@agent-native/core 0.26.5 → 0.26.7

package/dist/shared/mcp-embed-headers.d.ts

@@ -1,6 +1,7 @@
 export declare const MCP_EMBED_CORS_ALLOW_HEADERS = "Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF,X-User-Timezone,X-Agent-Native-Embed-Target,X-Agent-Native-Embed-Transplant";
 export declare const EMBED_TRANSPLANT_HEADER = "x-agent-native-embed-transplant";
 export declare function isClaudeMcpContentOrigin(origin: string | null | undefined): boolean;
+export declare function isChatGptMcpSandboxOrigin(origin: string | null | undefined): boolean;
 export declare function isMcpEmbedCorsOrigin(origin: string | null | undefined): boolean;
 export declare function shouldAllowMcpEmbedCredentials(origin: string | null | undefined): boolean;
 export declare const MCP_EMBED_STATIC_ASSET_HEADERS: {

package/dist/shared/mcp-embed-headers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-embed-headers.d.ts","sourceRoot":"","sources":["../../src/shared/mcp-embed-headers.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,4BAA4B,iKACuH,CAAC;AACjK,eAAO,MAAM,uBAAuB,oCAAoC,CAAC;AAIzE,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAChC,OAAO,CAUT;AAED,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAChC,OAAO,CAET;AAED,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAChC,OAAO,CAET;AAED,eAAO,MAAM,8BAA8B;;;CAGjC,CAAC;AAoBX,wBAAgB,6BAA6B,CAC3C,QAAQ,CAAC,EAAE,MAAM,GAChB,MAAM,CAAC,MAAM,EAAE;IAAE,OAAO,EAAE,OAAO,8BAA8B,CAAA;CAAE,CAAC,CAapE"}
+{"version":3,"file":"mcp-embed-headers.d.ts","sourceRoot":"","sources":["../../src/shared/mcp-embed-headers.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,4BAA4B,iKACuH,CAAC;AACjK,eAAO,MAAM,uBAAuB,oCAAoC,CAAC;AAMzE,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAChC,OAAO,CAUT;AAED,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAChC,OAAO,CAWT;AAED,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAChC,OAAO,CAMT;AAED,wBAAgB,8BAA8B,CAC5C,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAChC,OAAO,CAMT;AAED,eAAO,MAAM,8BAA8B;;;CAGjC,CAAC;AAoBX,wBAAgB,6BAA6B,CAC3C,QAAQ,CAAC,EAAE,MAAM,GAChB,MAAM,CAAC,MAAM,EAAE;IAAE,OAAO,EAAE,OAAO,8BAA8B,CAAA;CAAE,CAAC,CAapE"}

package/dist/shared/mcp-embed-headers.js

@@ -1,6 +1,7 @@
 export const MCP_EMBED_CORS_ALLOW_HEADERS = "Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF,X-User-Timezone,X-Agent-Native-Embed-Target,X-Agent-Native-Embed-Transplant";
 export const EMBED_TRANSPLANT_HEADER = "x-agent-native-embed-transplant";
 const CLAUDE_MCP_CONTENT_HOST_RE = /^[a-f0-9]{32}\.claudemcpcontent\.com$/i;
+const CHATGPT_MCP_SANDBOX_HOST_RE = /^[^.]+\.web-sandbox\.oaiusercontent\.com$/i;
 export function isClaudeMcpContentOrigin(origin) {
     if (!origin)
         return false;
@@ -12,11 +13,27 @@ export function isClaudeMcpContentOrigin(origin) {
         return false;
     }
 }
+export function isChatGptMcpSandboxOrigin(origin) {
+    if (!origin)
+        return false;
+    try {
+        const url = new URL(origin);
+        return (url.protocol === "https:" &&
+            CHATGPT_MCP_SANDBOX_HOST_RE.test(url.hostname));
+    }
+    catch {
+        return false;
+    }
+}
 export function isMcpEmbedCorsOrigin(origin) {
-    return origin === "null" || isClaudeMcpContentOrigin(origin);
+    return (origin === "null" ||
