name: typeof payload.name === "string" && payload.name.trim()
+                ? payload.name.trim()
+                : "",
+            orgDomain: typeof payload.org_domain === "string" && payload.org_domain
+                ? payload.org_domain
+                : undefined,
+            sub,
+            jti: typeof payload.jti === "string" && payload.jti
+                ? payload.jti
+                : undefined,
+        };
+    }
+    catch {
+        // Bad signature / expired / malformed — never reveal which.
+        return null;
+    }
+}
+// ---------------------------------------------------------------------------
+// Route handler — single entry point; the core-routes-plugin dispatches the
+// subpath, mirroring `handleMcpConnect`.
+// ---------------------------------------------------------------------------
+/**
+ * Handle a `/_agent-native/identity/*` request. `subpath` is the part after
+ * `/identity` (e.g. `/login`, `/callback`). Returns a 404 Response whenever
+ * the feature is disabled so an unset env var is a true no-op even if the
+ * route somehow gets mounted.
+ */
+export async function handleIdentitySso(event, subpath) {
+    const hub = getIdentityHubUrl();
+    if (!hub) {
+        return new Response("Not found", { status: 404 });
+    }
+    const method = getMethod(event);
+    const sub = ("/" + subpath.replace(/^\/+/, "").replace(/\/+$/, "")).replace(/^\/$/, "");
+    const origin = getOrigin(event);
+    const loginPath = "/_agent-native/sign-in";
+    // ---- GET /login → 302 to the hub authorize endpoint ------------------
+    if (sub === "/login") {
+        if (method !== "GET" && method !== "HEAD") {
+            return new Response("Method not allowed", { status: 405 });
+        }
+        // Already signed in here? Skip the round-trip.
+        const existing = await getSession(event).catch(() => null);
+        let returnPath = "/";
+        try {
+            const u = new URL(event.node?.req?.url ?? event.path ?? "/", "http://an.invalid");
+            returnPath = safeReturnPath(u.searchParams.get("return"));
+        }
+        catch {
+            returnPath = "/";
+        }
+        if (existing?.email) {
+            return redirect(event, returnPath);
+        }
+        let state;
+        try {
+            state = await createSsoState(returnPath === "/" ? null : returnPath);
+        }
+        catch (e) {
+            if (e?.message === "RATE_LIMITED") {
+                return errorPage("Too many sign-in attempts. Please wait a moment and try again.", loginPath);
+            }
+            return errorPage("Could not start federated sign-in. Please try again.", loginPath);
+        }
+        const redirectUri = `${origin}/_agent-native/identity/callback`;
+        const authorizeUrl = `${hub}/_agent-native/identity/authorize` +
+            `?app=${encodeURIComponent(resolveAppId(event))}` +
+            `&redirect_uri=${encodeURIComponent(redirectUri)}` +
+            `&state=${encodeURIComponent(state)}`;
+        return redirect(event, authorizeUrl);
+    }
+    // ---- GET /callback → verify token, JIT-link, mint session ------------
+    if (sub === "/callback") {
+        if (method !== "GET" && method !== "HEAD") {
+            return new Response("Method not allowed", { status: 405 });
+        }
+        let token = "";
+        let stateParam = "";
+        try {
+            const u = new URL(event.node?.req?.url ?? event.path ?? "/", "http://an.invalid");
+            token =
+                u.searchParams.get("token") || u.searchParams.get("id_token") || "";
+            stateParam = u.searchParams.get("state") || "";
+        }
+        catch {
+            return errorPage("Malformed sign-in response.", loginPath);
+        }
+        // CSRF: the state must be one we minted, unexpired, and never consumed.
+        // Consume it FIRST (single-use) so a replayed callback can't pass even
+        // with a still-valid token.
+        const stateResult = await consumeSsoState(stateParam);
+        if (!stateResult.ok) {
+            return errorPage("Your sign-in session expired or was already used. Please try again.", loginPath);
+        }
+        // Identity comes ONLY from the signature-verified token. The query
+        // `email` (if any) is never trusted.
+        const expectedAudience = `${origin}/_agent-native/identity/callback`;
+        const identity = await verifyIdentityToken(token, expectedAudience);
+        if (!identity) {
+            return errorPage("We could not verify the sign-in response. Please try again.", loginPath);
+        }
+        // Replay guard (best-effort, defence in depth on top of single-use
+        // state): reject a token whose jti we've already accepted.
+        if (await isJtiReplayed(identity.jti)) {
+            return errorPage("This sign-in link was already used. Please try again.", loginPath);
+        }
+        // JIT link STRICTLY by verified email — additive only. Existing users
+        // are never mutated; new users are created via the app's own signup
+        // path; an inert federated `account` link is added via Better Auth's
+        // own adapter API. A failure here must not leave the user signed out
+        // mid-flow, so surface a retryable error rather than a half state.
+        try {
+            await jitLinkIdentity(identity);
+        }
+        catch {
+            return errorPage("Could not finish linking your account. Please try again.", loginPath);
+        }
+        // Mint a normal framework session EXACTLY the way the Google OAuth
+        // callback does (`createOAuthSession` → addSession + framework cookie).
+        // `hasProductionSession: false` so a fresh session cookie is always set.
+        try {
+            await createOAuthSession(event, identity.email, {
+                hasProductionSession: false,
+            });
+        }
+        catch {
+            return errorPage("Signed in, but could not start your session. Please try again.", loginPath);
+        }
+        // Land the user back where they started (validated same-origin path).
+        const dest = safeReturnPath(stateResult.returnPath);
+        return redirect(event, dest);
+    }
+    return new Response("Not found", { status: 404 });
+}
+/**
+ * Whether the given (already base-path-stripped) request path is one of the
+ * SSO routes that must bypass the blanket auth guard. Both routes resolve /
+ * mint the browser session themselves: `/login` is the unauthenticated entry
+ * point, and `/callback` is hit by a user who is (by definition) not yet
+ * signed in to THIS app. Returns false when the feature is disabled, so the
+ * guard's behaviour is unchanged with the env unset.
+ */
+export function isIdentitySsoBypassPath(p) {
+    if (!isIdentitySsoEnabled())
+        return false;
+    return (p === "/_agent-native/identity/login" ||
+        p === "/_agent-native/identity/callback");
+}
+//# sourceMappingURL=identity-sso.js.map

package/dist/server/identity-sso.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-sso.js","sourceRoot":"","sources":["../../src/server/identity-sso.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EACL,aAAa,EACb,4BAA4B,GAC7B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAC9E,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EACL,cAAc,EACd,eAAe,EACf,aAAa,EACb,iBAAiB,EACjB,oBAAoB,EACpB,0BAA0B,GAC3B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,CAAC;AAE/E;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,cAAc,CAAC;AAEvD;;;;;GAKG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,UAAU,CAAC;AAE7C,8EAA8E;AAC9E,MAAM,qBAAqB,GAAG,EAAE,GAAG,EAAE,CAAC;AAEtC;;;;GAIG;AACH,SAAS,YAAY,CAAC,KAAc;IAClC,MAAM,UAAU,GACd,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,IAAI,EAAE;QACvC,OAAO,CAAC,GAAG,CAAC,6BAA6B,EAAE,IAAI,EAAE,CAAC;IACpD,IAAI,UAAU;QAAE,OAAO,UAAU,CAAC;IAClC,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;IAC1B,IAAI,IAAI,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,IAAI,CAAC,IAAY,EAAE,MAAM,GAAG,GAAG;IACtC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;KACxD,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc,EAAE,QAAgB;IAChD,wEAAwE;IACxE,4DAA4D;IAC5D,mEAAmE;IACnE,kDAAkD;IAClD,mEAAmE;IACnE,uEAAuE;IACvE,6EAA6E;IAC7E,2DAA2D;IAC3D,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpD,MAAM,MAAM,GAAI,KAAa,CAAC,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC;IACnE,KAAK,MAAM,MAAM,IAAI,MAAM;QAAE,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAClE,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