@agent-native/core 0.25.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/dist/agent/engine/ai-sdk-engine.d.ts.map +1 -1
  2. package/dist/agent/engine/ai-sdk-engine.js +2 -1
  3. package/dist/agent/engine/ai-sdk-engine.js.map +1 -1
  4. package/dist/agent/engine/anthropic-engine.d.ts.map +1 -1
  5. package/dist/agent/engine/anthropic-engine.js +2 -1
  6. package/dist/agent/engine/anthropic-engine.js.map +1 -1
  7. package/dist/agent/engine/builder-engine.d.ts.map +1 -1
  8. package/dist/agent/engine/builder-engine.js +31 -12
  9. package/dist/agent/engine/builder-engine.js.map +1 -1
  10. package/dist/agent/engine/output-tokens.d.ts +8 -0
  11. package/dist/agent/engine/output-tokens.d.ts.map +1 -0
  12. package/dist/agent/engine/output-tokens.js +60 -0
  13. package/dist/agent/engine/output-tokens.js.map +1 -0
  14. package/dist/agent/production-agent.d.ts +2 -1
  15. package/dist/agent/production-agent.d.ts.map +1 -1
  16. package/dist/agent/production-agent.js +66 -25
  17. package/dist/agent/production-agent.js.map +1 -1
  18. package/dist/client/AssistantChat.d.ts.map +1 -1
  19. package/dist/client/AssistantChat.js +3 -1
  20. package/dist/client/AssistantChat.js.map +1 -1
  21. package/dist/client/index.d.ts +3 -1
  22. package/dist/client/index.d.ts.map +1 -1
  23. package/dist/client/index.js +3 -1
  24. package/dist/client/index.js.map +1 -1
  25. package/dist/client/use-external-value.d.ts +17 -0
  26. package/dist/client/use-external-value.d.ts.map +1 -0
  27. package/dist/client/use-external-value.js +29 -0
  28. package/dist/client/use-external-value.js.map +1 -0
  29. package/dist/collab/client.d.ts +18 -0
  30. package/dist/collab/client.d.ts.map +1 -1
  31. package/dist/collab/client.js +81 -2
  32. package/dist/collab/client.js.map +1 -1
  33. package/dist/scripts/docs/search.d.ts.map +1 -1
  34. package/dist/scripts/docs/search.js +52 -6
  35. package/dist/scripts/docs/search.js.map +1 -1
  36. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  37. package/dist/server/agent-chat-plugin.js +87 -79
  38. package/dist/server/agent-chat-plugin.js.map +1 -1
  39. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  40. package/dist/server/core-routes-plugin.js +6 -6
  41. package/dist/server/core-routes-plugin.js.map +1 -1
  42. package/dist/server/create-server.d.ts.map +1 -1
  43. package/dist/server/create-server.js +5 -1
  44. package/dist/server/create-server.js.map +1 -1
  45. package/package.json +1 -2
package/dist/server/create-server.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"create-server.d.ts","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EAOb,MAAM,IAAI,CAAC;AAgBZ,MAAM,WAAW,YAAY;IAC3B,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,oFAAoF;IACpF,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,gFAAgF;IAChF,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;IACvC,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uHAAuH;IACvH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;CAC1B;AA0BD;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,KAAK,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,GAC1C,OAAO,CAAC,IAAI,CAAC,CAoDf;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;IAClC,MAAM,EAAE,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;CACzC;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAC1B,OAAO,GAAE,mBAAwB,GAChC,kBAAkB,CAiMpB"}
1
+ {"version":3,"file":"create-server.d.ts","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EAOb,MAAM,IAAI,CAAC;AAiBZ,MAAM,WAAW,YAAY;IAC3B,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,oFAAoF;IACpF,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,gFAAgF;IAChF,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;IACvC,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uHAAuH;IACvH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;CAC1B;AA0BD;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,KAAK,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,GAC1C,OAAO,CAAC,IAAI,CAAC,CAoDf;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;IAClC,MAAM,EAAE,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;CACzC;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAC1B,OAAO,GAAE,mBAAwB,GAChC,kBAAkB,CAuMpB"}
package/dist/server/create-server.js CHANGED
@@ -6,6 +6,7 @@ import { getAllowedCorsOrigin, readCorsAllowedOrigins, } from "./cors-origins.js
6
6
  import { isEnvVarWriteAllowed } from "./env-var-writes.js";
7
7
  import { EMBED_TARGET_HEADER } from "../shared/embed-auth.js";
8
8
  import { isMcpEmbedCorsOrigin, MCP_EMBED_CORS_ALLOW_HEADERS, shouldAllowMcpEmbedCredentials, } from "../shared/mcp-embed-headers.js";
9
+ import { BUILDER_ENV_KEYS } from "./builder-browser.js";
9
10
  /**
10
11
  * Parse a .env file into key-value pairs, preserving comments and empty lines for roundtrip.