+        isClaudeMcpContentOrigin(origin) ||
+        isChatGptMcpSandboxOrigin(origin));
 }
 export function shouldAllowMcpEmbedCredentials(origin) {
-    return origin !== "null" && !isClaudeMcpContentOrigin(origin);
+    return (origin !== "null" &&
+        !isClaudeMcpContentOrigin(origin) &&
+        !isChatGptMcpSandboxOrigin(origin));
 }
 export const MCP_EMBED_STATIC_ASSET_HEADERS = {
     "Access-Control-Allow-Origin": "*",

package/dist/shared/mcp-embed-headers.js.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-embed-headers.js","sourceRoot":"","sources":["../../src/shared/mcp-embed-headers.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,4BAA4B,GACvC,8JAA8J,CAAC;AACjK,MAAM,CAAC,MAAM,uBAAuB,GAAG,iCAAiC,CAAC;AAEzE,MAAM,0BAA0B,GAAG,wCAAwC,CAAC;AAE5E,MAAM,UAAU,wBAAwB,CACtC,MAAiC;IAEjC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5B,OAAO,CACL,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,0BAA0B,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC3E,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,MAAiC;IAEjC,OAAO,MAAM,KAAK,MAAM,IAAI,wBAAwB,CAAC,MAAM,CAAC,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,8BAA8B,CAC5C,MAAiC;IAEjC,OAAO,MAAM,KAAK,MAAM,IAAI,CAAC,wBAAwB,CAAC,MAAM,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,CAAC,MAAM,8BAA8B,GAAG;IAC5C,6BAA6B,EAAE,GAAG;IAClC,8BAA8B,EAAE,cAAc;CACtC,CAAC;AAEX,MAAM,qBAAqB,GAAG;IAC5B,YAAY;IACZ,cAAc;IACd,cAAc;IACd,gBAAgB;IAChB,aAAa;IACb,qBAAqB;IACrB,qBAAqB;CACtB,CAAC;AAEF,SAAS,iBAAiB,CAAC,QAA4B;IACrD,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,IAAI,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACrC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QACzB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,QAAiB;IAEjB,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,KAAK,GAGP,EAAE,CAAC;IACP,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC5C,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;QAC7D,IAAI,IAAI,EAAE,CAAC;YACT,KAAK,CAAC,GAAG,IAAI,GAAG,OAAO,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;QAC3E,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["export const MCP_EMBED_CORS_ALLOW_HEADERS =\n  \"Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF,X-User-Timezone,X-Agent-Native-Embed-Target,X-Agent-Native-Embed-Transplant\";\nexport const EMBED_TRANSPLANT_HEADER = \"x-agent-native-embed-transplant\";\n\nconst CLAUDE_MCP_CONTENT_HOST_RE = /^[a-f0-9]{32}\\.claudemcpcontent\\.com$/i;\n\nexport function isClaudeMcpContentOrigin(\n  origin: string | null | undefined,\n): boolean {\n  if (!origin) return false;\n  try {\n    const url = new URL(origin);\n    return (\n      url.protocol === \"https:\" && CLAUDE_MCP_CONTENT_HOST_RE.test(url.hostname)\n    );\n  } catch {\n    return false;\n  }\n}\n\nexport function isMcpEmbedCorsOrigin(\n  origin: string | null | undefined,\n): boolean {\n  return origin === \"null\" || isClaudeMcpContentOrigin(origin);\n}\n\nexport function shouldAllowMcpEmbedCredentials(\n  origin: string | null | undefined,\n): boolean {\n  return origin !