;AACpD,CAAC;AAED;;;;GAIG;AACH,SAAS,SAAS,CAAC,OAAe,EAAE,SAAiB;IACnD,MAAM,IAAI,GAAG,OAAO;SACjB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACzB,MAAM,QAAQ,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACnD,OAAO,IAAI,CACT,6DAA6D;QAC3D,sEAAsE;QACtE,+BAA+B;QAC/B,iFAAiF;QACjF,mEAAmE;QACnE,gEAAgE;QAChE,wDAAwD;QACxD,8EAA8E;QAC9E,2FAA2F;QAC3F,wEAAwE;QACxE,6FAA6F;QAC7F,+DAA+D;QAC/D,MAAM,IAAI,gBAAgB,QAAQ,2CAA2C,EAC/E,GAAG,CACJ,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,KAAa;IACxC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC;IAC5C,0EAA0E;IAC1E,uEAAuE;IACvE,yEAAyE;IACzE,0EAA0E;IAC1E,4CAA4C;IAC5C,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC;SAChC,MAAM,CAAC,GAAG,MAAM,qBAAqB,KAAK,EAAE,CAAC;SAC7C,MAAM,CAAC,WAAW,CAAC,CAAC;IACvB,OAAO,UAAU,MAAM,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,KAAK,UAAU,eAAe,CAAC,QAA0B;IACvD,MAAM,OAAO,GAAG,MAAM,4BAA4B,EAAE,CAAC;IAErD,oEAAoE;IACpE,IAAI,QAAQ,GAAG,OAAO;QACpB,CAAC,CAAC,MAAM,OAAO;aACV,eAAe,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;aAC1D,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;QACtB,CAAC,CAAC,IAAI,CAAC;IAET,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,wEAAwE;QACxE,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;gBACzB,IAAI,EAAE;oBACJ,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,QAAQ,EAAE,mBAAmB,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC7C,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM;iBAC9D;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,sEAAsE;YACtE,iEAAiE;YACjE,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;gBAAE,MAAM,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,OAAO,EAAE,CAAC;YACZ,QAAQ,GAAG,MAAM,OAAO;iBACrB,eAAe,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;iBAC1D,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,uEAAuE;IACvE,gEAAgE;IAChE,IAAI,OAAO,IAAI,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QAClC,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,IAAI,QAAQ,CAAC,KAAK,CAAC;QACjD,MAAM,aAAa,GAAG,CAAC,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,CAClD,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,UAAU,KAAK,wBAAwB,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,CACzE,CAAC;QACF,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,MAAM,OAAO,CAAC,WAAW,CAAC;oBACxB,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE;oBACxB,UAAU,EAAE,wBAAwB;oBACpC,SAAS;iBACV,CAAC,CAAC;YACL,CAAC;YAAC,MAAM,CAAC;gBACP,iEAAiE;YACnE,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAUD;;;;;;;;;;;;;;;GAeG;AACH,KAAK,UAAU,mBAAmB,CAChC,KAAa,EACb,gBAAwB;IAExB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IACtC,IAAI,CAAC,MAAM,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACnC,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CACtC,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CACjC,CAAC;QACF,IAAI,OAAO,CAAC,KAAK,KAAK,kBAAkB;YAAE,OAAO,IAAI,CAAC;QACtD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACxB,MAAM,eAAe,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;YACxC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAChC,CAAC,CAAC,GAAG,KAAK,gBAAgB,CAAC;QAC7B,IAAI,CAAC,eAAe;YAAE,OAAO,IAAI,CAAC;QAClC,IACE,OAAO,OAAO,CAAC,YAAY,KAAK,QAAQ;YACxC,OAAO,CAAC,YAAY,KAAK,gBAAgB,EACzC,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GACT,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC9D,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE;YACpC,CAAC,CAAC,IAAI,CAAC;QACX,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;QACtE,IAAI,GAAG,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,GAAG,GAAG,qBAAqB,EAAE,CAAC;YACzE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,GACP,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC;QACvE,OAAO;YACL,KAAK;YACL,IAAI,EACF,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE;gBACrD,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE;gBACrB,CAAC,CAAC,EAAE;YACR,SAAS,EACP,OAAO,OAAO,CAAC,UAAU,KAAK,QAAQ,IAAI,OAAO,CAAC,UAAU;gBAC1D,CAAC,CAAC,OAAO,CAAC,UAAU;gBACpB,CAAC,CAAC,SAAS;YACf,GAAG;YACH,GAAG,EACD,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG;gBAC5C,CAAC,CAAC,OAAO,CAAC,GAAG;gBACb,CAAC,CAAC,SAAS;SAChB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,4DAA4D;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,4EAA4E;AAC5E,yCAAyC;AACzC,8EAA8E;AAE9E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAc,EACd,OAAe;IAEf,MAAM,GAAG,GAAG,iBAAiB,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,GAAG,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CACzE,MAAM,EACN,EAAE,CACH,CAAC;IACF,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,wBAAwB,CAAC;IAE3C,yEAAyE;IACzE,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;QACrB,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7D,CAAC;QACD,+CAA+C;QAC/C,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,UAAU,GAAG,GAAG,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,GAAG,CACd,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,EAClD,mBAAmB,CACpB,CAAC;YACF,UAAU,GAAG,cAAc,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC5D,CAAC;QAAC,MAAM,CAAC;YACP,UAAU,GAAG,GAAG,CAAC;QACnB,CAAC;QACD,IAAI,QAAQ,EAAE,KAAK,EAAE,CAAC;YACpB,OAAO,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;QACrC,CAAC;QAED,IAAI,KAAa,CAAC;QAClB,IAAI,CAAC;YACH,KAAK,GAAG,MAAM,cAAc,CAAC,UAAU,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QACvE,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,EAAE,OAAO,KAAK,cAAc,EAAE,CAAC;gBAClC,OAAO,SAAS,CACd,gEAAgE,EAChE,SAAS,CACV,CAAC;YACJ,CAAC;YACD,OAAO,SAAS,CACd,sDAAsD,EACtD,SAAS,CACV,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,GAAG,MAAM,kCAAkC,CAAC;QAChE,MAAM,YAAY,GAChB,GAAG,GAAG,mCAAmC;YACzC,QAAQ,kBAAkB,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE;YACjD,iBAAiB,kBAAkB,CAAC,WAAW,CAAC,EAAE;YAClD,UAAU,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;IACvC,CAAC;IAED,yEAAyE;IACzE,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;QACxB,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,OAAO,IAAI,QAAQ,CAAC,oBAAoB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,KAAK,GAAG,EAAE,CAAC;QACf,IAAI,UAAU,GAAG,EAAE,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,CAAC,GAAG,IAAI,GAAG,CACd,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,CAAC,IAAI,IAAI,GAAG,EAClD,mBAAmB,CACpB,CAAC;YACF,KAAK;gBACH,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;YACtE,UAAU,GAAG,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAC,6BAA6B,EAAE,SAAS,CAAC,CAAC;QAC7D,CAAC;QAED,wEAAwE;QACxE,uEAAuE;QACvE,4BAA4B;QAC5B,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,UAAU,CAAC,CAAC;QACtD,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;YACpB,OAAO,SAAS,CACd,qEAAqE,EACrE,SAAS,CACV,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,qCAAqC;QACrC,MAAM,gBAAgB,GAAG,GAAG,MAAM,kCAAkC,CAAC;QACrE,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QACpE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,SAAS,CACd,6DAA6D,EAC7D,SAAS,CACV,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,2DAA2D;QAC3D,IAAI,MAAM,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,OAAO,SAAS,CACd,uDAAuD,EACvD,SAAS,CACV,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,oEAAoE;QACpE,qEAAqE;QACrE,qEAAqE;QACrE,mEAAmE;QACnE,IAAI,CAAC;YACH,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CACd,0DAA0D,EAC1D,SAAS,CACV,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,wEAAwE;QACxE,yEAAyE;QACzE,IAAI,CAAC;YACH,MAAM,kBAAkB,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE;gBAC9C,oBAAoB,EAAE,KAAK;aAC5B,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CACd,gEAAgE,EAChE,SAAS,CACV,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,MAAM,IAAI,GAAG,cAAc,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QACpD,OAAO,QAAQ,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,uBAAuB,CAAC,CAAS;IAC/C,IAAI,CAAC,oBAAoB,EAAE;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,CACL,CAAC,KAAK,+BAA+B;QACrC,CAAC,KAAK,kCAAkC,CACzC,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Cross-app SSO (\"Sign in with Agent-Native\") — the CLIENT side.\n *\n * Each hosted `*.agent-native.com` app has its OWN Better Auth user store\n * (a separate database per app). This module lets an app federate sign-in to\n * an identity authority (Dispatch) so a user logged in there can land in this\n * app without re-entering credentials.\n *\n * Opt-in, OFF by default, fully reversible. Everything here is gated on the\n * single env var `AGENT_NATIVE_IDENTITY_HUB_URL`:\n *\n *   - UNSET  → `isIdentitySsoEnabled()` is false. The route handler 404s, the\n *     auth-guard bypass does not apply, and the login page renders no SSO\n *     button. Existing auth is byte-for-byte unchanged.