11
12
  */
@@ -211,7 +212,10 @@ export function createServer(options = {}) {
211
212
  }
212
213
  // Only allow keys that are in the env config
213
214
  const allowedKeys = new Set(envKeys.map((k) => k.key));
214
- const filtered = vars.filter((v) => allowedKeys.has(v.key));
215
+ const blockedEnvVarWriteKeys = new Set(BUILDER_ENV_KEYS);
216
+ const filtered = vars.filter((v) => typeof v.key === "string" &&
217
+ allowedKeys.has(v.key) &&
218
+ !blockedEnvVarWriteKeys.has(v.key));
215
219
  if (filtered.length === 0) {
216
220
  setResponseStatus(event, 400);
217
221
  return { error: "No recognized env keys in request" };
package/dist/server/create-server.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"create-server.js","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EACL,oBAAoB,EACpB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AA0BxC;;GAEG;AACH,SAAS,YAAY,CAAC,OAAe;IACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAClD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9C,2BAA2B;QAC3B,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,IAA2C;IAE3C,gEAAgE;IAChE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;QAClC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,6BAA6B,GAAG,mDAAmD,CACpF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE9B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,yBAAyB;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE7D,iCAAiC;IACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAChC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;YAClC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtB,OAAO,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;IAClC,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;AACH,CAAC;AAOD;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,UAA+B,EAAE;IAEjC,MAAM,GAAG,GAAG,SAAS,CAAC;QACpB,OAAO,CAAC,KAAK,EAAE,KAAK;YAClB,yFAAyF;YACzF,MAAM,GAAG,GAAG,KAA8B,CAAC;YAC3C,MAAM,IAAI,GAAG,GAAG,EAAE,IAAI,IAAK,GAAG,EAAE,KAA+B,EAAE,IAAI,CAAC;YACtE,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,cAAc;gBAAE,OAAO;YAC7D,IAAI,GAAG,EAAE,OAAO,KAAK,SAAS;gBAAE,OAAO;YACvC,OAAO,CAAC,KAAK,CACX,gCAAgC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,EAAE,EAC5D,KAAK,CACN,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;QAChD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QAE3D;;;;WAIG;QACH,GAAG,CAAC,GAAG,CACL,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YAChC,MAAM,gBAAgB,GAAG,MAAM,CAC7B,gBAAgB,CAAC,KAAK,EAAE,gCAAgC,CAAC,IAAI,EAAE,CAChE;iBACE,WAAW,EAAE;iBACb,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAClC,MAAM,gBAAgB,GACpB,oBAAoB,CAAC,aAAa,CAAC;gBACnC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC;oBAC3D,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;oBACrD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;YAEvD;;;;;;;eAOG;YACH,MAAM,aAAa,GAAG,gBAAgB;gBACpC,CAAC,CAAC,aAAa;gBACf,CAAC,CAAC,oBAAoB,CAAC,aAAa,EAAE;oBAClC,cAAc;oBACd,6BAA6B,EAAE,CAAC,YAAY;oBAC5C,6BAA6B,EAAE,IAAI;iBACpC,CAAC,CAAC;YACP,oEAAoE;YACpE,kEAAkE;YAClE,mEAAmE;YAEnE,IAAI,aAAa,EAAE,CAAC;gBAClB,iBAAiB,CACf,KAAK,EACL,6BAA6B,EAC7B,aAAa,CACd,CAAC;gBACF,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC3C,6DAA6D;gBAC7D,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,iDAAiD;gBACjD,IAAI,8BAA8B,CAAC,aAAa,CAAC,EAAE,CAAC;oBAClD,iBAAiB,CACf,KAAK,EACL,kCAAkC,EAClC,MAAM,CACP,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC1B,kEAAkE;gBAClE,gEAAgE;gBAChE,2CAA2C;gBAC3C,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;YAED,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;YACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;YAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,kEAAkE;gBAClE,+DAA+D;gBAC/D,mEAAmE;gBACnE,iEAAiE;gBACjE,qEAAqE;gBACrE,IAAI,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;oBACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEhB,eAAe;IACf,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,CACR,qBAAqB,EACrB,kBAAkB,CAAC,GAAG,EAAE;YACtB,MAAM,OAAO,GACX,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,MAAM,CAAC;YAC5D,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAEhC,MAAM,CAAC,GAAG,CACR,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE;YACtB,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC3B,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,KAAK;gBAC/B,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;gBAClC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAC,CAAC,CAAC;QACN,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,yBAAyB,EACzB,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;YAC1C,kEAAkE;YAClE,0DAA0D;YAC1D,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;gBAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,0JAA0J;iBAC7J,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,EAAE,IAAI,EAAE,GAAG,IAEhB,CAAC;YAEF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;YAC1C,CAAC;YAED,6CAA6C;YAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;YACxD,CAAC;YAED,qBAAqB;YACrB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;YACjD,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAEvC,oEAAoE;YACpE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAC3B,CAAC;YAED,mDAAmD;YACnD,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAE3B,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AACzB,CAAC","sourcesContent":["import {\n createApp,\n createRouter,\n defineEventHandler,\n getMethod,\n getRequestHeader,\n setResponseHeader,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport path from \"path\";\nimport { agentEnv } from \"../shared/agent-env.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n getAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport { isEnvVarWriteAllowed } from \"./env-var-writes.js\";\nimport { EMBED_TARGET_HEADER } from \"../shared/embed-auth.js\";\nimport {\n isMcpEmbedCorsOrigin,\n MCP_EMBED_CORS_ALLOW_HEADERS,\n shouldAllowMcpEmbedCredentials,\n} from \"../shared/mcp-embed-headers.js\";\n\nexport interface EnvKeyConfig {\n /** Environment variable name (e.g. \"HUBSPOT_ACCESS_TOKEN\") */\n key: string;\n /** Human-readable label (e.g. \"HubSpot\") */\n label: string;\n /** Whether this key is required for the app to function */\n required?: boolean;\n /** Optional UI hint shown next to the field describing where to find this value. */\n helpText?: string;\n}\n\nexport interface CreateServerOptions {\n /** CORS options. Ignored (H3 handles CORS via middleware). Default: enabled. */\n cors?: Record<string, unknown> | false;\n /** JSON body parser limit. Kept for API compatibility (H3 uses readBody). */\n jsonLimit?: string;\n /** Custom ping message. Default: reads PING_MESSAGE env var, falls back to \"pong\" */\n pingMessage?: string;\n /** Disable the /_agent-native/ping health check. Default: false */\n disablePing?: boolean;\n /** Env key configuration for the settings UI. Enables /_agent-native/env-status and /_agent-native/env-vars routes. */\n envKeys?: EnvKeyConfig[];\n}\n\n/**\n * Parse a .env file into key-value pairs, preserving comments and empty lines for roundtrip.\n */\nfunction parseEnvFile(content: string): Map<string, string> {\n const vars = new Map<string, string>();\n for (const line of content.split(\"\\n\")) {\n const trimmed = line.trim();\n if (!trimmed || trimmed.startsWith(\"#\")) continue;\n const eqIndex = trimmed.indexOf(\"=\");\n if (eqIndex === -1) continue;\n const key = trimmed.slice(0, eqIndex).trim();\n let value = trimmed.slice(eqIndex + 1).trim();\n // Strip surrounding quotes\n if (\n (value.startsWith('\"') && value.endsWith('\"')) ||\n (value.startsWith(\"'\") && value.endsWith(\"'\"))\n ) {\n value = value.slice(1, -1);\n }\n vars.set(key, value);\n }\n return vars;\n}\n\n/**\n * Upsert vars into a .env file, preserving existing structure.\n */\nexport async function upsertEnvFile(\n envPath: string,\n vars: Array<{ key: string; value: string }>,\n): Promise<void> {\n // Sanitize: reject values that could inject additional env vars\n for (const { key, value } of vars) {\n if (/[\\n\\r\\0]/.test(value)) {\n throw new Error(\n `Invalid env var value for ${key}: must not contain newlines or control characters`,\n );\n }\n }\n\n const fs = await import(\"fs\");\n\n let content = \"\";\n try {\n content = fs.readFileSync(envPath, \"utf-8\");\n } catch {\n // File doesn't exist yet\n }\n\n const lines = content.split(\"\\n\");\n const remaining = new Map(vars.map((v) => [v.key, v.value]));\n\n // Update existing lines in place\n const updated = lines.map((line) => {\n const trimmed = line.trim();\n if (!trimmed || trimmed.startsWith(\"#\")) return line;\n const eqIndex = trimmed.indexOf(\"=\");\n if (eqIndex === -1) return line;\n const key = trimmed.slice(0, eqIndex).trim();\n if (remaining.has(key)) {\n const value = remaining.get(key)!;\n remaining.delete(key);\n return `${key}=${value}`;\n }\n return line;\n });\n\n // Append new vars\n for (const [key, value] of remaining) {\n updated.push(`${key}=${value}`);\n }\n\n // Ensure trailing newline\n let result = updated.join(\"\\n\");\n if (!result.endsWith(\"\\n\")) result += \"\\n\";\n\n try {\n fs.mkdirSync(path.dirname(envPath), { recursive: true });\n fs.writeFileSync(envPath, result);\n } catch {\n // Edge runtimes don't have writable filesystem — skip silently\n }\n}\n\nexport interface CreateServerResult {\n app: ReturnType<typeof createApp>;\n router: ReturnType<typeof createRouter>;\n}\n\n/**\n * Create a pre-configured H3 app with standard agent-native setup:\n * - CORS headers via middleware\n * - /_agent-native/ping health check\n * - /_agent-native/env-status and /_agent-native/env-vars (when envKeys is provided)\n *\n * Returns { app, router } — mount routes on `router`.