npm - @agent-native/core - Versions diffs - 0.24.4 → 0.24.6 - Mend

@agent-native/core 0.24.4 → 0.24.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/onboarding/default-steps.d.ts.map +1 -1
package/dist/onboarding/default-steps.js +0 -17
package/dist/onboarding/default-steps.js.map +1 -1
package/dist/secrets/substitution.d.ts +1 -0
package/dist/secrets/substitution.d.ts.map +1 -1
package/dist/secrets/substitution.js +32 -0
package/dist/secrets/substitution.js.map +1 -1
package/dist/server/auth.d.ts +0 -1
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +14 -338
package/dist/server/auth.js.map +1 -1
package/docs/content/authentication.md +8 -9
package/docs/content/deployment.md +2 -2
package/package.json +1 -1

package/dist/onboarding/default-steps.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"default-steps.d.ts","sourceRoot":"","sources":["../../src/onboarding/default-steps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;~~AA4SH~~,6DAA6D;AAC7D,wBAAgB,8BAA8B,IAAI,IAAI,CAOrD"}
1	+ {"version":3,"file":"default-steps.d.ts","sourceRoot":"","sources":["../../src/onboarding/default-steps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA2RH,6DAA6D;AAC7D,wBAAgB,8BAA8B,IAAI,IAAI,CAOrD"}

package/dist/onboarding/default-steps.js CHANGED Viewed

@@ -195,23 +195,6 @@ const authStep = {
                 ],
             },
         },
-        {
-            id: "access-token",
-            kind: "form",
-            label: "Shared access token",
-            description: "Use a simple token gate for private deployments.",
-            payload: {
-                writeScope: "workspace",
-                fields: [
-                    {
-                        key: "ACCESS_TOKEN",
-                        label: "ACCESS_TOKEN",
-                        placeholder: "Paste a strong shared token",
-                        secret: true,
-                    },
-                ],
-            },
-        },
     ],
     isComplete: () => true,
 };

package/dist/onboarding/default-steps.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"default-steps.js","sourceRoot":"","sources":["../../src/onboarding/default-steps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,OAAO,EACL,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EACL,2BAA2B,EAC3B,8BAA8B,GAC/B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAUlD,MAAM,eAAe,GAAmB;IACtC;QACE,QAAQ,EAAE,WAAW;QACrB,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,WAAW;QAClB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,sCAAsC;KACpD;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,eAAe;QACtB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,YAAY;QACtB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,YAAY;QACnB,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,QAAQ,EAAE,MAAM;QAChB,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,MAAM;QACb,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,SAAS;QACnB,EAAE,EAAE,aAAa;QACjB,KAAK,EAAE,SAAS;QAChB,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,yCAAyC;KACvD;CACF,CAAC;AAEF,MAAM,OAAO,GAAmB;IAC9B,EAAE,EAAE,KAAK;IACT,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,sBAAsB;IAC7B,WAAW,EAAE,gEAAgE;IAC7E,OAAO,EAAE;QACP;YACE,EAAE,EAAE,SAAS;YACb,IAAI,EAAE,kBAAkB;YACxB,KAAK,EAAE,iBAAiB;YACxB,WAAW,EACT,mNAAmN;YACrN,OAAO,EAAE,IAAI;YACb,OAAO,EAAE;gBACP,KAAK,EAAE,KAAK;aACb;SACF;QACD,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,EAAE;YACvE,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACzC,OAAO;gBACL,EAAE;gBACF,IAAI,EAAE,MAAe;gBACrB,KAAK;gBACL,WAAW;gBACX,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrC,OAAO,EAAE;oBACP,UAAU,EAAE,WAAoB;oBAChC,MAAM,EAAE;wBACN;4BACE,GAAG,EAAE,IAAI,CAAC,MAAM;4BAChB,KAAK,EAAE,IAAI,CAAC,MAAM;4BAClB,WAAW,EAAE,IAAI,CAAC,WAAW;4BAC7B,MAAM,EAAE,IAAI;yBACb;qBACF;iBACF;aACF,CAAC;QACJ,CAAC,CAAC;KACH;IACD,UAAU,EAAE,KAAK,IAAI,EAAE;QACrB,IAAI,CAAC;YACH,MAAM,EAAE,2BAA2B,EAAE,GACnC,MAAM,MAAM,CAAC,kCAAkC,CAAC,CAAC;YACnD,IAAI,MAAM,2BAA2B,EAAE;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB;gBAAE,OAAO,IAAI,CAAC;QACnD,CAAC;QACD,IAAI,CAAC;YACH,IAAI,MAAM,2BAA2B,EAAE;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;QACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACjE,IAAI,CAAC;YACH,OAAO,8BAA8B,CAAC,MAAM,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC;QAC1E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF,CAAC;AAEF,6EAA6E;AAC7E,MAAM,YAAY,GAAmB;IACnC,EAAE,EAAE,UAAU;IACd,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,UAAU;IACjB,WAAW,EACT,+GAA+G;IACjH,OAAO,EAAE;QACP;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,kBAAkB;YACzB,WAAW,EAAE,sDAAsD;YACnE,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,cAAc;wBACnB,KAAK,EAAE,cAAc;wBACrB,WAAW,EAAE,kDAAkD;qBAChE;oBACD;wBACE,GAAG,EAAE,qBAAqB;wBAC1B,KAAK,EAAE,iCAAiC;wBACxC,WAAW,EAAE,0CAA0C;wBACvD,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;KACF;IACD,kEAAkE;IAClE,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI;CACvB,CAAC;AAEF,yEAAyE;AACzE,MAAM,QAAQ,GAAmB;IAC/B,EAAE,EAAE,MAAM;IACV,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,gBAAgB;IACvB,WAAW,EACT,qHAAqH;IACvH,OAAO,EAAE;QACP;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,cAAc;YACrB,WAAW,EAAE,6CAA6C;YAC1D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE;oBACtD;wBACE,GAAG,EAAE,sBAAsB;wBAC3B,KAAK,EAAE,sBAAsB;wBAC7B,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,cAAc;YACrB,WAAW,EAAE,6CAA6C;YAC1D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE;oBACtD;wBACE,GAAG,EAAE,sBAAsB;wBAC3B,KAAK,EAAE,sBAAsB;wBAC7B,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,qBAAqB;YAC5B,WAAW,EAAE,kDAAkD;YAC/D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,cAAc;wBACnB,KAAK,EAAE,cAAc;wBACrB,WAAW,EAAE,6BAA6B;wBAC1C,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;KACF;IACD,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI;CACvB,CAAC;AAEF,6EAA6E;AAC7E,MAAM,SAAS,GAAmB;IAChC,EAAE,EAAE,OAAO;IACX,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,gBAAgB;IACvB,WAAW,EACT,iIAAiI;IACnI,OAAO,EAAE;QACP;YACE,EAAE,EAAE,QAAQ;YACZ,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,QAAQ;YACf,WAAW,EAAE,qCAAqC;YAClD,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,gBAAgB;wBACrB,KAAK,EAAE,gBAAgB;wBACvB,WAAW,EAAE,QAAQ;wBACrB,MAAM,EAAE,IAAI;qBACb;oBACD;wBACE,GAAG,EAAE,YAAY;wBACjB,KAAK,EAAE,2BAA2B;wBAClC,WAAW,EAAE,uCAAuC;qBACrD;oBACD;wBACE,GAAG,EAAE,UAAU;wBACf,KAAK,EAAE,mCAAmC;wBAC1C,WAAW,EAAE,YAAY;qBAC1B;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,UAAU;YACd,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,uCAAuC;YACpD,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,kBAAkB;wBACvB,KAAK,EAAE,kBAAkB;wBACzB,WAAW,EAAE,QAAQ;wBACrB,MAAM,EAAE,IAAI;qBACb;oBACD;wBACE,GAAG,EAAE,YAAY;wBACjB,KAAK,EAAE,2BAA2B;wBAClC,WAAW,EAAE,uCAAuC;qBACrD;iBACF;aACF;SACF;KACF;IACD,UAAU,EAAE,GAAG,EAAE;QACf,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC;QAC5C,uEAAuE;QACvE,wEAAwE;QACxE,iBAAiB;QACjB,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB;YAAE,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAClE,OAAO,KAAK,CAAC;IACf,CAAC;CACF,CAAC;AAEF,IAAI,UAAU,GAAG,KAAK,CAAC;AAEvB,6DAA6D;AAC7D,MAAM,UAAU,8BAA8B;IAC5C,IAAI,UAAU;QAAE,OAAO;IACvB,UAAU,GAAG,IAAI,CAAC;IAClB,sBAAsB,CAAC,OAAO,CAAC,CAAC;IAChC,sBAAsB,CAAC,YAAY,CAAC,CAAC;IACrC,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACjC,sBAAsB,CAAC,SAAS,CAAC,CAAC;AACpC,CAAC","sourcesContent":["/*\n Default framework-level onboarding steps.\n \n Registered when `createOnboardingPlugin()` mounts (auto-mount or explicit).