@agent-native/core 0.31.2 → 0.32.1

package/dist/deploy/build.js

@@ -22,10 +22,10 @@ import { getWorkspaceCoreExports, } from "./workspace-core.js";
 import { generateActionRegistryForProject } from "../vite/action-types-plugin.js";
 import { mcpEmbedStaticAssetRouteRules } from "../shared/mcp-embed-headers.js";
 import { AGENT_NATIVE_DEFAULT_SOCIAL_IMAGE } from "../shared/social-meta.js";
+import { DEFAULT_SPECULATION_RULES_PATH, DEFAULT_SSR_CACHE_CONTROL, } from "../shared/cache-control.js";
 import { collectImmutableAssetPaths, IMMUTABLE_ASSET_CACHE_CONTROL, IMMUTABLE_ASSET_CACHE_HEADERS, prefixAssetPath, } from "./immutable-assets.js";
 const cwd = process.cwd();
 const preset = process.env.NITRO_PRESET || "node";
-const DEFAULT_SSR_CACHE_CONTROL = "public, max-age=5, stale-while-revalidate=604800, stale-if-error=3600";
 function normalizeConfiguredAppBasePath() {
     const raw = process.env.VITE_APP_BASE_PATH || process.env.APP_BASE_PATH;
     if (!raw || raw === "/")
@@ -49,6 +49,31 @@ function isNodeOnlyPlugin(filePath) {
     const basename = path.basename(filePath, path.extname(filePath));
     return NODE_ONLY_PLUGINS.has(basename);
 }
+export function generateProvidedPluginsNitroPluginSource(pluginStems) {
+    const stems = [...new Set(pluginStems.filter(Boolean))].sort();
+    return `// AUTO-GENERATED by @agent-native/core deploy build
+import { markDefaultPluginProvided } from "@agent-native/core/server";
+
+const pluginStems = ${JSON.stringify(stems)};
+
+export default function markBuildDiscoveredPlugins(nitroApp) {
+  for (const stem of pluginStems) {
+    markDefaultPluginProvided(nitroApp, stem);
+  }
+}
+`;
+}
+async function writeProvidedPluginsNitroPlugin() {
+    const plugins = await discoverPlugins(cwd);
+    const stems = plugins.map((plugin) => path.basename(plugin, path.extname(plugin)));
+    if (stems.length === 0)
+        return null;
+    const tmpDir = path.join(cwd, ".deploy-tmp");
+    fs.mkdirSync(tmpDir, { recursive: true });
+    const pluginPath = path.join(tmpDir, "agent-native-provided-plugins.mjs");
+    fs.writeFileSync(pluginPath, generateProvidedPluginsNitroPluginSource(stems));
+    return pluginPath;
+}
 function addImmutableAssetRouteRule(routeRules, pathname) {
     const existing = routeRules[pathname] ?? {};
     routeRules[pathname] = {
@@ -77,7 +102,7 @@ export function addImmutableAssetRouteRulesForClientBuild(routeRules, clientDir,
  * `@agent-native/core/server`. This is the middle layer of the three-layer
  * inheritance model: app local > workspace core > framework default.
  */
-export function generateWorkerEntry(routes, pluginPaths, defaultPluginStems = [], actions = [], workspaceCore = null, immutableAssetPaths = []) {
+export function generateWorkerEntry(routes, pluginPaths, defaultPluginStems = [], actions = [], workspaceCore = null, immutableAssetPaths = [], builtAppBasePath = normalizeConfiguredAppBasePath()) {
     const routeImports = [];
     const routeRegistrations = [];
     for (let i = 0; i < routes.length; i++) {
@@ -126,8 +151,10 @@ export function generateWorkerEntry(routes, pluginPaths, defaultPluginStems = []
     const edgePlugins = pluginPaths.filter((p) => !isNodeOnlyPlugin(p));
     const pluginImports = [];
     const pluginCalls = [];
+    const providedPluginStems = new Set();
     for (let i = 0; i < edgePlugins.length; i++) {
         const varName = `plugin_${i}`;
+        providedPluginStems.add(path.basename(edgePlugins[i], path.extname(edgePlugins[i])));
         pluginImports.push(`import ${varName} from ${JSON.stringify(edgePlugins[i])};`);
         pluginCalls.push(`  if (typeof ${varName} === "function") {
     await ${varName}(nitroApp);
@@ -139,6 +166,7 @@ export function generateWorkerEntry(routes, pluginPaths, defaultPluginStems = []
     const edgeDefaultStems = defaultPluginStems.filter((stem) => !NODE_ONLY_PLUGINS.has(stem));
     for (let i = 0; i < edgeDefaultStems.length; i++) {
         const stem = edgeDefaultStems[i];
+        providedPluginStems.add(stem);
         const varName = `defaultPlugin_${i}`;
         const workspaceExportName = workspaceCore?.plugins?.[stem];
         if (workspaceCore && workspaceExportName) {
@@ -156,6 +184,17 @@ export function generateWorkerEntry(routes, pluginPaths, defaultPluginStems = []
     await ${varName}(nitroApp);
   }`);
     }
+    const generatedPluginMarks = providedPluginStems.size > 0
+        ? [
+            ...new Set([
+                ...Object.keys(DEFAULT_PLUGIN_REGISTRY),
+                ...providedPluginStems,
+            ]),
+        ]
+        : [];
+    if (generatedPluginMarks.length > 0) {
+        pluginImports.unshift(`import { markDefaultPluginProvided as markGeneratedPluginProvided } from "@agent-native/core/server";`);
+    }
     return `
 // Auto-generated worker entry point for ${preset}
 import { H3, defineEventHandler, readBody, toResponse } from "h3";
@@ -170,9 +209,11 @@ function normalizeAppBasePath(value) {
 }
 