\n *   - SET    (e.g. `https://dispatch.agent-native.com`) → two routes mount:\n *       GET /_agent-native/identity/login\n *         302 → `<HUB>/_agent-native/identity/authorize?app=<id>\n *                 &redirect_uri=<thisOrigin>/_agent-native/identity/callback\n *                 &state=<single-use CSRF state>`\n *       GET /_agent-native/identity/callback?token=<jwt>&state=<state>\n *         Verifies the hub-issued identity JWT (HS256 over the SHARED A2A\n *         secret — the exact verify path A2A / MCP `verifyAuth` use), checks\n *         `scope:\"identity\"`, `exp`, single-use CSRF `state`, and (best\n *         effort) `jti` replay, then JIT-links the verified email into this\n *         app's local Better Auth store and mints a normal framework session\n *         the SAME way the Google OAuth callback does.\n *\n * Crypto reuse: the hub signs with `jose.SignJWT(...).sign(A2A_SECRET)` (the\n * existing `signA2AToken` builder). We verify with the identical\n * `jose.jwtVerify(token, A2A_SECRET)` call `mcp/build-server.ts#verifyAuth`\n * uses — no new crypto, no new keys.\n *\n * Session reuse: a NEW email is created via `auth.api.signUpEmail` — the\n * exact Better Auth signup path `maybeAutoCreateDevSession` already uses, so\n * the adapter creates the `user` (+ adapter-managed credential `account`)\n * row schema-correctly and the normal `databaseHooks.user.create.after`\n * (org auto-join, analytics) fires. The framework session is then minted via\n * `createOAuthSession` — the literal Google-OAuth session-mint path\n * (`addSession` + `setFrameworkSessionCookie`). An EXISTING email is never\n * mutated: we only ADD an inert federated-provider `account` row (if absent)\n * and mint the same framework session. Removing the env returns the app to\n * its prior auth with no residue.\n */\n\nimport type { H3Event } from \"h3\";\nimport { getMethod } from \"h3\";\nimport * as jose from \"jose\";\nimport { createHash } from \"node:crypto\";\nimport {\n  getBetterAuth,\n  getBetterAuthInternalAdapter,\n} from \"./better-auth-instance.js\";\nimport { getSession, safeReturnPath, isExpectedAuthFailure } from \"./auth.js\";\nimport { createOAuthSession, getOrigin } from \"./google-oauth.js\";\nimport { getAppName } from \"./app-name.js\";\nimport {\n  createSsoState,\n  consumeSsoState,\n  isJtiReplayed,\n  getIdentityHubUrl,\n  isIdentitySsoEnabled,\n  identitySsoLoginButtonHtml,\n} from \"./identity-sso-store.js\";\n\nexport { getIdentityHubUrl, isIdentitySsoEnabled, identitySsoLoginButtonHtml };\n\n/**\n * The provider id recorded on the additive `account` row we link for an\n * EXISTING local user. Must match the value the Dispatch authority agent\n * expects to interoperate with — documented in the report so the two sides\n * stay in sync. Inert when this provider is unused, so removing the env var\n * leaves no behavioural residue.\n */\nexport const IDENTITY_SSO_PROVIDER_ID = \"agent-native\";\n\n/**\n * The JWT `scope` claim the hub MUST set on the identity token. The callback\n * rejects any token whose `scope` is not exactly this value, so an A2A\n * delegation JWT (no scope, or `scope:\"mcp-connect\"`) can never be replayed\n * as an identity assertion.\n */\nexport const IDENTITY_SSO_SCOPE = \"identity\";\n\n/** Identity tokens older than this are rejected even if `exp` is generous. */\nconst MAX_TOKEN_AGE_SECONDS = 10 * 60;\n\n/**\n * A stable id for THIS app, sent to the hub as `?app=` so the authority can\n * record / display which app requested sign-in. Best-effort, non-secret,\n * never trusted for identity. Falls back to the request host.\n */\nfunction resolveAppId(event: H3Event): string {\n  const configured =\n    process.env.AGENT_NATIVE_APP_ID?.trim() ||\n    process.env.AGENT_NATIVE_WORKSPACE_APP_ID?.trim();\n  if (configured) return configured;\n  const name = getAppName();\n  if (name && name !== \"app\") return name;\n  try {\n    const origin = getOrigin(event);\n    return new URL(origin).hostname.split(\".\")[0] || \"app\";\n  } catch {\n    return \"app\";\n  }\n}\n\nfunction html(body: string, status = 200): Response {\n  return new Response(body, {\n    status,\n    headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n  });\n}\n\nfunction redirect(event: H3Event, location: string): Response {\n  // Mirror any Set-Cookie staged on the event (e.g. the framework session\n  // cookie set by `createOAuthSession`) onto the 302. h3 v2's\n  // `prepareResponse` only merges staged Set-Cookie into a *2xx* web\n  // Response and drops them for non-2xx — so a bare\n  // `new Response(\"\", { status: 302 })` here would silently lose the\n  // session cookie and the user would finish \"Sign in with Agent-Native\"\n  // still logged out. This mirrors the framework's `redirectWithStagedCookies`\n  // (auth.ts) exactly; it is a no-op when nothing is staged.\n  const headers = new Headers({ Location: location });\n  const staged = (event as any).res?.headers?.getSetCookie?.() ?? [];\n  for (const cookie of staged) headers.append(\"set-cookie\", cookie);\n  return new Response(\"\", { status: 302, headers });\n}\n\n/**\n * Minimal self-contained error page (same inline-HTML approach as the auth /\n * connect pages). Used when the federated round-trip fails so the user gets\n * an actionable message instead of a raw 4xx. `message` is plain text.\n */\nfunction errorPage(message: string, loginPath: string): Response {\n  const safe = message\n    .replace(/&/g, \"&amp;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\");\n  const safeHref = loginPath.replace(/\"/g, \"&quot;\");\n  return html(\n    `<!DOCTYPE html><html lang=\"en\"><head><meta charset=\"UTF-8\">` +\n      `<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">` +\n      `<title>Sign-in failed</title>` +\n      `<style>body{font-family:-apple-system,BlinkMacSystemFont,\"Segoe UI\",sans-serif;` +\n      `background:#09090b;color:#f4f4f5;display:flex;align-items:center;` +\n      `justify-content:center;min-height:100vh;margin:0;padding:1rem}` +\n      `.card{max-width:420px;padding:2rem;background:#141417;` +\n      `border:1px solid rgba(255,255,255,0.1);border-radius:12px;text-align:center}` +\n      `h1{font-size:1.15rem;margin:0 0 .5rem}p{color:#a1a1aa;font-size:.9rem;margin:0 0 1.25rem}` +\n      `a{color:#f4f4f5;font-weight:600;text-decoration:none;border:1px solid ` +\n      `rgba(255,255,255,0.18);border-radius:8px;padding:.6rem 1.1rem;display:inline-block}</style>` +\n      `</head><body><div class=\"card\"><h1>Could not sign you in</h1>` +\n      `<p>${safe}</p><a href=\"${safeHref}\">Back to sign in</a></div></body></html>`,\n    400,\n  );\n}\n\n/**\n * Derive a strong, deterministic, NEVER-exposed credential for a JIT-created\n * SSO user. Bound to the shared A2A secret + email so it is stable across\n * function executions but unguessable without the deployment secret. Only\n * ever used as the `password` argument to Better Auth's own\n * `signUpEmail` / `signInEmail` — never returned, logged, or sent anywhere.\n */\nfunction deriveSsoCredential(email: string): string {\n  const secret = process.env.A2A_SECRET || \"\";\n  // A salted SHA-256 over secret + email: stable across function executions\n  // (so the same SSO user always derives the same stand-in password) but\n  // unguessable without the deployment secret. This account's only sign-in\n  // path is the signature-verified hub token, so the value is never used by\n  // anyone but Better Auth's own signUpEmail.\n  const digest = createHash(\"sha256\")\n    .update(`${secret}:agent-native-sso:${email}`)\n    .digest(\"base64url\");\n  return `an-sso_${digest}`;\n}\n\n/**\n * JIT-link the verified hub identity into THIS app's local Better Auth\n * store, strictly by verified email and strictly additively.\n *\n *   - EXISTING email → the local `user` / `session` / existing `account`\n *     rows are NEVER read-modify-written. We only ADD (if absent) one\n *     federated-provider `account` row via Better Auth's OWN\n *     `internalAdapter.linkAccount` — so id, timestamps, and schema stay\n *     adapter-correct. The row is inert (no template path reads\n *     `provider_id = \"agent-native\"`), so removing the env var leaves zero\n *     behavioural residue.