\n * Templates can override any step by registering another step with the same\n * `id` after these have been registered.\n /\n\nimport { registerOnboardingStep } from \"./registry.js\";\nimport type { OnboardingStep } from \"./types.js\";\nimport {\n PROVIDER_ENV_META,\n PROVIDER_ENV_VARS,\n} from \"../agent/engine/provider-env-vars.js\";\nimport {\n detectEngineFromUserSecrets,\n isAgentEngineSettingConfigured,\n} from \"../agent/engine/registry.js\";\nimport { getSetting } from \"../settings/store.js\";\n\ntype LlmKeyMethod = {\n provider: keyof typeof PROVIDER_ENV_META;\n id: string;\n label: string;\n description: string;\n primary?: boolean;\n};\n\nconst LLM_KEY_METHODS: LlmKeyMethod[] = [\n {\n provider: \"anthropic\",\n id: \"anthropic-key\",\n label: \"Anthropic\",\n description: \"Claude models with your own Anthropic key.\",\n },\n {\n provider: \"openai\",\n id: \"openai-key\",\n label: \"OpenAI\",\n description: \"GPT models with your own OpenAI key.\",\n },\n {\n provider: \"google\",\n id: \"google-key\",\n label: \"Google Gemini\",\n description: \"Gemini models with your own Google AI key.\",\n },\n {\n provider: \"openrouter\",\n id: \"openrouter-key\",\n label: \"OpenRouter\",\n description: \"OpenRouter models with your own OpenRouter key.\",\n },\n {\n provider: \"groq\",\n id: \"groq-key\",\n label: \"Groq\",\n description: \"Groq-hosted models with your own Groq key.\",\n },\n {\n provider: \"mistral\",\n id: \"mistral-key\",\n label: \"Mistral\",\n description: \"Mistral models with your own Mistral key.\",\n },\n {\n provider: \"cohere\",\n id: \"cohere-key\",\n label: \"Cohere\",\n description: \"Cohere models with your own Cohere key.\",\n },\n];\n\nconst llmStep: OnboardingStep = {\n id: \"llm\",\n order: 10,\n required: true,\n title: \"Connect an AI engine\",\n description: \"Use Builder's managed gateway, or bring your own provider key.\",\n methods: [\n {\n id: \"builder\",\n kind: \"builder-cli-auth\",\n label: \"Connect Builder\",\n description:\n \"Connect the Builder space where this app should run. This unlocks managed LLM credits, browser automation, and file uploads. Cloud code changes appear when Builder Cloud Agents are available for the workspace.\",\n primary: true,\n payload: {\n scope: \"llm\",\n },\n },\n ...LLM_KEY_METHODS.map(({ provider, id, label, description, primary }) => {\n const meta = PROVIDER_ENV_META[provider];\n return {\n id,\n kind: \"form\" as const,\n label,\n description,\n ...(primary ? { primary: true } : {}),\n payload: {\n writeScope: \"workspace\" as const,\n fields: [\n {\n key: meta.envVar,\n label: meta.envVar,\n placeholder: meta.placeholder,\n secret: true,\n },\n ],\n },\n };\n }),\n ],\n isComplete: async () => {\n try {\n const { resolveHasBuilderPrivateKey } =\n await import(\"../server/credential-provider.js\");\n if (await resolveHasBuilderPrivateKey()) return true;\n } catch {\n if (process.env.BUILDER_PRIVATE_KEY) return true;\n }\n try {\n if (await detectEngineFromUserSecrets()) return true;\n } catch {\n // Fall through to legacy/env detection.\n }\n if (PROVIDER_ENV_VARS.some((k) => !!process.env[k])) return true;\n try {\n return isAgentEngineSettingConfigured(await getSetting(\"agent-engine\"));\n } catch {\n return false;\n }\n },\n};\n\n/* Step 2 — where application data lives. The default DB is non-blocking. /\nconst databaseStep: OnboardingStep = {\n id: \"database\",\n order: 20,\n required: false,\n title: \"Database\",\n description:\n \"Agent-native stores app data in SQL. Set DATABASE_URL when you want to point this app at a specific database.\",\n methods: [\n {\n id: \"database-url\",\n kind: \"form\",\n label: \"Set DATABASE_URL\",\n description: \"Paste the SQL connection string this app should use.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"DATABASE_URL\",\n label: \"DATABASE_URL\",\n placeholder: \"postgres://..., libsql://..., file:./data/app.db\",\n },\n {\n key: \"DATABASE_AUTH_TOKEN\",\n label: \"DATABASE_AUTH_TOKEN (if needed)\",\n placeholder: \"Token for providers such as Turso/libSQL\",\n secret: true,\n },\n ],\n },\n },\n ],\n // The default local database means this step is always satisfied.\n isComplete: () => true,\n};\n\n/* Step 3 — how users sign in. Built-in account auth is non-blocking. /\nconst authStep: OnboardingStep = {\n id: \"auth\",\n order: 30,\n required: false,\n title: \"Authentication\",\n description:\n \"Built-in email/password accounts work by default. Add OAuth or access tokens only if you want another sign-in path.\",\n methods: [\n {\n id: \"google-oauth\",\n kind: \"form\",\n label: \"Google OAuth\",\n description: \"Add Google as an optional sign-in provider.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n { key: \"GOOGLE_CLIENT_ID\", label: \"GOOGLE_CLIENT_ID\" },\n {\n key: \"GOOGLE_CLIENT_SECRET\",\n label: \"GOOGLE_CLIENT_SECRET\",\n secret: true,\n },\n ],\n },\n },\n {\n id: \"github-oauth\",\n kind: \"form\",\n label: \"GitHub OAuth\",\n description: \"Add GitHub as an optional sign-in provider.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n { key: \"GITHUB_CLIENT_ID\", label: \"GITHUB_CLIENT_ID\" },\n {\n key: \"GITHUB_CLIENT_SECRET\",\n label: \"GITHUB_CLIENT_SECRET\",\n secret: true,\n },\n ],\n },\n },\n {\n id: \"access-token\",\n kind: \"form\",\n label: \"Shared access token\",\n description: \"Use a simple token gate for private deployments.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"ACCESS_TOKEN\",\n label: \"ACCESS_TOKEN\",\n placeholder: \"Paste a strong shared token\",\n secret: true,\n },\n ],\n },\n },\n ],\n isComplete: () => true,\n};\n\n/* Step 4 — transactional email (password resets, invitations). Optional. /\nconst emailStep: OnboardingStep = {\n id: \"email\",\n order: 40,\n required: false,\n title: \"Email delivery\",\n description:\n \"Optional for local work. Before deploying with password resets, invitations, or share notifications, connect an email provider.\",\n methods: [\n {\n id: \"resend\",\n kind: \"form\",\n label: \"Resend\",\n description: \"Use Resend for transactional email.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"RESEND_API_KEY\",\n label: \"RESEND_API_KEY\",\n placeholder: \"re_...\",\n secret: true,\n },\n {\n key: \"EMAIL_FROM\",\n label: \"EMAIL_FROM (from address)\",\n placeholder: \"Agent Native <noreply@yourdomain.com>\",\n },\n {\n key: \"APP_NAME\",\n label: \"APP_NAME (shown in invite emails)\",\n placeholder: \"Acme Forms\",\n },\n ],\n },\n },\n {\n id: \"sendgrid\",\n kind: \"form\",\n label: \"SendGrid\",\n description: \"Use SendGrid for transactional email.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"SENDGRID_API_KEY\",\n label: \"SENDGRID_API_KEY\",\n placeholder: \"SG....\",\n secret: true,\n },\n {\n key: \"EMAIL_FROM\",\n label: \"EMAIL_FROM (from address)\",\n placeholder: \"Agent Native <noreply@yourdomain.com>\",\n },\n ],\n },\n },\n ],\n isComplete: () => {\n if (process.env.RESEND_API_KEY) return true;\n // SendGrid rejects Resend's sandbox sender, so EMAIL_FROM must also be\n // set — otherwise sendEmail() throws at runtime even though the API key\n // is configured.\n if (process.env.SENDGRID_API_KEY) return !!process.env.EMAIL_FROM;\n return false;\n },\n};\n\nlet registered = false;\n\n/* Idempotent. Safe to call from every plugin-mount call. */\nexport function registerDefaultOnboardingSteps(): void {\n if (registered) return;\n registered = true;\n registerOnboardingStep(llmStep);\n registerOnboardingStep(databaseStep);\n registerOnboardingStep(authStep);\n registerOnboardingStep(emailStep);\n}\n"]}
