@agent-native/core 0.22.5 → 0.22.7

package/dist/server/embed-route.d.ts

@@ -0,0 +1,8 @@
+import type { H3Event } from "h3";
+import type { AuthSession } from "./auth.js";
+export declare function buildEmbedStartPath(ticket: string): string;
+export interface EmbedStartRouteOptions {
+    getExistingSession?: (event: H3Event) => Promise<AuthSession | null>;
+}
+export declare function createEmbedStartRouteHandler(options?: EmbedStartRouteOptions): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<Response>>;
+//# sourceMappingURL=embed-route.d.ts.map

package/dist/server/embed-route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"embed-route.d.ts","sourceRoot":"","sources":["../../src/server/embed-route.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAQlC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AA0C7C,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAG1D;AAED,MAAM,WAAW,sBAAsB;IACrC,kBAAkB,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CACtE;AAED,wBAAgB,4BAA4B,CAC1C,OAAO,GAAE,sBAA2B,2FAuCrC"}

package/dist/server/embed-route.js

@@ -0,0 +1,71 @@
+import { defineEventHandler, getMethod, getQuery, setResponseHeader } from "h3";
+import { consumeEmbedSessionTicket, normalizeEmbedTargetPath, setEmbedSessionCookie, signEmbedSessionToken, } from "./embed-session.js";
+import { getConfiguredAppBasePath } from "./app-base-path.js";
+import { EMBED_MODE_QUERY_PARAM, EMBED_START_PATH, EMBED_TOKEN_QUERY_PARAM, } from "../shared/embed-auth.js";
+import { withCollapsedAgentSidebarParam } from "../shared/agent-sidebar-url.js";
+function withConfiguredBasePath(path) {
+    const base = getConfiguredAppBasePath();
+    if (!base)
+        return path;
+    if (path === base || path.startsWith(`${base}/`))
+        return path;
+    return `${base}${path}`;
+}
+function appendEmbedParams(target, token) {
+    const url = new URL(target, "http://agent-native.invalid");
+    url.searchParams.set(EMBED_MODE_QUERY_PARAM, "1");
+    url.searchParams.set(EMBED_TOKEN_QUERY_PARAM, token);
+    return `${url.pathname}${url.search}${url.hash}`;
+}
+function redirectWithStagedCookies(event, location, status = 302) {
+    const headers = new Headers({ Location: location });
+    const staged = event.res?.headers?.getSetCookie?.() ?? [];
+    for (const cookie of staged)
+        headers.append("set-cookie", cookie);
+    headers.set("Referrer-Policy", "no-referrer");
+    return new Response("", { status, headers });
+}
+function textResponse(message, status) {
+    return new Response(message, {
+        status,
+        headers: { "Content-Type": "text/plain; charset=utf-8" },
+    });
+}
+export function buildEmbedStartPath(ticket) {
+    const qs = new URLSearchParams({ ticket });
+    return `${getConfiguredAppBasePath()}${EMBED_START_PATH}?${qs}`;
+}
+export function createEmbedStartRouteHandler(options = {}) {
+    return defineEventHandler(async (event) => {
+        const method = getMethod(event);
+        if (method !== "GET" && method !== "HEAD") {
+            return textResponse("Method not allowed", 405);
+        }
+        const rawTicket = getQuery(event)?.ticket;
+        const ticket = Array.isArray(rawTicket) ? rawTicket[0] : rawTicket;
+        const existingSession = await options
+            .getExistingSession?.(event)
+            .catch(() => null);
+        const consumed = await consumeEmbedSessionTicket(ticket, {
+            expectedOrgId: existingSession?.orgId ?? null,
+        });
+        if (!consumed) {
+            return textResponse("Invalid or expired embed session.", 401);
+        }
+        const target = normalizeEmbedTargetPath(consumed.targetPath);
+        if (!target) {
+            return textResponse("Invalid embed target.", 400);
