@agent-native/core 0.22.5 → 0.22.8

package/dist/server/embed-session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"embed-session.js","sourceRoot":"","sources":["../../src/server/embed-session.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EACL,SAAS,EACT,SAAS,EACT,QAAQ,EACR,SAAS,EACT,iBAAiB,GAClB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,EAAE,4BAA4B,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,MAAM,UAAU,GAAG,4BAA4B,CAAC;AAChD,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,CAAC;AAC1C,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,CAAC;AAC1C,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,0BAA0B,CAAC,CAAC;AAC7D,MAAM,eAAe,GAAG,qBAAqB,CAAC;AAE9C,IAAI,YAAuC,CAAC;AAC5C,IAAI,cAAkC,CAAC;AAkDvC,KAAK,UAAU,WAAW;IACxB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,CAAC,KAAK,IAAI,EAAE;YACzB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAC3B,MAAM,MAAM,CAAC,OAAO,CAAC;;;;;;;uBAOJ,OAAO,EAAE;uBACT,OAAO,EAAE;wBACR,OAAO,EAAE;;OAE1B,CAAC,CAAC;QACL,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACjB,YAAY,GAAG,SAAS,CAAC;YACzB,MAAM,GAAG,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,4BAA4B,CAAC,mBAAmB,CAAC,CAAC;IACpD,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,4IAA4I,CAC7I,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED,SAAS,eAAe,CAAC,GAAoB;IAC3C,MAAM,CAAC,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACnE,OAAO,CAAC;SACL,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,MAAM,GAAG,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAChE,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,WAAW,CAAC,OAAe;IAClC,OAAO,eAAe,CACpB,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CACtE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IACxB,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAc;IACvC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AAChE,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;IACxC,IAAI,CAAC,IAAI;QAAE,OAAO,QAAQ,CAAC;IAC3B,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,GAAG,CAAC;IAClC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;QACjC,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAC5C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,UAAU,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,IAAI,CAAC;QACH,OAAO,IAAI,GAAG,CAAC,UAAU,EAAE,6BAA6B,CAAC,CAAC,QAAQ,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,2BAA2B,CAAC,UAAkB;IACrD,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,EAAE,6BAA6B,CAAC,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,eAAe,EAAE,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,EAAE,GAAG,wBAAwB,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IAChE,IAAI,EAAE;QAAE,OAAO,gBAAgB,CAAC,EAAE,CAAC,CAAC;IAEpC,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC,IAAI,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC1D,OAAO,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,2BAA2B,CAAC,UAAkB;IACrD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,MAAM,MAAM,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC5C,IAAI,MAAM;QAAE,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,UAAU,GAAG,2BAA2B,CAAC,UAAU,CAAC,CAAC;IAC3D,IAAI,UAAU;QAAE,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACxC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,MAAM,GAAG,GACN,KAAa,CAAC,IAAI;QAClB,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG;QAC3B,KAAa,CAAC,GAAG,EAAE,GAA0B;QAC9C,KAAa,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE;QAChC,GAAG,CAAC;IACN,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,6BAA6B,CAAC,CAAC,QAAQ,CAAC;QACtE,OAAO,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,MAAM,MAAM,GACT,KAAa,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC;QAC1D,KAAa,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC;QACjD,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC;QACvD,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC,CAAC;IACzE,IAAI,OAAO,MAAM,KAAK,QAAQ;QAAE,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QAClD,OAAO,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,KAAc,EACd,UAAkB;IAElB,MAAM,OAAO,GAAG,2BAA2B,CAAC,UAAU,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,MAAM,OAAO,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjD,MAAM,YAAY,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;IACjD,OAAO,CAAC,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,GAA8B,EAC9B,aAAsB;IAEtB,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,KAAK,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAErD,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;YAC9B,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;gBACxC,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;oBAAE,OAAO,IAAI,CAAC;YACrD,CAAC;YACD,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;YACxC,IACE,IAAI;gBACJ,MAAM,CAAC,QAAQ,KAAK,IAAI;gBACxB,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC,EACvC,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IAAI,GAAG,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC5D,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7C,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjE,IAAI,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,KAA8B;IAE9B,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,IAAI,CAAC,UAAU;QAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC9E,MAAM,UAAU,GAAG,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAC9D,IAAI,CAAC,UAAU;QACb,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAEhE,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,0BAA0B,CAAC;IAClE,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,GAAG,IAAI,CAAC;IACvD,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACxB,GAAG,EACD,yCAAyC;YACzC,8FAA8F;YAC9F,iCAAiC;QACnC,IAAI,EAAE;YACJ,UAAU;YACV,UAAU;YACV,KAAK,CAAC,KAAK,IAAI,IAAI;YACnB,UAAU;YACV,KAAK,CAAC,KAAK,IAAI,IAAI;YACnB,GAAG;YACH,SAAS;YACT,IAAI;SACL;KACF,CAAC,CAAC;IACH,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AAC3C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAiC,EACjC,UAA4C,EAAE;IAE9C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,WAAW,EAAE,CAAC;IACpB,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACzC,GAAG,EACD,uFAAuF;YACvF,uDAAuD;QACzD,IAAI,EAAE,CAAC,UAAU,CAAC;KACnB,CAAC,CAAC;IACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,GAAG,GAAQ,IAAI,CAAC,CAAC,CAAC,CAAC;IACzB,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAChE,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACnE,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACzD,IAAI,UAAU,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,SAAS,IAAI,IAAI,IAAI,SAAS,GAAG,GAAG;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,OAAO,CAAC,aAAa,IAAI,KAAK,IAAI,KAAK,KAAK,OAAO,CAAC,aAAa,EAAE,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;QACvC,GAAG,EACD,wDAAwD;YACxD,+CAA+C;QACjD,IAAI,EAAE,CAAC,GAAG,EAAE,UAAU,CAAC;KACxB,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,YAAY,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3C,MAAM,UAAU,GAAG,wBAAwB,CACzC,iBAAiB,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,CACrD,CAAC;IACF,MAAM,UAAU,GAAG,iBAAiB,CAAC,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IACxE,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,IAAI,SAAS,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC;IAEjE,OAAO;QACL,UAAU;QACV,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3B,UAAU;QACV,GAAG,CAAC,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC;YAC9B,CAAC,CAAC,EAAE,KAAK,EAAE,iBAAiB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE;YACzC,CAAC,CAAC,EAAE,CAAC;QACP,SAAS;KACV,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAMrC;IACC,MAAM,UAAU,GAAG,wBAAwB,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,IAAI,yBAAyB,CAAC,CAAC;IACvE,MAAM,MAAM,GAA4B;QACtC,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,UAAU;QACV,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,GAAG;KACf,CAAC;IACF,IAAI,KAAK,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IAC5C,IAAI,KAAK,CAAC,KAAK;QAAE,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IAC5C,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxD,OAAO,GAAG,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,KAAgC;IAEhC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACjD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;IACxC,CAAC;IACD,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;IACnC,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACtC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAClC,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;QACnE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC5C,CAAC;IAED,IAAI,MAA+B,CAAC;IACpC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IACjE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IAED,IACE,CAAC,MAAM;QACP,MAAM,CAAC,IAAI,KAAK,UAAU;QAC1B,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ;QACrC,CAAC,MAAM,CAAC,UAAU;QAClB,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,EAC5B,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IACzC,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;QAC/C,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IAC1C,CAAC;IACD,MAAM,CAAC,UAAU,GAAG,wBAAwB,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC;IACvE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACtD,IAAI,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC;QAC1C,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACxE,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,IAAI,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB;IACxB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC;IACjD,OAAO,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAK1C,OAAO,cAAc,CAAC,KAAK,CAAC;QAC1B,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;QACvD,CAAC,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAAc,EAAE,KAAa;IACjE,SAAS,CAAC,KAAK,EAAE,oBAAoB,EAAE,KAAK,EAAE;QAC5C,QAAQ,EAAE,IAAI;QACd,GAAG,oBAAoB,CAAC,KAAK,CAAC;QAC9B,GAAG,iBAAiB,EAAE;QACtB,IAAI,EAAE,GAAG;QACT,MAAM,EAAE,yBAAyB;KAClC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IAC/C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3D,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;AAC5B,CAAC;AAED,SAAS,UAAU,CAAC,KAAc;IAChC,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,uBAAuB,CAAC,CAAC;IACvD,OAAO,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;AAC3C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,KAAc;IAEd,MAAM,UAAU,GAAG;QACjB,EAAE,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE;QAC7C,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE;QAC/C,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,oBAAoB,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE;KACpE,CAAC;IACF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,uBAAuB,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ,CAAC,EAAE;YAAE,SAAS;QAC3B,IAAI,CAAC,yBAAyB,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;YAClE,SAAS;QACX,CAAC;QACD,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;YACpD,qBAAqB,CAAC,KAAK,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;YAC9C,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU;YACjC,KAAK,EAAE,SAAS,CAAC,KAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU;YACtC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACnE,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc;IACtD,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC;YAC1D,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC;QAC/B,MAAM,WAAW,GAAG,SAAS,CAAC,KAAK,EAAE,oBAAoB,CAAC,CAAC;QAC3D,KAAK,MAAM,KAAK,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,EAAE,CAAC;YAC9C,MAAM,QAAQ,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;YAChD,IACE,QAAQ,CAAC,EAAE;gBACX,yBAAyB,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAC5D,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,SAAS;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QAChC,OAAO,CACL,CAAC,CAAC,sBAAsB,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,sBAAsB,CAAC,KAAK,MAAM,CAC1E,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC","sourcesContent":["import crypto from \"node:crypto\";\nimport type { H3Event } from \"h3\";\nimport {\n  getCookie,\n  getHeader,\n  getQuery,\n  setCookie,\n  setResponseHeader,\n} from \"h3\";\nimport { getDbExec, intType } from \"../db/client.js\";\nimport { getWorkspaceA2ADerivedSecret } from \"./derived-secret.js\";\nimport { getConfiguredAppBasePath } from \"./app-base-path.js\";\nimport {\n  EMBED_MODE_QUERY_PARAM,\n  EMBED_SESSION_COOKIE,\n  EMBED_TARGET_HEADER,\n  EMBED_TOKEN_QUERY_PARAM,\n} from \"../shared/embed-auth.js\";\n\nconst TOKEN_KIND = \"agent-native-embed-session\";\nconst DEFAULT_TOKEN_TTL_SECONDS = 60 * 60;\nconst DEFAULT_TICKET_TTL_SECONDS = 5 * 60;\nconst CONTROL_CHARS = new RegExp(\"[\\\\u0000-\\\\u001f\\\\u007f]\");\nconst OPEN_ROUTE_PATH = \"/_agent-native/open\";\n\nlet _initPromise: Promise<void> | undefined;\nlet _devSigningKey: string | undefined;\n\nexport interface EmbedSessionTicketInput {\n  ownerEmail: string;\n  orgId?: string | null;\n  targetPath: string;\n  scope?: string | null;\n  ttlSeconds?: number;\n}\n\nexport interface EmbedSessionTicket {\n  ticket: string;\n  ticketHash: string;\n  expiresAt: number;\n}\n\nexport interface ConsumeEmbedSessionTicketOptions {\n  expectedOrgId?: string | null;\n}\n\nexport interface ConsumedEmbedSessionTicket {\n  ownerEmail: string;\n  orgId?: string;\n  targetPath: string;\n  scope?: string;\n  expiresAt: number;\n}\n\nexport interface EmbedSessionTokenClaims {\n  kind: typeof TOKEN_KIND;\n  ownerEmail: string;\n  orgId?: string;\n  targetPath: string;\n  scope?: string;\n  iat: number;\n  exp: number;\n}\n\nexport type VerifyEmbedSessionTokenResult =\n  | { ok: true; claims: EmbedSessionTokenClaims }\n  | { ok: false; reason: string };\n\nexport type ResolvedEmbedSession = {\n  email: string;\n  orgId?: string;\n  token: string;\n  targetPath: string;\n  scope?: string;\n};\n\nasync function ensureTable(): Promise<void> {\n  if (!_initPromise) {\n    _initPromise = (async () => {\n      const client = getDbExec();\n      await client.execute(`\n        CREATE TABLE IF NOT EXISTS agent_native_embed_tickets (\n          ticket_hash TEXT PRIMARY KEY,\n          owner_email TEXT NOT NULL,\n          org_id TEXT,\n          target_path TEXT NOT NULL,\n          scope TEXT,\n          created_at ${intType()} NOT NULL,\n          expires_at ${intType()} NOT NULL,\n          consumed_at ${intType()}\n        )\n      `);\n    })().catch((err) => {\n      _initPromise = undefined;\n      throw err;\n    });\n  }\n  return _initPromise;\n}\n\nfunction getSigningKey(): string {\n  const secret =\n    process.env.OAUTH_STATE_SECRET ||\n    process.env.BETTER_AUTH_SECRET ||\n    getWorkspaceA2ADerivedSecret(\"short-lived-token\");\n  if (secret) return secret;\n\n  if (process.env.NODE_ENV === \"production\") {\n    throw new Error(\n      \"Embed session signing requires a server secret. Set OAUTH_STATE_SECRET, BETTER_AUTH_SECRET, or A2A_SECRET in production workspace deploys.\",\n    );\n  }\n\n  if (!_devSigningKey) {\n    _devSigningKey = crypto.randomBytes(32).toString(\"hex\");\n  }\n  return _devSigningKey;\n}\n\nfunction base64UrlEncode(buf: Buffer | string): string {\n  const b = typeof buf === \"string\" ? Buffer.from(buf, \"utf8\") : buf;\n  return b\n    .toString(\"base64\")\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/g, \"\");\n}\n\nfunction base64UrlDecode(input: string): Buffer {\n  const padded = input + \"=\".repeat((4 - (input.length % 4)) % 4);\n  return Buffer.from(padded.replace(/-/g, \"+\").replace(/_/g, \"/\"), \"base64\");\n}\n\nfunction signPayload(payload: string): string {\n  return base64UrlEncode(\n    crypto.createHmac(\"sha256\", getSigningKey()).update(payload).digest(),\n  );\n}\n\nfunction hashTicket(ticket: string): string {\n  return crypto.createHash(\"sha256\").update(ticket).digest(\"hex\");\n}\n\nfunction numberOrNull(value: unknown): number | null {\n  if (value == null) return null;\n  const n = Number(value);\n  return Number.isFinite(n) ? n : null;\n}\n\nfunction stringOrUndefined(value: unknown): string | undefined {\n  return typeof value === \"string\" && value ? value : undefined;\n}\n\nfunction stripConfiguredBasePath(pathname: string): string {\n  const base = getConfiguredAppBasePath();\n  if (!base) return pathname;\n  if (pathname === base) return \"/\";\n  if (pathname.startsWith(`${base}/`))\n    return pathname.slice(base.length) || \"/\";\n  return pathname;\n}\n\nfunction pathnameFromPath(path: string): string | null {\n  const normalized = normalizeEmbedTargetPath(path);\n  if (!normalized) return null;\n  try {\n    return new URL(normalized, \"http://agent-native.invalid\").pathname;\n  } catch {\n    return null;\n  }\n}\n\nfunction safeOpenRouteTargetPathname(targetPath: string): string | null {\n  let url: URL;\n  try {\n    url = new URL(targetPath, \"http://agent-native.invalid\");\n  } catch {\n    return null;\n  }\n  if (url.pathname !== OPEN_ROUTE_PATH) {\n    return null;\n  }\n\n  const to = normalizeEmbedTargetPath(url.searchParams.get(\"to\"));\n  if (to) return pathnameFromPath(to);\n\n  const view = url.searchParams.get(\"view\")?.trim();\n  if (!view || CONTROL_CHARS.test(view)) return null;\n  const viewPath = view.startsWith(\"/\") ? view : `/${view}`;\n  return pathnameFromPath(viewPath);\n}\n\nfunction allowedEmbedTargetPathnames(targetPath: string): Set<string> {\n  const allowed = new Set<string>();\n  const direct = pathnameFromPath(targetPath);\n  if (direct) allowed.add(direct);\n  const openTarget = safeOpenRouteTargetPathname(targetPath);\n  if (openTarget) allowed.add(openTarget);\n  return allowed;\n}\n\nfunction requestPathname(event: H3Event): string | null {\n  const raw =\n    (event as any).path ??\n    (event as any).node?.req?.url ??\n    ((event as any).req?.url as string | undefined) ??\n    (event as any).url?.toString?.() ??\n    \"/\";\n  try {\n    const pathname = new URL(raw, \"http://agent-native.invalid\").pathname;\n    return stripConfiguredBasePath(pathname);\n  } catch {\n    return null;\n  }\n}\n\nfunction headerTargetPathname(event: H3Event): string | null {\n  const direct =\n    (event as any).request?.headers?.get?.(EMBED_TARGET_HEADER) ??\n    (event as any).headers?.get?.(EMBED_TARGET_HEADER) ??\n    (event as any).node?.req?.headers?.[EMBED_TARGET_HEADER] ??\n    (event as any).node?.req?.headers?.[EMBED_TARGET_HEADER.toLowerCase()];\n  if (typeof direct === \"string\") return pathnameFromPath(direct);\n  try {\n    const raw = getHeader(event, EMBED_TARGET_HEADER);\n    return typeof raw === \"string\" ? pathnameFromPath(raw) : null;\n  } catch {\n    return null;\n  }\n}\n\nexport function requestMatchesEmbedTarget(\n  event: H3Event,\n  targetPath: string,\n): boolean {\n  const allowed = allowedEmbedTargetPathnames(targetPath);\n  if (allowed.size === 0) return false;\n\n  const current = requestPathname(event);\n  if (current && allowed.has(current)) return true;\n\n  const headerTarget = headerTargetPathname(event);\n  return !!headerTarget && allowed.has(headerTarget);\n}\n\nexport function normalizeEmbedTargetPath(\n  raw: string | undefined | null,\n  requestOrigin?: string,\n): string | null {\n  const value = String(raw ?? \"\").trim();\n  if (!value || CONTROL_CHARS.test(value)) return null;\n\n  let path = value;\n  try {\n    if (/^[a-z][a-z0-9+.-]*:\\/\\//i.test(value)) {\n      const parsed = new URL(value);\n      if (requestOrigin) {\n        const expected = new URL(requestOrigin);\n        if (parsed.origin !== expected.origin) return null;\n      }\n      const base = getConfiguredAppBasePath();\n      if (\n        base &&\n        parsed.pathname !== base &&\n        !parsed.pathname.startsWith(`${base}/`)\n      ) {\n        return null;\n      }\n      path = `${parsed.pathname}${parsed.search}${parsed.hash}`;\n    }\n  } catch {\n    return null;\n  }\n\n  if (!path.startsWith(\"/\")) path = `/${path}`;\n  if (path.startsWith(\"//\") || path.startsWith(\"/\\\\\")) return null;\n  if (/^\\/[a-z][a-z0-9+.-]*:/i.test(path)) return null;\n  return stripConfiguredBasePath(path);\n}\n\nexport async function createEmbedSessionTicket(\n  input: EmbedSessionTicketInput,\n): Promise<EmbedSessionTicket> {\n  const ownerEmail = input.ownerEmail.trim();\n  if (!ownerEmail) throw new Error(\"Embed session ticket requires ownerEmail.\");\n  const targetPath = normalizeEmbedTargetPath(input.targetPath);\n  if (!targetPath)\n    throw new Error(\"Embed session ticket requires a safe path.\");\n\n  await ensureTable();\n  const ticket = crypto.randomBytes(32).toString(\"base64url\");\n  const ticketHash = hashTicket(ticket);\n  const now = Date.now();\n  const ttlSeconds = input.ttlSeconds ?? DEFAULT_TICKET_TTL_SECONDS;\n  const expiresAt = now + Math.max(1, ttlSeconds) * 1000;\n  await getDbExec().execute({\n    sql:\n      \"INSERT INTO agent_native_embed_tickets \" +\n      \"(ticket_hash, owner_email, org_id, target_path, scope, created_at, expires_at, consumed_at) \" +\n      \"VALUES (?, ?, ?, ?, ?, ?, ?, ?)\",\n    args: [\n      ticketHash,\n      ownerEmail,\n      input.orgId ?? null,\n      targetPath,\n      input.scope ?? null,\n      now,\n      expiresAt,\n      null,\n    ],\n  });\n  return { ticket, ticketHash, expiresAt };\n}\n\nexport async function consumeEmbedSessionTicket(\n  ticket: string | undefined | null,\n  options: ConsumeEmbedSessionTicketOptions = {},\n): Promise<ConsumedEmbedSessionTicket | null> {\n  if (!ticket) return null;\n  await ensureTable();\n  const ticketHash = hashTicket(ticket);\n  const now = Date.now();\n  const { rows } = await getDbExec().execute({\n    sql:\n      \"SELECT ticket_hash, owner_email, org_id, target_path, scope, expires_at, consumed_at \" +\n      \"FROM agent_native_embed_tickets WHERE ticket_hash = ?\",\n    args: [ticketHash],\n  });\n  if (rows.length === 0) return null;\n  const row: any = rows[0];\n  const expiresAt = numberOrNull(row.expires_at ?? row.expiresAt);\n  const consumedAt = numberOrNull(row.consumed_at ?? row.consumedAt);\n  const orgId = stringOrUndefined(row.org_id ?? row.orgId);\n  if (consumedAt != null) return null;\n  if (expiresAt != null && expiresAt < now) return null;\n  if (options.expectedOrgId && orgId && orgId !== options.expectedOrgId) {\n    return null;\n  }\n\n  const result = await getDbExec().execute({\n    sql:\n      \"UPDATE agent_native_embed_tickets SET consumed_at = ? \" +\n      \"WHERE ticket_hash = ? AND consumed_at IS NULL\",\n    args: [now, ticketHash],\n  });\n  if (result.rowsAffected === 0) return null;\n\n  const targetPath = normalizeEmbedTargetPath(\n    stringOrUndefined(row.target_path ?? row.targetPath),\n  );\n  const ownerEmail = stringOrUndefined(row.owner_email ?? row.ownerEmail);\n  if (!targetPath || !ownerEmail || expiresAt == null) return null;\n\n  return {\n    ownerEmail,\n    ...(orgId ? { orgId } : {}),\n    targetPath,\n    ...(stringOrUndefined(row.scope)\n      ? { scope: stringOrUndefined(row.scope) }\n      : {}),\n    expiresAt,\n  };\n}\n\nexport function signEmbedSessionToken(input: {\n  ownerEmail: string;\n  orgId?: string | null;\n  targetPath: string;\n  scope?: string | null;\n  ttlSeconds?: number;\n}): string {\n  const targetPath = normalizeEmbedTargetPath(input.targetPath) ?? \"/\";\n  const now = Math.floor(Date.now() / 1000);\n  const ttl = Math.max(1, input.ttlSeconds ?? DEFAULT_TOKEN_TTL_SECONDS);\n  const claims: EmbedSessionTokenClaims = {\n    kind: TOKEN_KIND,\n    ownerEmail: input.ownerEmail,\n    targetPath,\n    iat: now,\n    exp: now + ttl,\n  };\n  if (input.orgId) claims.orgId = input.orgId;\n  if (input.scope) claims.scope = input.scope;\n  const payload = base64UrlEncode(JSON.stringify(claims));\n  return `${payload}.${signPayload(payload)}`;\n}\n\nexport function verifyEmbedSessionToken(\n  token: string | undefined | null,\n): VerifyEmbedSessionTokenResult {\n  if (!token || typeof token !== \"string\") {\n    return { ok: false, reason: \"missing\" };\n  }\n  const parts = token.split(\".\");\n  if (parts.length !== 2 || !parts[0] || !parts[1]) {\n    return { ok: false, reason: \"shape\" };\n  }\n  const [payload, signature] = parts;\n  const expected = signPayload(payload);\n  const sig = Buffer.from(signature);\n  const exp = Buffer.from(expected);\n  if (sig.length !== exp.length || !crypto.timingSafeEqual(sig, exp)) {\n    return { ok: false, reason: \"signature\" };\n  }\n\n  let claims: EmbedSessionTokenClaims;\n  try {\n    claims = JSON.parse(base64UrlDecode(payload).toString(\"utf8\"));\n  } catch {\n    return { ok: false, reason: \"payload\" };\n  }\n\n  if (\n    !claims ||\n    claims.kind !== TOKEN_KIND ||\n    typeof claims.ownerEmail !== \"string\" ||\n    !claims.ownerEmail ||\n    typeof claims.exp !== \"number\" ||\n    !Number.isFinite(claims.exp)\n  ) {\n    return { ok: false, reason: \"claims\" };\n  }\n  if (claims.exp < Math.floor(Date.now() / 1000)) {\n    return { ok: false, reason: \"expired\" };\n  }\n  claims.targetPath = normalizeEmbedTargetPath(claims.targetPath) ?? \"/\";\n  return { ok: true, claims };\n}\n\nfunction isHttpsRequest(event: H3Event): boolean {\n  try {\n    const xfProto = getHeader(event, \"x-forwarded-proto\");\n    if (xfProto && String(xfProto).split(\",\")[0].trim() === \"https\") {\n      return true;\n    }\n    const url = event.url?.toString?.() ?? \"\";\n    if (url.startsWith(\"https://\")) return true;\n    const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || \"\";\n    if (appUrl.startsWith(\"https://\")) return true;\n  } catch {\n    // ignore\n  }\n  return false;\n}\n\nfunction cookieDomainAttrs(): { domain?: string } {\n  const domain = process.env.COOKIE_DOMAIN?.trim();\n  return domain ? { domain } : {};\n}\n\nfunction crossSiteCookieAttrs(event: H3Event): {\n  sameSite: \"lax\" | \"none\";\n  secure: boolean;\n  partitioned?: boolean;\n} {\n  return isHttpsRequest(event)\n    ? { sameSite: \"none\", secure: true, partitioned: true }\n    : { sameSite: \"lax\", secure: false };\n}\n\nexport function setEmbedSessionCookie(event: H3Event, token: string): void {\n  setCookie(event, EMBED_SESSION_COOKIE, token, {\n    httpOnly: true,\n    ...crossSiteCookieAttrs(event),\n    ...cookieDomainAttrs(),\n    path: \"/\",\n    maxAge: DEFAULT_TOKEN_TTL_SECONDS,\n  });\n}\n\nfunction bearerToken(event: H3Event): string | undefined {\n  const auth = getHeader(event, \"authorization\");\n  if (!auth) return undefined;\n  const match = /^Bearer\\s+(.+)$/i.exec(String(auth).trim());\n  return match?.[1]?.trim();\n}\n\nfunction queryToken(event: H3Event): string | undefined {\n  const raw = getQuery(event)?.[EMBED_TOKEN_QUERY_PARAM];\n  return Array.isArray(raw) ? raw[0] : raw;\n}\n\nexport async function resolveEmbedSessionFromRequest(\n  event: H3Event,\n): Promise<ResolvedEmbedSession | null> {\n  const candidates = [\n    { token: queryToken(event), source: \"query\" },\n    { token: bearerToken(event), source: \"bearer\" },\n    { token: getCookie(event, EMBED_SESSION_COOKIE), source: \"cookie\" },\n  ];\n  for (const candidate of candidates) {\n    const verified = verifyEmbedSessionToken(candidate.token);\n    if (!verified.ok) continue;\n    if (!requestMatchesEmbedTarget(event, verified.claims.targetPath)) {\n      continue;\n    }\n    if (candidate.source === \"query\" && candidate.token) {\n      setEmbedSessionCookie(event, candidate.token);\n      setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n    }\n    return {\n      email: verified.claims.ownerEmail,\n      token: candidate.token!,\n      targetPath: verified.claims.targetPath,\n      ...(verified.claims.orgId ? { orgId: verified.claims.orgId } : {}),\n      ...(verified.claims.scope ? { scope: verified.claims.scope } : {}),\n    };\n  }\n  return null;\n}\n\nexport function requestHasEmbedAuthMarker(event: H3Event): boolean {\n  try {\n    const q = getQuery(event) ?? {};\n    const queryToken = Array.isArray(q[EMBED_TOKEN_QUERY_PARAM])\n      ? q[EMBED_TOKEN_QUERY_PARAM][0]\n      : q[EMBED_TOKEN_QUERY_PARAM];\n    const cookieToken = getCookie(event, EMBED_SESSION_COOKIE);\n    for (const token of [queryToken, cookieToken]) {\n      const verified = verifyEmbedSessionToken(token);\n      if (\n        verified.ok &&\n        requestMatchesEmbedTarget(event, verified.claims.targetPath)\n      ) {\n        return true;\n      }\n    }\n  } catch {\n    // ignore\n  }\n  return false;\n}\n\nexport function isEmbedModeRequest(event: H3Event): boolean {\n  try {\n    const q = getQuery(event) ?? {};\n    return (\n      q[EMBED_MODE_QUERY_PARAM] === \"1\" || q[EMBED_MODE_QUERY_PARAM] === \"true\"\n    );\n  } catch {\n    return false;\n  }\n}\n"]}