1	+ {"version":3,"file":"default-steps.js","sourceRoot":"","sources":["../../src/onboarding/default-steps.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,OAAO,EACL,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EACL,2BAA2B,EAC3B,8BAA8B,GAC/B,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAUlD,MAAM,eAAe,GAAmB;IACtC;QACE,QAAQ,EAAE,WAAW;QACrB,EAAE,EAAE,eAAe;QACnB,KAAK,EAAE,WAAW;QAClB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,sCAAsC;KACpD;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,eAAe;QACtB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,YAAY;QACtB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,YAAY;QACnB,WAAW,EAAE,iDAAiD;KAC/D;IACD;QACE,QAAQ,EAAE,MAAM;QAChB,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,MAAM;QACb,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,QAAQ,EAAE,SAAS;QACnB,EAAE,EAAE,aAAa;QACjB,KAAK,EAAE,SAAS;QAChB,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,QAAQ,EAAE,QAAQ;QAClB,EAAE,EAAE,YAAY;QAChB,KAAK,EAAE,QAAQ;QACf,WAAW,EAAE,yCAAyC;KACvD;CACF,CAAC;AAEF,MAAM,OAAO,GAAmB;IAC9B,EAAE,EAAE,KAAK;IACT,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,sBAAsB;IAC7B,WAAW,EAAE,gEAAgE;IAC7E,OAAO,EAAE;QACP;YACE,EAAE,EAAE,SAAS;YACb,IAAI,EAAE,kBAAkB;YACxB,KAAK,EAAE,iBAAiB;YACxB,WAAW,EACT,mNAAmN;YACrN,OAAO,EAAE,IAAI;YACb,OAAO,EAAE;gBACP,KAAK,EAAE,KAAK;aACb;SACF;QACD,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,EAAE,EAAE;YACvE,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YACzC,OAAO;gBACL,EAAE;gBACF,IAAI,EAAE,MAAe;gBACrB,KAAK;gBACL,WAAW;gBACX,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrC,OAAO,EAAE;oBACP,UAAU,EAAE,WAAoB;oBAChC,MAAM,EAAE;wBACN;4BACE,GAAG,EAAE,IAAI,CAAC,MAAM;4BAChB,KAAK,EAAE,IAAI,CAAC,MAAM;4BAClB,WAAW,EAAE,IAAI,CAAC,WAAW;4BAC7B,MAAM,EAAE,IAAI;yBACb;qBACF;iBACF;aACF,CAAC;QACJ,CAAC,CAAC;KACH;IACD,UAAU,EAAE,KAAK,IAAI,EAAE;QACrB,IAAI,CAAC;YACH,MAAM,EAAE,2BAA2B,EAAE,GACnC,MAAM,MAAM,CAAC,kCAAkC,CAAC,CAAC;YACnD,IAAI,MAAM,2BAA2B,EAAE;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB;gBAAE,OAAO,IAAI,CAAC;QACnD,CAAC;QACD,IAAI,CAAC;YACH,IAAI,MAAM,2BAA2B,EAAE;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;QACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACjE,IAAI,CAAC;YACH,OAAO,8BAA8B,CAAC,MAAM,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC;QAC1E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF,CAAC;AAEF,6EAA6E;AAC7E,MAAM,YAAY,GAAmB;IACnC,EAAE,EAAE,UAAU;IACd,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,UAAU;IACjB,WAAW,EACT,+GAA+G;IACjH,OAAO,EAAE;QACP;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,kBAAkB;YACzB,WAAW,EAAE,sDAAsD;YACnE,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,cAAc;wBACnB,KAAK,EAAE,cAAc;wBACrB,WAAW,EAAE,kDAAkD;qBAChE;oBACD;wBACE,GAAG,EAAE,qBAAqB;wBAC1B,KAAK,EAAE,iCAAiC;wBACxC,WAAW,EAAE,0CAA0C;wBACvD,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;KACF;IACD,kEAAkE;IAClE,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI;CACvB,CAAC;AAEF,yEAAyE;AACzE,MAAM,QAAQ,GAAmB;IAC/B,EAAE,EAAE,MAAM;IACV,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,gBAAgB;IACvB,WAAW,EACT,qHAAqH;IACvH,OAAO,EAAE;QACP;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,cAAc;YACrB,WAAW,EAAE,6CAA6C;YAC1D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE;oBACtD;wBACE,GAAG,EAAE,sBAAsB;wBAC3B,KAAK,EAAE,sBAAsB;wBAC7B,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,cAAc;YAClB,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,cAAc;YACrB,WAAW,EAAE,6CAA6C;YAC1D,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN,EAAE,GAAG,EAAE,kBAAkB,EAAE,KAAK,EAAE,kBAAkB,EAAE;oBACtD;wBACE,GAAG,EAAE,sBAAsB;wBAC3B,KAAK,EAAE,sBAAsB;wBAC7B,MAAM,EAAE,IAAI;qBACb;iBACF;aACF;SACF;KACF;IACD,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI;CACvB,CAAC;AAEF,6EAA6E;AAC7E,MAAM,SAAS,GAAmB;IAChC,EAAE,EAAE,OAAO;IACX,KAAK,EAAE,EAAE;IACT,QAAQ,EAAE,KAAK;IACf,KAAK,EAAE,gBAAgB;IACvB,WAAW,EACT,iIAAiI;IACnI,OAAO,EAAE;QACP;YACE,EAAE,EAAE,QAAQ;YACZ,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,QAAQ;YACf,WAAW,EAAE,qCAAqC;YAClD,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,gBAAgB;wBACrB,KAAK,EAAE,gBAAgB;wBACvB,WAAW,EAAE,QAAQ;wBACrB,MAAM,EAAE,IAAI;qBACb;oBACD;wBACE,GAAG,EAAE,YAAY;wBACjB,KAAK,EAAE,2BAA2B;wBAClC,WAAW,EAAE,uCAAuC;qBACrD;oBACD;wBACE,GAAG,EAAE,UAAU;wBACf,KAAK,EAAE,mCAAmC;wBAC1C,WAAW,EAAE,YAAY;qBAC1B;iBACF;aACF;SACF;QACD;YACE,EAAE,EAAE,UAAU;YACd,IAAI,EAAE,MAAM;YACZ,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,uCAAuC;YACpD,OAAO,EAAE;gBACP,UAAU,EAAE,WAAW;gBACvB,MAAM,EAAE;oBACN;wBACE,GAAG,EAAE,kBAAkB;wBACvB,KAAK,EAAE,kBAAkB;wBACzB,WAAW,EAAE,QAAQ;wBACrB,MAAM,EAAE,IAAI;qBACb;oBACD;wBACE,GAAG,EAAE,YAAY;wBACjB,KAAK,EAAE,2BAA2B;wBAClC,WAAW,EAAE,uCAAuC;qBACrD;iBACF;aACF;SACF;KACF;IACD,UAAU,EAAE,GAAG,EAAE;QACf,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;YAAE,OAAO,IAAI,CAAC;QAC5C,uEAAuE;QACvE,wEAAwE;QACxE,iBAAiB;QACjB,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB;YAAE,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAClE,OAAO,KAAK,CAAC;IACf,CAAC;CACF,CAAC;AAEF,IAAI,UAAU,GAAG,KAAK,CAAC;AAEvB,6DAA6D;AAC7D,MAAM,UAAU,8BAA8B;IAC5C,IAAI,UAAU;QAAE,OAAO;IACvB,UAAU,GAAG,IAAI,CAAC;IAClB,sBAAsB,CAAC,OAAO,CAAC,CAAC;IAChC,sBAAsB,CAAC,YAAY,CAAC,CAAC;IACrC,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACjC,sBAAsB,CAAC,SAAS,CAAC,CAAC;AACpC,CAAC","sourcesContent":["/*\n Default framework-level onboarding steps.\n \n Registered when `createOnboardingPlugin()` mounts (auto-mount or explicit).\n * Templates can override any step by registering another step with the same\n * `id` after these have been registered.\n /\n\nimport { registerOnboardingStep } from \"./registry.js\";\nimport type { OnboardingStep } from \"./types.js\";\nimport {\n PROVIDER_ENV_META,\n PROVIDER_ENV_VARS,\n} from \"../agent/engine/provider-env-vars.js\";\nimport {\n detectEngineFromUserSecrets,\n isAgentEngineSettingConfigured,\n} from \"../agent/engine/registry.js\";\nimport { getSetting } from \"../settings/store.js\";\n\ntype LlmKeyMethod = {\n provider: keyof typeof PROVIDER_ENV_META;\n id: string;\n label: string;\n description: string;\n primary?: boolean;\n};\n\nconst LLM_KEY_METHODS: LlmKeyMethod[] = [\n {\n provider: \"anthropic\",\n id: \"anthropic-key\",\n label: \"Anthropic\",\n description: \"Claude models with your own Anthropic key.\",\n },\n {\n provider: \"openai\",\n id: \"openai-key\",\n label: \"OpenAI\",\n description: \"GPT models with your own OpenAI key.\",\n },\n {\n provider: \"google\",\n id: \"google-key\",\n label: \"Google Gemini\",\n description: \"Gemini models with your own Google AI key.\",\n },\n {\n provider: \"openrouter\",\n id: \"openrouter-key\",\n label: \"OpenRouter\",\n description: \"OpenRouter models with your own OpenRouter key.\",\n },\n {\n provider: \"groq\",\n id: \"groq-key\",\n label: \"Groq\",\n description: \"Groq-hosted models with your own Groq key.\",\n },\n {\n provider: \"mistral\",\n id: \"mistral-key\",\n label: \"Mistral\",\n description: \"Mistral models with your own Mistral key.\",\n },\n {\n provider: \"cohere\",\n id: \"cohere-key\",\n label: \"Cohere\",\n description: \"Cohere models with your own Cohere key.\",\n },\n];\n\nconst llmStep: OnboardingStep = {\n id: \"llm\",\n order: 10,\n required: true,\n title: \"Connect an AI engine\",\n description: \"Use Builder's managed gateway, or bring your own provider key.\",\n methods: [\n {\n id: \"builder\",\n kind: \"builder-cli-auth\",\n label: \"Connect Builder\",\n description:\n \"Connect the Builder space where this app should run. This unlocks managed LLM credits, browser automation, and file uploads. Cloud code changes appear when Builder Cloud Agents are available for the workspace.