+        }
+        const token = signEmbedSessionToken({
+            ownerEmail: consumed.ownerEmail,
+            orgId: consumed.orgId,
+            targetPath: target,
+            scope: consumed.scope,
+        });
+        setEmbedSessionCookie(event, token);
+        setResponseHeader(event, "Referrer-Policy", "no-referrer");
+        const location = withConfiguredBasePath(withCollapsedAgentSidebarParam(appendEmbedParams(target, token)));
+        return redirectWithStagedCookies(event, location);
+    });
+}
+//# sourceMappingURL=embed-route.js.map

package/dist/server/embed-route.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"embed-route.js","sourceRoot":"","sources":["../../src/server/embed-route.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAChF,OAAO,EACL,yBAAyB,EACzB,wBAAwB,EACxB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,8BAA8B,EAAE,MAAM,gCAAgC,CAAC;AAEhF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;IACxC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAc,EAAE,KAAa;IACtD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,6BAA6B,CAAC,CAAC;IAC3D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,sBAAsB,EAAE,GAAG,CAAC,CAAC;IAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;IACrD,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;AACnD,CAAC;AAED,SAAS,yBAAyB,CAChC,KAAc,EACd,QAAgB,EAChB,MAAM,GAAG,GAAG;IAEZ,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC;IAC1D,KAAK,MAAM,MAAM,IAAI,MAAM;QAAE,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAClE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC9C,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,YAAY,CAAC,OAAe,EAAE,MAAc;IACnD,OAAO,IAAI,QAAQ,CAAC,OAAO,EAAE;QAC3B,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,2BAA2B,EAAE;KACzD,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAc;IAChD,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3C,OAAO,GAAG,wBAAwB,EAAE,GAAG,gBAAgB,IAAI,EAAE,EAAE,CAAC;AAClE,CAAC;AAMD,MAAM,UAAU,4BAA4B,CAC1C,UAAkC,EAAE;IAEpC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,OAAO,YAAY,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACnE,MAAM,eAAe,GAAG,MAAM,OAAO;aAClC,kBAAkB,EAAE,CAAC,KAAK,CAAC;aAC3B,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,QAAQ,GAAG,MAAM,yBAAyB,CAAC,MAAM,EAAE;YACvD,aAAa,EAAE,eAAe,EAAE,KAAK,IAAI,IAAI;SAC9C,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,YAAY,CAAC,mCAAmC,EAAE,GAAG,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,MAAM,GAAG,wBAAwB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,YAAY,CAAC,uBAAuB,EAAE,GAAG,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,KAAK,GAAG,qBAAqB,CAAC;YAClC,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,UAAU,EAAE,MAAM;YAClB,KAAK,EAAE,QAAQ,CAAC,KAAK;SACtB,CAAC,CAAC;QACH,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACpC,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAE3D,MAAM,QAAQ,GAAG,sBAAsB,CACrC,8BAA8B,CAAC,iBAAiB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CACjE,CAAC;QACF,OAAO,yBAAyB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import type { H3Event } from \"h3\";\nimport { defineEventHandler, getMethod, getQuery, setResponseHeader } from \"h3\";\nimport {\n  consumeEmbedSessionTicket,\n  normalizeEmbedTargetPath,\n  setEmbedSessionCookie,\n  signEmbedSessionToken,\n} from \"./embed-session.js\";\nimport type { AuthSession } from \"./auth.js\";\nimport { getConfiguredAppBasePath } from \"./app-base-path.js\";\nimport {\n  EMBED_MODE_QUERY_PARAM,\n  EMBED_START_PATH,\n  EMBED_TOKEN_QUERY_PARAM,\n} from \"../shared/embed-auth.js\";\nimport { withCollapsedAgentSidebarParam } from \"../shared/agent-sidebar-url.js\";\n\nfunction withConfiguredBasePath(path: string): string {\n  const base = getConfiguredAppBasePath();\n  if (!base) return path;\n  if (path === base || path.startsWith(`${base}/`)) return path;\n  return `${base}${path}`;\n}\n\nfunction appendEmbedParams(target: string, token: string): string {\n  const url = new URL(target, \"http://agent-native.invalid\");\n  url.searchParams.set(EMBED_MODE_QUERY_PARAM, \"1\");\n  url.searchParams.set(EMBED_TOKEN_QUERY_PARAM, token);\n  return `${url.pathname}${url.search}${url.hash}`;\n}\n\nfunction redirectWithStagedCookies(\n  event: H3Event,\n  location: string,\n  status = 302,\n): Response {\n  const headers = new Headers({ Location: location });\n  const staged = event.res?.headers?.getSetCookie?.() ?? [];\n  for (const cookie of staged) headers.append(\"set-cookie\", cookie);\n  headers.set(\"Referrer-Policy\", \"no-referrer\");\n  return new Response(\"\", { status, headers });\n}\n\nfunction textResponse(message: string, status: number): Response {\n  return new Response(message, {\n    status,\n    headers: { \"Content-Type\": \"text/plain; charset=utf-8\" },\n  });\n}\n\nexport function buildEmbedStartPath(ticket: string): string {\n  const qs = new URLSearchParams({ ticket });\n  return `${getConfiguredAppBasePath()}${EMBED_START_PATH}?${qs}`;\n}\n\nexport interface EmbedStartRouteOptions {\n  getExistingSession?: (event: H3Event) => Promise<AuthSession | null>;\n}\n\nexport function createEmbedStartRouteHandler(\n  options: EmbedStartRouteOptions = {},\n) {\n  return defineEventHandler(async (event: H3Event) => {\n    const method = getMethod(event);\n    if (method !== \"GET\" && method !== \"HEAD\") {\n      return textResponse(\"Method not allowed\", 405);\n    }\n\n    const rawTicket = getQuery(event)?.ticket;\n    const ticket = Array.isArray(rawTicket) ? rawTicket[0] : rawTicket;\n    const existingSession = await options\n      .getExistingSession?.(event)\n      .catch(() => null);\n    const consumed = await consumeEmbedSessionTicket(ticket, {\n      expectedOrgId: existingSession?.orgId ?? null,\n    });\n    if (!consumed) {\n      return textResponse(\"Invalid or expired embed session.\", 401);\n    }\n\n    const target = normalizeEmbedTargetPath(consumed.targetPath);\n    if (!target) {\n      return textResponse(\"Invalid embed target.\", 400);\n    }\n\n    const token = signEmbedSessionToken({\n      ownerEmail: consumed.ownerEmail,\n      orgId: consumed.orgId,\n      targetPath: target,\n      scope: consumed.scope,\n    });\n    setEmbedSessionCookie(event, token);\n    setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n\n    const location = withConfiguredBasePath(\n      withCollapsedAgentSidebarParam(appendEmbedParams(target, token)),\n    );\n    return redirectWithStagedCookies(event, location);\n  });\n}\n"]}

package/dist/server/embed-session.d.ts

@@ -0,0 +1,65 @@
+import type { H3Event } from "h3";
+declare const TOKEN_KIND = "agent-native-embed-session";
+export interface EmbedSessionTicketInput {
+    ownerEmail: string;
+    orgId?: string | null;
+    targetPath: string;
+    scope?: string | null;
+    ttlSeconds?: number;
+}
+export interface EmbedSessionTicket {
+    ticket: string;
+    ticketHash: string;
+    expiresAt: number;
+}
+export interface ConsumeEmbedSessionTicketOptions {
+    expectedOrgId?: string | null;
+}
+export interface ConsumedEmbedSessionTicket {
+    ownerEmail: string;
+    orgId?: string;
+    targetPath: string;
+    scope?: string;
+    expiresAt: number;
+}
+export interface EmbedSessionTokenClaims {
+    kind: typeof TOKEN_KIND;
+    ownerEmail: string;
+    orgId?: string;
+    targetPath: string;
+    scope?: string;
+    iat: number;
+    exp: number;
+}
+export type VerifyEmbedSessionTokenResult = {
+    ok: true;
+    claims: EmbedSessionTokenClaims;