package/dist/server/index.d.ts

@@ -2,6 +2,8 @@ export { createServer, upsertEnvFile, type CreateServerOptions, type EnvKeyConfi
 export { readBody, streamFile } from "./h3-helpers.js";
 export { buildDeepLink, toAbsoluteOpenUrl, toDesktopOpenUrl, OPEN_ROUTE_SUBPATH, DESKTOP_OPEN_URL, type DeepLinkInput, } from "./deep-link.js";
 export { createOpenRouteHandler, type OpenRouteOptions } from "./open-route.js";
+export { createEmbedStartRouteHandler, buildEmbedStartPath, type EmbedStartRouteOptions, } from "./embed-route.js";
+export { createEmbedSessionTicket, consumeEmbedSessionTicket, normalizeEmbedTargetPath, requestHasEmbedAuthMarker, resolveEmbedSessionFromRequest, setEmbedSessionCookie, signEmbedSessionToken, verifyEmbedSessionToken, type ConsumedEmbedSessionTicket, type ConsumeEmbedSessionTicketOptions, type EmbedSessionTicket, type EmbedSessionTicketInput, type EmbedSessionTokenClaims, type ResolvedEmbedSession, type VerifyEmbedSessionTokenResult, } from "./embed-session.js";
 export { createSSEHandler, type SSEHandlerOptions } from "./sse.js";
 export { mountAuthMiddleware, autoMountAuth, getSession, COOKIE_NAME, addSession, removeSession, getSessionEmail, getFrameworkSessionCookieValues, setFrameworkSessionCookie, clearFrameworkSessionCookies, runAuthGuard, setDesktopExchange, setDesktopExchangeError, safeReturnPath, type DesktopExchangeErrorPayload, type AuthSession, type AuthOptions, } from "./auth.js";
 export { handleIdentitySso, getIdentityHubUrl, isIdentitySsoEnabled, isIdentitySsoBypassPath, identitySsoLoginButtonHtml, IDENTITY_SSO_PROVIDER_ID, IDENTITY_SSO_SCOPE, } from "./identity-sso.js";