\n */\nexport function createServer(\n options: CreateServerOptions = {},\n): CreateServerResult {\n const app = createApp({\n onError(error, event) {\n // Suppress connection-reset errors — client disconnected mid-request (tab close, reload)\n const err = error as NodeJS.ErrnoException;\n const code = err?.code || (err?.cause as NodeJS.ErrnoException)?.code;\n if (code === \"ECONNRESET\" || code === \"ECONNABORTED\") return;\n if (err?.message === \"aborted\") return;\n console.error(\n `[agent-native] Server error: ${event.method} ${event.path}`,\n error,\n );\n },\n });\n\n // CORS middleware\n if (options.cors !== false) {\n const allowedOrigins = readCorsAllowedOrigins();\n const isProduction = process.env.NODE_ENV === \"production\";\n\n /**\n * When CORS_ALLOWED_ORIGINS is unset, production only allows trusted\n * localhost/native desktop origins. Development keeps the legacy \"echo\n * any origin\" behavior so local tools and docs previews keep working.\n */\n app.use(\n defineEventHandler((event) => {\n const requestOrigin = getRequestHeader(event, \"origin\");\n const method = getMethod(event);\n const requestedHeaders = String(\n getRequestHeader(event, \"access-control-request-headers\") ?? \"\",\n )\n .toLowerCase()\n .split(\",\")\n .map((header) => header.trim());\n const embedCorsRequest =\n isMcpEmbedCorsOrigin(requestOrigin) &&\n (requestedHeaders.includes(EMBED_TARGET_HEADER.toLowerCase()) ||\n Boolean(getRequestHeader(event, EMBED_TARGET_HEADER)) ||\n Boolean(getRequestHeader(event, \"authorization\")));\n\n /**\n * Decide whether the requesting origin is allowed. We never fall back\n * to \"the first allowlist entry\" when the origin isn't in the list —\n * that previously sent `Access-Control-Allow-Origin: <other-origin>`\n * with credentials enabled to attacker-controlled origins, which was\n * permissive enough that some clients followed through with the\n * credentialed request.\n */\n const allowedOrigin = embedCorsRequest\n ? requestOrigin\n : getAllowedCorsOrigin(requestOrigin, {\n allowedOrigins,\n allowAnyOriginWhenNoAllowlist: !isProduction,\n allowLocalhostWhenNoAllowlist: true,\n });\n // No origin header at all (same-origin fetch, server-to-server) and\n // no allowlist → fall through with `*`-equivalent behaviour: omit\n // ACAO entirely and let the browser apply its same-origin default.\n\n if (allowedOrigin) {\n setResponseHeader(\n event,\n \"Access-Control-Allow-Origin\",\n allowedOrigin,\n );\n setResponseHeader(event, \"Vary\", \"Origin\");\n // A specific origin means we can honor credentialed requests\n // (fetch with `credentials: \"include\"` — used by desktop tray\n // apps that share a same-site cookie with the web app). The\n // wildcard `*` is spec-incompatible with credentials, so only\n // set this when we're echoing a concrete origin.\n if (shouldAllowMcpEmbedCredentials(allowedOrigin)) {\n setResponseHeader(\n event,\n \"Access-Control-Allow-Credentials\",\n \"true\",\n );\n }\n } else if (!requestOrigin) {\n // No origin header — preserve the legacy permissive behaviour for\n // tools/scripts that hit the API directly (no credentialed CORS\n // semantics apply when there's no Origin).\n setResponseHeader(event, \"Access-Control-Allow-Origin\", \"*\");\n }\n\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n MCP_EMBED_CORS_ALLOW_HEADERS,\n );\n\n if (method === \"OPTIONS\") {\n // Reject preflights from disallowed cross-origin callers. We only\n // 204 if either (a) there was no Origin header (same-origin or\n // direct script invocation) or (b) the origin was in the allowlist\n // / dev fallback above. Otherwise we 403 so the browser surfaces\n // a hard CORS failure rather than blindly retrying with credentials.