+} | {
+    ok: false;
+    reason: string;
+};
+export type ResolvedEmbedSession = {
+    email: string;
+    orgId?: string;
+    token: string;
+    targetPath: string;
+    scope?: string;
+};
+export declare function requestMatchesEmbedTarget(event: H3Event, targetPath: string): boolean;
+export declare function normalizeEmbedTargetPath(raw: string | undefined | null, requestOrigin?: string): string | null;
+export declare function createEmbedSessionTicket(input: EmbedSessionTicketInput): Promise<EmbedSessionTicket>;
+export declare function consumeEmbedSessionTicket(ticket: string | undefined | null, options?: ConsumeEmbedSessionTicketOptions): Promise<ConsumedEmbedSessionTicket | null>;
+export declare function signEmbedSessionToken(input: {
+    ownerEmail: string;
+    orgId?: string | null;
+    targetPath: string;
+    scope?: string | null;
+    ttlSeconds?: number;
+}): string;
+export declare function verifyEmbedSessionToken(token: string | undefined | null): VerifyEmbedSessionTokenResult;
+export declare function setEmbedSessionCookie(event: H3Event, token: string): void;
+export declare function resolveEmbedSessionFromRequest(event: H3Event): Promise<ResolvedEmbedSession | null>;
+export declare function requestHasEmbedAuthMarker(event: H3Event): boolean;
+export declare function isEmbedModeRequest(event: H3Event): boolean;
+export {};
+//# sourceMappingURL=embed-session.d.ts.map

package/dist/server/embed-session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"embed-session.d.ts","sourceRoot":"","sources":["../../src/server/embed-session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAkBlC,QAAA,MAAM,UAAU,+BAA+B,CAAC;AAShD,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gCAAgC;IAC/C,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,0BAA0B;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,OAAO,UAAU,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,MAAM,6BAA6B,GACrC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,uBAAuB,CAAA;CAAE,GAC7C;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAElC,MAAM,MAAM,oBAAoB,GAAG;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AA6JF,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAST;AAED,wBAAgB,wBAAwB,CACtC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAC9B,aAAa,CAAC,EAAE,MAAM,GACrB,MAAM,GAAG,IAAI,CA8Bf;AAED,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,kBAAkB,CAAC,CA8B7B;AAED,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACjC,OAAO,GAAE,gCAAqC,GAC7C,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC,CA6C5C;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,MAAM,CAeT;AAED,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAC/B,6BAA6B,CAsC/B;AAiCD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAQzE;AAcD,wBAAsB,8BAA8B,CAClD,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAyBtC;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAoBjE;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAS1D"}

package/dist/server/embed-session.js

@@ -0,0 +1,433 @@
+import crypto from "node:crypto";
+import { getCookie, getHeader, getQuery, setCookie, setResponseHeader, } from "h3";
+import { getDbExec, intType } from "../db/client.js";
+import { getWorkspaceA2ADerivedSecret } from "./derived-secret.js";
+import { getConfiguredAppBasePath } from "./app-base-path.js";
+import { EMBED_MODE_QUERY_PARAM, EMBED_SESSION_COOKIE, EMBED_TARGET_HEADER, EMBED_TOKEN_QUERY_PARAM, } from "../shared/embed-auth.js";
+const TOKEN_KIND = "agent-native-embed-session";
+const DEFAULT_TOKEN_TTL_SECONDS = 60 * 60;
+const DEFAULT_TICKET_TTL_SECONDS = 5 * 60;
+const CONTROL_CHARS = new RegExp("[\\u0000-\\u001f\\u007f]");
+const OPEN_ROUTE_PATH = "/_agent-native/open";