package/dist/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,YAAY,GAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EAAE,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,WAAW,EACX,UAAU,EACV,aAAa,EACb,eAAe,EACf,+BAA+B,EAC/B,yBAAyB,EACzB,4BAA4B,EAC5B,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,EACd,KAAK,2BAA2B,EAChC,KAAK,WAAW,EAChB,KAAK,WAAW,GACjB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,EAC5B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,sBAAsB,EAC3B,KAAK,UAAU,EACf,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,kCAAkC,EACvC,KAAK,iCAAiC,EACtC,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,GAChC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,EACjB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAI7E,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,KAAK,sBAAsB,GAC5B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,EACnC,KAAK,8BAA8B,EACnC,KAAK,6BAA6B,EAClC,KAAK,8BAA8B,EACnC,KAAK,gCAAgC,GACtC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,GACxB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,EACjC,KAAK,wCAAwC,GAC9C,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,EACzB,KAAK,gCAAgC,GACtC,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,yBAAyB,EACzB,+BAA+B,EAC/B,+BAA+B,EAC/B,gCAAgC,EAChC,sCAAsC,EACtC,oCAAoC,EACpC,2CAA2C,EAC3C,sCAAsC,GACvC,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,qBAAqB,GAC3B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,EAClB,KAAK,mBAAmB,GACzB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,EACf,KAAK,SAAS,EACd,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,EACd,KAAK,SAAS,GACf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,EAC1B,KAAK,cAAc,EACnB,KAAK,iBAAiB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,EACzB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,EACZ,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,GAC/B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,EACf,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,EACT,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,GACd,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,KAAK,qBAAqB,EAC1B,KAAK,YAAY,IAAI,2BAA2B,GACjD,MAAM,wBAAwB,CAAC;AAUhC,MAAM,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AACrE,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,cAAc,CAErE"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,EACb,KAAK,mBAAmB,EACxB,KAAK,YAAY,GAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,EAChB,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EACL,4BAA4B,EAC5B,mBAAmB,EACnB,KAAK,sBAAsB,GAC5B,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,wBAAwB,EACxB,yBAAyB,EACzB,8BAA8B,EAC9B,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,EACvB,KAAK,0BAA0B,EAC/B,KAAK,gCAAgC,EACrC,KAAK,kBAAkB,EACvB,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EACzB,KAAK,6BAA6B,GACnC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,WAAW,EACX,UAAU,EACV,aAAa,EACb,eAAe,EACf,+BAA+B,EAC/B,yBAAyB,EACzB,4BAA4B,EAC5B,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,EACd,KAAK,2BAA2B,EAChC,KAAK,WAAW,EAChB,KAAK,WAAW,GACjB,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,EAC5B,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,sBAAsB,EAC3B,KAAK,UAAU,EACf,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,mBAAmB,EACxB,KAAK,2BAA2B,EAChC,KAAK,kCAAkC,EACvC,KAAK,iCAAiC,EACtC,KAAK,wBAAwB,EAC7B,KAAK,0BAA0B,GAChC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,EACjB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,EAC5B,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAI7E,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,YAAY,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,EACL,qBAAqB,EACrB,sBAAsB,EACtB,KAAK,sBAAsB,GAC5B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,EACnC,KAAK,8BAA8B,EACnC,KAAK,6BAA6B,EAClC,KAAK,8BAA8B,EACnC,KAAK,gCAAgC,GACtC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,kBAAkB,GACxB,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,EACjC,KAAK,wCAAwC,GAC9C,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,EACzB,KAAK,gCAAgC,GACtC,MAAM,+BAA+B,CAAC;AACvC,YAAY,EACV,yBAAyB,EACzB,+BAA+B,EAC/B,+BAA+B,EAC/B,gCAAgC,EAChC,sCAAsC,EACtC,oCAAoC,EACpC,2CAA2C,EAC3C,sCAAsC,GACvC,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,KAAK,qBAAqB,GAC3B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,EAClB,KAAK,mBAAmB,GACzB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,EACf,KAAK,SAAS,EACd,KAAK,gBAAgB,GACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,EACd,KAAK,SAAS,GACf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,EACjB,KAAK,wBAAwB,GAC9B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,EAC1B,KAAK,cAAc,EACnB,KAAK,iBAAiB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,EACzB,KAAK,eAAe,EACpB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,GACtB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,EACZ,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,yBAAyB,GAC/B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,EACf,KAAK,qBAAqB,GAC3B,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,EACT,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,KAAK,QAAQ,GACd,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,EACrB,KAAK,qBAAqB,EAC1B,KAAK,YAAY,IAAI,2BAA2B,GACjD,MAAM,wBAAwB,CAAC;AAUhC,MAAM,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AACrE,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,cAAc,CAErE"}

package/dist/server/index.js

@@ -2,6 +2,8 @@ export { createServer, upsertEnvFile, } from "./create-server.js";
 export { readBody, streamFile } from "./h3-helpers.js";
 export { buildDeepLink, toAbsoluteOpenUrl, toDesktopOpenUrl, OPEN_ROUTE_SUBPATH, DESKTOP_OPEN_URL, } from "./deep-link.js";
 export { createOpenRouteHandler } from "./open-route.js";
+export { createEmbedStartRouteHandler, buildEmbedStartPath, } from "./embed-route.js";
+export { createEmbedSessionTicket, consumeEmbedSessionTicket, normalizeEmbedTargetPath, requestHasEmbedAuthMarker, resolveEmbedSessionFromRequest, setEmbedSessionCookie, signEmbedSessionToken, verifyEmbedSessionToken, } from "./embed-session.js";
 export { createSSEHandler } from "./sse.js";
 export { mountAuthMiddleware, autoMountAuth, getSession, COOKIE_NAME, addSession, removeSession, getSessionEmail, getFrameworkSessionCookieValues, setFrameworkSessionCookie, clearFrameworkSessionCookies, runAuthGuard, setDesktopExchange, setDesktopExchangeError, safeReturnPath, } from "./auth.js";
 export { handleIdentitySso, getIdentityHubUrl, isIdentitySsoEnabled, isIdentitySsoBypassPath, identitySsoLoginButtonHtml, IDENTITY_SSO_PROVIDER_ID, IDENTITY_SSO_SCOPE, } from "./identity-sso.js";