\n if (requestOrigin && !allowedOrigin) {\n return new Response(null, { status: 403 });\n }\n return new Response(null, { status: 204 });\n }\n }),\n );\n }\n\n const router = createRouter();\n app.use(router);\n\n // Health check\n if (!options.disablePing) {\n router.get(\n \"/_agent-native/ping\",\n defineEventHandler(() => {\n const message =\n options.pingMessage ?? process.env.PING_MESSAGE ?? \"pong\";\n return { message };\n }),\n );\n }\n\n // Env key management routes\n if (options.envKeys) {\n const envKeys = options.envKeys;\n\n router.get(\n \"/_agent-native/env-status\",\n defineEventHandler(() => {\n return envKeys.map((cfg) => ({\n key: cfg.key,\n label: cfg.label,\n required: cfg.required ?? false,\n configured: !!process.env[cfg.key],\n ...(cfg.helpText ? { helpText: cfg.helpText } : {}),\n }));\n }),\n );\n\n router.post(\n \"/_agent-native/env-vars\",\n defineEventHandler(async (event: H3Event) => {\n // Env vars are deployment-wide globals — see isEnvVarWriteAllowed\n // above. Disable the endpoint on any multi-tenant deploy.\n if (!isEnvVarWriteAllowed()) {\n setResponseStatus(event, 403);\n return {\n error:\n \"env-vars endpoint disabled on multi-tenant deployments. Use saveCredential(key, value, { userEmail, orgId, scope: 'org' }) to store per-org credentials.\",\n };\n }\n\n const body = await readBody(event);\n const { vars } = body as {\n vars?: Array<{ key: string; value: string }>;\n };\n\n if (!Array.isArray(vars) || vars.length === 0) {\n setResponseStatus(event, 400);\n return { error: \"vars array required\" };\n }\n\n // Only allow keys that are in the env config\n const allowedKeys = new Set(envKeys.map((k) => k.key));\n const filtered = vars.filter((v) => allowedKeys.has(v.key));\n if (filtered.length === 0) {\n setResponseStatus(event, 400);\n return { error: \"No recognized env keys in request\" };\n }\n\n // Write to .env file\n const envPath = path.join(process.cwd(), \".env\");\n await upsertEnvFile(envPath, filtered);\n\n // Update process.env so the app picks up the new values immediately\n for (const { key, value } of filtered) {\n process.env[key] = value;\n }\n\n // Notify parent (Builder or frame) via postMessage\n agentEnv.setVars(filtered);\n\n return { saved: filtered.map((v) => v.key) };\n }),\n );\n }\n\n return { app, router };\n}\n"]}
1
+ {"version":3,"file":"create-server.js","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EACL,oBAAoB,EACpB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AA0BxD;;GAEG;AACH,SAAS,YAAY,CAAC,OAAe;IACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAClD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,SAAS;QAC7B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9C,2BAA2B;QAC3B,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,IAA2C;IAE3C,gEAAgE;IAChE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;QAClC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,6BAA6B,GAAG,mDAAmD,CACpF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE9B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,yBAAyB;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE7D,iCAAiC;IACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAChC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;YAClC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtB,OAAO,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;IAClC,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;AACH,CAAC;AAOD;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,UAA+B,EAAE;IAEjC,MAAM,GAAG,GAAG,SAAS,CAAC;QACpB,OAAO,CAAC,KAAK,EAAE,KAAK;YAClB,yFAAyF;YACzF,MAAM,GAAG,GAAG,KAA8B,CAAC;YAC3C,MAAM,IAAI,GAAG,GAAG,EAAE,IAAI,IAAK,GAAG,EAAE,KAA+B,EAAE,IAAI,CAAC;YACtE,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,cAAc;gBAAE,OAAO;YAC7D,IAAI,GAAG,EAAE,OAAO,KAAK,SAAS;gBAAE,OAAO;YACvC,OAAO,CAAC,KAAK,CACX,gCAAgC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,EAAE,EAC5D,KAAK,CACN,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;QAChD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QAE3D;;;;WAIG;QACH,GAAG,CAAC,GAAG,CACL,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YAChC,MAAM,gBAAgB,GAAG,MAAM,CAC7B,gBAAgB,CAAC,KAAK,EAAE,gCAAgC,CAAC,IAAI,EAAE,CAChE;iBACE,WAAW,EAAE;iBACb,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAClC,MAAM,gBAAgB,GACpB,oBAAoB,CAAC,aAAa,CAAC;gBACnC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC;oBAC3D,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;oBACrD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;YAEvD;;;;;;;eAOG;YACH,MAAM,aAAa,GAAG,gBAAgB;gBACpC,CAAC,CAAC,aAAa;gBACf,CAAC,CAAC,oBAAoB,CAAC,aAAa,EAAE;oBAClC,cAAc;oBACd,6BAA6B,EAAE,CAAC,YAAY;oBAC5C,6BAA6B,EAAE,IAAI;iBACpC,CAAC,CAAC;YACP,oEAAoE;YACpE,kEAAkE;YAClE,mEAAmE;YAEnE,IAAI,aAAa,EAAE,CAAC;gBAClB,iBAAiB,CACf,KAAK,EACL,6BAA6B,EAC7B,aAAa,CACd,CAAC;gBACF,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC3C,6DAA6D;gBAC7D,