== \"null\" && !isClaudeMcpContentOrigin(origin);\n}\n\nexport const MCP_EMBED_STATIC_ASSET_HEADERS = {\n  \"Access-Control-Allow-Origin\": \"*\",\n  \"Cross-Origin-Resource-Policy\": \"cross-origin\",\n} as const;\n\nconst STATIC_ASSET_PATTERNS = [\n  \"/assets/**\",\n  \"/favicon.ico\",\n  \"/favicon.svg\",\n  \"/manifest.json\",\n  \"/icon-*.svg\",\n  \"/agent-native-*.svg\",\n  \"/library-presets/**\",\n];\n\nfunction normalizeBasePath(basePath: string | undefined): string {\n  const base = (basePath ?? \"\").trim();\n  if (!base || base === \"/\") return \"\";\n  return base.startsWith(\"/\")\n    ? base.replace(/\\/+$/g, \"\")\n    : `/${base.replace(/\\/+$/g, \"\")}`;\n}\n\nexport function mcpEmbedStaticAssetRouteRules(\n  basePath?: string,\n): Record<string, { headers: typeof MCP_EMBED_STATIC_ASSET_HEADERS }> {\n  const base = normalizeBasePath(basePath);\n  const rules: Record<\n    string,\n    { headers: typeof MCP_EMBED_STATIC_ASSET_HEADERS }\n  > = {};\n  for (const pattern of STATIC_ASSET_PATTERNS) {\n    rules[pattern] = { headers: MCP_EMBED_STATIC_ASSET_HEADERS };\n    if (base) {\n      rules[`${base}${pattern}`] = { headers: MCP_EMBED_STATIC_ASSET_HEADERS };\n    }\n  }\n  return rules;\n}\n"]}
+{"version":3,"file":"mcp-embed-headers.js","sourceRoot":"","sources":["../../src/shared/mcp-embed-headers.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,4BAA4B,GACvC,8JAA8J,CAAC;AACjK,MAAM,CAAC,MAAM,uBAAuB,GAAG,iCAAiC,CAAC;AAEzE,MAAM,0BAA0B,GAAG,wCAAwC,CAAC;AAC5E,MAAM,2BAA2B,GAC/B,4CAA4C,CAAC;AAE/C,MAAM,UAAU,wBAAwB,CACtC,MAAiC;IAEjC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5B,OAAO,CACL,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,0BAA0B,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC3E,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,MAAiC;IAEjC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC5B,OAAO,CACL,GAAG,CAAC,QAAQ,KAAK,QAAQ;YACzB,2BAA2B,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAC/C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,MAAiC;IAEjC,OAAO,CACL,MAAM,KAAK,MAAM;QACjB,wBAAwB,CAAC,MAAM,CAAC;QAChC,yBAAyB,CAAC,MAAM,CAAC,CAClC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,8BAA8B,CAC5C,MAAiC;IAEjC,OAAO,CACL,MAAM,KAAK,MAAM;QACjB,CAAC,wBAAwB,CAAC,MAAM,CAAC;QACjC,CAAC,yBAAyB,CAAC,MAAM,CAAC,CACnC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,8BAA8B,GAAG;IAC5C,6BAA6B,EAAE,GAAG;IAClC,8BAA8B,EAAE,cAAc;CACtC,CAAC;AAEX,MAAM,qBAAqB,GAAG;IAC5B,YAAY;IACZ,cAAc;IACd,cAAc;IACd,gBAAgB;IAChB,aAAa;IACb,qBAAqB;IACrB,qBAAqB;CACtB,CAAC;AAEF,SAAS,iBAAiB,CAAC,QAA4B;IACrD,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,IAAI,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACrC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QACzB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,6BAA6B,CAC3C,QAAiB;IAEjB,MAAM,IAAI,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,KAAK,GAGP,EAAE,CAAC;IACP,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC5C,KAAK,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;QAC7D,IAAI,IAAI,EAAE,CAAC;YACT,KAAK,CAAC,GAAG,IAAI,GAAG,OAAO,EAAE,CAAC,GAAG,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;QAC3E,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["export const MCP_EMBED_CORS_ALLOW_HEADERS =\n  \"Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF,X-User-Timezone,X-Agent-Native-Embed-Target,X-Agent-Native-Embed-Transplant\";\nexport const EMBED_TRANSPLANT_HEADER = \"x-agent-native-embed-transplant\";\n\nconst CLAUDE_MCP_CONTENT_HOST_RE = /^[a-f0-9]{32}\\.claudemcpcontent\\.com$/i;\nconst CHATGPT_MCP_SANDBOX_HOST_RE =\n  /^[^.]