package/dist/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,GAGd,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,GAEjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAyB,MAAM,iBAAiB,CAAC;AAChF,OAAO,EAAE,gBAAgB,EAA0B,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,WAAW,EACX,UAAU,EACV,aAAa,EACb,eAAe,EACf,+BAA+B,EAC/B,yBAAyB,EACzB,4BAA4B,EAC5B,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,GAIf,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAA2B,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAA4B,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,GAkB7B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,GAElB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,GAG7B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC7E,2EAA2E;AAC3E,2EAA2E;AAC3E,8DAA8D;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,GAKpC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,cAAc,GAKf,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,GAElC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,GAE1B,MAAM,+BAA+B,CAAC;AAWvC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,GAEtB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,GAEnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,GAGhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,GAEf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,GAElB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,GAG3B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,GAI1B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,GAMb,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,GAIzB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,GAEhB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,GAGjB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,GAIV,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,GAGtB,MAAM,wBAAwB,CAAC;AAWhC,MAAM,UAAU,iBAAiB,CAAC,GAAmB;IACnD,OAAO,GAAG,CAAC;AACb,CAAC","sourcesContent":["export {\n  createServer,\n  upsertEnvFile,\n  type CreateServerOptions,\n  type EnvKeyConfig,\n} from \"./create-server.js\";\n\nexport { readBody, streamFile } from \"./h3-helpers.js\";\nexport {\n  buildDeepLink,\n  toAbsoluteOpenUrl,\n  toDesktopOpenUrl,\n  OPEN_ROUTE_SUBPATH,\n  DESKTOP_OPEN_URL,\n  type DeepLinkInput,\n} from \"./deep-link.js\";\nexport { createOpenRouteHandler, type OpenRouteOptions } from \"./open-route.js\";\nexport { createSSEHandler, type SSEHandlerOptions } from \"./sse.js\";\nexport {\n  mountAuthMiddleware,\n  autoMountAuth,\n  getSession,\n  COOKIE_NAME,\n  addSession,\n  removeSession,\n  getSessionEmail,\n  getFrameworkSessionCookieValues,\n  setFrameworkSessionCookie,\n  clearFrameworkSessionCookies,\n  runAuthGuard,\n  setDesktopExchange,\n  setDesktopExchangeError,\n  safeReturnPath,\n  type DesktopExchangeErrorPayload,\n  type AuthSession,\n  type AuthOptions,\n} from \"./auth.js\";\nexport {\n  handleIdentitySso,\n  getIdentityHubUrl,\n  isIdentitySsoEnabled,\n  isIdentitySsoBypassPath,\n  identitySsoLoginButtonHtml,\n  IDENTITY_SSO_PROVIDER_ID,\n  IDENTITY_SSO_SCOPE,\n} from \"./identity-sso.js\";\nexport { requireEnvKey, type MissingKeyResponse } from \"./missing-key.js\";\nexport { verifyCaptcha, type CaptchaVerifyResult } from \"./captcha.js\";\nexport {\n  createProductionAgentHandler,\n  type ActionEntry,\n  type ScriptEntry,\n  type ProductionAgentOptions,\n  type ActionTool,\n  type ScriptTool,\n  type AgentMessage,\n  type AgentChatRequest,\n  type AgentChatEvent,\n  type AgentChatAttachment,\n  type AgentChatReference,\n  type MentionProvider,\n  type MentionProviderItem,\n  type AgentLoopFinalResponseGuard,\n  type AgentLoopFinalResponseGuardContext,\n  type AgentLoopFinalResponseGuardResult,\n  type AgentLoopToolCallSummary,\n  type AgentLoopToolResultSummary,\n} from \"../agent/index.js\";\nexport {\n  actionsToEngineTools,\n  getOwnerActiveApiKey,\n  runAgentLoop,\n} from \"../agent/production-agent.js\";\nexport {\n  getStoredModelForEngine,\n  resolveEngine,\n} from \"../agent/engine/index.js\";\nexport { createDevScriptRegistry } from \"../scripts/dev/index.js\";\n\nexport {\n  createPollHandler,\n  recordChange,\n  getVersion,\n  getChangesSince,\n  getPollEmitter,\n  canSeeChangeForUser,\n  POLL_CHANGE_EVENT,\n} from \"./poll.js\";\nexport { createPollEventsHandler } from \"./poll-events.js\";\nexport { createAuthPlugin, defaultAuthPlugin } from \"./auth-plugin.js\";\nexport {\n  initServerSentry,\n  isServerSentryEnabled,\n  setSentryUserForRequest,\n  captureRouteError,\n  type RouteErrorContext,\n} from \"./sentry.js\";\nexport {\n  captureError,\n  captureServerError,\n  registerErrorCaptureProvider,\n  type CaptureErrorContext,\n  type CaptureErrorProvider,\n} from \"./capture-error.js\";\nexport { createSentryPlugin, defaultSentryPlugin } from \"./sentry-plugin.js\";\n// Re-export the org plugin so the auto-discovery's DEFAULT_PLUGIN_REGISTRY\n// (which references \"defaultOrgPlugin\" from @agent-native/core/server) can\n// resolve it during the deploy build worker-entry generation.\nexport { createOrgPlugin, defaultOrgPlugin } from \"../org/plugin.js\";\nexport {\n  createGoogleAuthPlugin,\n  type GoogleAuthPluginOptions,\n} from \"./google-auth-plugin.js\";\nexport type { GoogleAuthMode } from \"./google-auth-mode.js\";\nexport {\n  createAgentChatPlugin,\n  defaultAgentChatPlugin,\n  type AgentChatPluginOptions,\n} from \"./agent-chat-plugin.js\";\nexport {\n  configureAgentNativeEmbeddedEnvironment,\n  createAgentNativeEmbeddedAuthOptions,\n  createAgentNativeEmbeddedPlugin,\n  mountAgentNativeEmbedded,\n  normalizeAgentNativeEmbeddedSession,\n  type AgentNativeEmbeddedAuthOptions,\n  type AgentNativeEmbeddedGetSession,\n  type AgentNativeEmbeddedHostSession,\n  type AgentNativeEmbeddedPluginOptions,\n} from \"./embedded.js\";\nexport {\n  createThread,\n  getThread,\n  listThreads,\n  updateThreadData,\n  deleteThread,\n  setThreadScope,\n  type ChatThread,\n  type ChatThreadScope,\n  type ChatThreadSummary,\n  type ListThreadsOptions,\n} from \"../chat-threads/store.js\";\nexport {\n  createResourcesPlugin,\n  defaultResourcesPlugin,\n} from \"./resources-plugin.js\";\nexport {\n  createCoreRoutesPlugin,\n  defaultCoreRoutesPlugin,\n  FRAMEWORK_ROUTE_PREFIX,\n  type CoreRoutesPluginOptions,\n} from \"./core-routes-plugin.js\";\nexport {\n  createBrowserSessionActionEntries,\n  type CreateBrowserSessionActionEntriesOptions,\n} from \"../browser-sessions/actions.js\";\nexport {\n  DEFAULT_BROWSER_SESSION_REQUEST_POLL_MS,\n  DEFAULT_BROWSER_SESSION_REQUEST_TIMEOUT_MS,\n  DEFAULT_BROWSER_SESSION_TTL_MS,\n  callBrowserSession,\n  claimBrowserSessionRequest,\n  completeBrowserSessionRequest,\n  createBrowserSessionRequest,\n  disconnectBrowserSession,\n  getBrowserSession,\n  getBrowserSessionRequest,\n  listBrowserSessions,\n  registerBrowserSession,\n  waitForBrowserSessionRequest,\n} from \"../browser-sessions/store.js\";\nexport {\n  mountBrowserSessionRoutes,\n  type MountBrowserSessionRoutesOptions,\n} from \"../browser-sessions/routes.js\";\nexport type {\n  AgentNativeBrowserSession,\n  AgentNativeBrowserSessionAction,\n  AgentNativeBrowserSessionRecord,\n  AgentNativeBrowserSessionRequest,\n  AgentNativeBrowserSessionRequestStatus,\n  AgentNativeBrowserSessionRequestType,\n  CreateAgentNativeBrowserSessionRequestInput,\n  RegisterAgentNativeBrowserSessionInput,\n} from \"../browser-sessions/types.js\";\nexport {\n  createTerminalPlugin,\n  defaultTerminalPlugin,\n  type TerminalPluginOptions,\n} from \"../terminal/terminal-plugin.js\";\nexport {\n  createCollabPlugin,\n  type CollabPluginOptions,\n} from \"./collab-plugin.js\";\n\nexport {\n  spawnTask,\n  getTask,\n  getTaskByThread,\n  listTasks,\n  sendToTask,\n  markTaskErrored,\n  type AgentTask,\n  type SpawnTaskOptions,\n} from \"./agent-teams.js\";\nexport { isOAuthConnected, getOAuthAccounts } from \"./oauth-helpers.js\";\nexport { wrapWithAnalytics } from \"./analytics.js\";\nexport {\n  getH3App,\n  awaitBootstrap,\n  type H3AppShim,\n} from \"./framework-request-handler.js\";\nexport {\n  autoDiscoverActions,\n  autoDiscoverScripts,\n  loadActionsFromStaticRegistry,\n  mergeCoreSharingActions,\n  registerPackageActions,\n} from \"./action-discovery.js\";\nexport {\n  mountActionRoutes,\n  type MountActionRoutesOptions,\n} from \"./action-routes.js\";\nexport {\n  runWithRequestContext,\n  hasRequestContext,\n  getRequestContext,\n  getRequestUserEmail,\n  getRequestUserName,\n  getRequestOrgId,\n  getRequestTimezone,\n  getRequestRunContext,\n  getCredentialContext,\n  isIntegrationCallerRequest,\n  type RequestContext,\n  type RequestRunContext,\n} from \"./request-context.js\";\nexport { formatDateInTimezone, todayInTimezone } from \"./date-utils.js\";\n\nexport {\n  createOnboardingPlugin,\n  defaultOnboardingPlugin,\n} from \"../onboarding/plugin.js\";\n\nexport {\n  registerFileUploadProvider,\n  unregisterFileUploadProvider,\n  listFileUploadProviders,\n  getActiveFileUploadProvider,\n  uploadFile,\n  builderFileUploadProvider,\n  type FileUploadInput,\n  type FileUploadProvider,\n  type FileUploadResult,\n} from \"../file-upload/index.js\";\n\nexport {\n  createIntegrationsPlugin,\n  defaultIntegrationsPlugin,\n  enqueueRemoteCommand,\n  slackAdapter,\n  telegramAdapter,\n  whatsappAdapter,\n  emailAdapter,\n  type PlatformAdapter,\n  type IncomingMessage,\n  type OutgoingMessage,\n  type IntegrationStatus,\n  type IntegrationsPluginOptions,\n} from \"../integrations/index.js\";\n\nexport {\n  isElectron,\n  isMobile,\n  getOrigin,\n  getAppBasePath,\n  getAppUrl,\n  resolveOAuthRedirectUri,\n  isAllowedOAuthRedirectUri,\n  encodeOAuthState,\n  decodeOAuthState,\n  resolveOAuthOwner,\n  createOAuthSession,\n  oauthCallbackResponse,\n  oauthErrorPage,\n  oauthDesktopExchangePage,\n  type OAuthStatePayload,\n  type OAuthOwnerResult,\n  type OAuthSessionResult,\n} from \"./google-oauth.js\";\n\nexport {\n  FeatureNotConfiguredError,\n  hasBuilderPrivateKey,\n  isBuilderEnvManaged,\n  getBuilderProxyOrigin,\n  getBuilderImageGenerationBaseUrl,\n  getBuilderAuthHeader,\n  resolveBuilderPrivateKey,\n  resolveBuilderAuthHeader,\n  resolveHasBuilderPrivateKey,\n  resolveBuilderCredentials,\n  resolveBuilderCredential,\n  writeBuilderCredentials,\n  deleteBuilderCredentials,\n  resolveSecret,\n} from \"./credential-provider.js\";\nexport {\n  getBuilderBranchProjectId,\n  isBuilderBranchingEnabled,\n  resolveBuilderBranchProjectId,\n  resolveIsBuilderBranchingEnabled,\n  runBuilderAgent,\n  type RunBuilderAgentResult,\n} from \"./builder-browser.js\";\n\nexport {\n  sendEmail,\n  isEmailConfigured,\n  getEmailProvider,\n  type EmailProvider,\n  type SendEmailArgs,\n} from \"./email.js\";\nexport {\n  renderEmail,\n  emailStrong,\n  emailLink,\n  type RenderEmailArgs,\n  type RenderedEmail,\n  type EmailCta,\n} from \"./email-template.js\";\nexport { getAppProductionUrl, getFirstPartyProdUrl } from \"./app-url.js\";\nexport {\n  getConfiguredAppBasePath,\n  normalizeAppBasePath,\n  withConfiguredAppBasePath,\n} from \"./app-base-path.js\";\nexport {\n  signShortLivedToken,\n  verifyShortLivedToken,\n  type ShortLivedTokenClaims,\n  type VerifyResult as ShortLivedTokenVerifyResult,\n} from \"./short-lived-token.js\";\n\n// SSR handler is NOT re-exported here — it uses a virtual module\n// (virtual:react-router/server-build) that only exists at Vite dev/build time.\n// Including it in this barrel would break the esbuild CF Pages bundler.\n// Templates import directly: import { ssrHandler } from \"@agent-native/core/server/ssr-handler\"\n\n// Nitro plugin helper — re-exported so templates don't need nitro as a direct dependency.\n// defineNitroPlugin is an identity function; this typed wrapper lets templates use it\n// without resolving `nitro/runtime` (which requires Nitro's virtual modules at runtime).\nexport type NitroPluginDef = (nitroApp: any) => void | Promise<void>;\nexport function defineNitroPlugin(def: NitroPluginDef): NitroPluginDef {\n  return def;\n}\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,GAGd,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EACL,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,kBAAkB,EAClB,gBAAgB,GAEjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAyB,MAAM,iBAAiB,CAAC;AAChF,OAAO,EACL,4BAA4B,EAC5B,mBAAmB,GAEpB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,wBAAwB,EACxB,yBAAyB,EACzB,8BAA8B,EAC9B,qBAAqB,EACrB,qBAAqB,EACrB,uBAAuB,GAQxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAA0B,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,WAAW,EACX,UAAU,EACV,aAAa,EACb,eAAe,EACf,+BAA+B,EAC/B,yBAAyB,EACzB,4BAA4B,EAC5B,YAAY,EACZ,kBAAkB,EAClB,uBAAuB,EACvB,cAAc,GAIf,MAAM,WAAW,CAAC;AACnB,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,uBAAuB,EACvB,0BAA0B,EAC1B,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAA2B,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAA4B,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,GAkB7B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,YAAY,GACb,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,uBAAuB,EACvB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,EACf,cAAc,EACd,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,iBAAiB,GAElB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,4BAA4B,GAG7B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC7E,2EAA2E;AAC3E,2EAA2E;AAC3E,8DAA8D;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,uCAAuC,EACvC,oCAAoC,EACpC,+BAA+B,EAC/B,wBAAwB,EACxB,mCAAmC,GAKpC,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,EACZ,cAAc,GAKf,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,iCAAiC,GAElC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,uCAAuC,EACvC,0CAA0C,EAC1C,8BAA8B,EAC9B,kBAAkB,EAClB,0BAA0B,EAC1B,6BAA6B,EAC7B,2BAA2B,EAC3B,wBAAwB,EACxB,iBAAiB,EACjB,wBAAwB,EACxB,mBAAmB,EACnB,sBAAsB,EACtB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,yBAAyB,GAE1B,MAAM,+BAA+B,CAAC;AAWvC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,GAEtB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,GAEnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,GAGhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,GAEf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,6BAA6B,EAC7B,uBAAuB,EACvB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,GAElB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,qBAAqB,EACrB,iBAAiB,EACjB,iBAAiB,EACjB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,0BAA0B,GAG3B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAExE,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,GAI1B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,eAAe,EACf,YAAY,GAMb,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,cAAc,EACd,SAAS,EACT,uBAAuB,EACvB,yBAAyB,EACzB,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,wBAAwB,GAIzB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,gCAAgC,EAChC,oBAAoB,EACpB,wBAAwB,EACxB,wBAAwB,EACxB,2BAA2B,EAC3B,yBAAyB,EACzB,wBAAwB,EACxB,uBAAuB,EACvB,wBAAwB,EACxB,aAAa,GACd,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,6BAA6B,EAC7B,gCAAgC,EAChC,eAAe,GAEhB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,SAAS,EACT,iBAAiB,EACjB,gBAAgB,GAGjB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,WAAW,EACX,WAAW,EACX,SAAS,GAIV,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EACL,wBAAwB,EACxB,oBAAoB,EACpB,yBAAyB,GAC1B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,mBAAmB,EACnB,qBAAqB,GAGtB,MAAM,wBAAwB,CAAC;AAWhC,MAAM,UAAU,iBAAiB,CAAC,GAAmB;IACnD,OAAO,GAAG,CAAC;AACb,CAAC","sourcesContent":["export {\n  createServer,\n  upsertEnvFile,\n  type CreateServerOptions,\n  type EnvKeyConfig,\n} from \"./create-server.js\";\n\nexport { readBody, streamFile } from \"./h3-helpers.js\";\nexport {\n  buildDeepLink,\n  toAbsoluteOpenUrl,\n  toDesktopOpenUrl,\n  OPEN_ROUTE_SUBPATH,\n  DESKTOP_OPEN_URL,\n  type DeepLinkInput,\n} from \"./deep-link.js\";\nexport { createOpenRouteHandler, type OpenRouteOptions } from \"./open-route.js\";\nexport {\n  createEmbedStartRouteHandler,\n  buildEmbedStartPath,\n  type EmbedStartRouteOptions,\n} from \"./embed-route.js\";\nexport {\n  createEmbedSessionTicket,\n  consumeEmbedSessionTicket,\n  normalizeEmbedTargetPath,\n  requestHasEmbedAuthMarker,\n  resolveEmbedSessionFromRequest,\n  setEmbedSessionCookie,\n  signEmbedSessionToken,\n  verifyEmbedSessionToken,\n  type ConsumedEmbedSessionTicket,\n  type ConsumeEmbedSessionTicketOptions,\n  type EmbedSessionTicket,\n  type EmbedSessionTicketInput,\n  type EmbedSessionTokenClaims,\n  type ResolvedEmbedSession,\n  type VerifyEmbedSessionTokenResult,\n} from \"./embed-session.js\";\nexport { createSSEHandler, type SSEHandlerOptions } from \"./sse.js\";\nexport {\n  mountAuthMiddleware,\n  autoMountAuth,\n  getSession,\n  COOKIE_NAME,\n  addSession,\n  removeSession,\n  getSessionEmail,\n  getFrameworkSessionCookieValues,\n  setFrameworkSessionCookie,\n  clearFrameworkSessionCookies,\n  runAuthGuard,\n  setDesktopExchange,\n  setDesktopExchangeError,\n  safeReturnPath,\n  type DesktopExchangeErrorPayload,\n  type AuthSession,\n  type AuthOptions,\n} from \"./auth.js\";\nexport {\n  handleIdentitySso,\n  getIdentityHubUrl,\n  isIdentitySsoEnabled,\n  isIdentitySsoBypassPath,\n  identitySsoLoginButtonHtml,\n  IDENTITY_SSO_PROVIDER_ID,\n  IDENTITY_SSO_SCOPE,\n} from \"./identity-sso.js\";\nexport { requireEnvKey, type MissingKeyResponse } from \"./missing-key.js\";\nexport { verifyCaptcha, type CaptchaVerifyResult } from \"./captcha.js\";\nexport {\n  createProductionAgentHandler,\n  type ActionEntry,\n  type ScriptEntry,\n  type ProductionAgentOptions,\n  type ActionTool,\n  type ScriptTool,\n  type AgentMessage,\n  type AgentChatRequest,\n  type AgentChatEvent,\n  type AgentChatAttachment,\n  type AgentChatReference,\n  type MentionProvider,\n  type MentionProviderItem,\n  type AgentLoopFinalResponseGuard,\n  type AgentLoopFinalResponseGuardContext,\n  type AgentLoopFinalResponseGuardResult,\n  type AgentLoopToolCallSummary,\n  type AgentLoopToolResultSummary,\n} from \"../agent/index.js\";\nexport {\n  actionsToEngineTools,\n  getOwnerActiveApiKey,\n  runAgentLoop,\n} from \"../agent/production-agent.js\";\nexport {\n  getStoredModelForEngine,\n  resolveEngine,\n} from \"../agent/engine/index.js\";\nexport { createDevScriptRegistry } from \"../scripts/dev/index.js\";\n\nexport {\n  createPollHandler,\n  recordChange,\n  getVersion,\n  getChangesSince,\n  getPollEmitter,\n  canSeeChangeForUser,\n  POLL_CHANGE_EVENT,\n} from \"./poll.js\";\nexport { createPollEventsHandler } from \"./poll-events.js\";\nexport { createAuthPlugin, defaultAuthPlugin } from \"./auth-plugin.js\";\nexport {\n  initServerSentry,\n  isServerSentryEnabled,\n  setSentryUserForRequest,\n  captureRouteError,\n  type RouteErrorContext,\n} from \"./sentry.js\";\nexport {\n  captureError,\n  captureServerError,\n  registerErrorCaptureProvider,\n  type CaptureErrorContext,\n  type CaptureErrorProvider,\n} from \"./capture-error.js\";\nexport { createSentryPlugin, defaultSentryPlugin } from \"./sentry-plugin.js\";\n// Re-export the org plugin so the auto-discovery's DEFAULT_PLUGIN_REGISTRY\n// (which references \"defaultOrgPlugin\" from @agent-native/core/server) can\n// resolve it during the deploy build worker-entry generation.\nexport { createOrgPlugin, defaultOrgPlugin } from \"../org/plugin.js\";\nexport {\n  createGoogleAuthPlugin,\n  type GoogleAuthPluginOptions,\n} from \"./google-auth-plugin.js\";\nexport type { GoogleAuthMode } from \"./google-auth-mode.js\";\nexport {\n  createAgentChatPlugin,\n  defaultAgentChatPlugin,\n  type AgentChatPluginOptions,\n} from \"./agent-chat-plugin.js\";\nexport {\n  configureAgentNativeEmbeddedEnvironment,\n  createAgentNativeEmbeddedAuthOptions,\n  createAgentNativeEmbeddedPlugin,\n  mountAgentNativeEmbedded,\n  normalizeAgentNativeEmbeddedSession,\n  type AgentNativeEmbeddedAuthOptions,\n  type AgentNativeEmbeddedGetSession,\n  type AgentNativeEmbeddedHostSession,\n  type AgentNativeEmbeddedPluginOptions,\n} from \"./embedded.js\";\nexport {\n  createThread,\n  getThread,\n  listThreads,\n  updateThreadData,\n  deleteThread,\n  setThreadScope,\n  type ChatThread,\n  type ChatThreadScope,\n  type ChatThreadSummary,\n  type ListThreadsOptions,\n} from \"../chat-threads/store.js\";\nexport {\n  createResourcesPlugin,\n  defaultResourcesPlugin,\n} from \"./resources-plugin.js\";\nexport {\n  createCoreRoutesPlugin,\n  defaultCoreRoutesPlugin,\n  FRAMEWORK_ROUTE_PREFIX,\n  type CoreRoutesPluginOptions,\n} from \"./core-routes-plugin.js\";\nexport {\n  createBrowserSessionActionEntries,\n  type CreateBrowserSessionActionEntriesOptions,\n} from \"../browser-sessions/actions.js\";\nexport {\n  DEFAULT_BROWSER_SESSION_REQUEST_POLL_MS,\n  DEFAULT_BROWSER_SESSION_REQUEST_TIMEOUT_MS,\n  DEFAULT_BROWSER_SESSION_TTL_MS,\n  callBrowserSession,\n  claimBrowserSessionRequest,\n  completeBrowserSessionRequest,\n  createBrowserSessionRequest,\n  disconnectBrowserSession,\n  getBrowserSession,\n  getBrowserSessionRequest,\n  listBrowserSessions,\n  registerBrowserSession,\n  waitForBrowserSessionRequest,\n} from \"../browser-sessions/store.js\";\nexport {\n  mountBrowserSessionRoutes,\n  type MountBrowserSessionRoutesOptions,\n} from \"../browser-sessions/routes.js\";\nexport type {\n  AgentNativeBrowserSession,\n  AgentNativeBrowserSessionAction,\n  AgentNativeBrowserSessionRecord,\n  AgentNativeBrowserSessionRequest,\n  AgentNativeBrowserSessionRequestStatus,\n  AgentNativeBrowserSessionRequestType,\n  CreateAgentNativeBrowserSessionRequestInput,\n  RegisterAgentNativeBrowserSessionInput,\n} from \"../browser-sessions/types.js\";\nexport {\n  createTerminalPlugin,\n  defaultTerminalPlugin,\n  type TerminalPluginOptions,\n} from \"../terminal/terminal-plugin.js\";\nexport {\n  createCollabPlugin,\n  type CollabPluginOptions,\n} from \"./collab-plugin.js\";\n\nexport {\n  spawnTask,\n  getTask,\n  getTaskByThread,\n  listTasks,\n  sendToTask,\n  markTaskErrored,\n  type AgentTask,\n  type SpawnTaskOptions,\n} from \"./agent-teams.js\";\nexport { isOAuthConnected, getOAuthAccounts } from \"./oauth-helpers.js\";\nexport { wrapWithAnalytics } from \"./analytics.js\";\nexport {\n  getH3App,\n  awaitBootstrap,\n  type H3AppShim,\n} from \"./framework-request-handler.js\";\nexport {\n  autoDiscoverActions,\n  autoDiscoverScripts,\n  loadActionsFromStaticRegistry,\n  mergeCoreSharingActions,\n  registerPackageActions,\n} from \"./action-discovery.js\";\nexport {\n  mountActionRoutes,\n  type MountActionRoutesOptions,\n} from \"./action-routes.js\";\nexport {\n  runWithRequestContext,\n  hasRequestContext,\n  getRequestContext,\n  getRequestUserEmail,\n  getRequestUserName,\n  getRequestOrgId,\n  getRequestTimezone,\n  getRequestRunContext,\n  getCredentialContext,\n  isIntegrationCallerRequest,\n  type RequestContext,\n  type RequestRunContext,\n} from \"./request-context.js\";\nexport { formatDateInTimezone, todayInTimezone } from \"./date-utils.js\";\n\nexport {\n  createOnboardingPlugin,\n  defaultOnboardingPlugin,\n} from \"../onboarding/plugin.js\";\n\nexport {\n  registerFileUploadProvider,\n  unregisterFileUploadProvider,\n  listFileUploadProviders,\n  getActiveFileUploadProvider,\n  uploadFile,\n  builderFileUploadProvider,\n  type FileUploadInput,\n  type FileUploadProvider,\n  type FileUploadResult,\n} from \"../file-upload/index.js\";\n\nexport {\n  createIntegrationsPlugin,\n  defaultIntegrationsPlugin,\n  enqueueRemoteCommand,\n  slackAdapter,\n  telegramAdapter,\n  whatsappAdapter,\n  emailAdapter,\n  type PlatformAdapter,\n  type IncomingMessage,\n  type OutgoingMessage,\n  type IntegrationStatus,\n  type IntegrationsPluginOptions,\n} from \"../integrations/index.js\";\n\nexport {\n  isElectron,\n  isMobile,\n  getOrigin,\n  getAppBasePath,\n  getAppUrl,\n  resolveOAuthRedirectUri,\n  isAllowedOAuthRedirectUri,\n  encodeOAuthState,\n  decodeOAuthState,\n  resolveOAuthOwner,\n  createOAuthSession,\n  oauthCallbackResponse,\n  oauthErrorPage,\n  oauthDesktopExchangePage,\n  type OAuthStatePayload,\n  type OAuthOwnerResult,\n  type OAuthSessionResult,\n} from \"./google-oauth.js\";\n\nexport {\n  FeatureNotConfiguredError,\n  hasBuilderPrivateKey,\n  isBuilderEnvManaged,\n  getBuilderProxyOrigin,\n  getBuilderImageGenerationBaseUrl,\n  getBuilderAuthHeader,\n  resolveBuilderPrivateKey,\n  resolveBuilderAuthHeader,\n  resolveHasBuilderPrivateKey,\n  resolveBuilderCredentials,\n  resolveBuilderCredential,\n  writeBuilderCredentials,\n  deleteBuilderCredentials,\n  resolveSecret,\n} from \"./credential-provider.js\";\nexport {\n  getBuilderBranchProjectId,\n  isBuilderBranchingEnabled,\n  resolveBuilderBranchProjectId,\n  resolveIsBuilderBranchingEnabled,\n  runBuilderAgent,\n  type RunBuilderAgentResult,\n} from \"./builder-browser.js\";\n\nexport {\n  sendEmail,\n  isEmailConfigured,\n  getEmailProvider,\n  type EmailProvider,\n  type SendEmailArgs,\n} from \"./email.js\";\nexport {\n  renderEmail,\n  emailStrong,\n  emailLink,\n  type RenderEmailArgs,\n  type RenderedEmail,\n  type EmailCta,\n} from \"./email-template.js\";\nexport { getAppProductionUrl, getFirstPartyProdUrl } from \"./app-url.js\";\nexport {\n  getConfiguredAppBasePath,\n  normalizeAppBasePath,\n  withConfiguredAppBasePath,\n} from \"./app-base-path.js\";\nexport {\n  signShortLivedToken,\n  verifyShortLivedToken,\n  type ShortLivedTokenClaims,\n  type VerifyResult as ShortLivedTokenVerifyResult,\n} from \"./short-lived-token.js\";\n\n// SSR handler is NOT re-exported here — it uses a virtual module\n// (virtual:react-router/server-build) that only exists at Vite dev/build time.\n// Including it in this barrel would break the esbuild CF Pages bundler.\n// Templates import directly: import { ssrHandler } from \"@agent-native/core/server/ssr-handler\"\n\n// Nitro plugin helper — re-exported so templates don't need nitro as a direct dependency.\n// defineNitroPlugin is an identity function; this typed wrapper lets templates use it\n// without resolving `nitro/runtime` (which requires Nitro's virtual modules at runtime).\nexport type NitroPluginDef = (nitroApp: any) => void | Promise<void>;\nexport function defineNitroPlugin(def: NitroPluginDef): NitroPluginDef {\n  return def;\n}\n"]}