+let _initPromise;
+let _devSigningKey;
+async function ensureTable() {
+    if (!_initPromise) {
+        _initPromise = (async () => {
+            const client = getDbExec();
+            await client.execute(`
+        CREATE TABLE IF NOT EXISTS agent_native_embed_tickets (
+          ticket_hash TEXT PRIMARY KEY,
+          owner_email TEXT NOT NULL,
+          org_id TEXT,
+          target_path TEXT NOT NULL,
+          scope TEXT,
+          created_at ${intType()} NOT NULL,
+          expires_at ${intType()} NOT NULL,
+          consumed_at ${intType()}
+        )
+      `);
+        })().catch((err) => {
+            _initPromise = undefined;
+            throw err;
+        });
+    }
+    return _initPromise;
+}
+function getSigningKey() {
+    const secret = process.env.OAUTH_STATE_SECRET ||
+        process.env.BETTER_AUTH_SECRET ||
+        getWorkspaceA2ADerivedSecret("short-lived-token");
+    if (secret)
+        return secret;
+    if (process.env.NODE_ENV === "production") {
+        throw new Error("Embed session signing requires a server secret. Set OAUTH_STATE_SECRET, BETTER_AUTH_SECRET, or A2A_SECRET in production workspace deploys.");
+    }
+    if (!_devSigningKey) {
+        _devSigningKey = crypto.randomBytes(32).toString("hex");
+    }
+    return _devSigningKey;
+}
+function base64UrlEncode(buf) {
+    const b = typeof buf === "string" ? Buffer.from(buf, "utf8") : buf;
+    return b
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/g, "");
+}
+function base64UrlDecode(input) {
+    const padded = input + "=".repeat((4 - (input.length % 4)) % 4);
+    return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+function signPayload(payload) {
+    return base64UrlEncode(crypto.createHmac("sha256", getSigningKey()).update(payload).digest());
+}
+function hashTicket(ticket) {
+    return crypto.createHash("sha256").update(ticket).digest("hex");
+}
+function numberOrNull(value) {
+    if (value == null)
+        return null;
+    const n = Number(value);
+    return Number.isFinite(n) ? n : null;
+}
+function stringOrUndefined(value) {
+    return typeof value === "string" && value ? value : undefined;
+}
+function stripConfiguredBasePath(pathname) {
+    const base = getConfiguredAppBasePath();
+    if (!base)
+        return pathname;
+    if (pathname === base)
+        return "/";
+    if (pathname.startsWith(`${base}/`))
+        return pathname.slice(base.length) || "/";
+    return pathname;
+}
+function pathnameFromPath(path) {
+    const normalized = normalizeEmbedTargetPath(path);
+    if (!normalized)
+        return null;
+    try {
+        return new URL(normalized, "http://agent-native.invalid").pathname;
+    }
+    catch {
+        return null;
+    }
+}
+function safeOpenRouteTargetPathname(targetPath) {
+    let url;
+    try {
+        url = new URL(targetPath, "http://agent-native.invalid");
+    }
+    catch {
+        return null;
+    }
+    if (url.pathname !== OPEN_ROUTE_PATH) {
+        return null;
+    }
+    const to = normalizeEmbedTargetPath(url.searchParams.get("to"));
+    if (to)
+        return pathnameFromPath(to);
+    const view = url.searchParams.get("view")?.trim();
+    if (!view || CONTROL_CHARS.test(view))
+        return null;
+    const viewPath = view.startsWith("/") ? view : `/${view}`;
+    return pathnameFromPath(viewPath);
+}
+function allowedEmbedTargetPathnames(targetPath) {
+    const allowed = new Set();
+    const direct = pathnameFromPath(targetPath);
+    if (direct)
+        allowed.add(direct);
+    const openTarget = safeOpenRouteTargetPathname(targetPath);
+    if (openTarget)
+        allowed.add(openTarget);
+    return allowed;
+}
+function requestPathname(event) {
+    const raw = event.path ??