\",\n primary: true,\n payload: {\n scope: \"llm\",\n },\n },\n ...LLM_KEY_METHODS.map(({ provider, id, label, description, primary }) => {\n const meta = PROVIDER_ENV_META[provider];\n return {\n id,\n kind: \"form\" as const,\n label,\n description,\n ...(primary ? { primary: true } : {}),\n payload: {\n writeScope: \"workspace\" as const,\n fields: [\n {\n key: meta.envVar,\n label: meta.envVar,\n placeholder: meta.placeholder,\n secret: true,\n },\n ],\n },\n };\n }),\n ],\n isComplete: async () => {\n try {\n const { resolveHasBuilderPrivateKey } =\n await import(\"../server/credential-provider.js\");\n if (await resolveHasBuilderPrivateKey()) return true;\n } catch {\n if (process.env.BUILDER_PRIVATE_KEY) return true;\n }\n try {\n if (await detectEngineFromUserSecrets()) return true;\n } catch {\n // Fall through to legacy/env detection.\n }\n if (PROVIDER_ENV_VARS.some((k) => !!process.env[k])) return true;\n try {\n return isAgentEngineSettingConfigured(await getSetting(\"agent-engine\"));\n } catch {\n return false;\n }\n },\n};\n\n/* Step 2 — where application data lives. The default DB is non-blocking. /\nconst databaseStep: OnboardingStep = {\n id: \"database\",\n order: 20,\n required: false,\n title: \"Database\",\n description:\n \"Agent-native stores app data in SQL. Set DATABASE_URL when you want to point this app at a specific database.\",\n methods: [\n {\n id: \"database-url\",\n kind: \"form\",\n label: \"Set DATABASE_URL\",\n description: \"Paste the SQL connection string this app should use.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"DATABASE_URL\",\n label: \"DATABASE_URL\",\n placeholder: \"postgres://..., libsql://..., file:./data/app.db\",\n },\n {\n key: \"DATABASE_AUTH_TOKEN\",\n label: \"DATABASE_AUTH_TOKEN (if needed)\",\n placeholder: \"Token for providers such as Turso/libSQL\",\n secret: true,\n },\n ],\n },\n },\n ],\n // The default local database means this step is always satisfied.\n isComplete: () => true,\n};\n\n/* Step 3 — how users sign in. Built-in account auth is non-blocking. /\nconst authStep: OnboardingStep = {\n id: \"auth\",\n order: 30,\n required: false,\n title: \"Authentication\",\n description:\n \"Built-in email/password accounts work by default. Add OAuth or access tokens only if you want another sign-in path.\",\n methods: [\n {\n id: \"google-oauth\",\n kind: \"form\",\n label: \"Google OAuth\",\n description: \"Add Google as an optional sign-in provider.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n { key: \"GOOGLE_CLIENT_ID\", label: \"GOOGLE_CLIENT_ID\" },\n {\n key: \"GOOGLE_CLIENT_SECRET\",\n label: \"GOOGLE_CLIENT_SECRET\",\n secret: true,\n },\n ],\n },\n },\n {\n id: \"github-oauth\",\n kind: \"form\",\n label: \"GitHub OAuth\",\n description: \"Add GitHub as an optional sign-in provider.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n { key: \"GITHUB_CLIENT_ID\", label: \"GITHUB_CLIENT_ID\" },\n {\n key: \"GITHUB_CLIENT_SECRET\",\n label: \"GITHUB_CLIENT_SECRET\",\n secret: true,\n },\n ],\n },\n },\n ],\n isComplete: () => true,\n};\n\n/* Step 4 — transactional email (password resets, invitations). Optional. /\nconst emailStep: OnboardingStep = {\n id: \"email\",\n order: 40,\n required: false,\n title: \"Email delivery\",\n description:\n \"Optional for local work. Before deploying with password resets, invitations, or share notifications, connect an email provider.\",\n methods: [\n {\n id: \"resend\",\n kind: \"form\",\n label: \"Resend\",\n description: \"Use Resend for transactional email.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"RESEND_API_KEY\",\n label: \"RESEND_API_KEY\",\n placeholder: \"re_...\",\n secret: true,\n },\n {\n key: \"EMAIL_FROM\",\n label: \"EMAIL_FROM (from address)\",\n placeholder: \"Agent Native <noreply@yourdomain.com>\",\n },\n {\n key: \"APP_NAME\",\n label: \"APP_NAME (shown in invite emails)\",\n placeholder: \"Acme Forms\",\n },\n ],\n },\n },\n {\n id: \"sendgrid\",\n kind: \"form\",\n label: \"SendGrid\",\n description: \"Use SendGrid for transactional email.\",\n payload: {\n writeScope: \"workspace\",\n fields: [\n {\n key: \"SENDGRID_API_KEY\",\n label: \"SENDGRID_API_KEY\",\n placeholder: \"SG....\",\n secret: true,\n },\n {\n key: \"EMAIL_FROM\",\n label: \"EMAIL_FROM (from address)\",\n placeholder: \"Agent Native <noreply@yourdomain.com>\",\n },\n ],\n },\n },\n ],\n isComplete: () => {\n if (process.env.RESEND_API_KEY) return true;\n // SendGrid rejects Resend's sandbox sender, so EMAIL_FROM must also be\n // set — otherwise sendEmail() throws at runtime even though the API key\n // is configured.\n if (process.env.SENDGRID_API_KEY) return !!process.env.EMAIL_FROM;\n return false;\n },\n};\n\nlet registered = false;\n\n/* Idempotent. Safe to call from every plugin-mount call. */\nexport function registerDefaultOnboardingSteps(): void {\n if (registered) return;\n registered = true;\n registerOnboardingStep(llmStep);\n registerOnboardingStep(databaseStep);\n registerOnboardingStep(authStep);\n registerOnboardingStep(emailStep);\n}\n"]}

package/dist/secrets/substitution.d.ts CHANGED Viewed

@@ -53,6 +53,7 @@ export declare function resolveKeyReferences(text: string, scope: SecretScope, s
  * 2. active org scope (Dispatch vault sync writes here for org workspaces)
  * 3. active org workspace scope (legacy shared rows)
  * 4. solo workspace scope when no org is active
+ * 5. legacy app credential store user/org scopes
  */
 export declare function resolveKeyReferencesWithRequestScopes(text: string, userScopeId: string): Promise<ResolveKeyReferencesResult>;
 /**

package/dist/secrets/substitution.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"substitution.d.ts","sourceRoot":"","sources":["../../src/secrets/substitution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;~~AAoBjD~~,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,YAAY,CAAC,EAAE,oBAAoB,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,0BAA0B,CAAC,CA4CrC;AAED~~;;;;;;;;;GASG~~;AACH,wBAAsB,qCAAqC,CACzD,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,0BAA0B,CAAC,CAmCrC;~~AAiCD~~;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI,GACzB,OAAO,CAeT;AAED;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAU1B;AAED,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,oBAAoB,GACxB,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAO1B"}
1	+ {"version":3,"file":"substitution.d.ts","sourceRoot":"","sources":["../../src/secrets/substitution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAGH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAqBjD,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,YAAY,CAAC,EAAE,oBAAoB,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,WAAW,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,0BAA0B,CAAC,CA4CrC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,qCAAqC,CACzD,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,0BAA0B,CAAC,CAmCrC;AAkED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EAAE,GAAG,IAAI,GACzB,OAAO,CAeT;AAED;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CACnC,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,WAAW,EAClB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAU1B;AAED,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,oBAAoB,GACxB,OAAO,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,CAO1B"}

package/dist/secrets/substitution.js CHANGED Viewed

@@ -25,6 +25,7 @@
  * org-admin write-gate is verified to be active.