\n *   - NEW email → created via the SAME `auth.api.signUpEmail` path the app\n *     already uses (`maybeAutoCreateDevSession` uses the identical call), so\n *     the adapter creates the `user` (+ a schema-correct credential\n *     `account`) and `databaseHooks.user.create.after` (org auto-join,\n *     analytics) fires exactly as for a normal first-time signup. Idempotent\n *     under a concurrent create (the \"already exists\" failure is swallowed).\n *\n * Returns nothing — success is implied by not throwing. Account-link\n * failures for an existing user are swallowed (the verified email already\n * authenticated them; the link row is bookkeeping and must never block the\n * session).\n */\nasync function jitLinkIdentity(identity: VerifiedIdentity): Promise<void> {\n  const adapter = await getBetterAuthInternalAdapter();\n\n  // Look up the local user via Better Auth's own adapter (read-only).\n  let existing = adapter\n    ? await adapter\n        .findUserByEmail(identity.email, { includeAccounts: true })\n        .catch(() => null)\n    : null;\n\n  if (!existing) {\n    // No local user → create via the SAME signup path the app already uses.\n    const auth = await getBetterAuth();\n    try {\n      await auth.api.signUpEmail({\n        body: {\n          email: identity.email,\n          password: deriveSsoCredential(identity.email),\n          name: identity.name || identity.email.split(\"@\")[0] || \"User\",\n        },\n      });\n    } catch (e) {\n      // \"already exists\" (concurrent create / pre-existing user the adapter\n      // lookup missed) is expected and fine — fall through to linking.\n      if (!isExpectedAuthFailure(e)) throw e;\n    }\n    if (adapter) {\n      existing = await adapter\n        .findUserByEmail(identity.email, { includeAccounts: true })\n        .catch(() => null);\n    }\n  }\n\n  // ADD the inert federated-provider link iff a local user resolved and the\n  // link is absent. Better Auth's `linkAccount` is the additive, schema-\n  // correct API — we never UPDATE/DELETE/RENAME any identity row.\n  if (adapter && existing?.user?.id) {\n    const accountId = identity.sub || identity.email;\n    const alreadyLinked = (existing.accounts ?? []).some(\n      (a) =>\n        a.providerId === IDENTITY_SSO_PROVIDER_ID && a.accountId === accountId,\n    );\n    if (!alreadyLinked) {\n      try {\n        await adapter.linkAccount({\n          userId: existing.user.id,\n          providerId: IDENTITY_SSO_PROVIDER_ID,\n          accountId,\n        });\n      } catch {\n        // Inert bookkeeping row — never block sign-in on a link failure.\n      }\n    }\n  }\n}\n\ninterface VerifiedIdentity {\n  email: string;\n  name: string;\n  orgDomain?: string;\n  sub: string;\n  jti?: string;\n}\n\n/**\n * Verify the hub-issued identity JWT using the EXACT same path A2A / MCP use:\n * `jose.jwtVerify(token, A2A_SECRET)`. `jwtVerify` enforces `exp`\n * automatically. We additionally require:\n *   - `scope === \"identity\"` (so an A2A delegation token can't be replayed)\n *   - `aud` is THIS app's callback URL (so a token minted for one app cannot\n *     be replayed against another app's callback with a fresh state)\n *   - a non-empty `email` claim (the join key — comes ONLY from the verified\n *     token, never a query param)\n *   - issued no more than `MAX_TOKEN_AGE_SECONDS` ago (belt-and-braces on top\n *     of `exp` in case the hub mints long-lived tokens)\n *\n * Returns the verified identity, or `null` for ANY failure (bad signature,\n * expired, wrong scope, missing email, malformed). The caller maps `null` to\n * a generic error — it never leaks which check failed.\n */\nasync function verifyIdentityToken(\n  token: string,\n  expectedAudience: string,\n): Promise<VerifiedIdentity | null> {\n  const secret = process.env.A2A_SECRET;\n  if (!secret || !token) return null;\n  try {\n    const { payload } = await jose.jwtVerify(\n      token,\n      new TextEncoder().encode(secret),\n    );\n    if (payload.scope !== IDENTITY_SSO_SCOPE) return null;\n    const aud = payload.aud;\n    const audienceMatches = Array.isArray(aud)\n      ? aud.includes(expectedAudience)\n      : aud === expectedAudience;\n    if (!audienceMatches) return null;\n    if (\n      typeof payload.redirect_uri === \"string\" &&\n      payload.redirect_uri !== expectedAudience\n    ) {\n      return null;\n    }\n    const email =\n      typeof payload.email === \"string\" && payload.email.includes(\"@\")\n        ? payload.email.trim().toLowerCase()\n        : null;\n    if (!email) return null;\n    const iat = typeof payload.iat === \"number\" ? payload.iat : undefined;\n    if (iat !== undefined && Date.now() / 1000 - iat > MAX_TOKEN_AGE_SECONDS) {\n      return null;\n    }\n    const sub =\n      typeof payload.sub === \"string\" && payload.sub ? payload.sub : email;\n    return {\n      email,\n      name:\n        typeof payload.name === \"string\" && payload.name.trim()\n          ? payload.name.trim()\n          : \"\",\n      orgDomain:\n        typeof payload.org_domain === \"string\" && payload.org_domain\n          ? payload.org_domain\n          : undefined,\n      sub,\n      jti:\n        typeof payload.jti === \"string\" && payload.jti\n          ? payload.jti\n          : undefined,\n    };\n  } catch {\n    // Bad signature / expired / malformed — never reveal which.\n    return null;\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Route handler — single entry point; the core-routes-plugin dispatches the\n// subpath, mirroring `handleMcpConnect`.\n// ---------------------------------------------------------------------------\n\n/**\n * Handle a `/_agent-native/identity/*` request. `subpath` is the part after\n * `/identity` (e.g. `/login`, `/callback`). Returns a 404 Response whenever\n * the feature is disabled so an unset env var is a true no-op even if the\n * route somehow gets mounted.\n */\nexport async function handleIdentitySso(\n  event: H3Event,\n  subpath: string,\n): Promise<Response> {\n  const hub = getIdentityHubUrl();\n  if (!hub) {\n    return new Response(\"Not found\", { status: 404 });\n  }\n\n  const method = getMethod(event);\n  const sub = (\"/\" + subpath.replace(/^\\/+/, \"\").replace(/\\/+$/, \"\")).replace(\n    /^\\/$/,\n    \"\",\n  );\n  const origin = getOrigin(event);\n  const loginPath = \"/_agent-native/sign-in\";\n\n  // ---- GET /login → 302 to the hub authorize endpoint ------------------\n  if (sub === \"/login\") {\n    if (method !== \"GET\" && method !== \"HEAD\") {\n      return new Response(\"Method not allowed\", { status: 405 });\n    }\n    // Already signed in here? Skip the round-trip.\n    const existing = await getSession(event).catch(() => null);\n    let returnPath = \"/\";\n    try {\n      const u = new URL(\n        (event as any).node?.req?.url ?? event.path ?? \"/\",\n        \"http://an.invalid\",\n      );\n      returnPath = safeReturnPath(u.searchParams.get(\"return\"));\n    } catch {\n      returnPath = \"/\";\n    }\n    if (existing?.email) {\n      return redirect(event, returnPath);\n    }\n\n    let state: string;\n    try {\n      state = await createSsoState(returnPath === \"/\" ? null : returnPath);\n    } catch (e: any) {\n      if (e?.message === \"RATE_LIMITED\") {\n        return errorPage(\n          \"Too many sign-in attempts. Please wait a moment and try again.\",\n          loginPath,\n        );\n      }\n      return errorPage(\n        \"Could not start federated sign-in. Please try again.\",\n        loginPath,\n      );\n    }\n\n    const redirectUri = `${origin}/_agent-native/identity/callback`;\n    const authorizeUrl =\n      `${hub}/_agent-native/identity/authorize` +\n      `?app=${encodeURIComponent(resolveAppId(event))}` +\n      `&redirect_uri=${encodeURIComponent(redirectUri)}` +\n      `&state=${encodeURIComponent(state)}`;\n    return redirect(event, authorizeUrl);\n  }\n\n  // ---- GET /callback → verify token, JIT-link, mint session ------------\n  if (sub === \"/callback\") {\n    if (method !== \"GET\" && method !== \"HEAD\") {\n      return new Response(\"Method not allowed\", { status: 405 });\n    }\n\n    let token = \"\";\n    let stateParam = \"\";\n    try {\n      const u = new URL(\n        (event as any).node?.req?.url ?? event.path ?? \"/\",\n        \"http://an.invalid\",\n      );\n      token =\n        u.searchParams.get(\"token\") || u.searchParams.get(\"id_token\") || \"\";\n      stateParam = u.searchParams.get(\"state\") || \"\";\n    } catch {\n      return errorPage(\"Malformed sign-in response.\", loginPath);\n    }\n\n    // CSRF: the state must be one we minted, unexpired, and never consumed.\n    // Consume it FIRST (single-use) so a replayed callback can't pass even\n    // with a still-valid token.