@agent-native/core 0.28.2 → 0.28.3

package/dist/templates/default/AGENTS.md

@@ -93,6 +93,7 @@ You do NOT get auto-injected screen state. **Call `pnpm action view-screen` at t
 - Use `db-exec UPDATE` only when no domain action exists and you need a small ad-hoc change.
 - Use `db-patch` when you only need to tweak a small slice of a **large** text/JSON column (documents, slide HTML, dashboard/form JSON). It saves tokens by sending `{find, replace}` instead of re-transmitting the whole column. Targets exactly one row per call — narrow `--where` by primary key. Supports `--edits '[{find,replace},...]'` for batch edits and `--all` for replace-every-occurrence.
 - If a template-specific action exists (e.g. `edit-document`, `update-slide`), prefer it — those also push live updates to any open collaborative editor.
+- **Database admin (dev only):** in development, `db-admin-query` / `db-admin-mutate` / `db-admin-rows` / `db-admin-tables` / `db-admin-schema` give **unscoped, full-database** access to ANY table — including framework tables and tables without `owner_email`/`org_id`. Prefer these over `db-exec`/`db-query` for database-admin work and for any non-owner-scoped table: `db-exec`/`db-query` auto-scope to the current user and return **0 rows** on unscoped tables. These mirror the in-app Database admin UI, so prompts and the UI do the same thing.
 
 ## Skills
 

package/docs/content/security.md

@@ -11,15 +11,16 @@ Agent-native apps are designed to be secure by default. The framework provides a
 
 The framework architecture prevents common vulnerabilities when you use the standard patterns:
 
-| Vulnerability   | Framework Protection                                            |
-| --------------- | --------------------------------------------------------------- |
-| SQL injection   | Parameterized queries in `db-query`/`db-exec` and Drizzle ORM   |
-| XSS             | React auto-escapes JSX; TipTap sanitizes rich text              |
-| Data leaks      | SQL-level scoping via temporary views (`owner_email`, `org_id`) |
-| Auth bypass     | Auth guard auto-protects all `defineAction` endpoints           |
-| Input injection | Zod schema validation in `defineAction`                         |
-| CSRF            | `SameSite=lax` + `httpOnly` cookies                             |
-| Secret exposure | `.env` files gitignored; OAuth tokens in dedicated store        |
+| Vulnerability   | Framework Protection                                                   |
+| --------------- | ---------------------------------------------------------------------- |
+| SQL injection   | Parameterized queries in `db-query`/`db-exec` and Drizzle ORM          |
+| XSS             | React auto-escapes JSX; TipTap sanitizes rich text                     |
+| Data leaks      | SQL-level scoping via temporary views (`owner_email`, `org_id`)        |
+| Auth bypass     | Auth guard auto-protects all `defineAction` endpoints                  |
+| Input injection | Zod schema validation in `defineAction`                                |
+| CSRF            | `SameSite=lax` + `httpOnly` cookies                                    |
+| Secret exposure | `.env` gitignored; credentials & vault encrypted at rest (AES-256-GCM) |
+| SSRF            | `ssrfSafeFetch` blocks internal/metadata targets + redirect rebinding  |
 
 ## Input Validation {#input-validation}
 
@@ -67,6 +68,18 @@ React auto-escapes all JSX expressions. Additional guidelines:
 - For rich text editing, use TipTap (framework dependency) — it sanitizes through its schema
 - For rendering markdown, use `react-markdown` — it converts to React elements safely
 
+## Server-Side Fetch (SSRF) {#ssrf}
+
+Any server-side `fetch` of a user- or agent-controlled URL must go through the framework SSRF guard, or it can be pointed at cloud metadata (`169.254.169.254`), `localhost`, or internal services:
+
+```typescript
+import { ssrfSafeFetch } from "@agent-native/core/extensions/url-safety";
+
+const res = await ssrfSafeFetch(userProvidedUrl, {}, { maxRedirects: 3 });
+```
+
+`ssrfSafeFetch` blocks private/internal targets, re-checks the resolved IP at connect time (DNS rebinding), and re-validates every redirect hop so a public URL can't redirect into the private network. The extension iframe proxy, `upload-image`, and the design-token importer all route through it. For a pre-flight-only check, use `isBlockedExtensionUrlWithDns(url)` with `redirect: "manual"`.
+
 ## Data Scoping {#data-scoping}
 
 In production, the framework automatically restricts agent SQL queries to the current user's data. This is enforced at the SQL level — agents cannot bypass it. This section is the canonical reference for the scoping pipeline; the [Authentication](/docs/authentication) and [Multi-Tenancy](/docs/multi-tenancy) docs link here for the mechanics.
@@ -106,6 +119,8 @@ CREATE TEMPORARY VIEW "notes" AS
 
 INSERT statements get `owner_email` auto-injected when the column isn't already present.
 