+\\.web-sandbox\\.oaiusercontent\\.com$/i;\n\nexport function isClaudeMcpContentOrigin(\n  origin: string | null | undefined,\n): boolean {\n  if (!origin) return false;\n  try {\n    const url = new URL(origin);\n    return (\n      url.protocol === \"https:\" && CLAUDE_MCP_CONTENT_HOST_RE.test(url.hostname)\n    );\n  } catch {\n    return false;\n  }\n}\n\nexport function isChatGptMcpSandboxOrigin(\n  origin: string | null | undefined,\n): boolean {\n  if (!origin) return false;\n  try {\n    const url = new URL(origin);\n    return (\n      url.protocol === \"https:\" &&\n      CHATGPT_MCP_SANDBOX_HOST_RE.test(url.hostname)\n    );\n  } catch {\n    return false;\n  }\n}\n\nexport function isMcpEmbedCorsOrigin(\n  origin: string | null | undefined,\n): boolean {\n  return (\n    origin === \"null\" ||\n    isClaudeMcpContentOrigin(origin) ||\n    isChatGptMcpSandboxOrigin(origin)\n  );\n}\n\nexport function shouldAllowMcpEmbedCredentials(\n  origin: string | null | undefined,\n): boolean {\n  return (\n    origin !== \"null\" &&\n    !isClaudeMcpContentOrigin(origin) &&\n    !isChatGptMcpSandboxOrigin(origin)\n  );\n}\n\nexport const MCP_EMBED_STATIC_ASSET_HEADERS = {\n  \"Access-Control-Allow-Origin\": \"*\",\n  \"Cross-Origin-Resource-Policy\": \"cross-origin\",\n} as const;\n\nconst STATIC_ASSET_PATTERNS = [\n  \"/assets/**\",\n  \"/favicon.ico\",\n  \"/favicon.svg\",\n  \"/manifest.json\",\n  \"/icon-*.svg\",\n  \"/agent-native-*.svg\",\n  \"/library-presets/**\",\n];\n\nfunction normalizeBasePath(basePath: string | undefined): string {\n  const base = (basePath ?? \"\").trim();\n  if (!base || base === \"/\") return \"\";\n  return base.startsWith(\"/\")\n    ? base.replace(/\\/+$/g, \"\")\n    : `/${base.replace(/\\/+$/g, \"\")}`;\n}\n\nexport function mcpEmbedStaticAssetRouteRules(\n  basePath?: string,\n): Record<string, { headers: typeof MCP_EMBED_STATIC_ASSET_HEADERS }> {\n  const base = normalizeBasePath(basePath);\n  const rules: Record<\n    string,\n    { headers: typeof MCP_EMBED_STATIC_ASSET_HEADERS }\n  > = {};\n  for (const pattern of STATIC_ASSET_PATTERNS) {\n    rules[pattern] = { headers: MCP_EMBED_STATIC_ASSET_HEADERS };\n    if (base) {\n      rules[`${base}${pattern}`] = { headers: MCP_EMBED_STATIC_ASSET_HEADERS };\n    }\n  }\n  return rules;\n}\n"]}

package/dist/vite/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/vite/client.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAU,UAAU,EAAE,MAAM,MAAM,CAAC;AAmZ/C,MAAM,WAAW,YAAY;IAC3B,sGAAsG;IACtG,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6DAA6D;IAC7D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oEAAoE;IACpE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4CAA4C;IAC5C,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,yCAAyC;IACzC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,YAAY,CAAC,EAAE,WAAW,CAAC,WAAW,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC;IAC9E,oGAAoG;IACpG,QAAQ,CAAC,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;IAClC,8BAA8B;IAC9B,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;IAChB,iDAAiD;IACjD,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,+BAA+B;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