\n    const stateResult = await consumeSsoState(stateParam);\n    if (!stateResult.ok) {\n      return errorPage(\n        \"Your sign-in session expired or was already used. Please try again.\",\n        loginPath,\n      );\n    }\n\n    // Identity comes ONLY from the signature-verified token. The query\n    // `email` (if any) is never trusted.\n    const expectedAudience = `${origin}/_agent-native/identity/callback`;\n    const identity = await verifyIdentityToken(token, expectedAudience);\n    if (!identity) {\n      return errorPage(\n        \"We could not verify the sign-in response. Please try again.\",\n        loginPath,\n      );\n    }\n\n    // Replay guard (best-effort, defence in depth on top of single-use\n    // state): reject a token whose jti we've already accepted.\n    if (await isJtiReplayed(identity.jti)) {\n      return errorPage(\n        \"This sign-in link was already used. Please try again.\",\n        loginPath,\n      );\n    }\n\n    // JIT link STRICTLY by verified email — additive only. Existing users\n    // are never mutated; new users are created via the app's own signup\n    // path; an inert federated `account` link is added via Better Auth's\n    // own adapter API. A failure here must not leave the user signed out\n    // mid-flow, so surface a retryable error rather than a half state.\n    try {\n      await jitLinkIdentity(identity);\n    } catch {\n      return errorPage(\n        \"Could not finish linking your account. Please try again.\",\n        loginPath,\n      );\n    }\n\n    // Mint a normal framework session EXACTLY the way the Google OAuth\n    // callback does (`createOAuthSession` → addSession + framework cookie).\n    // `hasProductionSession: false` so a fresh session cookie is always set.\n    try {\n      await createOAuthSession(event, identity.email, {\n        hasProductionSession: false,\n      });\n    } catch {\n      return errorPage(\n        \"Signed in, but could not start your session. Please try again.\",\n        loginPath,\n      );\n    }\n\n    // Land the user back where they started (validated same-origin path).\n    const dest = safeReturnPath(stateResult.returnPath);\n    return redirect(event, dest);\n  }\n\n  return new Response(\"Not found\", { status: 404 });\n}\n\n/**\n * Whether the given (already base-path-stripped) request path is one of the\n * SSO routes that must bypass the blanket auth guard. Both routes resolve /\n * mint the browser session themselves: `/login` is the unauthenticated entry\n * point, and `/callback` is hit by a user who is (by definition) not yet\n * signed in to THIS app. Returns false when the feature is disabled, so the\n * guard's behaviour is unchanged with the env unset.\n */\nexport function isIdentitySsoBypassPath(p: string): boolean {\n  if (!isIdentitySsoEnabled()) return false;\n  return (\n    p === \"/_agent-native/identity/login\" ||\n    p === \"/_agent-native/identity/callback\"\n  );\n}\n"]}

package/dist/server/index.d.ts

@@ -4,6 +4,7 @@ export { buildDeepLink, toAbsoluteOpenUrl, toDesktopOpenUrl, OPEN_ROUTE_SUBPATH,
 export { createOpenRouteHandler, type OpenRouteOptions } from "./open-route.js";
 export { createSSEHandler, type SSEHandlerOptions } from "./sse.js";
 export { mountAuthMiddleware, autoMountAuth, getSession, addSession, removeSession, getSessionEmail, runAuthGuard, setDesktopExchange, setDesktopExchangeError, safeReturnPath, type DesktopExchangeErrorPayload, type AuthSession, type AuthOptions, } from "./auth.js";
+export { handleIdentitySso, getIdentityHubUrl, isIdentitySsoEnabled, isIdentitySsoBypassPath, identitySsoLoginButtonHtml, IDENTITY_SSO_PROVIDER_ID, IDENTITY_SSO_SCOPE, } from "./identity-sso.js";
 export { requireEnvKey, type MissingKeyResponse } from "./missing-key.js";
 export { verifyCaptcha, type CaptchaVerifyResult } from "./captcha.js";
 export { createProductionAgentHandler, type ActionEntry, type ScriptEntry, type ProductionAgentOptions, type ActionTool, type ScriptTool, type AgentMessage, type AgentChatRequest, type AgentChatEvent, type AgentChatAttachment, type AgentChatReference, type MentionProvider, type MentionProviderItem, type AgentLoopFinalResponseGuard, type AgentLoopFinalResponseGuardContext, type AgentLoopFinalResponseGuardResult, type AgentLoopToolCallSummary, type AgentLoopToolResultSummary, } from "../agent/index.js";

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,YAAY,GAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EAAE,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,UAAU,EACV,aAAa,EACb,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,EACd,KAAK,2BAA2B,EAChC,KAAK,WAAW,EAChB,KAAK,WAAW,GACjB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,EAC5B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,sBAAsB,EAC3B,KAAK,UAAU,EACf,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,kCAAkC,EACvC,KAAK,iCAAiC,EACtC,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,GAChC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,EACjB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAI7E,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,KAAK,sBAAsB,GAC5B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,EACnC,KAAK,8BAA8B,EACnC,KAAK,6BAA6B,EAClC,KAAK,8BAA8B,EACnC,KAAK,gCAAgC,GACtC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,GACxB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,EACjC,KAAK,wCAAwC,GAC9C,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,EACzB,KAAK,gCAAgC,GACtC,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,yBAAyB,EACzB,+BAA+B,EAC/B,+BAA+B,EAC/B,gCAAgC,EAChC,sCAAsC,EACtC,oCAAoC,EACpC,2CAA2C,EAC3C,sCAAsC,GACvC,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,qBAAqB,GAC3B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,EAClB,KAAK,mBAAmB,GACzB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,EACf,KAAK,SAAS,EACd,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,EACd,KAAK,SAAS,GACf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,EAC1B,KAAK,cAAc,EACnB,KAAK,iBAAiB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,EACzB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,EACZ,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,GAC/B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,EACf,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,EACT,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,GACd,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,KAAK,qBAAqB,EAC1B,KAAK,YAAY,IAAI,2BAA2B,GACjD,MAAM,wBAAwB,CAAC;AAUhC,MAAM,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AACrE,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,cAAc,CAErE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,YAAY,GAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EAAE,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,UAAU,EACV,aAAa,EACb,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,EACd,KAAK,2BAA2B,EAChC,KAAK,WAAW,EAChB,KAAK,WAAW,GACjB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,EAC5B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,sBAAsB,EAC3B,KAAK,UAAU,EACf,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,kCAAkC,EACvC,KAAK,iCAAiC,EACtC,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,GAChC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,EACjB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAI7E,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,KAAK,sBAAsB,GAC5B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,EACnC,KAAK,8BAA8B,EACnC,KAAK,6BAA6B,EAClC,KAAK,8BAA8B,EACnC,KAAK,gCAAgC,GACtC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,GACxB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,EACjC,KAAK,wCAAwC,GAC9C,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,EACzB,KAAK,gCAAgC,GACtC,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,yBAAyB,EACzB,+BAA+B,EAC/B,+BAA+B,EAC/B,gCAAgC,EAChC,sCAAsC,EACtC,oCAAoC,EACpC,2CAA2C,EAC3C,sCAAsC,GACvC,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,qBAAqB,GAC3B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,EAClB,KAAK,mBAAmB,GACzB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,EACf,KAAK,SAAS,EACd,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,EACd,KAAK,SAAS,GACf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,EAC1B,KAAK,cAAc,EACnB,KAAK,iBAAiB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,EACzB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,EACZ,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,GAC/B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,EACf,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,EACT,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,GACd,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,KAAK,qBAAqB,EAC1B,KAAK,YAAY,IAAI,2BAA2B,GACjD,MAAM,wBAAwB,CAAC;AAUhC,MAAM,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AACrE,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,cAAc,CAErE"}