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,iDAAiD;gBACjD,IAAI,8BAA8B,CAAC,aAAa,CAAC,EAAE,CAAC;oBAClD,iBAAiB,CACf,KAAK,EACL,kCAAkC,EAClC,MAAM,CACP,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC1B,kEAAkE;gBAClE,gEAAgE;gBAChE,2CAA2C;gBAC3C,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;YAED,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;YACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;YAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,kEAAkE;gBAClE,+DAA+D;gBAC/D,mEAAmE;gBACnE,iEAAiE;gBACjE,qEAAqE;gBACrE,IAAI,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;oBACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEhB,eAAe;IACf,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,CACR,qBAAqB,EACrB,kBAAkB,CAAC,GAAG,EAAE;YACtB,MAAM,OAAO,GACX,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,MAAM,CAAC;YAC5D,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAEhC,MAAM,CAAC,GAAG,CACR,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE;YACtB,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC3B,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,KAAK;gBAC/B,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;gBAClC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAC,CAAC,CAAC;QACN,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,yBAAyB,EACzB,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;YAC1C,kEAAkE;YAClE,0DAA0D;YAC1D,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;gBAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,0JAA0J;iBAC7J,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,EAAE,IAAI,EAAE,GAAG,IAEhB,CAAC;YAEF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;YAC1C,CAAC;YAED,6CAA6C;YAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvD,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAS,gBAAgB,CAAC,CAAC;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAC1B,CAAC,CAAC,EAAE,EAAE,CACJ,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;gBACzB,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACtB,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CACrC,CAAC;YACF,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;YACxD,CAAC;YAED,qBAAqB;YACrB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;YACjD,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAEvC,oEAAoE;YACpE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAC3B,CAAC;YAED,mDAAmD;YACnD,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAE3B,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AACzB,CAAC","sourcesContent":["import {\n createApp,\n createRouter,\n defineEventHandler,\n getMethod,\n getRequestHeader,\n setResponseHeader,\n setResponseStatus,\n type H3Event,\n} from \"h3\";\nimport path from \"path\";\nimport { agentEnv } from \"../shared/agent-env.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n getAllowedCorsOrigin,\n readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport { isEnvVarWriteAllowed } from \"./env-var-writes.js\";\nimport { EMBED_TARGET_HEADER } from \"../shared/embed-auth.js\";\nimport {\n isMcpEmbedCorsOrigin,\n MCP_EMBED_CORS_ALLOW_HEADERS,\n shouldAllowMcpEmbedCredentials,\n} from \"../shared/mcp-embed-headers.js\";\nimport { BUILDER_ENV_KEYS } from \"./builder-browser.js\";\n\nexport interface EnvKeyConfig {\n /** Environment variable name (e.g. \"HUBSPOT_ACCESS_TOKEN\") */\n key: string;\n /** Human-readable label (e.g. \"HubSpot\") */\n label: string;\n /** Whether this key is required for the app to function */\n required?: boolean;\n /** Optional UI hint shown next to the field describing where to find this value. */\n helpText?: string;\n}\n\nexport interface CreateServerOptions {\n /** CORS options. Ignored (H3 handles CORS via middleware). Default: enabled. */\n cors?: Record<string, unknown> | false;\n /** JSON body parser limit. Kept for API compatibility (H3 uses readBody). */\n jsonLimit?: string;\n /** Custom ping message. Default: reads PING_MESSAGE env var, falls back to \"pong\" */\n pingMessage?: string;\n /** Disable the /_agent-native/ping health check. Default: false */\n disablePing?: boolean;\n /** Env key configuration for the settings UI. Enables /_agent-native/env-status and /_agent-native/env-vars routes. */\n envKeys?: EnvKeyConfig[];\n}\n\n/**\n * Parse a .env file into key-value pairs, preserving comments and empty lines for roundtrip.