 function getAppBasePath() {
+  const builtAppBasePath = ${JSON.stringify(builtAppBasePath)};
   return normalizeAppBasePath(
     globalThis.process?.env?.VITE_APP_BASE_PATH ||
-      globalThis.process?.env?.APP_BASE_PATH,
+      globalThis.process?.env?.APP_BASE_PATH ||
+      builtAppBasePath,
   );
 }
 
@@ -283,6 +324,7 @@ function injectHeadScript(html, script) {
 }
 
 const DEFAULT_SSR_CACHE_CONTROL = ${JSON.stringify(DEFAULT_SSR_CACHE_CONTROL)};
+const DEFAULT_SPECULATION_RULES_PATH = ${JSON.stringify(DEFAULT_SPECULATION_RULES_PATH)};
 const IMMUTABLE_ASSET_CACHE_CONTROL = ${JSON.stringify(IMMUTABLE_ASSET_CACHE_CONTROL)};
 const IMMUTABLE_ASSET_PATHS = new Set(${JSON.stringify([...new Set(immutableAssetPaths)].sort())});
 const AGENT_NATIVE_DEFAULT_SOCIAL_IMAGE = ${JSON.stringify(AGENT_NATIVE_DEFAULT_SOCIAL_IMAGE)};
@@ -312,50 +354,54 @@ function injectDefaultSocialImageMeta(html) {
   return html.slice(0, headCloseIdx) + tags.join("") + html.slice(headCloseIdx);
 }
 
-const ANONYMOUS_SESSION_COOKIE_NAMES = new Set(["an_docs_session"]);
-const AUTH_SESSION_COOKIE_RE = /^(?:an_session(?:_[^=;]+)?|an_embed_session|[^=;]+\\.session_(?:token|data))$/;
-
-function requestHasAuthenticatedCookie(cookieHeader) {
-  if (!cookieHeader) return false;
-  return cookieHeader
-    .split(";")
-    .map((cookie) => cookie.trim().split("=", 1)[0]?.trim())
-    .filter(Boolean)
-    .map((name) => name.replace(/^__(?:Secure|Host)-/, ""))
-    .some((name) => !ANONYMOUS_SESSION_COOKIE_NAMES.has(name) && AUTH_SESSION_COOKIE_RE.test(name));
-}
-
-function requestHasAuthSignal(request) {
-  const url = new URL(request.url);
-  return Boolean(
-    request.headers.get("authorization") ||
-    requestHasAuthenticatedCookie(request.headers.get("cookie")) ||
-    url.searchParams.has("__an_embed_token") ||
-    url.searchParams.has("_session")
-  );
-}
-
-function shouldUseDefaultSsrCacheHeader(headers, status, pathname, hasAuthSignal) {
+function shouldUseDefaultSsrCacheHeader(headers, status, pathname) {
   if (status < 200 || status >= 400) return false;
 
   const contentType = (headers.get("content-type") || "").toLowerCase();
   if (contentType.includes("text/html")) {
-    return !headers.has("cache-control");
+    // SSR HTML is public app shell in this framework; any per-user state is
+    // fetched after hydration. Always enforce the framework SWR default here;
+    // route-level no-cache/private headers on SSR HTML recreate the same
+    // origin stampede this cache policy is meant to prevent.
+    return true;
   }
 
   if (!pathname.endsWith(".data")) return false;
-  if (hasAuthSignal) return false;
   if (!contentType.includes("text/x-script")) return false;
 
-  const cacheControl = headers.get("cache-control");
-  return !cacheControl || cacheControl.trim().toLowerCase() === "no-cache";
+  // React Router marks loader .data responses no-cache by default. Agent-Native
+  // SSR is public app shell, even for browsers carrying auth-looking cookies;
+  // user/org-specific data is loaded client-side through actions/API routes
+  // after hydration. Keep .data on the same SWR policy as HTML so normal route
+  // data fetches fill CDN cache instead of bypassing it and slamming origin.
+  // Do not re-add a blanket auth-signal bypass here; logged-in browsers still
+  // need CDN-cached public route data. Worker SSR does not populate
+  // getRequestUserEmail()/accessFilter() context for private loaders, and
+  // Node/H3 has an auth-context access guard for older loaders that still do.
+  // Also do not preserve route-level private/no-store for React Router .data:
+  // if a route needs per-user data, it belongs behind a client-side action/API
+  // call rather than in the shared SSR payload.
+  return true;
 }
 