package/dist/server/index.js

@@ -4,6 +4,7 @@ export { buildDeepLink, toAbsoluteOpenUrl, toDesktopOpenUrl, OPEN_ROUTE_SUBPATH,
 export { createOpenRouteHandler } from "./open-route.js";
 export { createSSEHandler } from "./sse.js";
 export { mountAuthMiddleware, autoMountAuth, getSession, addSession, removeSession, getSessionEmail, runAuthGuard, setDesktopExchange, setDesktopExchangeError, safeReturnPath, } from "./auth.js";
+export { handleIdentitySso, getIdentityHubUrl, isIdentitySsoEnabled, isIdentitySsoBypassPath, identitySsoLoginButtonHtml, IDENTITY_SSO_PROVIDER_ID, IDENTITY_SSO_SCOPE, } from "./identity-sso.js";
 export { requireEnvKey } from "./missing-key.js";
 export { verifyCaptcha } from "./captcha.js";
 export { createProductionAgentHandler, } from "../agent/index.js";

package/dist/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,GAGd,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,GAEjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAyB,MAAM,iBAAiB,CAAC;AAChF,OAAO,EAAE,gBAAgB,EAA0B,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,UAAU,EACV,aAAa,EACb,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,GAIf,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,aAAa,EAA2B,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAA4B,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,GAkB7B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,GAElB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,GAG7B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC7E,2EAA2E;AAC3E,2EAA2E;AAC3E,8DAA8D;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,GAKpC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,cAAc,GAKf,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,GAElC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,GAE1B,MAAM,+BAA+B,CAAC;AAWvC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,GAEtB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,GAEnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,GAGhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,GAEf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,GAElB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,GAG3B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,GAI1B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,GAMb,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,GAIzB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,GAEhB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,GAGjB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,GAIV,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,GAGtB,MAAM,wBAAwB,CAAC;AAWhC,MAAM,UAAU,iBAAiB,CAAC,GAAmB;IACnD,OAAO,GAAG,CAAC;AACb,CAAC","sourcesContent":["export {\n  createServer,\n  upsertEnvFile,\n  type CreateServerOptions,\n  type EnvKeyConfig,\n} from \"./create-server.js\";\n\nexport { readBody, streamFile } from \"./h3-helpers.js\";\nexport {\n  buildDeepLink,\n  toAbsoluteOpenUrl,\n  toDesktopOpenUrl,\n  OPEN_ROUTE_SUBPATH,\n  DESKTOP_OPEN_URL,\n  type DeepLinkInput,\n} from \"./deep-link.js\";\nexport { createOpenRouteHandler, type OpenRouteOptions } from \"./open-route.js\";\nexport { createSSEHandler, type SSEHandlerOptions } from \"./sse.js\";\nexport {\n  mountAuthMiddleware,\n  autoMountAuth,\n  getSession,\n  addSession,\n  removeSession,\n  getSessionEmail,\n  runAuthGuard,\n  setDesktopExchange,\n  setDesktopExchangeError,\n  safeReturnPath,\n  type DesktopExchangeErrorPayload,\n  type AuthSession,\n  type AuthOptions,\n} from \"./auth.js\";\nexport { requireEnvKey, type MissingKeyResponse } from \"./missing-key.js\";\nexport { verifyCaptcha, type CaptchaVerifyResult } from \"./captcha.js\";\nexport {\n  createProductionAgentHandler,\n  type ActionEntry,\n  type ScriptEntry,\n  type ProductionAgentOptions,\n  type ActionTool,\n  type ScriptTool,\n  type AgentMessage,\n  type AgentChatRequest,\n  type AgentChatEvent,\n  type AgentChatAttachment,\n  type AgentChatReference,\n  type MentionProvider,\n  type MentionProviderItem,\n  type AgentLoopFinalResponseGuard,\n  type AgentLoopFinalResponseGuardContext,\n  type AgentLoopFinalResponseGuardResult,\n  type AgentLoopToolCallSummary,\n  type AgentLoopToolResultSummary,\n} from \"../agent/index.js\";\nexport {\n  actionsToEngineTools,\n  getOwnerActiveApiKey,\n  runAgentLoop,\n} from \"../agent/production-agent.js\";\nexport {\n  getStoredModelForEngine,\n  resolveEngine,\n} from \"../agent/engine/index.js\";\nexport { createDevScriptRegistry } from \"../scripts/dev/index.js\";\n\nexport {\n  createPollHandler,\n  recordChange,\n  getVersion,\n  getChangesSince,\n  getPollEmitter,\n  canSeeChangeForUser,\n  POLL_CHANGE_EVENT,\n} from \"./poll.js\";\nexport { createPollEventsHandler } from \"./poll-events.js\";\nexport { createAuthPlugin, defaultAuthPlugin } from \"./auth-plugin.js\";\nexport {\n  initServerSentry,\n  isServerSentryEnabled,\n  setSentryUserForRequest,\n  captureRouteError,\n  type RouteErrorContext,\n} from \"./sentry.js\";\nexport {\n  captureError,\n  captureServerError,\n  registerErrorCaptureProvider,\n  type CaptureErrorContext,\n  type CaptureErrorProvider,\n} from \"./capture-error.js\";\nexport { createSentryPlugin, defaultSentryPlugin } from \"./sentry-plugin.js\";\n// Re-export the org plugin so the auto-discovery's DEFAULT_PLUGIN_REGISTRY\n// (which references \"defaultOrgPlugin\" from @agent-native/core/server) can\n// resolve it during the deploy build worker-entry generation.\nexport { createOrgPlugin, defaultOrgPlugin } from \"../org/plugin.js\";\nexport {\n  createGoogleAuthPlugin,\n  type GoogleAuthPluginOptions,\n} from \"./google-auth-plugin.js\";\nexport type { GoogleAuthMode } from \"./google-auth-mode.js\";\nexport {\n  createAgentChatPlugin,\n  defaultAgentChatPlugin,\n  type AgentChatPluginOptions,\n} from \"./agent-chat-plugin.js\";\nexport {\n  configureAgentNativeEmbeddedEnvironment,\n  createAgentNativeEmbeddedAuthOptions,\n  createAgentNativeEmbeddedPlugin,\n  mountAgentNativeEmbedded,\n  normalizeAgentNativeEmbeddedSession,\n  type AgentNativeEmbeddedAuthOptions,\n  type AgentNativeEmbeddedGetSession,\n  type AgentNativeEmbeddedHostSession,\n  type AgentNativeEmbeddedPluginOptions,\n} from \"./embedded.js\";\nexport {\n  createThread,\n  getThread,\n  listThreads,\n  updateThreadData,\n  deleteThread,\n  setThreadScope,\n  type ChatThread,\n  type ChatThreadScope,\n  type ChatThreadSummary,\n  type ListThreadsOptions,\n} from \"../chat-threads/store.js\";\nexport {\n  createResourcesPlugin,\n  defaultResourcesPlugin,\n} from \"./resources-plugin.js\";\nexport {\n  createCoreRoutesPlugin,\n  defaultCoreRoutesPlugin,\n  FRAMEWORK_ROUTE_PREFIX,\n  type CoreRoutesPluginOptions,\n} from \"./core-routes-plugin.js\";\nexport {\n  createBrowserSessionActionEntries,\n  type CreateBrowserSessionActionEntriesOptions,\n} from \"../browser-sessions/actions.js\";\nexport {\n  DEFAULT_BROWSER_SESSION_REQUEST_POLL_MS,\n  DEFAULT_BROWSER_SESSION_REQUEST_TIMEOUT_MS,\n  DEFAULT_BROWSER_SESSION_TTL_MS,\n  callBrowserSession,\n  claimBrowserSessionRequest,\n  completeBrowserSessionRequest,\n  createBrowserSessionRequest,\n  disconnectBrowserSession,\n  getBrowserSession,\n  getBrowserSessionRequest,\n  listBrowserSessions,\n  registerBrowserSession,\n  waitForBrowserSessionRequest,\n} from \"../browser-sessions/store.js\";\nexport {\n  mountBrowserSessionRoutes,\n  type MountBrowserSessionRoutesOptions,\n} from \"../browser-sessions/routes.js\";\nexport type {\n  AgentNativeBrowserSession,\n  AgentNativeBrowserSessionAction,\n  AgentNativeBrowserSessionRecord,\n  AgentNativeBrowserSessionRequest,\n  AgentNativeBrowserSessionRequestStatus,\n  AgentNativeBrowserSessionRequestType,\n  CreateAgentNativeBrowserSessionRequestInput,\n  RegisterAgentNativeBrowserSessionInput,\n} from \"../browser-sessions/types.js\";\nexport {\n  createTerminalPlugin,\n  defaultTerminalPlugin,\n  type TerminalPluginOptions,\n} from \"../terminal/terminal-plugin.js\";\nexport {\n  createCollabPlugin,\n  type CollabPluginOptions,\n} from \"./collab-plugin.js\";\n\nexport {\n  spawnTask,\n  getTask,\n  getTaskByThread,\n  listTasks,\n  sendToTask,\n  markTaskErrored,\n  type AgentTask,\n  type SpawnTaskOptions,\n} from \"./agent-teams.js\";\nexport { isOAuthConnected, getOAuthAccounts } from \"./oauth-helpers.js\";\nexport { wrapWithAnalytics } from \"./analytics.js\";\nexport {\n  getH3App,\n  awaitBootstrap,\n  type H3AppShim,\n} from \"./framework-request-handler.js\";\nexport {\n  autoDiscoverActions,\n  autoDiscoverScripts,\n  loadActionsFromStaticRegistry,\n  mergeCoreSharingActions,\n  registerPackageActions,\n} from \"./action-discovery.js\";\nexport {\n  mountActionRoutes,\n  type MountActionRoutesOptions,\n} from \"./action-routes.js\";\nexport {\n  runWithRequestContext,\n  hasRequestContext,\n  getRequestContext,\n  getRequestUserEmail,\n  getRequestUserName,\n  getRequestOrgId,\n  getRequestTimezone,\n  getRequestRunContext,\n  getCredentialContext,\n  isIntegrationCallerRequest,\n  type RequestContext,\n  type RequestRunContext,\n} from \"./request-context.js\";\nexport { formatDateInTimezone, todayInTimezone } from \"./date-utils.js\";\n\nexport {\n  createOnboardingPlugin,\n  defaultOnboardingPlugin,\n} from \"../onboarding/plugin.js\";\n\nexport {\n  registerFileUploadProvider,\n  unregisterFileUploadProvider,\n  listFileUploadProviders,\n  getActiveFileUploadProvider,\n  uploadFile,\n  builderFileUploadProvider,\n  type FileUploadInput,\n  type FileUploadProvider,\n  type FileUploadResult,\n} from \"../file-upload/index.js\";\n\nexport {\n  createIntegrationsPlugin,\n  defaultIntegrationsPlugin,\n  enqueueRemoteCommand,\n  slackAdapter,\n  telegramAdapter,\n  whatsappAdapter,\n  emailAdapter,\n  type PlatformAdapter,\n  type IncomingMessage,\n  type OutgoingMessage,\n  type IntegrationStatus,\n  type IntegrationsPluginOptions,\n} from \"../integrations/index.js\";\n\nexport {\n  isElectron,\n  isMobile,\n  getOrigin,\n  getAppBasePath,\n  getAppUrl,\n  resolveOAuthRedirectUri,\n  isAllowedOAuthRedirectUri,\n  encodeOAuthState,\n  decodeOAuthState,\n  resolveOAuthOwner,\n  createOAuthSession,\n  oauthCallbackResponse,\n  oauthErrorPage,\n  oauthDesktopExchangePage,\n  type OAuthStatePayload,\n  type OAuthOwnerResult,\n  type OAuthSessionResult,\n} from \"./google-oauth.js\";\n\nexport {\n  FeatureNotConfiguredError,\n  hasBuilderPrivateKey,\n  isBuilderEnvManaged,\n  getBuilderProxyOrigin,\n  getBuilderImageGenerationBaseUrl,\n  getBuilderAuthHeader,\n  resolveBuilderPrivateKey,\n  resolveBuilderAuthHeader,\n  resolveHasBuilderPrivateKey,\n  resolveBuilderCredentials,\n  resolveBuilderCredential,\n  writeBuilderCredentials,\n  deleteBuilderCredentials,\n  resolveSecret,\n} from \"./credential-provider.js\";\nexport {\n  getBuilderBranchProjectId,\n  isBuilderBranchingEnabled,\n  resolveBuilderBranchProjectId,\n  resolveIsBuilderBranchingEnabled,\n  runBuilderAgent,\n  type RunBuilderAgentResult,\n} from \"./builder-browser.js\";\n\nexport {\n  sendEmail,\n  isEmailConfigured,\n  getEmailProvider,\n  type EmailProvider,\n  type SendEmailArgs,\n} from \"./email.js\";\nexport {\n  renderEmail,\n  emailStrong,\n  emailLink,\n  type RenderEmailArgs,\n  type RenderedEmail,\n  type EmailCta,\n} from \"./email-template.js\";\nexport { getAppProductionUrl, getFirstPartyProdUrl } from \"./app-url.js\";\nexport {\n  getConfiguredAppBasePath,\n  normalizeAppBasePath,\n  withConfiguredAppBasePath,\n} from \"./app-base-path.js\";\nexport {\n  signShortLivedToken,\n  verifyShortLivedToken,\n  type ShortLivedTokenClaims,\n  type VerifyResult as ShortLivedTokenVerifyResult,\n} from \"./short-lived-token.js\";\n\n// SSR handler is NOT re-exported here — it uses a virtual module\n// (virtual:react-router/server-build) that only exists at Vite dev/build time.\n// Including it in this barrel would break the esbuild CF Pages bundler.\n// Templates import directly: import { ssrHandler } from \"@agent-native/core/server/ssr-handler\"\n\n// Nitro plugin helper — re-exported so templates don't need nitro as a direct dependency.\n// defineNitroPlugin is an identity function; this typed wrapper lets templates use it\n// without resolving `nitro/runtime` (which requires Nitro's virtual modules at runtime).\nexport type NitroPluginDef = (nitroApp: any) => void | Promise<void>;\nexport function defineNitroPlugin(def: NitroPluginDef): NitroPluginDef {\n  return def;\n}\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,GAGd,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,GAEjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAyB,MAAM,iBAAiB,CAAC;AAChF,OAAO,EAAE,gBAAgB,EAA0B,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,UAAU,EACV,aAAa,EACb,eAAe,EACf,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,GAIf,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAA2B,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAA4B,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,GAkB7B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,GAElB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,GAG7B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC7E,2EAA2E;AAC3E,2EAA2E;AAC3E,8DAA8D;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,GAKpC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,cAAc,GAKf,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,GAElC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,GAE1B,MAAM,+BAA+B,CAAC;AAWvC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,GAEtB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,GAEnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,GAGhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,GAEf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,GAElB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,GAG3B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,GAI1B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,GAMb,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,GAIzB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,GAEhB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,GAGjB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,GAIV,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,GAGtB,MAAM,wBAAwB,CAAC;AAWhC,MAAM,UAAU,iBAAiB,CAAC,GAAmB;IACnD,OAAO,GAAG,CAAC;AACb,CAAC","sourcesContent":["export {\n  createServer,\n  upsertEnvFile,\n  type CreateServerOptions,\n  type EnvKeyConfig,\n} from \"./create-server.js\";\n\nexport { readBody, streamFile } from \"./h3-helpers.js\";\nexport {\n  buildDeepLink,\n  toAbsoluteOpenUrl,\n  toDesktopOpenUrl,\n  OPEN_ROUTE_SUBPATH,\n  DESKTOP_OPEN_URL,\n  type DeepLinkInput,\n} from \"./deep-link.js\";\nexport { createOpenRouteHandler, type OpenRouteOptions } from \"./open-route.js\";\nexport { createSSEHandler, type SSEHandlerOptions } from \"./sse.js\";\nexport {\n  mountAuthMiddleware,\n  autoMountAuth,\n  getSession,\n  addSession,\n  removeSession,\n  getSessionEmail,\n  runAuthGuard,\n  setDesktopExchange,\n  setDesktopExchangeError,\n  safeReturnPath,\n  type DesktopExchangeErrorPayload,\n  type AuthSession,\n  type AuthOptions,\n} from \"./auth.js\";\nexport {\n  handleIdentitySso,\n  getIdentityHubUrl,\n  isIdentitySsoEnabled,\n  isIdentitySsoBypassPath,\n  identitySsoLoginButtonHtml,\n  IDENTITY_SSO_PROVIDER_ID,\n  IDENTITY_SSO_SCOPE,\n} from \"./identity-sso.js\";\nexport { requireEnvKey, type MissingKeyResponse } from \"./missing-key.js\";\nexport { verifyCaptcha, type CaptchaVerifyResult } from \"./captcha.js\";\nexport {\n  createProductionAgentHandler,\n  type ActionEntry,\n  type ScriptEntry,\n  type ProductionAgentOptions,\n  type ActionTool,\n  type ScriptTool,\n  type AgentMessage,\n  type AgentChatRequest,\n  type AgentChatEvent,\n  type AgentChatAttachment,\n  type AgentChatReference,\n  type MentionProvider,\n  type MentionProviderItem,\n  type AgentLoopFinalResponseGuard,\n  type AgentLoopFinalResponseGuardContext,\n  type AgentLoopFinalResponseGuardResult,\n  type AgentLoopToolCallSummary,\n  type AgentLoopToolResultSummary,\n} from \"../agent/index.js\";\nexport {\n  actionsToEngineTools,\n  getOwnerActiveApiKey,\n  runAgentLoop,\n} from \"../agent/production-agent.js\";\nexport {\n  getStoredModelForEngine,\n  resolveEngine,\n} from \"../agent/engine/index.js\";\nexport { createDevScriptRegistry } from \"../scripts/dev/index.js\";\n\nexport {\n  createPollHandler,\n  recordChange,\n  getVersion,\n  getChangesSince,\n  getPollEmitter,\n  canSeeChangeForUser,\n  POLL_CHANGE_EVENT,\n} from \"./poll.js\";\nexport { createPollEventsHandler } from \"./poll-events.js\";\nexport { createAuthPlugin, defaultAuthPlugin } from \"./auth-plugin.js\";\nexport {\n  initServerSentry,\n  isServerSentryEnabled,\n  setSentryUserForRequest,\n  captureRouteError,\n  type RouteErrorContext,\n} from \"./sentry.js\";\nexport {\n  captureError,\n  captureServerError,\n  registerErrorCaptureProvider,\n  type CaptureErrorContext,\n  type CaptureErrorProvider,\n} from \"./capture-error.js\";\nexport { createSentryPlugin, defaultSentryPlugin } from \"./sentry-plugin.js\";\n// Re-export the org plugin so the auto-discovery's DEFAULT_PLUGIN_REGISTRY\n// (which references \"defaultOrgPlugin\" from @agent-native/core/server) can\n// resolve it during the deploy build worker-entry generation.