\n */\nfunction parseEnvFile(content: string): Map<string, string> {\n const vars = new Map<string, string>();\n for (const line of content.split(\"\\n\")) {\n const trimmed = line.trim();\n if (!trimmed || trimmed.startsWith(\"#\")) continue;\n const eqIndex = trimmed.indexOf(\"=\");\n if (eqIndex === -1) continue;\n const key = trimmed.slice(0, eqIndex).trim();\n let value = trimmed.slice(eqIndex + 1).trim();\n // Strip surrounding quotes\n if (\n (value.startsWith('\"') && value.endsWith('\"')) ||\n (value.startsWith(\"'\") && value.endsWith(\"'\"))\n ) {\n value = value.slice(1, -1);\n }\n vars.set(key, value);\n }\n return vars;\n}\n\n/**\n * Upsert vars into a .env file, preserving existing structure.\n */\nexport async function upsertEnvFile(\n envPath: string,\n vars: Array<{ key: string; value: string }>,\n): Promise<void> {\n // Sanitize: reject values that could inject additional env vars\n for (const { key, value } of vars) {\n if (/[\\n\\r\\0]/.test(value)) {\n throw new Error(\n `Invalid env var value for ${key}: must not contain newlines or control characters`,\n );\n }\n }\n\n const fs = await import(\"fs\");\n\n let content = \"\";\n try {\n content = fs.readFileSync(envPath, \"utf-8\");\n } catch {\n // File doesn't exist yet\n }\n\n const lines = content.split(\"\\n\");\n const remaining = new Map(vars.map((v) => [v.key, v.value]));\n\n // Update existing lines in place\n const updated = lines.map((line) => {\n const trimmed = line.trim();\n if (!trimmed || trimmed.startsWith(\"#\")) return line;\n const eqIndex = trimmed.indexOf(\"=\");\n if (eqIndex === -1) return line;\n const key = trimmed.slice(0, eqIndex).trim();\n if (remaining.has(key)) {\n const value = remaining.get(key)!;\n remaining.delete(key);\n return `${key}=${value}`;\n }\n return line;\n });\n\n // Append new vars\n for (const [key, value] of remaining) {\n updated.push(`${key}=${value}`);\n }\n\n // Ensure trailing newline\n let result = updated.join(\"\\n\");\n if (!result.endsWith(\"\\n\")) result += \"\\n\";\n\n try {\n fs.mkdirSync(path.dirname(envPath), { recursive: true });\n fs.writeFileSync(envPath, result);\n } catch {\n // Edge runtimes don't have writable filesystem — skip silently\n }\n}\n\nexport interface CreateServerResult {\n app: ReturnType<typeof createApp>;\n router: ReturnType<typeof createRouter>;\n}\n\n/**\n * Create a pre-configured H3 app with standard agent-native setup:\n * - CORS headers via middleware\n * - /_agent-native/ping health check\n * - /_agent-native/env-status and /_agent-native/env-vars (when envKeys is provided)\n *\n * Returns { app, router } — mount routes on `router`.\n */\nexport function createServer(\n options: CreateServerOptions = {},\n): CreateServerResult {\n const app = createApp({\n onError(error, event) {\n // Suppress connection-reset errors — client disconnected mid-request (tab close, reload)\n const err = error as NodeJS.ErrnoException;\n const code = err?.code || (err?.cause as NodeJS.ErrnoException)?.code;\n if (code === \"ECONNRESET\" || code === \"ECONNABORTED\") return;\n if (err?.message === \"aborted\") return;\n console.error(\n `[agent-native] Server error: ${event.method} ${event.path}`,\n error,\n );\n },\n });\n\n // CORS middleware\n if (options.cors !== false) {\n const allowedOrigins = readCorsAllowedOrigins();\n const isProduction = process.env.NODE_ENV === \"production\";\n\n /**\n * When CORS_ALLOWED_ORIGINS is unset, production only allows trusted\n * localhost/native desktop origins. Development keeps the legacy \"echo\n * any origin\" behavior so local tools and docs previews keep working.\n */\n app.use(\n defineEventHandler((event) => {\n const requestOrigin = getRequestHeader(event, \"origin\");\n const method = getMethod(event);\n const requestedHeaders = String(\n getRequestHeader(event, \"access-control-request-headers\") ?? \"\",\n )\n .toLowerCase()\n .split(\",\")\n .map((header) => header.trim());\n const embedCorsRequest =\n isMcpEmbedCorsOrigin(requestOrigin) &&\n (requestedHeaders.includes(EMBED_TARGET_HEADER.toLowerCase()) ||\n Boolean(getRequestHeader(event, EMBED_TARGET_HEADER)) ||\n Boolean(getRequestHeader(event, \"authorization\")));\n\n /**\n * Decide whether the requesting origin is allowed. We never fall back\n * to \"the first allowlist entry\" when the origin isn't in the list —\n * that previously sent `Access-Control-Allow-Origin: <other-origin>`\n * with credentials enabled to attacker-controlled origins, which was\n * permissive enough that some clients followed through with the\n * credentialed request.\n */\n const allowedOrigin = embedCorsRequest\n ? requestOrigin\n : getAllowedCorsOrigin(requestOrigin, {\n allowedOrigins,\n allowAnyOriginWhenNoAllowlist: !isProduction,\n allowLocalhostWhenNoAllowlist: true,\n });\n // No origin header at all (same-origin fetch, server-to-server) and\n // no allowlist → fall through with `*`-equivalent behaviour: omit\n // ACAO entirely and let the browser apply its same-origin default.