package/dist/server/open-route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"open-route.d.ts","sourceRoot":"","sources":["../../src/server/open-route.ts"],"names":[],"mappings":"AAmDA,MAAM,WAAW,gBAAgB;IAC/B;;yEAEqE;IACrE,eAAe,CAAC,EAAE,CAAC,MAAM,EAAE;QACzB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAChC,KAAK,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;CACjC;AA0CD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,gBAAqB,2FAyHpE"}
+{"version":3,"file":"open-route.d.ts","sourceRoot":"","sources":["../../src/server/open-route.ts"],"names":[],"mappings":"AAyDA,MAAM,WAAW,gBAAgB;IAC/B;;yEAEqE;IACrE,eAAe,CAAC,EAAE,CAAC,MAAM,EAAE;QACzB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAChC,KAAK,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;CACjC;AA0CD,wBAAgB,sBAAsB,CAAC,OAAO,GAAE,gBAAqB,2FA+HpE"}

package/dist/server/open-route.js

@@ -2,12 +2,15 @@ import { defineEventHandler, getMethod } from "h3";
 import { getSession, getConfiguredLoginHtml } from "./auth.js";
 import { appStatePut, appStateGet } from "../application-state/store.js";
 import { AGENT_SIDEBAR_QUERY_PARAM, withCollapsedAgentSidebarParam, } from "../shared/agent-sidebar-url.js";
+import { EMBED_MODE_QUERY_PARAM, EMBED_TOKEN_QUERY_PARAM, } from "../shared/embed-auth.js";
 /** Query keys that are route control, not navigation payload. */
 const RESERVED = new Set([
     "app",
     "view",
     "to",
     "compose",
+    EMBED_MODE_QUERY_PARAM,
+    EMBED_TOKEN_QUERY_PARAM,
     AGENT_SIDEBAR_QUERY_PARAM,
 ]);
 // Control-char guard (NUL..US + DEL). Defined via codepoints so the source
@@ -171,6 +174,13 @@ export function createOpenRouteHandler(options = {}) {
                 filters.set(k, v);
         }
         target = appendSearchParams(target, filters);
+        const embedParams = new URLSearchParams();
+        for (const key of [EMBED_MODE_QUERY_PARAM, EMBED_TOKEN_QUERY_PARAM]) {
+            const value = search.get(key);
+            if (value)
+                embedParams.set(key, value);
+        }
+        target = appendSearchParams(target, embedParams);
         target = withCollapsedAgentSidebarParam(target);
         return redirect(target);
     });