\nexport { createOrgPlugin, defaultOrgPlugin } from \"../org/plugin.js\";\nexport {\n  createGoogleAuthPlugin,\n  type GoogleAuthPluginOptions,\n} from \"./google-auth-plugin.js\";\nexport type { GoogleAuthMode } from \"./google-auth-mode.js\";\nexport {\n  createAgentChatPlugin,\n  defaultAgentChatPlugin,\n  type AgentChatPluginOptions,\n} from \"./agent-chat-plugin.js\";\nexport {\n  configureAgentNativeEmbeddedEnvironment,\n  createAgentNativeEmbeddedAuthOptions,\n  createAgentNativeEmbeddedPlugin,\n  mountAgentNativeEmbedded,\n  normalizeAgentNativeEmbeddedSession,\n  type AgentNativeEmbeddedAuthOptions,\n  type AgentNativeEmbeddedGetSession,\n  type AgentNativeEmbeddedHostSession,\n  type AgentNativeEmbeddedPluginOptions,\n} from \"./embedded.js\";\nexport {\n  createThread,\n  getThread,\n  listThreads,\n  updateThreadData,\n  deleteThread,\n  setThreadScope,\n  type ChatThread,\n  type ChatThreadScope,\n  type ChatThreadSummary,\n  type ListThreadsOptions,\n} from \"../chat-threads/store.js\";\nexport {\n  createResourcesPlugin,\n  defaultResourcesPlugin,\n} from \"./resources-plugin.js\";\nexport {\n  createCoreRoutesPlugin,\n  defaultCoreRoutesPlugin,\n  FRAMEWORK_ROUTE_PREFIX,\n  type CoreRoutesPluginOptions,\n} from \"./core-routes-plugin.js\";\nexport {\n  createBrowserSessionActionEntries,\n  type CreateBrowserSessionActionEntriesOptions,\n} from \"../browser-sessions/actions.js\";\nexport {\n  DEFAULT_BROWSER_SESSION_REQUEST_POLL_MS,\n  DEFAULT_BROWSER_SESSION_REQUEST_TIMEOUT_MS,\n  DEFAULT_BROWSER_SESSION_TTL_MS,\n  callBrowserSession,\n  claimBrowserSessionRequest,\n  completeBrowserSessionRequest,\n  createBrowserSessionRequest,\n  disconnectBrowserSession,\n  getBrowserSession,\n  getBrowserSessionRequest,\n  listBrowserSessions,\n  registerBrowserSession,\n  waitForBrowserSessionRequest,\n} from \"../browser-sessions/store.js\";\nexport {\n  mountBrowserSessionRoutes,\n  type MountBrowserSessionRoutesOptions,\n} from \"../browser-sessions/routes.js\";\nexport type {\n  AgentNativeBrowserSession,\n  AgentNativeBrowserSessionAction,\n  AgentNativeBrowserSessionRecord,\n  AgentNativeBrowserSessionRequest,\n  AgentNativeBrowserSessionRequestStatus,\n  AgentNativeBrowserSessionRequestType,\n  CreateAgentNativeBrowserSessionRequestInput,\n  RegisterAgentNativeBrowserSessionInput,\n} from \"../browser-sessions/types.js\";\nexport {\n  createTerminalPlugin,\n  defaultTerminalPlugin,\n  type TerminalPluginOptions,\n} from \"../terminal/terminal-plugin.js\";\nexport {\n  createCollabPlugin,\n  type CollabPluginOptions,\n} from \"./collab-plugin.js\";\n\nexport {\n  spawnTask,\n  getTask,\n  getTaskByThread,\n  listTasks,\n  sendToTask,\n  markTaskErrored,\n  type AgentTask,\n  type SpawnTaskOptions,\n} from \"./agent-teams.js\";\nexport { isOAuthConnected, getOAuthAccounts } from \"./oauth-helpers.js\";\nexport { wrapWithAnalytics } from \"./analytics.js\";\nexport {\n  getH3App,\n  awaitBootstrap,\n  type H3AppShim,\n} from \"./framework-request-handler.js\";\nexport {\n  autoDiscoverActions,\n  autoDiscoverScripts,\n  loadActionsFromStaticRegistry,\n  mergeCoreSharingActions,\n  registerPackageActions,\n} from \"./action-discovery.js\";\nexport {\n  mountActionRoutes,\n  type MountActionRoutesOptions,\n} from \"./action-routes.js\";\nexport {\n  runWithRequestContext,\n  hasRequestContext,\n  getRequestContext,\n  getRequestUserEmail,\n  getRequestUserName,\n  getRequestOrgId,\n  getRequestTimezone,\n  getRequestRunContext,\n  getCredentialContext,\n  isIntegrationCallerRequest,\n  type RequestContext,\n  type RequestRunContext,\n} from \"./request-context.js\";\nexport { formatDateInTimezone, todayInTimezone } from \"./date-utils.js\";\n\nexport {\n  createOnboardingPlugin,\n  defaultOnboardingPlugin,\n} from \"../onboarding/plugin.js\";\n\nexport {\n  registerFileUploadProvider,\n  unregisterFileUploadProvider,\n  listFileUploadProviders,\n  getActiveFileUploadProvider,\n  uploadFile,\n  builderFileUploadProvider,\n  type FileUploadInput,\n  type FileUploadProvider,\n  type FileUploadResult,\n} from \"../file-upload/index.js\";\n\nexport {\n  createIntegrationsPlugin,\n  defaultIntegrationsPlugin,\n  enqueueRemoteCommand,\n  slackAdapter,\n  telegramAdapter,\n  whatsappAdapter,\n  emailAdapter,\n  type PlatformAdapter,\n  type IncomingMessage,\n  type OutgoingMessage,\n  type IntegrationStatus,\n  type IntegrationsPluginOptions,\n} from \"../integrations/index.js\";\n\nexport {\n  isElectron,\n  isMobile,\n  getOrigin,\n  getAppBasePath,\n  getAppUrl,\n  resolveOAuthRedirectUri,\n  isAllowedOAuthRedirectUri,\n  encodeOAuthState,\n  decodeOAuthState,\n  resolveOAuthOwner,\n  createOAuthSession,\n  oauthCallbackResponse,\n  oauthErrorPage,\n  oauthDesktopExchangePage,\n  type OAuthStatePayload,\n  type OAuthOwnerResult,\n  type OAuthSessionResult,\n} from \"./google-oauth.js\";\n\nexport {\n  FeatureNotConfiguredError,\n  hasBuilderPrivateKey,\n  isBuilderEnvManaged,\n  getBuilderProxyOrigin,\n  getBuilderImageGenerationBaseUrl,\n  getBuilderAuthHeader,\n  resolveBuilderPrivateKey,\n  resolveBuilderAuthHeader,\n  resolveHasBuilderPrivateKey,\n  resolveBuilderCredentials,\n  resolveBuilderCredential,\n  writeBuilderCredentials,\n  deleteBuilderCredentials,\n  resolveSecret,\n} from \"./credential-provider.js\";\nexport {\n  getBuilderBranchProjectId,\n  isBuilderBranchingEnabled,\n  resolveBuilderBranchProjectId,\n  resolveIsBuilderBranchingEnabled,\n  runBuilderAgent,\n  type RunBuilderAgentResult,\n} from \"./builder-browser.js\";\n\nexport {\n  sendEmail,\n  isEmailConfigured,\n  getEmailProvider,\n  type EmailProvider,\n  type SendEmailArgs,\n} from \"./email.js\";\nexport {\n  renderEmail,\n  emailStrong,\n  emailLink,\n  type RenderEmailArgs,\n  type RenderedEmail,\n  type EmailCta,\n} from \"./email-template.js\";\nexport { getAppProductionUrl, getFirstPartyProdUrl } from \"./app-url.js\";\nexport {\n  getConfiguredAppBasePath,\n  normalizeAppBasePath,\n  withConfiguredAppBasePath,\n} from \"./app-base-path.js\";\nexport {\n  signShortLivedToken,\n  verifyShortLivedToken,\n  type ShortLivedTokenClaims,\n  type VerifyResult as ShortLivedTokenVerifyResult,\n} from \"./short-lived-token.js\";\n\n// SSR handler is NOT re-exported here — it uses a virtual module\n// (virtual:react-router/server-build) that only exists at Vite dev/build time.\n// Including it in this barrel would break the esbuild CF Pages bundler.\n// Templates import directly: import { ssrHandler } from \"@agent-native/core/server/ssr-handler\"\n\n// Nitro plugin helper — re-exported so templates don't need nitro as a direct dependency.\n// defineNitroPlugin is an identity function; this typed wrapper lets templates use it\n// without resolving `nitro/runtime` (which requires Nitro's virtual modules at runtime).\nexport type NitroPluginDef = (nitroApp: any) => void | Promise<void>;\nexport function defineNitroPlugin(def: NitroPluginDef): NitroPluginDef {\n  return def;\n}\n"]}

package/dist/server/onboarding-html.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"onboarding-html.d.ts","sourceRoot":"","sources":["../../src/server/onboarding-html.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,uBAAuB,CAAC;AAmC/B,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;;OAIG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;OAIG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,qBAA0B,GAAG,MAAM,CA+qD1E;AAED,kDAAkD;AAClD,eAAO,MAAM,eAAe,QAAsB,CAAC;AAEnD;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CA0G7C"}
+{"version":3,"file":"onboarding-html.d.ts","sourceRoot":"","sources":["../../src/server/onboarding-html.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAEL,KAAK,cAAc,EACpB,MAAM,uBAAuB,CAAC;AAoC/B,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;;OAIG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;OAIG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;CACjC;AAED,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,qBAA0B,GAAG,MAAM,CA+qD1E;AAED,kDAAkD;AAClD,eAAO,MAAM,eAAe,QAAsB,CAAC;AAEnD;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CA0G7C"}