+        event.node?.req?.url ??
+        event.req?.url ??
+        event.url?.toString?.() ??
+        "/";
+    try {
+        const pathname = new URL(raw, "http://agent-native.invalid").pathname;
+        return stripConfiguredBasePath(pathname);
+    }
+    catch {
+        return null;
+    }
+}
+function headerTargetPathname(event) {
+    const direct = event.request?.headers?.get?.(EMBED_TARGET_HEADER) ??
+        event.headers?.get?.(EMBED_TARGET_HEADER) ??
+        event.node?.req?.headers?.[EMBED_TARGET_HEADER] ??
+        event.node?.req?.headers?.[EMBED_TARGET_HEADER.toLowerCase()];
+    if (typeof direct === "string")
+        return pathnameFromPath(direct);
+    try {
+        const raw = getHeader(event, EMBED_TARGET_HEADER);
+        return typeof raw === "string" ? pathnameFromPath(raw) : null;
+    }
+    catch {
+        return null;
+    }
+}
+export function requestMatchesEmbedTarget(event, targetPath) {
+    const allowed = allowedEmbedTargetPathnames(targetPath);
+    if (allowed.size === 0)
+        return false;
+    const current = requestPathname(event);
+    if (current && allowed.has(current))
+        return true;
+    const headerTarget = headerTargetPathname(event);
+    return !!headerTarget && allowed.has(headerTarget);
+}
+export function normalizeEmbedTargetPath(raw, requestOrigin) {
+    const value = String(raw ?? "").trim();
+    if (!value || CONTROL_CHARS.test(value))
+        return null;
+    let path = value;
+    try {
+        if (/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) {
+            const parsed = new URL(value);
+            if (requestOrigin) {
+                const expected = new URL(requestOrigin);
+                if (parsed.origin !== expected.origin)
+                    return null;
+            }
+            const base = getConfiguredAppBasePath();
+            if (base &&
+                parsed.pathname !== base &&
+                !parsed.pathname.startsWith(`${base}/`)) {
+                return null;
+            }
+            path = `${parsed.pathname}${parsed.search}${parsed.hash}`;
+        }
+    }
+    catch {
+        return null;
+    }
+    if (!path.startsWith("/"))
+        path = `/${path}`;
+    if (path.startsWith("//") || path.startsWith("/\\"))
+        return null;
+    if (/^\/[a-z][a-z0-9+.-]*:/i.test(path))
+        return null;
+    return stripConfiguredBasePath(path);
+}
+export async function createEmbedSessionTicket(input) {
+    const ownerEmail = input.ownerEmail.trim();
+    if (!ownerEmail)
+        throw new Error("Embed session ticket requires ownerEmail.");
+    const targetPath = normalizeEmbedTargetPath(input.targetPath);
+    if (!targetPath)
+        throw new Error("Embed session ticket requires a safe path.");
+    await ensureTable();
+    const ticket = crypto.randomBytes(32).toString("base64url");
+    const ticketHash = hashTicket(ticket);
+    const now = Date.now();
+    const ttlSeconds = input.ttlSeconds ?? DEFAULT_TICKET_TTL_SECONDS;
+    const expiresAt = now + Math.max(1, ttlSeconds) * 1000;
+    await getDbExec().execute({
+        sql: "INSERT INTO agent_native_embed_tickets " +
+            "(ticket_hash, owner_email, org_id, target_path, scope, created_at, expires_at, consumed_at) " +
+            "VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
+        args: [
+            ticketHash,
+            ownerEmail,
+            input.orgId ?? null,
+            targetPath,
+            input.scope ?? null,
+            now,
+            expiresAt,
+            null,
+        ],
+    });
+    return { ticket, ticketHash, expiresAt };
+}