package/dist/server/open-route.js.map

@@ -1 +1 @@
-{"version":3,"file":"open-route.js","sourceRoot":"","sources":["../../src/server/open-route.ts"],"names":[],"mappings":"AAwBA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AACzE,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AAExC,iEAAiE;AACjE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;IACvB,KAAK;IACL,MAAM;IACN,IAAI;IACJ,SAAS;IACT,yBAAyB;CAC1B,CAAC,CAAC;AAEH,2EAA2E;AAC3E,0BAA0B;AAC1B,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,0BAA0B,CAAC,CAAC;AAE7D,yDAAyD;AACzD,2EAA2E;AAC3E,sEAAsE;AACtE,0CAA0C;AAC1C,MAAM,UAAU,GAAG,uBAAuB,CAAC;AAa3C,SAAS,aAAa,CAAC,KAAc;IACnC,OAAQ,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAK,KAAa,CAAC,IAAI,IAAI,GAAG,CAAC;AACrE,CAAC;AAED,iFAAiF;AACjF,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,GAA8B;IACtD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/D,IAAI,wBAAwB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,QAAQ,CAAC,QAAgB;IAChC,wEAAwE;IACxE,8CAA8C;IAC9C,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc,EAAE,MAAuB;IACjE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;QAAE,OAAO,MAAM,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;QACjD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE;YAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAClE,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,MAAM,CAAC;IAChB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,UAA4B,EAAE;IACnE,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,EAAE;gBACnE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,MAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,YAAY,CAAC;QAC7D,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACjC,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC;QAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC;QAC7C,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;QAC9C,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC;QAEnD,0EAA0E;QAC1E,wEAAwE;QACxE,sBAAsB;QACtB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,MAAM,IAAI,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;YAC3C,IAAI,IAAI,EAAE,CAAC;gBACT,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;iBACxD,CAAC,CAAC;YACL,CAAC;YACD,sEAAsE;YACtE,gEAAgE;QAClE,CAAC;QAED,mEAAmE;QACnE,oEAAoE;QACpE,MAAM,SAAS,GAA2B,EAAE,CAAC;QAC7C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YACtC,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;gBAAE,SAAS;YAC9B,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,MAAM,UAAU,GAA4B,EAAE,GAAG,SAAS,EAAE,CAAC;QAC7D,IAAI,IAAI;YAAE,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC;QAEjC,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,MAAM,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE;oBACvD,aAAa,EAAE,WAAW;iBAC3B,CAAC,CAAC;gBACH,IAAI,OAAO,EAAE,CAAC;oBACZ,IAAI,CAAC;wBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;wBACnD,iEAAiE;wBACjE,iEAAiE;wBACjE,gEAAgE;wBAChE,gDAAgD;wBAChD,IACE,KAAK;4BACL,OAAO,KAAK,KAAK,QAAQ;4BACzB,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ;4BAC5B,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,EACzB,CAAC;4BACD,MAAM,UAAU,GAAG,WAAW,KAAK,CAAC,EAAE,EAAE,CAAC;4BACzC,gEAAgE;4BAChE,8DAA8D;4BAC9D,+DAA+D;4BAC/D,gEAAgE;4BAChE,8DAA8D;4BAC9D,gEAAgE;4BAChE,gEAAgE;4BAChE,MAAM,UAAU,GACd,CAAC,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;gCACzD,CAAC,CAAC,KAAK,CAAC,EAAE;gCACV,CAAC,CAAC,KAAK,CAAC,EAAE;gCACV,CAAC,CAAC,KAAK,CAAC,GAAG;gCACX,CAAC,CAAC,KAAK,CAAC,IAAI;gCACZ,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC;4BAC1B,MAAM,QAAQ,GAAG,UAAU;gCACzB,CAAC,CAAC,IAAI;gCACN,CAAC,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;4BACjD,IAAI,UAAU,IAAI,CAAC,QAAQ,EAAE,CAAC;gCAC5B,MAAM,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE;oCAClD,aAAa,EAAE,WAAW;iCAC3B,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,0DAA0D;oBAC5D,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,gDAAgD;YAClD,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,IAAI,MAAM,GACR,gBAAgB,CAAC,OAAO,CAAC;YACzB,gBAAgB,CACd,OAAO,CAAC,eAAe,EAAE,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;gBACzD,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAC7B;YACD,GAAG,CAAC;QAEN,yEAAyE;QACzE,4DAA4D;QAC5D,MAAM,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;QACtC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YACtC,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5C,CAAC;QACD,MAAM,GAAG,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,GAAG,8BAA8B,CAAC,MAAM,CAAC,CAAC;QAEhD,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * `/_agent-native/open` — the stable deep-link route.\n *\n * An external coding agent (Claude Code / Cowork / Codex) surfaces an\n * \"Open in <app> →\" link (built by an action's `link` builder, see\n * `deep-link.ts`). When the user clicks it in any browser / inline webview,\n * this route:\n *   1. Resolves the *browser* session (NOT the agent token) — so the record\n *      always lands where the human is logged in.\n *   2. When unauthenticated, serves the same sign-in form the auth guard\n *      would, *at this same URL*. The login form's success handler reloads\n *      `window.location.href`, so the now-authenticated request re-enters\n *      this route and proceeds. No `?next=` plumbing needed.\n *   3. Writes the existing one-shot `navigate` application-state command (the\n *      exact key the UI already drains every 2s — we don't invent a new\n *      navigation mechanism, we bridge to it), plus an optional `compose-<id>`\n *      draft.\n *   4. 302-redirects to the rendered SPA view so the page loads immediately;\n *      the polled `navigate` command then applies record-level focus.\n *\n * The link itself is a pure pointer (view + record ids + filters) and carries\n * no privileged state.\n */\nimport type { H3Event } from \"h3\";\nimport { defineEventHandler, getMethod } from \"h3\";\nimport { getSession, getConfiguredLoginHtml } from \"./auth.js\";\nimport { appStatePut, appStateGet } from \"../application-state/store.js\";\nimport {\n  AGENT_SIDEBAR_QUERY_PARAM,\n  withCollapsedAgentSidebarParam,\n} from \"../shared/agent-sidebar-url.js\";\n\n/** Query keys that are route control, not navigation payload. */\nconst RESERVED = new Set([\n  \"app\",\n  \"view\",\n  \"to\",\n  \"compose\",\n  AGENT_SIDEBAR_QUERY_PARAM,\n]);\n\n// Control-char guard (NUL..US + DEL). Defined via codepoints so the source\n// file stays plain ASCII.\nconst CONTROL_CHARS = new RegExp(\"[\\\\u0000-\\\\u001f\\\\u007f]\");\n\n// Compose-draft id charset. Mirrors `sanitizeDraftId` in\n// templates/mail/actions/manage-draft.ts so the id we concatenate into the\n// `compose-<id>` application-state key can't escape the key namespace\n// (path-traversal / key injection guard).\nconst COMPOSE_ID = /^[a-zA-Z0-9_-]{1,64}$/;\n\nexport interface OpenRouteOptions {\n  /** Per-template override that turns the parsed deep-link params into the\n   *  client-side SPA path to redirect to. Return `null` to use the default\n   *  (`/<view>`). Filter params (`f_*`) are appended automatically. */\n  resolveOpenPath?: (params: {\n    app?: string;\n    view?: string;\n    params: Record<string, string>;\n  }) => string | null | undefined;\n}\n\nfunction getRequestUrl(event: H3Event): string {\n  return (event as any).node?.req?.url ?? (event as any).path ?? \"/\";\n}\n\n/** Decode a base64url string to UTF-8 (Node Buffer; this route is Node-only). */\nfunction decodeBase64Url(input: string): string {\n  return Buffer.from(input, \"base64url\").toString(\"utf8\");\n}\n\n/**\n * Normalize a candidate redirect path to a safe, same-origin, leading-slash\n * relative path. Rejects absolute URLs, scheme-relative `//host`, and control\n * chars (open-redirect guard). Returns `null` when unsafe.\n */\nfunction safeRelativePath(raw: string | undefined | null): string | null {\n  if (!raw) return null;\n  if (CONTROL_CHARS.test(raw)) return null;\n  if (!raw.startsWith(\"/\")) return null;\n  if (raw.startsWith(\"//\") || raw.startsWith(\"/\\\\\")) return null;\n  if (/^\\/[a-z][a-z0-9+.-]*:/i.test(raw)) return null;\n  return raw;\n}\n\nfunction redirect(location: string): Response {\n  // Native web Response (not h3 v2's reworked sendRedirect) — matches the\n  // redirect pattern used elsewhere in auth.ts.\n  return new Response(\"\", { status: 302, headers: { Location: location } });\n}\n\nfunction appendSearchParams(target: string, params: URLSearchParams): string {\n  if (!params.toString()) return target;\n  try {\n    const url = new URL(target, \"http://an.invalid\");\n    for (const [k, v] of params.entries()) url.searchParams.set(k, v);\n    return `${url.pathname}${url.search}${url.hash}`;\n  } catch {\n    return target;\n  }\n}\n\nexport function createOpenRouteHandler(options: OpenRouteOptions = {}) {\n  return defineEventHandler(async (event: H3Event) => {\n    const method = getMethod(event);\n    if (method !== \"GET\" && method !== \"HEAD\") {\n      return new Response(JSON.stringify({ error: \"Method not allowed\" }), {\n        status: 405,\n        headers: { \"Content-Type\": \"application/json\" },\n      });\n    }\n\n    const rawUrl = getRequestUrl(event);\n    let search: URLSearchParams;\n    try {\n      search = new URL(rawUrl, \"http://an.invalid\").searchParams;\n    } catch {\n      search = new URLSearchParams();\n    }\n\n    const app = search.get(\"app\") ?? undefined;\n    const view = search.get(\"view\") ?? undefined;\n    const toParam = search.get(\"to\") ?? undefined;\n    const compose = search.get(\"compose\") ?? undefined;\n\n    // Resolve the BROWSER session. When unauthenticated, serve the same login\n    // form the guard would — at this URL — so the post-login reload returns\n    // here authenticated.\n    const session = await getSession(event);\n    if (!session?.email) {\n      const html = getConfiguredLoginHtml(event);\n      if (html) {\n        return new Response(html, {\n          status: 200,\n          headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n        });\n      }\n      // No auth guard configured (fully open app) — best effort: still send\n      // the user to the view; nothing to scope the navigate write to.\n    }\n\n    // Build the navigation payload from every non-reserved query param\n    // (record ids + filters: threadId, eventId, dashboardId, f_*, ...).\n    const navParams: Record<string, string> = {};\n    for (const [k, v] of search.entries()) {\n      if (RESERVED.has(k)) continue;\n      navParams[k] = v;\n    }\n    const navPayload: Record<string, unknown> = { ...navParams };\n    if (view) navPayload.view = view;\n\n    if (session?.email) {\n      try {\n        await appStatePut(session.email, \"navigate\", navPayload, {\n          requestSource: \"deep-link\",\n        });\n        if (compose) {\n          try {\n            const draft = JSON.parse(decodeBase64Url(compose));\n            // Validate the id before using it as a key segment. An unsafe id\n            // could escape the `compose-` namespace and clobber an unrelated\n            // application-state key; skip the write (the view still opens),\n            // mirroring the malformed-payload branch below.\n            if (\n              draft &&\n              typeof draft === \"object\" &&\n              typeof draft.id === \"string\" &&\n              COMPOSE_ID.test(draft.id)\n            ) {\n              const composeKey = `compose-${draft.id}`;\n              // A compact deep link may carry only `{ id, subject }` when the\n              // full draft was too large to inline in the URL. The complete\n              // draft is already persisted at `compose-<id>` by manage-draft\n              // on create/update. Never let the truncated stub overwrite that\n              // richer saved draft (would silently lose body / recipients /\n              // reply metadata). Only write when the payload actually carries\n              // content, or when nothing is saved yet (composer still opens).\n              const hasContent =\n                (typeof draft.body === \"string\" && draft.body.length > 0) ||\n                !!draft.to ||\n                !!draft.cc ||\n                !!draft.bcc ||\n                !!draft.html ||\n                !!draft.replyToThreadId;\n              const existing = hasContent\n                ? null\n                : await appStateGet(session.email, composeKey);\n              if (hasContent || !existing) {\n                await appStatePut(session.email, composeKey, draft, {\n                  requestSource: \"deep-link\",\n                });\n              }\n            }\n          } catch {\n            // Malformed compose payload — skip; the view still opens.\n          }\n        }\n      } catch {\n        // App-state write failure shouldn't 500 the click; the redirect\n        // below still lands the user on the right view.\n      }\n    }\n\n    // Resolve the SPA path to redirect to.\n    let target =\n      safeRelativePath(toParam) ??\n      safeRelativePath(\n        options.resolveOpenPath?.({ app, view, params: navParams }) ??\n          (view ? `/${view}` : null),\n      ) ??\n      \"/\";\n\n    // Forward filter params (f_*) onto the redirect so dashboards/lists open\n    // pre-filtered even before the navigate command is drained.\n    const filters = new URLSearchParams();\n    for (const [k, v] of search.entries()) {\n      if (k.startsWith(\"f_\")) filters.set(k, v);\n    }\n    target = appendSearchParams(target, filters);\n    target = withCollapsedAgentSidebarParam(target);\n\n    return redirect(target);\n  });\n}\n"]}
+{"version":3,"file":"open-route.js","sourceRoot":"","sources":["../../src/server/open-route.ts"],"names":[],"mappings":"AAwBA,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,IAAI,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,sBAAsB,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AACzE,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,iEAAiE;AACjE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;IACvB,KAAK;IACL,MAAM;IACN,IAAI;IACJ,SAAS;IACT,sBAAsB;IACtB,uBAAuB;IACvB,yBAAyB;CAC1B,CAAC,CAAC;AAEH,2EAA2E;AAC3E,0BAA0B;AAC1B,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,0BAA0B,CAAC,CAAC;AAE7D,yDAAyD;AACzD,2EAA2E;AAC3E,sEAAsE;AACtE,0CAA0C;AAC1C,MAAM,UAAU,GAAG,uBAAuB,CAAC;AAa3C,SAAS,aAAa,CAAC,KAAc;IACnC,OAAQ,KAAa,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,IAAK,KAAa,CAAC,IAAI,IAAI,GAAG,CAAC;AACrE,CAAC;AAED,iFAAiF;AACjF,SAAS,eAAe,CAAC,KAAa;IACpC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,GAA8B;IACtD,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACzC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/D,IAAI,wBAAwB,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,QAAQ,CAAC,QAAgB;IAChC,wEAAwE;IACxE,8CAA8C;IAC9C,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc,EAAE,MAAuB;IACjE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE;QAAE,OAAO,MAAM,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC;QACjD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE;YAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAClE,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,MAAM,CAAC;IAChB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,UAA4B,EAAE;IACnE,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,EAAE;gBACnE,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;aAChD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACpC,IAAI,MAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,mBAAmB,CAAC,CAAC,YAAY,CAAC;QAC7D,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QACjC,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC;QAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC;QAC7C,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;QAC9C,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC;QAEnD,0EAA0E;QAC1E,wEAAwE;QACxE,sBAAsB;QACtB,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,MAAM,IAAI,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;YAC3C,IAAI,IAAI,EAAE,CAAC;gBACT,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;iBACxD,CAAC,CAAC;YACL,CAAC;YACD,sEAAsE;YACtE,gEAAgE;QAClE,CAAC;QAED,mEAAmE;QACnE,oEAAoE;QACpE,MAAM,SAAS,GAA2B,EAAE,CAAC;QAC7C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YACtC,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;gBAAE,SAAS;YAC9B,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,MAAM,UAAU,GAA4B,EAAE,GAAG,SAAS,EAAE,CAAC;QAC7D,IAAI,IAAI;YAAE,UAAU,CAAC,IAAI,GAAG,IAAI,CAAC;QAEjC,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,MAAM,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE;oBACvD,aAAa,EAAE,WAAW;iBAC3B,CAAC,CAAC;gBACH,IAAI,OAAO,EAAE,CAAC;oBACZ,IAAI,CAAC;wBACH,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;wBACnD,iEAAiE;wBACjE,iEAAiE;wBACjE,gEAAgE;wBAChE,gDAAgD;wBAChD,IACE,KAAK;4BACL,OAAO,KAAK,KAAK,QAAQ;4BACzB,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ;4BAC5B,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,EACzB,CAAC;4BACD,MAAM,UAAU,GAAG,WAAW,KAAK,CAAC,EAAE,EAAE,CAAC;4BACzC,gEAAgE;4BAChE,8DAA8D;4BAC9D,+DAA+D;4BAC/D,gEAAgE;4BAChE,8DAA8D;4BAC9D,gEAAgE;4BAChE,gEAAgE;4BAChE,MAAM,UAAU,GACd,CAAC,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;gCACzD,CAAC,CAAC,KAAK,CAAC,EAAE;gCACV,CAAC,CAAC,KAAK,CAAC,EAAE;gCACV,CAAC,CAAC,KAAK,CAAC,GAAG;gCACX,CAAC,CAAC,KAAK,CAAC,IAAI;gCACZ,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC;4BAC1B,MAAM,QAAQ,GAAG,UAAU;gCACzB,CAAC,CAAC,IAAI;gCACN,CAAC,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;4BACjD,IAAI,UAAU,IAAI,CAAC,QAAQ,EAAE,CAAC;gCAC5B,MAAM,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE;oCAClD,aAAa,EAAE,WAAW;iCAC3B,CAAC,CAAC;4BACL,CAAC;wBACH,CAAC;oBACH,CAAC;oBAAC,MAAM,CAAC;wBACP,0DAA0D;oBAC5D,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gEAAgE;gBAChE,gDAAgD;YAClD,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,IAAI,MAAM,GACR,gBAAgB,CAAC,OAAO,CAAC;YACzB,gBAAgB,CACd,OAAO,CAAC,eAAe,EAAE,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;gBACzD,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAC7B;YACD,GAAG,CAAC;QAEN,yEAAyE;QACzE,4DAA4D;QAC5D,MAAM,OAAO,GAAG,IAAI,eAAe,EAAE,CAAC;QACtC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,EAAE,CAAC;YACtC,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC;gBAAE,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5C,CAAC;QACD,MAAM,GAAG,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAG,IAAI,eAAe,EAAE,CAAC;QAC1C,KAAK,MAAM,GAAG,IAAI,CAAC,sBAAsB,EAAE,uBAAuB,CAAC,EAAE,CAAC;YACpE,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,KAAK;gBAAE,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACzC,CAAC;QACD,MAAM,GAAG,kBAAkB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QACjD,MAAM,GAAG,8BAA8B,CAAC,MAAM,CAAC,CAAC;QAEhD,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * `/_agent-native/open` — the stable deep-link route.\n *\n * An external coding agent (Claude Code / Cowork / Codex) surfaces an\n * \"Open in <app> →\" link (built by an action's `link` builder, see\n * `deep-link.ts`). When the user clicks it in any browser / inline webview,\n * this route:\n *   1. Resolves the *browser* session (NOT the agent token) — so the record\n *      always lands where the human is logged in.\n *   2. When unauthenticated, serves the same sign-in form the auth guard\n *      would, *at this same URL*. The login form's success handler reloads\n *      `window.location.href`, so the now-authenticated request re-enters\n *      this route and proceeds. No `?next=` plumbing needed.\n *   3. Writes the existing one-shot `navigate` application-state command (the\n *      exact key the UI already drains every 2s — we don't invent a new\n *      navigation mechanism, we bridge to it), plus an optional `compose-<id>`\n *      draft.\n *   4. 302-redirects to the rendered SPA view so the page loads immediately;\n *      the polled `navigate` command then applies record-level focus.\n *\n * The link itself is a pure pointer (view + record ids + filters) and carries\n * no privileged state.\n */\nimport type { H3Event } from \"h3\";\nimport { defineEventHandler, getMethod } from \"h3\";\nimport { getSession, getConfiguredLoginHtml } from \"./auth.js\";\nimport { appStatePut, appStateGet } from \"../application-state/store.js\";\nimport {\n  AGENT_SIDEBAR_QUERY_PARAM,\n  withCollapsedAgentSidebarParam,\n} from \"../shared/agent-sidebar-url.js\";\nimport {\n  EMBED_MODE_QUERY_PARAM,\n  EMBED_TOKEN_QUERY_PARAM,\n} from \"../shared/embed-auth.js\";\n\n/** Query keys that are route control, not navigation payload. */\nconst RESERVED = new Set([\n  \"app\",\n  \"view\",\n  \"to\",\n  \"compose\",\n  EMBED_MODE_QUERY_PARAM,\n  EMBED_TOKEN_QUERY_PARAM,\n  AGENT_SIDEBAR_QUERY_PARAM,\n]);\n\n// Control-char guard (NUL..US + DEL). Defined via codepoints so the source\n// file stays plain ASCII.\nconst CONTROL_CHARS = new RegExp(\"[\\\\u0000-\\\\u001f\\\\u007f]\");\n\n// Compose-draft id charset. Mirrors `sanitizeDraftId` in\n// templates/mail/actions/manage-draft.ts so the id we concatenate into the\n// `compose-<id>` application-state key can't escape the key namespace\n// (path-traversal / key injection guard).\nconst COMPOSE_ID = /^[a-zA-Z0-9_-]{1,64}$/;\n\nexport interface OpenRouteOptions {\n  /** Per-template override that turns the parsed deep-link params into the\n   *  client-side SPA path to redirect to. Return `null` to use the default\n   *  (`/<view>`). Filter params (`f_*`) are appended automatically. */\n  resolveOpenPath?: (params: {\n    app?: string;\n    view?: string;\n    params: Record<string, string>;\n  }) => string | null | undefined;\n}\n\nfunction getRequestUrl(event: H3Event): string {\n  return (event as any).node?.req?.url ?? (event as any).path ?? \"/\";\n}\n\n/** Decode a base64url string to UTF-8 (Node Buffer; this route is Node-only). */\nfunction decodeBase64Url(input: string): string {\n  return Buffer.from(input, \"base64url\").toString(\"utf8\");\n}\n\n/**\n * Normalize a candidate redirect path to a safe, same-origin, leading-slash\n * relative path. Rejects absolute URLs, scheme-relative `//host`, and control\n * chars (open-redirect guard). Returns `null` when unsafe.\n */\nfunction safeRelativePath(raw: string | undefined | null): string | null {\n  if (!raw) return null;\n  if (CONTROL_CHARS.test(raw)) return null;\n  if (!raw.startsWith(\"/\")) return null;\n  if (raw.startsWith(\"//\") || raw.startsWith(\"/\\\\\")) return null;\n  if (/^\\/[a-z][a-z0-9+.-]*:/i.test(raw)) return null;\n  return raw;\n}\n\nfunction redirect(location: string): Response {\n  // Native web Response (not h3 v2's reworked sendRedirect) — matches the\n  // redirect pattern used elsewhere in auth.ts.\n  return new Response(\"\", { status: 302, headers: { Location: location } });\n}\n\nfunction appendSearchParams(target: string, params: URLSearchParams): string {\n  if (!params.toString()) return target;\n  try {\n    const url = new URL(target, \"http://an.invalid\");\n    for (const [k, v] of params.entries()) url.searchParams.set(k, v);\n    return `${url.pathname}${url.search}${url.hash}`;\n  } catch {\n    return target;\n  }\n}\n\nexport function createOpenRouteHandler(options: OpenRouteOptions = {}) {\n  return defineEventHandler(async (event: H3Event) => {\n    const method = getMethod(event);\n    if (method !== \"GET\" && method !== \"HEAD\") {\n      return new Response(JSON.stringify({ error: \"Method not allowed\" }), {\n        status: 405,\n        headers: { \"Content-Type\": \"application/json\" },\n      });\n    }\n\n    const rawUrl = getRequestUrl(event);\n    let search: URLSearchParams;\n    try {\n      search = new URL(rawUrl, \"http://an.invalid\").searchParams;\n    } catch {\n      search = new URLSearchParams();\n    }\n\n    const app = search.get(\"app\") ?? undefined;\n    const view = search.get(\"view\") ?? undefined;\n    const toParam = search.get(\"to\") ?? undefined;\n    const compose = search.get(\"compose\") ?? undefined;\n\n    // Resolve the BROWSER session. When unauthenticated, serve the same login\n    // form the guard would — at this URL — so the post-login reload returns\n    // here authenticated.\n    const session = await getSession(event);\n    if (!session?.email) {\n      const html = getConfiguredLoginHtml(event);\n      if (html) {\n        return new Response(html, {\n          status: 200,\n          headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n        });\n      }\n      // No auth guard configured (fully open app) — best effort: still send\n      // the user to the view; nothing to scope the navigate write to.\n    }\n\n    // Build the navigation payload from every non-reserved query param\n    // (record ids + filters: threadId, eventId, dashboardId, f_*, ...).\n    const navParams: Record<string, string> = {};\n    for (const [k, v] of search.entries()) {\n      if (RESERVED.has(k)) continue;\n      navParams[k] = v;\n    }\n    const navPayload: Record<string, unknown> = { ...navParams };\n    if (view) navPayload.view = view;\n\n    if (session?.email) {\n      try {\n        await appStatePut(session.email, \"navigate\", navPayload, {\n          requestSource: \"deep-link\",\n        });\n        if (compose) {\n          try {\n            const draft = JSON.parse(decodeBase64Url(compose));\n            // Validate the id before using it as a key segment. An unsafe id\n            // could escape the `compose-` namespace and clobber an unrelated\n            // application-state key; skip the write (the view still opens),\n            // mirroring the malformed-payload branch below.\n            if (\n              draft &&\n              typeof draft === \"object\" &&\n              typeof draft.id === \"string\" &&\n              COMPOSE_ID.test(draft.id)\n            ) {\n              const composeKey = `compose-${draft.id}`;\n              // A compact deep link may carry only `{ id, subject }` when the\n              // full draft was too large to inline in the URL. The complete\n              // draft is already persisted at `compose-<id>` by manage-draft\n              // on create/update. Never let the truncated stub overwrite that\n              // richer saved draft (would silently lose body / recipients /\n              // reply metadata). Only write when the payload actually carries\n              // content, or when nothing is saved yet (composer still opens).\n              const hasContent =\n                (typeof draft.body === \"string\" && draft.body.length > 0) ||\n                !!draft.to ||\n                !!draft.cc ||\n                !!draft.bcc ||\n                !!draft.html ||\n                !!draft.replyToThreadId;\n              const existing = hasContent\n                ? null\n                : await appStateGet(session.email, composeKey);\n              if (hasContent || !existing) {\n                await appStatePut(session.email, composeKey, draft, {\n                  requestSource: \"deep-link\",\n                });\n              }\n            }\n          } catch {\n            // Malformed compose payload — skip; the view still opens.\n          }\n        }\n      } catch {\n        // App-state write failure shouldn't 500 the click; the redirect\n        // below still lands the user on the right view.\n      }\n    }\n\n    // Resolve the SPA path to redirect to.\n    let target =\n      safeRelativePath(toParam) ??\n      safeRelativePath(\n        options.resolveOpenPath?.({ app, view, params: navParams }) ??\n          (view ? `/${view}` : null),\n      ) ??\n      \"/\";\n\n    // Forward filter params (f_*) onto the redirect so dashboards/lists open\n    // pre-filtered even before the navigate command is drained.\n    const filters = new URLSearchParams();\n    for (const [k, v] of search.entries()) {\n      if (k.startsWith(\"f_\")) filters.set(k, v);\n    }\n    target = appendSearchParams(target, filters);\n    const embedParams = new URLSearchParams();\n    for (const key of [EMBED_MODE_QUERY_PARAM, EMBED_TOKEN_QUERY_PARAM]) {\n      const value = search.get(key);\n      if (value) embedParams.set(key, value);\n    }\n    target = appendSearchParams(target, embedParams);\n    target = withCollapsedAgentSidebarParam(target);\n\n    return redirect(target);\n  });\n}\n"]}