+The `db-query` / `db-exec` tools reject schema-qualified table references (`public.<table>`, `main.<table>`) — a qualified name resolves to the base table and would bypass the temporary view above. Agents use bare table names; scoping is applied automatically.
+
 ### Per-Org Scoping (`org_id`)
 
 For multi-user apps where teams share data, add an `org_id` column. When both columns are present, queries are scoped by both: `WHERE owner_email = ? AND org_id = ?`.
@@ -141,13 +156,17 @@ pnpm action db-check-scoping --require-org  # Also require org_id
 
 ## Secrets Management {#secrets}
 
-| Secret type                     | Where to store                               |
-| ------------------------------- | -------------------------------------------- |
-| API keys (OpenAI, Stripe, etc.) | `.env` file (gitignored, server-side only)   |
-| OAuth tokens (Google, GitHub)   | `oauth_tokens` store via `saveOAuthTokens()` |
-| Session tokens                  | Automatic (Better Auth handles this)         |
+| Secret type                        | Where to store                                             |
+| ---------------------------------- | ---------------------------------------------------------- |
+| Deploy-level keys (one per app)    | `.env` file (gitignored, server-side only)                 |
+| Per-user / per-org API keys        | `saveCredential` / `resolveCredential` (encrypted at rest) |
+| Registered secrets (sidebar vault) | `app_secrets` vault (encrypted at rest)                    |
+| OAuth tokens (Google, GitHub)      | `oauth_tokens` store via `saveOAuthTokens()`               |
+| Session tokens                     | Automatic (Better Auth handles this)                       |
+
+Per-user/per-org credentials and the vault are encrypted at rest with AES-256-GCM, keyed by `SECRETS_ENCRYPTION_KEY` (falling back to `BETTER_AUTH_SECRET`); production refuses to start without one. To encrypt any pre-existing plaintext credential rows in place, run `pnpm action db-migrate-encrypt-credentials` (idempotent, non-destructive).
 
-Never store secrets in `settings`, `application_state`, source code, or action responses.
+Never store secrets in `settings`, `application_state`, source code, or action responses. Use the credential / vault APIs above — they handle both encryption and per-user scoping.
 
 ## Authentication {#auth}
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agent-native/core",
-  "version": "0.28.2",
+  "version": "0.28.3",
   "type": "module",
   "engines": {
     "node": ">=22"
@@ -296,6 +296,7 @@
     "@types/react": "^19.2.14",
     "@types/ws": "^8.18.1",
     "@vitejs/plugin-react-swc": "^4.0.0",
+    "@vitest/coverage-v8": "4.1.5",
     "@xterm/addon-fit": "^0.11.0",
     "@xterm/addon-web-links": "^0.12.0",
     "@xterm/xterm": "^6.0.0",

package/src/templates/default/AGENTS.md

@@ -93,6 +93,7 @@ You do NOT get auto-injected screen state. **Call `pnpm action view-screen` at t
 - Use `db-exec UPDATE` only when no domain action exists and you need a small ad-hoc change.
 - Use `db-patch` when you only need to tweak a small slice of a **large** text/JSON column (documents, slide HTML, dashboard/form JSON). It saves tokens by sending `{find, replace}` instead of re-transmitting the whole column. Targets exactly one row per call — narrow `--where` by primary key. Supports `--edits '[{find,replace},...]'` for batch edits and `--all` for replace-every-occurrence.
 - If a template-specific action exists (e.g. `edit-document`, `update-slide`), prefer it — those also push live updates to any open collaborative editor.
+- **Database admin (dev only):** in development, `db-admin-query` / `db-admin-mutate` / `db-admin-rows` / `db-admin-tables` / `db-admin-schema` give **unscoped, full-database** access to ANY table — including framework tables and tables without `owner_email`/`org_id`. Prefer these over `db-exec`/`db-query` for database-admin work and for any non-owner-scoped table: `db-exec`/`db-query` auto-scope to the current user and return **0 rows** on unscoped tables. These mirror the in-app Database admin UI, so prompts and the UI do the same thing.
 
 ## Skills