+export async function consumeEmbedSessionTicket(ticket, options = {}) {
+    if (!ticket)
+        return null;
+    await ensureTable();
+    const ticketHash = hashTicket(ticket);
+    const now = Date.now();
+    const { rows } = await getDbExec().execute({
+        sql: "SELECT ticket_hash, owner_email, org_id, target_path, scope, expires_at, consumed_at " +
+            "FROM agent_native_embed_tickets WHERE ticket_hash = ?",
+        args: [ticketHash],
+    });
+    if (rows.length === 0)
+        return null;
+    const row = rows[0];
+    const expiresAt = numberOrNull(row.expires_at ?? row.expiresAt);
+    const consumedAt = numberOrNull(row.consumed_at ?? row.consumedAt);
+    const orgId = stringOrUndefined(row.org_id ?? row.orgId);
+    if (consumedAt != null)
+        return null;
+    if (expiresAt != null && expiresAt < now)
+        return null;
+    if (options.expectedOrgId && orgId && orgId !== options.expectedOrgId) {
+        return null;
+    }
+    const result = await getDbExec().execute({
+        sql: "UPDATE agent_native_embed_tickets SET consumed_at = ? " +
+            "WHERE ticket_hash = ? AND consumed_at IS NULL",
+        args: [now, ticketHash],
+    });
+    if (result.rowsAffected === 0)
+        return null;
+    const targetPath = normalizeEmbedTargetPath(stringOrUndefined(row.target_path ?? row.targetPath));
+    const ownerEmail = stringOrUndefined(row.owner_email ?? row.ownerEmail);
+    if (!targetPath || !ownerEmail || expiresAt == null)
+        return null;
+    return {
+        ownerEmail,
+        ...(orgId ? { orgId } : {}),
+        targetPath,
+        ...(stringOrUndefined(row.scope)
+            ? { scope: stringOrUndefined(row.scope) }
+            : {}),
+        expiresAt,
+    };
+}
+export function signEmbedSessionToken(input) {
+    const targetPath = normalizeEmbedTargetPath(input.targetPath) ?? "/";
+    const now = Math.floor(Date.now() / 1000);
+    const ttl = Math.max(1, input.ttlSeconds ?? DEFAULT_TOKEN_TTL_SECONDS);
+    const claims = {
+        kind: TOKEN_KIND,
+        ownerEmail: input.ownerEmail,
+        targetPath,
+        iat: now,
+        exp: now + ttl,
+    };
+    if (input.orgId)
+        claims.orgId = input.orgId;
+    if (input.scope)
+        claims.scope = input.scope;
+    const payload = base64UrlEncode(JSON.stringify(claims));
+    return `${payload}.${signPayload(payload)}`;
+}
+export function verifyEmbedSessionToken(token) {
+    if (!token || typeof token !== "string") {
+        return { ok: false, reason: "missing" };
+    }
+    const parts = token.split(".");
+    if (parts.length !== 2 || !parts[0] || !parts[1]) {
+        return { ok: false, reason: "shape" };
+    }
+    const [payload, signature] = parts;
+    const expected = signPayload(payload);
+    const sig = Buffer.from(signature);
+    const exp = Buffer.from(expected);
+    if (sig.length !== exp.length || !crypto.timingSafeEqual(sig, exp)) {
+        return { ok: false, reason: "signature" };
+    }
+    let claims;
+    try {
+        claims = JSON.parse(base64UrlDecode(payload).toString("utf8"));
+    }
+    catch {
+        return { ok: false, reason: "payload" };
+    }
+    if (!claims ||
+        claims.kind !== TOKEN_KIND ||
+        typeof claims.ownerEmail !== "string" ||
+        !claims.ownerEmail ||
+        typeof claims.exp !== "number" ||
+        !Number.isFinite(claims.exp)) {
+        return { ok: false, reason: "claims" };
+    }
+    if (claims.exp < Math.floor(Date.now() / 1000)) {
+        return { ok: false, reason: "expired" };
+    }
+    claims.targetPath = normalizeEmbedTargetPath(claims.targetPath) ?? "/";