package/dist/server/security-headers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AA6BH;;;;;;GAMG;AACH,wBAAgB,+BAA+B,8EAqB9C"}
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AA8BH;;;;;;GAMG;AACH,wBAAgB,+BAA+B,8EAsB9C"}

package/dist/server/security-headers.js

@@ -45,6 +45,7 @@
  * us most of the protection.
  */
 import { defineEventHandler, setResponseHeader } from "h3";
+import { requestHasEmbedAuthMarker } from "./embed-session.js";
 const HSTS = "max-age=31536000; includeSubDomains; preload";
 const PERMISSIONS_POLICY = "camera=(), microphone=(self), geolocation=(), screen-wake-lock=()";
 /**
@@ -79,11 +80,12 @@ function isHttpsRequest(event) {
 export function createSecurityHeadersMiddleware() {
     const isProduction = process.env.NODE_ENV === "production";
     return defineEventHandler((event) => {
+        const embedFrameRequest = requestHasEmbedAuthMarker(event);
         setResponseHeader(event, "X-Content-Type-Options", "nosniff");
-        if (isProduction) {
+        if (isProduction && !embedFrameRequest) {
             setResponseHeader(event, "X-Frame-Options", "DENY");
         }
-        setResponseHeader(event, "Referrer-Policy", "strict-origin-when-cross-origin");
+        setResponseHeader(event, "Referrer-Policy", embedFrameRequest ? "no-referrer" : "strict-origin-when-cross-origin");
         setResponseHeader(event, "Permissions-Policy", PERMISSIONS_POLICY);
         setResponseHeader(event, "Cross-Origin-Opener-Policy", "same-origin");
         setResponseHeader(event, "Cross-Origin-Resource-Policy", "same-site");

package/dist/server/security-headers.js.map

@@ -1 +1 @@
-{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AAEH,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAE3D,MAAM,IAAI,GAAG,8CAA8C,CAAC;AAC5D,MAAM,kBAAkB,GACtB,mEAAmE,CAAC;AAEtE;;;;;GAKG;AACH,SAAS,cAAc,CAAC,KAAU;IAChC,MAAM,GAAG,GACP,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC;QAChD,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAC7C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO;QACjE,OAAO,IAAI,CAAC;IACd,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1D,uDAAuD;IACvD,MAAM,KAAK,GAAG,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC;IACnC,IAAI,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACpC,2DAA2D;IAC3D,IAAI,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,UAAU,EAAE,SAAS;QAAE,OAAO,IAAI,CAAC;IACzD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,+BAA+B;IAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAC3D,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,iBAAiB,CAAC,KAAK,EAAE,wBAAwB,EAAE,SAAS,CAAC,CAAC;QAC9D,IAAI,YAAY,EAAE,CAAC;YACjB,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACtD,CAAC;QACD,iBAAiB,CACf,KAAK,EACL,iBAAiB,EACjB,iCAAiC,CAClC,CAAC;QACF,iBAAiB,CAAC,KAAK,EAAE,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QACnE,iBAAiB,CAAC,KAAK,EAAE,4BAA4B,EAAE,aAAa,CAAC,CAAC;QACtE,iBAAiB,CAAC,KAAK,EAAE,8BAA8B,EAAE,WAAW,CAAC,CAAC;QACtE,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,iBAAiB,CAAC,KAAK,EAAE,2BAA2B,EAAE,IAAI,CAAC,CAAC;QAC9D,CAAC;QACD,2EAA2E;QAC3E,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Security response headers middleware.\n *\n * Sets a baseline set of \"no-brainer\" security headers on every framework HTTP\n * response. These headers are layered defenses: each one mitigates a specific\n * class of attack, and together they harden the surface against clickjacking,\n * MIME-sniffing, referrer leakage, mixed-content downgrades, and cross-origin\n * window/embed access.\n *\n * The headers we emit:\n *\n *   - `Strict-Transport-Security` — forces HTTPS for the browser's lifetime\n *     of the cached value, preventing SSL-strip MITM. Only emitted when the\n *     request scheme is `https` (we don't want to break local-dev HTTP, and\n *     emitting HSTS over HTTP is a no-op per the spec but causes confusion).\n *   - `X-Content-Type-Options: nosniff` — disables browser MIME sniffing so\n *     a tool /render route serving user-authored HTML can't be misinterpreted\n *     as some other content type by a clever Accept header.\n *   - `X-Frame-Options: DENY` — prevents the entire app from being iframed by\n *     other origins (clickjacking the agent chat, booking pages, etc.). The\n *     tool /render endpoint and any other route that legitimately needs to be\n *     embedded in the same-origin app shell can opt out by setting its own\n *     header inside the route handler — h3's `setResponseHeader` overwrites,\n *     so a route emitting `SAMEORIGIN` wins over our middleware default.\n *     We skip this header entirely in dev (NODE_ENV !== \"production\") so the\n *     desktop app's local dev frame (localhost:3334) can iframe templates\n *     running on other localhost ports (e.g. mail at 8085).\n *   - `Referrer-Policy: strict-origin-when-cross-origin` — strips path/query\n *     from outbound Referer headers when the request crosses origin, so a\n *     public-share viewer's outbound link clicks never leak the share token.\n *   - `Permissions-Policy: camera=(), microphone=(self), geolocation=(),\n *     screen-wake-lock=()` — allows the app shell to request microphone access\n *     for composer dictation while keeping camera/location/wake-lock blocked\n *     by default. Templates that need broader media capture for recording UI\n *     override this on their own routes.\n *   - `Cross-Origin-Opener-Policy: same-origin` — isolates window.opener so\n *     a popup-window opener reference can't read or modify our document.\n *   - `Cross-Origin-Resource-Policy: same-site` — prevents other origins from\n *     embedding our endpoints as `<img>` / `<script>` / `<audio>`, blocking\n *     the simplest data-leak chain when combined with auth cookies.\n *\n * NOTE: We don't set `Cross-Origin-Embedder-Policy` because it requires every\n * embedded subresource to opt in via CORP/CORS, which would break Builder's\n * iframe editor and template embed use cases. COOP + CORP without COEP gives\n * us most of the protection.\n */\n\nimport { defineEventHandler, setResponseHeader } from \"h3\";\n\nconst HSTS = \"max-age=31536000; includeSubDomains; preload\";\nconst PERMISSIONS_POLICY =\n  \"camera=(), microphone=(self), geolocation=(), screen-wake-lock=()\";\n\n/**\n * Returns true when the request was received over HTTPS. We trust both the\n * underlying connection (when the server is terminating TLS itself) and the\n * `x-forwarded-proto` header (set by Netlify, Vercel, Cloudflare, and any\n * other reverse proxy that fronts the framework).\n */\nfunction isHttpsRequest(event: any): boolean {\n  const xfp =\n    event?.node?.req?.headers?.[\"x-forwarded-proto\"] ??\n    event?.headers?.get?.(\"x-forwarded-proto\");\n  if (typeof xfp === \"string\" && xfp.split(\",\")[0].trim() === \"https\")\n    return true;\n  if (Array.isArray(xfp) && xfp[0] === \"https\") return true;\n  // h3 sets `event.url.protocol` to \"http:\" or \"https:\".\n  const proto = event?.url?.protocol;\n  if (proto === \"https:\") return true;\n  // Direct Node `req.connection.encrypted` (older runtimes).\n  if (event?.node?.req?.connection?.encrypted) return true;\n  return false;\n}\n\n/**\n * Create the security-headers h3 middleware. Mount this BEFORE other route\n * handlers so the headers are present on every response (including 4xx/5xx\n * error pages). Route handlers that need to relax a specific header (e.g.\n * `X-Frame-Options: SAMEORIGIN` on the tool render route) can call\n * `setResponseHeader` after this runs — the latest write wins.\n */\nexport function createSecurityHeadersMiddleware() {\n  const isProduction = process.env.NODE_ENV === \"production\";\n  return defineEventHandler((event) => {\n    setResponseHeader(event, \"X-Content-Type-Options\", \"nosniff\");\n    if (isProduction) {\n      setResponseHeader(event, \"X-Frame-Options\", \"DENY\");\n    }\n    setResponseHeader(\n      event,\n      \"Referrer-Policy\",\n      \"strict-origin-when-cross-origin\",\n    );\n    setResponseHeader(event, \"Permissions-Policy\", PERMISSIONS_POLICY);\n    setResponseHeader(event, \"Cross-Origin-Opener-Policy\", \"same-origin\");\n    setResponseHeader(event, \"Cross-Origin-Resource-Policy\", \"same-site\");\n    if (isHttpsRequest(event)) {\n      setResponseHeader(event, \"Strict-Transport-Security\", HSTS);\n    }\n    // Continue to the next handler — we only set headers, don't return a body.\n    return undefined;\n  });\n}\n"]}
+{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AAEH,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAC3D,OAAO,EAAE,yBAAyB,EAAE,MAAM,oBAAoB,CAAC;AAE/D,MAAM,IAAI,GAAG,8CAA8C,CAAC;AAC5D,MAAM,kBAAkB,GACtB,mEAAmE,CAAC;AAEtE;;;;;GAKG;AACH,SAAS,cAAc,CAAC,KAAU;IAChC,MAAM,GAAG,GACP,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC;QAChD,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAC7C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO;QACjE,OAAO,IAAI,CAAC;IACd,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1D,uDAAuD;IACvD,MAAM,KAAK,GAAG,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC;IACnC,IAAI,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACpC,2DAA2D;IAC3D,IAAI,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,UAAU,EAAE,SAAS;QAAE,OAAO,IAAI,CAAC;IACzD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,+BAA+B;IAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IAC3D,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;QAC3D,iBAAiB,CAAC,KAAK,EAAE,wBAAwB,EAAE,SAAS,CAAC,CAAC;QAC9D,IAAI,YAAY,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvC,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACtD,CAAC;QACD,iBAAiB,CACf,KAAK,EACL,iBAAiB,EACjB,iBAAiB,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,iCAAiC,CACtE,CAAC;QACF,iBAAiB,CAAC,KAAK,EAAE,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QACnE,iBAAiB,CAAC,KAAK,EAAE,4BAA4B,EAAE,aAAa,CAAC,CAAC;QACtE,iBAAiB,CAAC,KAAK,EAAE,8BAA8B,EAAE,WAAW,CAAC,CAAC;QACtE,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,iBAAiB,CAAC,KAAK,EAAE,2BAA2B,EAAE,IAAI,CAAC,CAAC;QAC9D,CAAC;QACD,2EAA2E;QAC3E,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Security response headers middleware.\n *\n * Sets a baseline set of \"no-brainer\" security headers on every framework HTTP\n * response. These headers are layered defenses: each one mitigates a specific\n * class of attack, and together they harden the surface against clickjacking,\n * MIME-sniffing, referrer leakage, mixed-content downgrades, and cross-origin\n * window/embed access.\n *\n * The headers we emit:\n *\n *   - `Strict-Transport-Security` — forces HTTPS for the browser's lifetime\n *     of the cached value, preventing SSL-strip MITM. Only emitted when the\n *     request scheme is `https` (we don't want to break local-dev HTTP, and\n *     emitting HSTS over HTTP is a no-op per the spec but causes confusion).\n *   - `X-Content-Type-Options: nosniff` — disables browser MIME sniffing so\n *     a tool /render route serving user-authored HTML can't be misinterpreted\n *     as some other content type by a clever Accept header.\n *   - `X-Frame-Options: DENY` — prevents the entire app from being iframed by\n *     other origins (clickjacking the agent chat, booking pages, etc.). The\n *     tool /render endpoint and any other route that legitimately needs to be\n *     embedded in the same-origin app shell can opt out by setting its own\n *     header inside the route handler — h3's `setResponseHeader` overwrites,\n *     so a route emitting `SAMEORIGIN` wins over our middleware default.\n *     We skip this header entirely in dev (NODE_ENV !== \"production\") so the\n *     desktop app's local dev frame (localhost:3334) can iframe templates\n *     running on other localhost ports (e.g. mail at 8085).\n *   - `Referrer-Policy: strict-origin-when-cross-origin` — strips path/query\n *     from outbound Referer headers when the request crosses origin, so a\n *     public-share viewer's outbound link clicks never leak the share token.\n *   - `Permissions-Policy: camera=(), microphone=(self), geolocation=(),\n *     screen-wake-lock=()` — allows the app shell to request microphone access\n *     for composer dictation while keeping camera/location/wake-lock blocked\n *     by default. Templates that need broader media capture for recording UI\n *     override this on their own routes.\n *   - `Cross-Origin-Opener-Policy: same-origin` — isolates window.opener so\n *     a popup-window opener reference can't read or modify our document.\n *   - `Cross-Origin-Resource-Policy: same-site` — prevents other origins from\n *     embedding our endpoints as `<img>` / `<script>` / `<audio>`, blocking\n *     the simplest data-leak chain when combined with auth cookies.\n *\n * NOTE: We don't set `Cross-Origin-Embedder-Policy` because it requires every\n * embedded subresource to opt in via CORP/CORS, which would break Builder's\n * iframe editor and template embed use cases. COOP + CORP without COEP gives\n * us most of the protection.\n */\n\nimport { defineEventHandler, setResponseHeader } from \"h3\";\nimport { requestHasEmbedAuthMarker } from \"./embed-session.js\";\n\nconst HSTS = \"max-age=31536000; includeSubDomains; preload\";\nconst PERMISSIONS_POLICY =\n  \"camera=(), microphone=(self), geolocation=(), screen-wake-lock=()\";\n\n/**\n * Returns true when the request was received over HTTPS. We trust both the\n * underlying connection (when the server is terminating TLS itself) and the\n * `x-forwarded-proto` header (set by Netlify, Vercel, Cloudflare, and any\n * other reverse proxy that fronts the framework).\n */\nfunction isHttpsRequest(event: any): boolean {\n  const xfp =\n    event?.node?.req?.headers?.[\"x-forwarded-proto\"] ??\n    event?.headers?.get?.(\"x-forwarded-proto\");\n  if (typeof xfp === \"string\" && xfp.split(\",\")[0].trim() === \"https\")\n    return true;\n  if (Array.isArray(xfp) && xfp[0] === \"https\") return true;\n  // h3 sets `event.url.protocol` to \"http:\" or \"https:\".\n  const proto = event?.url?.protocol;\n  if (proto === \"https:\") return true;\n  // Direct Node `req.connection.encrypted` (older runtimes).\n  if (event?.node?.req?.connection?.encrypted) return true;\n  return false;\n}\n\n/**\n * Create the security-headers h3 middleware. Mount this BEFORE other route\n * handlers so the headers are present on every response (including 4xx/5xx\n * error pages). Route handlers that need to relax a specific header (e.g.\n * `X-Frame-Options: SAMEORIGIN` on the tool render route) can call\n * `setResponseHeader` after this runs — the latest write wins.\n */\nexport function createSecurityHeadersMiddleware() {\n  const isProduction = process.env.NODE_ENV === \"production\";\n  return defineEventHandler((event) => {\n    const embedFrameRequest = requestHasEmbedAuthMarker(event);\n    setResponseHeader(event, \"X-Content-Type-Options\", \"nosniff\");\n    if (isProduction && !embedFrameRequest) {\n      setResponseHeader(event, \"X-Frame-Options\", \"DENY\");\n    }\n    setResponseHeader(\n      event,\n      \"Referrer-Policy\",\n      embedFrameRequest ? \"no-referrer\" : \"strict-origin-when-cross-origin\",\n    );\n    setResponseHeader(event, \"Permissions-Policy\", PERMISSIONS_POLICY);\n    setResponseHeader(event, \"Cross-Origin-Opener-Policy\", \"same-origin\");\n    setResponseHeader(event, \"Cross-Origin-Resource-Policy\", \"same-site\");\n    if (isHttpsRequest(event)) {\n      setResponseHeader(event, \"Strict-Transport-Security\", HSTS);\n    }\n    // Continue to the next handler — we only set headers, don't return a body.\n    return undefined;\n  });\n}\n"]}

