@agent-native/core 0.22.2 → 0.22.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -157,7 +157,7 @@ OAuth flows (Google, Atlassian, Zoom) sign their state envelope with a dedicated
157
157
  OAUTH_STATE_SECRET=$(openssl rand -hex 32)
158
158
  ```
159
159
 
160
- This used to fall back to `GOOGLE_CLIENT_SECRET` (a credential shared with Google) — a leak of the Google secret would have let attackers forge OAuth state envelopes. The dedicated key is independent of any third-party secret. If `OAUTH_STATE_SECRET` is unset, the framework falls back to `BETTER_AUTH_SECRET`; if both are unset, the OAuth flows fail in production.
160
+ This used to fall back to `GOOGLE_CLIENT_SECRET` (a credential shared with Google) — a leak of the Google secret would have let attackers forge OAuth state envelopes. The dedicated key is independent of any third-party secret. If `OAUTH_STATE_SECRET` is unset, the framework falls back to `BETTER_AUTH_SECRET`; hosted workspace deploys can also derive a per-purpose OAuth key from the already-required `A2A_SECRET`. If none of those server secrets are available, OAuth flows fail in production.
161
161
 
162
162
  `redirect_uri` query parameters are also validated against an allowlist (same-origin + framework `/_agent-native/...` paths). Custom OAuth flows in templates should use the framework's `isAllowedOAuthRedirectUri()` helper before signing state.
163
163
 
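Review bot: the new `A2A_SECRET` fallback weakens the guarantee stated one sentence earlier in this same paragraph (line 160: "The dedicated key is independent of any third-party secret"), because `A2A_SECRET` is, per the checklist in this file, shared with every app that calls or receives A2A traffic; a leak of any peer's copy would then let an attacker forge OAuth state envelopes. The paragraph should say explicitly that the derivation is per-purpose (a KDF with a distinct label, so the derived OAuth key is not usable as the A2A key and vice versa, and the reverse direction is not computable), and it should spell out the precedence and its trigger, since "can also derive" leaves it unclear whether this happens automatically for hosted workspace deploys or only when `OAUTH_STATE_SECRET` and `BETTER_AUTH_SECRET` are both unset. Something like "Resolution order: `OAUTH_STATE_SECRET`, then `BETTER_AUTH_SECRET`, then (hosted workspace deploys only) a key derived from `A2A_SECRET` with a purpose-specific label; otherwise OAuth flows fail in production" would make the fallback chain auditable.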
@@ -177,8 +177,8 @@ Workspace-scope secret writes still require org owner/admin role regardless of t
177
177
 
178
178
  ### Auth & secrets
179
179
 
180
- - [ ] `BETTER_AUTH_SECRET` set to a random 32+ char string (`openssl rand -hex 32`)
181
- - [ ] `OAUTH_STATE_SECRET` set to a separate random 32+ char string (don't reuse `BETTER_AUTH_SECRET`)
180
+ - [ ] `BETTER_AUTH_SECRET` set to a random 32+ char string (`openssl rand -hex 32`), unless this is a hosted workspace deploy deriving it from `A2A_SECRET`
181
+ - [ ] `OAUTH_STATE_SECRET` set to a separate random 32+ char string (don't reuse `BETTER_AUTH_SECRET`), unless this is a hosted workspace deploy deriving it from `A2A_SECRET`
182
182
  - [ ] `A2A_SECRET` set on every app that calls or receives A2A traffic
183
183
  - [ ] `SECRETS_ENCRYPTION_KEY` set (or rely on the `BETTER_AUTH_SECRET` fallback)
184
184
  - [ ] `AUTH_SKIP_EMAIL_VERIFICATION` is **not** set in production (or set only on QA preview deploys)
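Review bot: the two amended checklist items (lines 180 and 181) now allow both `BETTER_AUTH_SECRET` and `OAUTH_STATE_SECRET` to be derived from the same `A2A_SECRET`, which sits awkwardly next to the still-present "don't reuse `BETTER_AUTH_SECRET`" guidance; the checklist should state that the hosted-deploy derivation is per-purpose so a reader does not conclude that a single shared value is now acceptable everywhere. Two follow-on points are missing: the checklist gives no way for a deployer to confirm that derivation is actually active rather than silently running with an unset secret, and it does not mention that rotating `A2A_SECRET` on a hosted workspace deploy now also invalidates auth sessions and in-flight OAuth state. A third line for `A2A_SECRET` (line 182 only says it must be set) noting both consequences, and a note on whether `SECRETS_ENCRYPTION_KEY`'s `BETTER_AUTH_SECRET` fallback (line 184) follows the same derived value, would close the gap.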
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agent-native/core",
3
- "version": "0.22.2",
3
+ "version": "0.22.4",
4
4
  "type": "module",
5
5
  "description": "Framework for agent-native application development — where AI agents and UI share state via files",
6
6
  "license": "MIT",