,iDAAiD;IACjD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gCAAgC;IAChC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,kCAAkC;IAClC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,iDAAiD;IACjD,YAAY,CAAC,EAAE,WAAW,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC;IACvD;;;;OAIG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;;;;;;;;;;;OAcG;IACH,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjD;AAyPD,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,IAAI,EAAE,MAAM,GAAG,SAAS,GACvB,MAAM,GAAG,SAAS,CAMpB;AAED,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,GAAG,SAAS,GACvB,OAAO,CAWT;AA6KD;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,OAAO,GAAE,mBAAwB,GAAG,UAAU,CAkQ1E"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/vite/client.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAU,UAAU,EAAE,MAAM,MAAM,CAAC;AAyZ/C,MAAM,WAAW,YAAY;IAC3B,sGAAsG;IACtG,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6DAA6D;IAC7D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oEAAoE;IACpE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4CAA4C;IAC5C,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,yCAAyC;IACzC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,6DAA6D;IAC7D,YAAY,CAAC,EAAE,WAAW,CAAC,WAAW,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC;IAC9E,oGAAoG;IACpG,QAAQ,CAAC,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;IAClC,8BAA8B;IAC9B,OAAO,CAAC,EAAE,GAAG,EAAE,CAAC;IAChB,iDAAiD;IACjD,KAAK,CAAC,EAAE,YAAY,CAAC;IACrB,+BAA+B;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,iDAAiD;IACjD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,gCAAgC;IAChC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,kCAAkC;IAClC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,iDAAiD;IACjD,YAAY,CAAC,EAAE,WAAW,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC,CAAC;IACvD;;;;OAIG;IACH,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB;;;;;;;;;;;;;;OAcG;IACH,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB;;;;;;;;OAQG;IACH,WAAW,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjD;AA6XD,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,IAAI,EAAE,MAAM,GAAG,SAAS,GACvB,MAAM,GAAG,SAAS,CAMpB;AAED,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,GAAG,SAAS,GACvB,OAAO,CAWT;AA6KD;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,OAAO,GAAE,mBAAwB,GAAG,UAAU,CAkQ1E"}

package/dist/vite/client.js

@@ -6,6 +6,8 @@ import { actionTypesPlugin } from "./action-types-plugin.js";
 import { agentsBundlePlugin } from "./agents-bundle-plugin.js";
 import { findWorkspaceRoot } from "../scripts/utils.js";
 import { getViteDevRecoveryScript } from "../client/vite-dev-recovery-script.js";
+import { verifyEmbedSessionToken } from "../server/embed-session.js";
+import { EMBED_SESSION_COOKIE, EMBED_TOKEN_QUERY_PARAM, MCP_APP_CHAT_BRIDGE_QUERY_PARAM, } from "../shared/embed-auth.js";
 import { isMcpEmbedCorsOrigin, MCP_EMBED_CORS_ALLOW_HEADERS, MCP_EMBED_STATIC_ASSET_HEADERS, mcpEmbedStaticAssetRouteRules, } from "../shared/mcp-embed-headers.js";
 import { fileURLToPath } from "url";
 const require = createRequire(import.meta.url);
@@ -449,6 +451,9 @@ function baseRedirectGuard() {
                         // original path so the normal dev-server error handling applies.