package/dist/shared/embed-auth.d.ts

@@ -0,0 +1,6 @@
+export declare const EMBED_START_PATH = "/_agent-native/embed/start";
+export declare const EMBED_TOKEN_QUERY_PARAM = "__an_embed_token";
+export declare const EMBED_MODE_QUERY_PARAM = "embedded";
+export declare const EMBED_SESSION_COOKIE = "an_embed_session";
+export declare const EMBED_TARGET_HEADER = "x-agent-native-embed-target";
+//# sourceMappingURL=embed-auth.d.ts.map

package/dist/shared/embed-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"embed-auth.d.ts","sourceRoot":"","sources":["../../src/shared/embed-auth.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,gBAAgB,+BAA+B,CAAC;AAC7D,eAAO,MAAM,uBAAuB,qBAAqB,CAAC;AAC1D,eAAO,MAAM,sBAAsB,aAAa,CAAC;AACjD,eAAO,MAAM,oBAAoB,qBAAqB,CAAC;AACvD,eAAO,MAAM,mBAAmB,gCAAgC,CAAC"}

package/dist/shared/embed-auth.js

@@ -0,0 +1,6 @@
+export const EMBED_START_PATH = "/_agent-native/embed/start";
+export const EMBED_TOKEN_QUERY_PARAM = "__an_embed_token";
+export const EMBED_MODE_QUERY_PARAM = "embedded";
+export const EMBED_SESSION_COOKIE = "an_embed_session";
+export const EMBED_TARGET_HEADER = "x-agent-native-embed-target";
+//# sourceMappingURL=embed-auth.js.map

package/dist/shared/embed-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"embed-auth.js","sourceRoot":"","sources":["../../src/shared/embed-auth.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,gBAAgB,GAAG,4BAA4B,CAAC;AAC7D,MAAM,CAAC,MAAM,uBAAuB,GAAG,kBAAkB,CAAC;AAC1D,MAAM,CAAC,MAAM,sBAAsB,GAAG,UAAU,CAAC;AACjD,MAAM,CAAC,MAAM,oBAAoB,GAAG,kBAAkB,CAAC;AACvD,MAAM,CAAC,MAAM,mBAAmB,GAAG,6BAA6B,CAAC","sourcesContent":["export const EMBED_START_PATH = \"/_agent-native/embed/start\";\nexport const EMBED_TOKEN_QUERY_PARAM = \"__an_embed_token\";\nexport const EMBED_MODE_QUERY_PARAM = \"embedded\";\nexport const EMBED_SESSION_COOKIE = \"an_embed_session\";\nexport const EMBED_TARGET_HEADER = \"x-agent-native-embed-target\";\n"]}

package/dist/shared/index.d.ts

@@ -6,4 +6,5 @@ export { llmConnectionTrackingProperties, normalizeLlmConnection, type LlmConnec
 export { DISPATCH_WORKSPACE_ROOT_REDIRECTS, RESERVED_WORKSPACE_APP_IDS, assertValidWorkspaceAppId, getWorkspaceAppIdValidationError, isValidWorkspaceAppIdFormat, } from "./workspace-app-id.js";
 export { DEFAULT_WORKSPACE_APP_AUDIENCE, WORKSPACE_APP_AUDIENCES, normalizeWorkspaceAppAudience, normalizeWorkspaceAppPathList, workspaceAppAudienceFromEnv, workspaceAppAudienceFromPackageJson, workspaceAppRouteAccessFromEnv, workspaceAppRouteAccessFromPackageJson, type WorkspaceAppRouteAccess, type WorkspaceAppRouteAccessFromConfig, type WorkspaceAppAudience, } from "./workspace-app-audience.js";
 export { AGENT_NATIVE_OPEN_PATH, AGENT_SIDEBAR_QUERY_PARAM, AGENT_SIDEBAR_QUERY_VALUE_CLOSED, isAgentNativeOpenDeepLink, withCollapsedAgentSidebarParam, } from "./agent-sidebar-url.js";
+export { EMBED_MODE_QUERY_PARAM, EMBED_SESSION_COOKIE, EMBED_START_PATH, EMBED_TOKEN_QUERY_PARAM, } from "./embed-auth.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/shared/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,KAAK,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,+BAA+B,EAC/B,sBAAsB,EACtB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,6BAA6B,EAC7B,6BAA6B,EAC7B,2BAA2B,EAC3B,mCAAmC,EACnC,8BAA8B,EAC9B,sCAAsC,EACtC,KAAK,uBAAuB,EAC5B,KAAK,iCAAiC,EACtC,KAAK,oBAAoB,GAC1B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,gCAAgC,EAChC,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,wBAAwB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,KAAK,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,+BAA+B,EAC/B,sBAAsB,EACtB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,6BAA6B,EAC7B,6BAA6B,EAC7B,2BAA2B,EAC3B,mCAAmC,EACnC,8BAA8B,EAC9B,sCAAsC,EACtC,KAAK,uBAAuB,EAC5B,KAAK,iCAAiC,EACtC,KAAK,oBAAoB,GAC1B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,gCAAgC,EAChC,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,gBAAgB,EAChB,uBAAuB,GACxB,MAAM,iBAAiB,CAAC"}

package/dist/shared/index.js

@@ -6,4 +6,5 @@ export { llmConnectionTrackingProperties, normalizeLlmConnection, } from "./llm-
 export { DISPATCH_WORKSPACE_ROOT_REDIRECTS, RESERVED_WORKSPACE_APP_IDS, assertValidWorkspaceAppId, getWorkspaceAppIdValidationError, isValidWorkspaceAppIdFormat, } from "./workspace-app-id.js";
 export { DEFAULT_WORKSPACE_APP_AUDIENCE, WORKSPACE_APP_AUDIENCES, normalizeWorkspaceAppAudience, normalizeWorkspaceAppPathList, workspaceAppAudienceFromEnv, workspaceAppAudienceFromPackageJson, workspaceAppRouteAccessFromEnv, workspaceAppRouteAccessFromPackageJson, } from "./workspace-app-audience.js";
 export { AGENT_NATIVE_OPEN_PATH, AGENT_SIDEBAR_QUERY_PARAM, AGENT_SIDEBAR_QUERY_VALUE_CLOSED, isAgentNativeOpenDeepLink, withCollapsedAgentSidebarParam, } from "./agent-sidebar-url.js";
+export { EMBED_MODE_QUERY_PARAM, EMBED_SESSION_COOKIE, EMBED_START_PATH, EMBED_TOKEN_QUERY_PARAM, } from "./embed-auth.js";
 //# sourceMappingURL=index.js.map

package/dist/shared/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAIV,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAe,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,+BAA+B,EAC/B,sBAAsB,GAEvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,6BAA6B,EAC7B,6BAA6B,EAC7B,2BAA2B,EAC3B,mCAAmC,EACnC,8BAA8B,EAC9B,sCAAsC,GAIvC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,gCAAgC,EAChC,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,wBAAwB,CAAC","sourcesContent":["export {\n  agentChat,\n  type AgentChatMessage,\n  type AgentChatCallOptions,\n  type AgentChatResponse,\n} from \"./agent-chat.js\";\nexport { agentEnv, type EnvVar } from \"./agent-env.js\";\nexport { extractOAuthStateAppId } from \"./oauth-state.js\";\nexport { truncate } from \"./truncate.js\";\nexport {\n  llmConnectionTrackingProperties,\n  normalizeLlmConnection,\n  type LlmConnectionStatus,\n} from \"./llm-connection.js\";\nexport {\n  DISPATCH_WORKSPACE_ROOT_REDIRECTS,\n  RESERVED_WORKSPACE_APP_IDS,\n  assertValidWorkspaceAppId,\n  getWorkspaceAppIdValidationError,\n  isValidWorkspaceAppIdFormat,\n} from \"./workspace-app-id.js\";\nexport {\n  DEFAULT_WORKSPACE_APP_AUDIENCE,\n  WORKSPACE_APP_AUDIENCES,\n  normalizeWorkspaceAppAudience,\n  normalizeWorkspaceAppPathList,\n  workspaceAppAudienceFromEnv,\n  workspaceAppAudienceFromPackageJson,\n  workspaceAppRouteAccessFromEnv,\n  workspaceAppRouteAccessFromPackageJson,\n  type WorkspaceAppRouteAccess,\n  type WorkspaceAppRouteAccessFromConfig,\n  type WorkspaceAppAudience,\n} from \"./workspace-app-audience.js\";\nexport {\n  AGENT_NATIVE_OPEN_PATH,\n  AGENT_SIDEBAR_QUERY_PARAM,\n  AGENT_SIDEBAR_QUERY_VALUE_CLOSED,\n  isAgentNativeOpenDeepLink,\n  withCollapsedAgentSidebarParam,\n} from \"./agent-sidebar-url.js\";\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAIV,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAe,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,+BAA+B,EAC/B,sBAAsB,GAEvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,6BAA6B,EAC7B,6BAA6B,EAC7B,2BAA2B,EAC3B,mCAAmC,EACnC,8BAA8B,EAC9B,sCAAsC,GAIvC,MAAM,6BAA6B,CAAC;AACrC,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,gCAAgC,EAChC,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,gBAAgB,EAChB,uBAAuB,GACxB,MAAM,iBAAiB,CAAC","sourcesContent":["export {\n  agentChat,\n  type AgentChatMessage,\n  type AgentChatCallOptions,\n  type AgentChatResponse,\n} from \"./agent-chat.js\";\nexport { agentEnv, type EnvVar } from \"./agent-env.js\";\nexport { extractOAuthStateAppId } from \"./oauth-state.js\";\nexport { truncate } from \"./truncate.js\";\nexport {\n  llmConnectionTrackingProperties,\n  normalizeLlmConnection,\n  type LlmConnectionStatus,\n} from \"./llm-connection.js\";\nexport {\n  DISPATCH_WORKSPACE_ROOT_REDIRECTS,\n  RESERVED_WORKSPACE_APP_IDS,\n  assertValidWorkspaceAppId,\n  getWorkspaceAppIdValidationError,\n  isValidWorkspaceAppIdFormat,\n} from \"./workspace-app-id.js\";\nexport {\n  DEFAULT_WORKSPACE_APP_AUDIENCE,\n  WORKSPACE_APP_AUDIENCES,\n  normalizeWorkspaceAppAudience,\n  normalizeWorkspaceAppPathList,\n  workspaceAppAudienceFromEnv,\n  workspaceAppAudienceFromPackageJson,\n  workspaceAppRouteAccessFromEnv,\n  workspaceAppRouteAccessFromPackageJson,\n  type WorkspaceAppRouteAccess,\n  type WorkspaceAppRouteAccessFromConfig,\n  type WorkspaceAppAudience,\n} from \"./workspace-app-audience.js\";\nexport {\n  AGENT_NATIVE_OPEN_PATH,\n  AGENT_SIDEBAR_QUERY_PARAM,\n  AGENT_SIDEBAR_QUERY_VALUE_CLOSED,\n  isAgentNativeOpenDeepLink,\n  withCollapsedAgentSidebarParam,\n} from \"./agent-sidebar-url.js\";\nexport {\n  EMBED_MODE_QUERY_PARAM,\n  EMBED_SESSION_COOKIE,\n  EMBED_START_PATH,\n  EMBED_TOKEN_QUERY_PARAM,\n} from \"./embed-auth.js\";\n"]}

package/dist/templates/workspace-core/AGENTS.md

@@ -55,11 +55,14 @@ available to every workspace app. Only create or request per-app vault grants
 when Dispatch's vault access setting is switched to manual mode.
 
 Workspace apps are discovered from `apps/<app-name>/package.json`. There is no
-separate workspace app registry to edit for Dispatch to list the app. Use
-relative workspace links like `/<app-name>` and never hardcode `localhost`,
-`127.0.0.1`, `8080`, `8100`, or any dev port in app cards, instructions,
-redirects, or navigation; the active workspace gateway/browser origin owns the
-port. React Router apps must preserve `APP_BASE_PATH` / `VITE_APP_BASE_PATH` in
+separate workspace app registry to edit for Dispatch to list the app. Always
+save a concise, human-readable `description` there; Dispatch lists and A2A
+connected-agent context use the app name plus description so agents know what
+the app does. Use relative workspace links like `/<app-name>` and never
+hardcode `localhost`, `127.0.0.1`, `8080`, `8100`, or any dev port in app
+cards, instructions, redirects, or navigation; the active workspace
+gateway/browser origin owns the port. React Router apps must preserve
+`APP_BASE_PATH` / `VITE_APP_BASE_PATH` in
 `app/entry.client.tsx` via `appBasePath()` so the app hydrates correctly when
 mounted at `/<app-name>`. Use the framework/template UI stack for standard UI:
 shadcn/ui components and `@tabler/icons-react`. Do not add `lucide-react` or
@@ -80,3 +83,9 @@ workspace root. In production, Dispatch posts new-app requests to Builder
 branch creation; Builder should still scaffold the separate workspace app. The
 workspace dev gateway (`pnpm dev`) detects new `apps/<app-name>` directories
 automatically.
+
+When using the starter template, treat it as scaffolding only. The finished app
+must be branded as the requested app, with its own home screen, navigation,
+package metadata, manifest, and domain workflow. Do not leave visible
+`Starter`, `Blank app`, `Start building`, or `New app` UI in a starter-derived
+app.

package/dist/templates/workspace-root/AGENTS.md

@@ -108,6 +108,11 @@ coding agents can discover the same workspace-wide guidance from the root.
   should still create the separate workspace app, not patch starter. The local
   workspace gateway detects new app directories automatically and starts each
   app server lazily on first visit.
+- When using the starter template, treat it as scaffolding only. The finished
+  app must be branded as the requested app, with its own home screen,
+  navigation, package metadata, manifest, and domain workflow. Do not leave
+  visible `Starter`, `Blank app`, `Start building`, or `New app` UI in a
+  starter-derived app.
 
 ## Workspace Identity
 

package/dist/templates/workspace-root/README.md

@@ -106,6 +106,9 @@ pnpm exec agent-native create crm --template=starter
 The CLI detects the workspace root and scaffolds a minimal app that already
 depends on `@{{APP_NAME}}/shared`. Edit only the routes you care about;
 auth, org switching, skills, and instructions come from the shared package.
+Starter is only the source scaffold: the finished app should use its own name,
+home screen, navigation, package metadata, and manifest rather than leaving
+starter or new-app UI in place.
 If the request starts from Dispatch in production, Dispatch sends it to Builder
 branch creation; that branch should still add a new `apps/<app-id>` workspace
 app rather than adding files to `apps/starter`.

package/dist/vite/action-types-plugin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action-types-plugin.d.ts","sourceRoot":"","sources":["../../src/vite/action-types-plugin.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAiSnC;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAuC1C;AAED;;;GAGG;AACH,wBAAgB,gCAAgC,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAG1E"}
+{"version":3,"file":"action-types-plugin.d.ts","sourceRoot":"","sources":["../../src/vite/action-types-plugin.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAwSnC;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAuC1C;AAED;;;GAGG;AACH,wBAAgB,gCAAgC,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAG1E"}

package/dist/vite/action-types-plugin.js

@@ -55,6 +55,15 @@ const CORE_SHARING_ACTIONS = [
         specifier: "@agent-native/core/file-upload/actions/upload-image",
     },
 ];
+function isRuntimeSourceFile(filename) {
+    if (!/\.(ts|js)$/.test(filename))
+        return false;
+    if (/\.d\.ts$/.test(filename))
+        return false;
+    if (/\.(test|spec)\.(ts|js)$/.test(filename))
+        return false;
+    return true;
+}
 function scanActionFiles(actionsDir) {
     let files;
     try {
@@ -64,7 +73,7 @@ function scanActionFiles(actionsDir) {
         return [];
     }
     return files.filter((f) => {
-        if (!f.endsWith(".ts") && !f.endsWith(".js"))
+        if (!isRuntimeSourceFile(f))
             return false;
         const name = f.replace(/\.(ts|js)$/, "");
         if (name.startsWith("_"))