\n\n if (allowedOrigin) {\n setResponseHeader(\n event,\n \"Access-Control-Allow-Origin\",\n allowedOrigin,\n );\n setResponseHeader(event, \"Vary\", \"Origin\");\n // A specific origin means we can honor credentialed requests\n // (fetch with `credentials: \"include\"` — used by desktop tray\n // apps that share a same-site cookie with the web app). The\n // wildcard `*` is spec-incompatible with credentials, so only\n // set this when we're echoing a concrete origin.\n if (shouldAllowMcpEmbedCredentials(allowedOrigin)) {\n setResponseHeader(\n event,\n \"Access-Control-Allow-Credentials\",\n \"true\",\n );\n }\n } else if (!requestOrigin) {\n // No origin header — preserve the legacy permissive behaviour for\n // tools/scripts that hit the API directly (no credentialed CORS\n // semantics apply when there's no Origin).\n setResponseHeader(event, \"Access-Control-Allow-Origin\", \"*\");\n }\n\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n MCP_EMBED_CORS_ALLOW_HEADERS,\n );\n\n if (method === \"OPTIONS\") {\n // Reject preflights from disallowed cross-origin callers. We only\n // 204 if either (a) there was no Origin header (same-origin or\n // direct script invocation) or (b) the origin was in the allowlist\n // / dev fallback above. Otherwise we 403 so the browser surfaces\n // a hard CORS failure rather than blindly retrying with credentials.\n if (requestOrigin && !allowedOrigin) {\n return new Response(null, { status: 403 });\n }\n return new Response(null, { status: 204 });\n }\n }),\n );\n }\n\n const router = createRouter();\n app.use(router);\n\n // Health check\n if (!options.disablePing) {\n router.get(\n \"/_agent-native/ping\",\n defineEventHandler(() => {\n const message =\n options.pingMessage ?? process.env.PING_MESSAGE ?? \"pong\";\n return { message };\n }),\n );\n }\n\n // Env key management routes\n if (options.envKeys) {\n const envKeys = options.envKeys;\n\n router.get(\n \"/_agent-native/env-status\",\n defineEventHandler(() => {\n return envKeys.map((cfg) => ({\n key: cfg.key,\n label: cfg.label,\n required: cfg.required ?? false,\n configured: !!process.env[cfg.key],\n ...(cfg.helpText ? { helpText: cfg.helpText } : {}),\n }));\n }),\n );\n\n router.post(\n \"/_agent-native/env-vars\",\n defineEventHandler(async (event: H3Event) => {\n // Env vars are deployment-wide globals — see isEnvVarWriteAllowed\n // above. Disable the endpoint on any multi-tenant deploy.\n if (!isEnvVarWriteAllowed()) {\n setResponseStatus(event, 403);\n return {\n error:\n \"env-vars endpoint disabled on multi-tenant deployments. Use saveCredential(key, value, { userEmail, orgId, scope: 'org' }) to store per-org credentials.\",\n };\n }\n\n const body = await readBody(event);\n const { vars } = body as {\n vars?: Array<{ key: string; value: string }>;\n };\n\n if (!Array.isArray(vars) || vars.length === 0) {\n setResponseStatus(event, 400);\n return { error: \"vars array required\" };\n }\n\n // Only allow keys that are in the env config\n const allowedKeys = new Set(envKeys.map((k) => k.key));\n const blockedEnvVarWriteKeys = new Set<string>(BUILDER_ENV_KEYS);\n const filtered = vars.filter(\n (v) =>\n typeof v.key === \"string\" &&\n allowedKeys.has(v.key) &&\n !blockedEnvVarWriteKeys.has(v.key),\n );\n if (filtered.length === 0) {\n setResponseStatus(event, 400);\n return { error: \"No recognized env keys in request\" };\n }\n\n // Write to .env file\n const envPath = path.join(process.cwd(), \".env\");\n await upsertEnvFile(envPath, filtered);\n\n // Update process.env so the app picks up the new values immediately\n for (const { key, value } of filtered) {\n process.env[key] = value;\n }\n\n // Notify parent (Builder or frame) via postMessage\n agentEnv.setVars(filtered);\n\n return { saved: filtered.map((v) => v.key) };\n }),\n );\n }\n\n return { app, router };\n}\n"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agent-native/core",
3
- "version": "0.25.0",
3
+ "version": "0.26.0",
4
4
  "type": "module",
5
5
  "description": "Framework for agent-native application development — where AI agents and UI share state via files",
6
6
  "license": "MIT",
@@ -296,7 +296,6 @@
296
296
  "autoprefixer": "^10.4.21",
297
297
  "drizzle-kit": "^0.31.10",
298
298
  "express": "^5.2.1",
299
- "firebase-admin": "^13.0.0",
300
299
  "node-pty": "^1.1.0",
301
300
  "playwright": "^1.60.0",
302
301
  "react": "^19.2.5",