+    return { ok: true, claims };
+}
+function isHttpsRequest(event) {
+    try {
+        const xfProto = getHeader(event, "x-forwarded-proto");
+        if (xfProto && String(xfProto).split(",")[0].trim() === "https") {
+            return true;
+        }
+        const url = event.url?.toString?.() ?? "";
+        if (url.startsWith("https://"))
+            return true;
+        const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || "";
+        if (appUrl.startsWith("https://"))
+            return true;
+    }
+    catch {
+        // ignore
+    }
+    return false;
+}
+function cookieDomainAttrs() {
+    const domain = process.env.COOKIE_DOMAIN?.trim();
+    return domain ? { domain } : {};
+}
+function crossSiteCookieAttrs(event) {
+    return isHttpsRequest(event)
+        ? { sameSite: "none", secure: true, partitioned: true }
+        : { sameSite: "lax", secure: false };
+}
+export function setEmbedSessionCookie(event, token) {
+    setCookie(event, EMBED_SESSION_COOKIE, token, {
+        httpOnly: true,
+        ...crossSiteCookieAttrs(event),
+        ...cookieDomainAttrs(),
+        path: "/",
+        maxAge: DEFAULT_TOKEN_TTL_SECONDS,
+    });
+}
+function bearerToken(event) {
+    const auth = getHeader(event, "authorization");
+    if (!auth)
+        return undefined;
+    const match = /^Bearer\s+(.+)$/i.exec(String(auth).trim());
+    return match?.[1]?.trim();
+}
+function queryToken(event) {
+    const raw = getQuery(event)?.[EMBED_TOKEN_QUERY_PARAM];
+    return Array.isArray(raw) ? raw[0] : raw;
+}
+export async function resolveEmbedSessionFromRequest(event) {
+    const candidates = [
+        { token: queryToken(event), source: "query" },
+        { token: bearerToken(event), source: "bearer" },
+        { token: getCookie(event, EMBED_SESSION_COOKIE), source: "cookie" },
+    ];
+    for (const candidate of candidates) {
+        const verified = verifyEmbedSessionToken(candidate.token);
+        if (!verified.ok)
+            continue;
+        if (!requestMatchesEmbedTarget(event, verified.claims.targetPath)) {
+            continue;
+        }
+        if (candidate.source === "query" && candidate.token) {
+            setEmbedSessionCookie(event, candidate.token);
+            setResponseHeader(event, "Referrer-Policy", "no-referrer");
+        }
+        return {
+            email: verified.claims.ownerEmail,
+            token: candidate.token,
+            targetPath: verified.claims.targetPath,
+            ...(verified.claims.orgId ? { orgId: verified.claims.orgId } : {}),
+            ...(verified.claims.scope ? { scope: verified.claims.scope } : {}),
+        };
+    }
+    return null;
+}
+export function requestHasEmbedAuthMarker(event) {
+    try {
+        const q = getQuery(event) ?? {};
+        const queryToken = Array.isArray(q[EMBED_TOKEN_QUERY_PARAM])
+            ? q[EMBED_TOKEN_QUERY_PARAM][0]
+            : q[EMBED_TOKEN_QUERY_PARAM];
+        const cookieToken = getCookie(event, EMBED_SESSION_COOKIE);
+        for (const token of [queryToken, cookieToken]) {
+            const verified = verifyEmbedSessionToken(token);
+            if (verified.ok &&
+                requestMatchesEmbedTarget(event, verified.claims.targetPath)) {
+                return true;
+            }
+        }
+    }
+    catch {
+        // ignore
+    }
+    return false;
+}
+export function isEmbedModeRequest(event) {
+    try {
+        const q = getQuery(event) ?? {};
+        return (q[EMBED_MODE_QUERY_PARAM] === "1" || q[EMBED_MODE_QUERY_PARAM] === "true");
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=embed-session.js.map