  */
 import { readAppSecret, readAppSecretMeta } from "./storage.js";
+import { resolveCredentialForScope } from "../credentials/index.js";
 import { getRequestOrgId, getRequestUserEmail, } from "../server/request-context.js";
 const KEY_REFERENCE_REGEX = /\$\{keys\.([A-Za-z0-9_-]+)\}/g;
 function isWorkspaceFallbackEnabled() {
@@ -94,6 +95,7 @@ export async function resolveKeyReferences(text, scope, scopeId) {
  * 2. active org scope (Dispatch vault sync writes here for org workspaces)
  * 3. active org workspace scope (legacy shared rows)
  * 4. solo workspace scope when no org is active
+ * 5. legacy app credential store user/org scopes
  */
 export async function resolveKeyReferencesWithRequestScopes(text, userScopeId) {
     const usedKeys = [];
@@ -134,8 +136,38 @@ async function readRequestScopedSecret(name, userScopeId) {
         if (result)
             return { value: result.value, ref: { name, ...ref } };
     }
+    const legacyCredential = await readLegacyCredential(name, userScopeId);
+    if (legacyCredential)
+        return legacyCredential;
     return null;
 }
+async function readLegacyCredential(name, userScopeId) {
+    const orgId = getRequestOrgId();
+    const userValue = await resolveCredentialForScope(name, {
+        userEmail: userScopeId,
+        orgId,
+        scope: "user",
+    }).catch(() => undefined);
+    if (userValue) {
+        return {
+            value: userValue,
+            ref: { name, scope: "user", scopeId: userScopeId },
+        };
+    }
+    if (!orgId)
+        return null;
+    const orgValue = await resolveCredentialForScope(name, {
+        userEmail: userScopeId,
+        orgId,
+        scope: "org",
+    }).catch(() => undefined);
+    if (!orgValue)
+        return null;
+    return {
+        value: orgValue,
+        ref: { name, scope: "org", scopeId: orgId },
+    };
+}
 function requestSecretCandidates(userScopeId) {
     const orgId = getRequestOrgId();
     if (orgId) {

package/dist/secrets/substitution.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"substitution.js","sourceRoot":"","sources":["../../src/secrets/substitution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EACL,eAAe,EACf,mBAAmB,GACpB,MAAM,8BAA8B,CAAC;AAEtC,MAAM,mBAAmB,GAAG,+BAA+B,CAAC;AAE5D,SAAS,0BAA0B;IACjC,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC;IAC3D,IAAI,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACrB,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,OAAO,CACL,UAAU,KAAK,GAAG;QAClB,UAAU,KAAK,MAAM;QACrB,UAAU,KAAK,KAAK;QACpB,UAAU,KAAK,IAAI,CACpB,CAAC;AACJ,CAAC;AAeD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAY,EACZ,KAAkB,EAClB,OAAe;IAEf,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC9C,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,wBAAwB,GAAG,0BAA0B,EAAE,CAAC;IAC9D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpC,IAAI,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAChE,qEAAqE;QACrE,mEAAmE;QACnE,oEAAoE;QACpE,IAAI,CAAC,MAAM,IAAI,KAAK,KAAK,MAAM,IAAI,wBAAwB,EAAE,CAAC;YAC5D,MAAM,GAAG,MAAM,aAAa,CAAC;gBAC3B,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC;aACtC,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mBAAmB,IAAI,+BAA+B,KAAK,+EAA+E,CAC3I,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,oBAAoB,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC9C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,IAAY,EACZ,WAAmB;IAEnB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC9C,MAAM,YAAY,GAA2B,EAAE,CAAC;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpC,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mBAAmB,IAAI,8HAA8H,CACtJ,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,oBAAoB,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;AAC5D,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,IAAY,EACZ,WAAmB;IAEnB,MAAM,UAAU,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACxD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;QAC1D,IAAI,MAAM;YAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,GAAG,GAAG,EAAE,EAAE,CAAC;IACpE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,uBAAuB,CAC9B,WAAmB;IAEnB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,OAAO;YACL,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;YACvC,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE;YAChC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE;SACvC,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,mBAAmB,EAAE,IAAI,WAAW,CAAC;IACnD,OAAO;QACL,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;QACvC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,KAAK,EAAE,EAAE;KACjD,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAW,EACX,SAA0B;IAE1B,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAY,EACZ,KAAkB,EAClB,OAAe;IAEf,IAAI,IAAI,GAAG,MAAM,iBAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAClE,IAAI,CAAC,IAAI,IAAI,KAAK,KAAK,MAAM,IAAI,0BAA0B,EAAE,EAAE,CAAC;QAC9D,IAAI,GAAG,MAAM,iBAAiB,CAAC;YAC7B,GAAG,EAAE,IAAI;YACT,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC;SACtC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAyB;IAEzB,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC;QACnC,GAAG,EAAE,GAAG,CAAC,IAAI;QACb,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,GAAG,CAAC,OAAO;KACrB,CAAC,CAAC;IACH,OAAO,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,SAAS,mBAAmB,CAAC,WAAmB;IAC9C,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,KAAK,GAAG,mBAAmB,EAAE,IAAI,WAAW,CAAC;IACnD,OAAO,QAAQ,KAAK,EAAE,CAAC;AACzB,CAAC","sourcesContent":["/*\n Server-side key substitution for automation tools.\n \n Resolves `${keys.NAME}` references in user-supplied strings (URLs, headers,\n * bodies, etc.) by looking up the named secret at tool-dispatch time. The\n * raw secret value NEVER enters the model's context — substitution happens\n * after the agent emits its tool call and before the request is dispatched.\n \n SECURITY — workspace-scope fallback (audit 05 H2):\n \n The user→workspace fallback is OPT-IN via the\n * `AGENT_NATIVE_KEYS_WORKSPACE_FALLBACK=1` env flag. Default OFF.\n \n When a user (any org member) writes a workspace-scoped `OPENAI_API_KEY`,\n * a default-on fallback would let every other org member's tools that\n * reference `${keys.OPENAI_API_KEY}` start using the malicious key\n * (key-skimming, mirror requests, billing hijack). The previous\n * fix-wave gated workspace-scope WRITES behind an org-admin check; this\n * file is the read-side defense-in-depth.\n \n When the env flag is unset, `resolveKeyReferences(\"user\", scopeId)`\n * queries ONLY user-scope rows. Tools/automations that need shared\n * defaults must explicitly look up via `scope: \"workspace\"`. Most\n * installs benefit from the stricter default — opt in only after the\n * org-admin write-gate is verified to be active.\n /\n\nimport { readAppSecret, readAppSecretMeta } from \"./storage.js\";\nimport type { SecretScope } from \"./register.js\";\nimport {\n getRequestOrgId,\n getRequestUserEmail,\n} from \"../server/request-context.js\";\n\nconst KEY_REFERENCE_REGEX = /\\$\\{keys\\.([A-Za-z0-9_-]+)\\}/g;\n\nfunction isWorkspaceFallbackEnabled(): boolean {\n const v = process.env.AGENT_NATIVE_KEYS_WORKSPACE_FALLBACK;\n if (!v) return false;\n const normalized = v.trim().toLowerCase();\n return (\n normalized === \"1\" \|\|\n normalized === \"true\" \|\|\n normalized === \"yes\" \|\|\n normalized === \"on\"\n );\n}\n\nexport interface ResolveKeyReferencesResult {\n resolved: string;\n usedKeys: string[];\n secretValues: string[];\n resolvedKeys?: ResolvedKeyReference[];\n}\n\nexport interface ResolvedKeyReference {\n name: string;\n scope: SecretScope;\n scopeId: string;\n}\n\n/\n Resolve `${keys.NAME}` references in `text`. For each reference, looks up\n * the named secret at the given scope, falling back to workspace-scope when\n * the user-scope row doesn't exist. Throws when a referenced key is missing\n * so the agent receives a clear error rather than dispatching with the\n * literal placeholder.