                     }
                 }
+                if (serveMountedEmbedRuntimeModule(server, req, res, base)) {
+                    return;
+                }
                 req.url = stripMountedDevApiPath(req.url, base);
                 if (req.method === "HEAD" &&
                     req.url &&
@@ -466,6 +471,125 @@ function baseRedirectGuard() {
         },
     };
 }
+const VITE_RUNTIME_PATH_PREFIXES = [
+    "/@fs/",
+    "/@id/",
+    "/@vite/",
+    "/app/",
+    "/node_modules/",
+    "/packages/",
+    "/src/",
+];
+function cookieValue(req, name) {
+    const header = req.headers.cookie;
+    if (typeof header !== "string" || !header)
+        return undefined;
+    for (const part of header.split(";")) {
+        const index = part.indexOf("=");
+        if (index < 0)
+            continue;
+        const key = part.slice(0, index).trim();
+        if (key !== name)
+            continue;
+        try {
+            return decodeURIComponent(part.slice(index + 1).trim());
+        }
+        catch {
+            return part.slice(index + 1).trim();
+        }
+    }
+    return undefined;
+}
+function hasValidEmbedRuntimeToken(req) {
+    try {
+        const url = new URL(req.url ?? "/", "http://agent-native.local");
+        const queryToken = url.searchParams.get(EMBED_TOKEN_QUERY_PARAM);
+        const cookieToken = cookieValue(req, EMBED_SESSION_COOKIE);
+        return [queryToken, cookieToken].some((token) => verifyEmbedSessionToken(token).ok);
+    }
+    catch {
+        return false;
+    }
+}
+function mountedEmbedRuntimeModuleUrl(reqUrl, base) {
+    if (!reqUrl || !base || base === "/")
+        return null;
+    const normalizedBase = base.endsWith("/") ? base : `${base}/`;
+    if (!reqUrl.startsWith(normalizedBase))
+        return null;
+    const runtimeUrl = reqUrl.slice(normalizedBase.length - 1) || "/";
+    let url;
+    try {
+        url = new URL(runtimeUrl, "http://agent-native.local");
+    }
+    catch {
+        return null;
+    }
+    if (!VITE_RUNTIME_PATH_PREFIXES.some((prefix) => url.pathname.startsWith(prefix))) {
+        return null;
+    }
+    url.searchParams.delete(EMBED_TOKEN_QUERY_PARAM);
+    url.searchParams.delete(MCP_APP_CHAT_BRIDGE_QUERY_PARAM);
+    return `${url.pathname}${url.search}${url.hash}`;
+}
+function virtualModuleIdFromRuntimeUrl(runtimeUrl) {
+    try {
+        const pathname = new URL(runtimeUrl, "http://agent-native.local").pathname;
+        const prefix = "/@id/__x00__";
+        if (!pathname.startsWith(prefix))
+            return null;
+        return `\0${decodeURIComponent(pathname.slice(prefix.length))}`;
+    }
+    catch {
+        return null;
+    }
+}
+async function loadMountedEmbedRuntimeModule(server, runtimeUrl) {
+    const virtualId = virtualModuleIdFromRuntimeUrl(runtimeUrl);
+    if (virtualId) {
+        const loaded = await server.pluginContainer?.load?.(virtualId);
+        if (typeof loaded === "string")
+            return loaded;
+        if (loaded && typeof loaded.code === "string")
+            return loaded.code;
+    }
+    const result = await server.transformRequest(runtimeUrl);
+    return result?.code ?? null;
+}
+function serveMountedEmbedRuntimeModule(server, req, res, base) {
+    if (req.method !== "GET" && req.method !== "HEAD")
+        return false;
+    if (!hasValidEmbedRuntimeToken(req))
+        return false;
+    const runtimeUrl = mountedEmbedRuntimeModuleUrl(req.url, base);
+    if (!runtimeUrl)
+        return false;
+    void loadMountedEmbedRuntimeModule(server, runtimeUrl)
+        .then((code) => {
+        if (!code) {
+            if (!res.headersSent) {
+                res.statusCode = 404;
+                res.end();
+            }
+            return;
+        }
+        res.statusCode = 200;
+        res.setHeader("content-type", "text/javascript");
+        if (req.method === "HEAD") {
+            res.end();
+            return;
+        }
+        res.end(code);
+    })
+        .catch((err) => {
+        if (res.headersSent)
+            return;
+        res.statusCode = 500;
+        res.setHeader("content-type", "text/plain");
+        res.end(err instanceof Error ? err.message : String(err));
+    });
+    return true;
+}
 function embedDevFrameHeaders() {
     return {
         name: "agent-native-embed-dev-frame-headers",