\n /\nexport async function resolveKeyReferences(\n text: string,\n scope: SecretScope,\n scopeId: string,\n): Promise<ResolveKeyReferencesResult> {\n const usedKeys: string[] = [];\n const matches = Array.from(text.matchAll(KEY_REFERENCE_REGEX));\n if (matches.length === 0) {\n return { resolved: text, usedKeys, secretValues: [] };\n }\n\n const resolutions = new Map<string, string>();\n const secretValues: string[] = [];\n const workspaceFallbackEnabled = isWorkspaceFallbackEnabled();\n for (const match of matches) {\n const name = match[1];\n if (resolutions.has(name)) continue;\n\n let result = await readAppSecret({ key: name, scope, scopeId });\n // SECURITY (audit 05 H2): user→workspace fallback is opt-in. Default\n // off prevents one malicious org member from poisoning every other\n // member's `${keys.NAME}` resolution with a workspace-scoped value.\n if (!result && scope === \"user\" && workspaceFallbackEnabled) {\n result = await readAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: getWorkspaceScopeId(scopeId),\n });\n }\n if (!result) {\n throw new Error(\n `Referenced key \"${name}\" is not defined for scope \"${scope}\". Create it in Settings or via the secrets API before using this automation.`,\n );\n }\n resolutions.set(name, result.value);\n usedKeys.push(name);\n if (result.value) secretValues.push(result.value);\n }\n\n const resolved = text.replace(KEY_REFERENCE_REGEX, (_, name: string) => {\n const value = resolutions.get(name);\n if (value === undefined) {\n throw new Error(`Referenced key \"${name}\" was not resolved`);\n }\n return value;\n });\n\n return { resolved, usedKeys, secretValues };\n}\n\n/\n Resolve `${keys.NAME}` for browser extension fetches and other request-bound\n * code paths that should honor the active workspace's shared credential store.\n \n Lookup order:\n * 1. user scope for personal overrides\n * 2. active org scope (Dispatch vault sync writes here for org workspaces)\n * 3. active org workspace scope (legacy shared rows)\n * 4. solo workspace scope when no org is active\n /\nexport async function resolveKeyReferencesWithRequestScopes(\n text: string,\n userScopeId: string,\n): Promise<ResolveKeyReferencesResult> {\n const usedKeys: string[] = [];\n const matches = Array.from(text.matchAll(KEY_REFERENCE_REGEX));\n if (matches.length === 0) {\n return { resolved: text, usedKeys, secretValues: [], resolvedKeys: [] };\n }\n\n const resolutions = new Map<string, string>();\n const resolvedKeys: ResolvedKeyReference[] = [];\n const secretValues: string[] = [];\n for (const match of matches) {\n const name = match[1];\n if (resolutions.has(name)) continue;\n\n const result = await readRequestScopedSecret(name, userScopeId);\n if (!result) {\n throw new Error(\n `Referenced key \"${name}\" is not defined for this user or active workspace. Create it in Settings or the Dispatch vault before using this extension.`,\n );\n }\n resolutions.set(name, result.value);\n usedKeys.push(name);\n resolvedKeys.push(result.ref);\n if (result.value) secretValues.push(result.value);\n }\n\n const resolved = text.replace(KEY_REFERENCE_REGEX, (_, name: string) => {\n const value = resolutions.get(name);\n if (value === undefined) {\n throw new Error(`Referenced key \"${name}\" was not resolved`);\n }\n return value;\n });\n\n return { resolved, usedKeys, secretValues, resolvedKeys };\n}\n\nasync function readRequestScopedSecret(\n name: string,\n userScopeId: string,\n): Promise<{ value: string; ref: ResolvedKeyReference } \| null> {\n const candidates = requestSecretCandidates(userScopeId);\n for (const ref of candidates) {\n const result = await readAppSecret({ key: name, ...ref });\n if (result) return { value: result.value, ref: { name, ...ref } };\n }\n return null;\n}\n\nfunction requestSecretCandidates(\n userScopeId: string,\n): Array<{ scope: SecretScope; scopeId: string }> {\n const orgId = getRequestOrgId();\n if (orgId) {\n return [\n { scope: \"user\", scopeId: userScopeId },\n { scope: \"org\", scopeId: orgId },\n { scope: \"workspace\", scopeId: orgId },\n ];\n }\n\n const email = getRequestUserEmail() \|\| userScopeId;\n return [\n { scope: \"user\", scopeId: userScopeId },\n { scope: \"workspace\", scopeId: `solo:${email}` },\n ];\n}\n\n/\n Check if a URL is allowed by a key's URL allowlist. Returns true when no\n * allowlist is configured (permissive default — the allowlist is opt-in).\n \n Matching is exact on the URL's origin (scheme + host + port), so an entry\n * like `https://hooks.slack.com` blocks `https://evil.example.com` even if\n * the agent tries to redirect the request elsewhere.\n /\nexport function validateUrlAllowlist(\n url: string,\n allowlist: string[] \| null,\n): boolean {\n if (!allowlist \|\| allowlist.length === 0) return true;\n let origin: string;\n try {\n origin = new URL(url).origin;\n } catch {\n return false;\n }\n return allowlist.some((entry) => {\n try {\n return new URL(entry).origin === origin;\n } catch {\n return false;\n }\n });\n}\n\n/\n Convenience helper: look up a key's allowlist by name+scope. Returns null\n * when the key doesn't exist or has no allowlist configured.\n \n SECURITY: workspace fallback obeys the same opt-in flag as\n * `resolveKeyReferences` so the allowlist check stays consistent with the\n * resolved secret. If a future caller queries the allowlist for a key the\n * resolver wouldn't return, we'd risk allowing requests that the resolver\n * would refuse — keep them aligned.\n */\nexport async function getKeyAllowlist(\n name: string,\n scope: SecretScope,\n scopeId: string,\n): Promise<string[] \| null> {\n let meta = await readAppSecretMeta({ key: name, scope, scopeId });\n if (!meta && scope === \"user\" && isWorkspaceFallbackEnabled()) {\n meta = await readAppSecretMeta({\n key: name,\n scope: \"workspace\",\n scopeId: getWorkspaceScopeId(scopeId),\n });\n }\n return meta?.urlAllowlist ?? null;\n}\n\nexport async function getResolvedKeyAllowlist(\n ref: ResolvedKeyReference,\n): Promise<string[] \| null> {\n const meta = await readAppSecretMeta({\n key: ref.name,\n scope: ref.scope,\n scopeId: ref.scopeId,\n });\n return meta?.urlAllowlist ?? null;\n}\n\nfunction getWorkspaceScopeId(userScopeId: string): string {\n const orgId = getRequestOrgId();\n if (orgId) return orgId;\n const email = getRequestUserEmail() \|\| userScopeId;\n return `solo:${email}`;\n}\n"]}
1	+ {"version":3,"file":"substitution.js","sourceRoot":"","sources":["../../src/secrets/substitution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,EACL,eAAe,EACf,mBAAmB,GACpB,MAAM,8BAA8B,CAAC;AAEtC,MAAM,mBAAmB,GAAG,+BAA+B,CAAC;AAE5D,SAAS,0BAA0B;IACjC,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC;IAC3D,IAAI,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACrB,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,OAAO,CACL,UAAU,KAAK,GAAG;QAClB,UAAU,KAAK,MAAM;QACrB,UAAU,KAAK,KAAK;QACpB,UAAU,KAAK,IAAI,CACpB,CAAC;AACJ,CAAC;AAeD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAY,EACZ,KAAkB,EAClB,OAAe;IAEf,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC9C,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,wBAAwB,GAAG,0BAA0B,EAAE,CAAC;IAC9D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpC,IAAI,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAChE,qEAAqE;QACrE,mEAAmE;QACnE,oEAAoE;QACpE,IAAI,CAAC,MAAM,IAAI,KAAK,KAAK,MAAM,IAAI,wBAAwB,EAAE,CAAC;YAC5D,MAAM,GAAG,MAAM,aAAa,CAAC;gBAC3B,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC;aACtC,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mBAAmB,IAAI,+BAA+B,KAAK,+EAA+E,CAC3I,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,oBAAoB,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,IAAY,EACZ,WAAmB;IAEnB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC9C,MAAM,YAAY,GAA2B,EAAE,CAAC;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpC,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mBAAmB,IAAI,8HAA8H,CACtJ,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,oBAAoB,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;AAC5D,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,IAAY,EACZ,WAAmB;IAEnB,MAAM,UAAU,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACxD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;QAC1D,IAAI,MAAM;YAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,GAAG,GAAG,EAAE,EAAE,CAAC;IACpE,CAAC;IACD,MAAM,gBAAgB,GAAG,MAAM,oBAAoB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACvE,IAAI,gBAAgB;QAAE,OAAO,gBAAgB,CAAC;IAC9C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,IAAY,EACZ,WAAmB;IAEnB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAAC,IAAI,EAAE;QACtD,SAAS,EAAE,WAAW;QACtB,KAAK;QACL,KAAK,EAAE,MAAM;KACd,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC1B,IAAI,SAAS,EAAE,CAAC;QACd,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;SACnD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,QAAQ,GAAG,MAAM,yBAAyB,CAAC,IAAI,EAAE;QACrD,SAAS,EAAE,WAAW;QACtB,KAAK;QACL,KAAK,EAAE,KAAK;KACb,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC1B,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,OAAO;QACL,KAAK,EAAE,QAAQ;QACf,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE;KAC5C,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,WAAmB;IAEnB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,OAAO;YACL,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;YACvC,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE;YAChC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE;SACvC,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,mBAAmB,EAAE,IAAI,WAAW,CAAC;IACnD,OAAO;QACL,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;QACvC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,KAAK,EAAE,EAAE;KACjD,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAW,EACX,SAA0B;IAE1B,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAY,EACZ,KAAkB,EAClB,OAAe;IAEf,IAAI,IAAI,GAAG,MAAM,iBAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAClE,IAAI,CAAC,IAAI,IAAI,KAAK,KAAK,MAAM,IAAI,0BAA0B,EAAE,EAAE,CAAC;QAC9D,IAAI,GAAG,MAAM,iBAAiB,CAAC;YAC7B,GAAG,EAAE,IAAI;YACT,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC;SACtC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAyB;IAEzB,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC;QACnC,GAAG,EAAE,GAAG,CAAC,IAAI;QACb,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,GAAG,CAAC,OAAO;KACrB,CAAC,CAAC;IACH,OAAO,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,SAAS,mBAAmB,CAAC,WAAmB;IAC9C,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,KAAK,GAAG,mBAAmB,EAAE,IAAI,WAAW,CAAC;IACnD,OAAO,QAAQ,KAAK,EAAE,CAAC;AACzB,CAAC","sourcesContent":["/*\n Server-side key substitution for automation tools.\n \n Resolves `${keys.NAME}` references in user-supplied strings (URLs, headers,\n * bodies, etc.) by looking up the named secret at tool-dispatch time. The\n * raw secret value NEVER enters the model's context — substitution happens\n * after the agent emits its tool call and before the request is dispatched.\n \n SECURITY — workspace-scope fallback (audit 05 H2):\n \n The user→workspace fallback is OPT-IN via the\n * `AGENT_NATIVE_KEYS_WORKSPACE_FALLBACK=1` env flag. Default OFF.\n \n When a user (any org member) writes a workspace-scoped `OPENAI_API_KEY`,\n * a default-on fallback would let every other org member's tools that\n * reference `${keys.OPENAI_API_KEY}` start using the malicious key\n * (key-skimming, mirror requests, billing hijack). The previous\n * fix-wave gated workspace-scope WRITES behind an org-admin check; this\n * file is the read-side defense-in-depth.\n \n When the env flag is unset, `resolveKeyReferences(\"user\", scopeId)`\n * queries ONLY user-scope rows. Tools/automations that need shared\n * defaults must explicitly look up via `scope: \"workspace\"`. Most\n * installs benefit from the stricter default — opt in only after the\n * org-admin write-gate is verified to be active.\n /\n\nimport { readAppSecret, readAppSecretMeta } from \"./storage.js\";\nimport type { SecretScope } from \"./register.js\";\nimport { resolveCredentialForScope } from \"../credentials/index.js\";\nimport {\n getRequestOrgId,\n getRequestUserEmail,\n} from \"../server/request-context.js\";\n\nconst KEY_REFERENCE_REGEX = /\\$\\{keys\\.([A-Za-z0-9_-]+)\\}/g;\n\nfunction isWorkspaceFallbackEnabled(): boolean {\n const v = process.env.AGENT_NATIVE_KEYS_WORKSPACE_FALLBACK;\n if (!v) return false;\n const normalized = v.trim().toLowerCase();\n return (\n normalized === \"1\" \|\|\n normalized === \"true\" \|\|\n normalized === \"yes\" \|\|\n normalized === \"on\"\n );\n}\n\nexport interface ResolveKeyReferencesResult {\n resolved: string;\n usedKeys: string[];\n secretValues: string[];\n resolvedKeys?: ResolvedKeyReference[];\n}\n\nexport interface ResolvedKeyReference {\n name: string;\n scope: SecretScope;\n scopeId: string;\n}\n\n/\n Resolve `${keys.NAME}` references in `text`. For each reference, looks up\n * the named secret at the given scope, falling back to workspace-scope when\n * the user-scope row doesn't exist. Throws when a referenced key is missing\n * so the agent receives a clear error rather than dispatching with the\n * literal placeholder.\n /\nexport async function resolveKeyReferences(\n text: string,\n scope: SecretScope,\n scopeId: string,\n): Promise<ResolveKeyReferencesResult> {\n const usedKeys: string[] = [];\n const matches = Array.from(text.matchAll(KEY_REFERENCE_REGEX));\n if (matches.length === 0) {\n return { resolved: text, usedKeys, secretValues: [] };\n }\n\n const resolutions = new Map<string, string>();\n const secretValues: string[] = [];\n const workspaceFallbackEnabled = isWorkspaceFallbackEnabled();\n for (const match of matches) {\n const name = match[1];\n if (resolutions.has(name)) continue;\n\n let result = await readAppSecret({ key: name, scope, scopeId });\n // SECURITY (audit 05 H2): user→workspace fallback is opt-in. Default\n // off prevents one malicious org member from poisoning every other\n // member's `${keys.NAME}` resolution with a workspace-scoped value.\n if (!result && scope === \"user\" && workspaceFallbackEnabled) {\n result = await readAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: getWorkspaceScopeId(scopeId),\n });\n }\n if (!result) {\n throw new Error(\n `Referenced key \"${name}\" is not defined for scope \"${scope}\". Create it in Settings or via the secrets API before using this automation.`,\n );\n }\n resolutions.set(name, result.value);\n usedKeys.push(name);\n if (result.value) secretValues.push(result.value);\n }\n\n const resolved = text.replace(KEY_REFERENCE_REGEX, (_, name: string) => {\n const value = resolutions.get(name);\n if (value === undefined) {\n throw new Error(`Referenced key \"${name}\" was not resolved`);\n }\n return value;\n });\n\n return { resolved, usedKeys, secretValues };\n}\n\n/\n Resolve `${keys.NAME}` for browser extension fetches and other request-bound\n * code paths that should honor the active workspace's shared credential store.\n \n Lookup order:\n * 1. user scope for personal overrides\n * 2. active org scope (Dispatch vault sync writes here for org workspaces)\n * 3. active org workspace scope (legacy shared rows)\n * 4. solo workspace scope when no org is active\n * 5. legacy app credential store user/org scopes\n /\nexport async function resolveKeyReferencesWithRequestScopes(\n text: string,\n userScopeId: string,\n): Promise<ResolveKeyReferencesResult> {\n const usedKeys: string[] = [];\n const matches = Array.from(text.matchAll(KEY_REFERENCE_REGEX));\n if (matches.length === 0) {\n return { resolved: text, usedKeys, secretValues: [], resolvedKeys: [] };\n }\n\n const resolutions = new Map<string, string>();\n const resolvedKeys: ResolvedKeyReference[] = [];\n const secretValues: string[] = [];\n for (const match of matches) {\n const name = match[1];\n if (resolutions.has(name)) continue;\n\n const result = await readRequestScopedSecret(name, userScopeId);\n if (!result) {\n throw new Error(\n `Referenced key \"${name}\" is not defined for this user or active workspace. Create it in Settings or the Dispatch vault before using this extension.`,\n );\n }\n resolutions.set(name, result.value);\n usedKeys.push(name);\n resolvedKeys.push(result.ref);\n if (result.value) secretValues.push(result.value);\n }\n\n const resolved = text.replace(KEY_REFERENCE_REGEX, (_, name: string) => {\n const value = resolutions.get(name);\n if (value === undefined) {\n throw new Error(`Referenced key \"${name}\" was not resolved`);\n }\n return value;\n });\n\n return { resolved, usedKeys, secretValues, resolvedKeys };\n}\n\nasync function readRequestScopedSecret(\n name: string,\n userScopeId: string,\n): Promise<{ value: string; ref: ResolvedKeyReference } \| null> {\n const candidates = requestSecretCandidates(userScopeId);\n for (const ref of candidates) {\n const result = await readAppSecret({ key: name, ...ref });\n if (result) return { value: result.value, ref: { name, ...ref } };\n }\n const legacyCredential = await readLegacyCredential(name, userScopeId);\n if (legacyCredential) return legacyCredential;\n return null;\n}\n\nasync function readLegacyCredential(\n name: string,\n userScopeId: string,\n): Promise<{ value: string; ref: ResolvedKeyReference } \| null> {\n const orgId = getRequestOrgId();\n const userValue = await resolveCredentialForScope(name, {\n userEmail: userScopeId,\n orgId,\n scope: \"user\",\n }).catch(() => undefined);\n if (userValue) {\n return {\n value: userValue,\n ref: { name, scope: \"user\", scopeId: userScopeId },\n };\n }\n\n if (!orgId) return null;\n const orgValue = await resolveCredentialForScope(name, {\n userEmail: userScopeId,\n orgId,\n scope: \"org\",\n }).catch(() => undefined);\n if (!orgValue) return null;\n\n return {\n value: orgValue,\n ref: { name, scope: \"org\", scopeId: orgId },\n };\n}\n\nfunction requestSecretCandidates(\n userScopeId: string,\n): Array<{ scope: SecretScope; scopeId: string }> {\n const orgId = getRequestOrgId();\n if (orgId) {\n return [\n { scope: \"user\", scopeId: userScopeId },\n { scope: \"org\", scopeId: orgId },\n { scope: \"workspace\", scopeId: orgId },\n ];\n }\n\n const email = getRequestUserEmail() \|\| userScopeId;\n return [\n { scope: \"user\", scopeId: userScopeId },\n { scope: \"workspace\", scopeId: `solo:${email}` },\n ];\n}\n\n/\n Check if a URL is allowed by a key's URL allowlist. Returns true when no\n * allowlist is configured (permissive default — the allowlist is opt-in).\n \n Matching is exact on the URL's origin (scheme + host + port), so an entry\n * like `https://hooks.slack.com` blocks `https://evil.example.com` even if\n * the agent tries to redirect the request elsewhere.\n /\nexport function validateUrlAllowlist(\n url: string,\n allowlist: string[] \| null,\n): boolean {\n if (!allowlist \|\| allowlist.length === 0) return true;\n let origin: string;\n try {\n origin = new URL(url).origin;\n } catch {\n return false;\n }\n return allowlist.some((entry) => {\n try {\n return new URL(entry).origin === origin;\n } catch {\n return false;\n }\n });\n}\n\n/\n Convenience helper: look up a key's allowlist by name+scope. Returns null\n * when the key doesn't exist or has no allowlist configured.\n \n SECURITY: workspace fallback obeys the same opt-in flag as\n * `resolveKeyReferences` so the allowlist check stays consistent with the\n * resolved secret. If a future caller queries the allowlist for a key the\n * resolver wouldn't return, we'd risk allowing requests that the resolver\n * would refuse — keep them aligned.\n */\nexport async function getKeyAllowlist(\n name: string,\n scope: SecretScope,\n scopeId: string,\n): Promise<string[] \| null> {\n let meta = await readAppSecretMeta({ key: name, scope, scopeId });\n if (!meta && scope === \"user\" && isWorkspaceFallbackEnabled()) {\n meta = await readAppSecretMeta({\n key: name,\n scope: \"workspace\",\n scopeId: getWorkspaceScopeId(scopeId),\n });\n }\n return meta?.urlAllowlist ?? null;\n}\n\nexport async function getResolvedKeyAllowlist(\n ref: ResolvedKeyReference,\n): Promise<string[] \| null> {\n const meta = await readAppSecretMeta({\n key: ref.name,\n scope: ref.scope,\n scopeId: ref.scopeId,\n });\n return meta?.urlAllowlist ?? null;\n}\n\nfunction getWorkspaceScopeId(userScopeId: string): string {\n const orgId = getRequestOrgId();\n if (orgId) return orgId;\n const email = getRequestUserEmail() \|\| userScopeId;\n return `solo:${email}`;\n}\n"]}

package/dist/server/auth.d.ts CHANGED Viewed

@@ -259,7 +259,6 @@ export declare function setFrameworkSessionCookie(event: H3Event, token: string)
  * Automatically configure auth based on environment and configuration:
  *
  * - **BYOA (custom getSession)**: Template-provided auth callback handles everything.
- * - **ACCESS_TOKEN/ACCESS_TOKENS**: Simple token-based auth.
  * - **Default**: Better Auth with email/password, social providers, organizations, and JWT.
  *   Users see an onboarding page to create an account on first visit.
  *

package/dist/server/auth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAyChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAUlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAwB5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAc7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAoCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD;AAED,eAAO,MAAM,WAAW,QAA4C,CAAC;AACrE,eAAO,MAAM,yBAAyB,QACQ,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AAmCD,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAExE;AAgCD,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAIjE;AAkGD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CASjE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQzD;~~AAmJD~~,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAI7D;AAyDD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAgHD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAmnBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAY5E;AAgID,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAS7E;~~AA66CD;;;;;;;;;;;;;;GAcG~~;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,~~CAuLlB~~;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,~~CAEzE~~"}
1	+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAyChE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAUlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAwB5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAc7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAoCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD;AAED,eAAO,MAAM,WAAW,QAA4C,CAAC;AACrE,eAAO,MAAM,yBAAyB,QACQ,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AAmCD,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAExE;AAgCD,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAIjE;AAkGD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAOpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CASjE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQzD;AAqID,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAI7D;AAyDD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAgHD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAmnBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAY5E;AAgID,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAS7E;AAimCD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAqKlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAMzE"}