-function applyDefaultSsrCacheHeader(headers, status, pathname, hasAuthSignal) {
-  if (!shouldUseDefaultSsrCacheHeader(headers, status, pathname, hasAuthSignal)) return;
+function applyDefaultSsrCacheHeader(headers, status, pathname) {
+  if (!shouldUseDefaultSsrCacheHeader(headers, status, pathname)) return;
   headers.set("cache-control", DEFAULT_SSR_CACHE_CONTROL);
 }
 
+function applyDefaultSpeculationRulesHeader(headers, status, basePath) {
+  if (status < 200 || status >= 400) return;
+  if (headers.has("speculation-rules")) return;
+
+  const contentType = (headers.get("content-type") || "").toLowerCase();
+  if (!contentType.includes("text/html")) return;
+
+  // Cloudflare Speed Brain injects Speculation-Rules when origin omits this
+  // header. Those browser prefetches carry Sec-Purpose: prefetch and
+  // Cloudflare can return 503 before the request reaches origin. Publish an
+  // explicit no-op ruleset by default; apps can still provide their own header.
+  headers.set("speculation-rules", '"' + prefixMountedPath(DEFAULT_SPECULATION_RULES_PATH, basePath) + '"');
+}
 function isImmutableAssetRequest(request) {
   const pathname = stripAppBasePath(new URL(request.url).pathname);
   return IMMUTABLE_ASSET_PATHS.has(pathname);
@@ -376,10 +422,11 @@ function applyImmutableAssetCacheHeaders(response, request) {
   });
 }
 
-async function rewriteMountedResponse(response, basePath, pathname, hasAuthSignal) {
+async function rewriteMountedResponse(response, basePath, pathname) {
   const sentryClientConfigScript = getSentryClientConfigScript();
   const headers = new Headers(response.headers);
-  applyDefaultSsrCacheHeader(headers, response.status, pathname, hasAuthSignal);
+  applyDefaultSsrCacheHeader(headers, response.status, pathname);
+  applyDefaultSpeculationRulesHeader(headers, response.status, basePath);
 
   const location = headers.get("location");
   if (location?.startsWith("/") && !location.startsWith("//")) {
@@ -466,6 +513,12 @@ async function getHandler() {
 
   // Run plugins — they call getH3App(nitroApp).use(path, handler) which
   // pushes path-prefix middleware onto app["~middleware"].
+  // Pre-mark every build-time plugin slot before any plugin awaits the runtime
+  // default bootstrap. Bundled serverless workers often lack server/plugins/
+  // on disk, so runtime discovery would otherwise auto-mount duplicate
+  // framework defaults before later custom plugins get a chance to mark
+  // themselves as provided.
+${generatedPluginMarks.map((stem) => `  markGeneratedPluginProvided(nitroApp, ${JSON.stringify(stem)});`).join("\n")}
 ${pluginCalls.join("\n")}
 
   // Register API routes
@@ -490,7 +543,6 @@ ${actionRegistrations.join("\n")}
       return new Response(null, { status: 404 });
     }
     const request = requestWithPathname(event.req, p);
-    const hasAuthSignal = requestHasAuthSignal(event.req);
     if (event.req.method === "HEAD") {
       const getRequest = requestWithMethod(request, "GET");
       const response = await rrHandler(getRequest);
@@ -501,11 +553,10 @@ ${actionRegistrations.join("\n")}
           headers: response.headers,
         }),
         basePath,
-        p,
-        hasAuthSignal,
+        p
       );
     }
-    return rewriteMountedResponse(await rrHandler(request), basePath, p, hasAuthSignal);
+    return rewriteMountedResponse(await rrHandler(request), basePath, p);
   }));
 
   _handler = app.fetch.bind(app);
@@ -1137,15 +1188,22 @@ function createDanglingOptionalDepStubs() {
  */
 export async function runNitroBuildPipeline(opts) {
     const { nitro, hooks, clientDir, publicOutputDir, appBasePath, cwd } = opts;
+    const hasClientBuild = fs.existsSync(clientDir) && Boolean(publicOutputDir);
+    if (hasClientBuild) {
+        // Install hashed-asset route rules before Nitro prepares platform output.
+        // Some presets materialize headers during prepare/copy phases, not only in
+        // nitroBuild; adding these later leaves Netlify/Vercel static assets without
+        // the one-year immutable CDN policy even though the runtime manifest works.
+        nitro.options.routeRules ??= {};
+        addImmutableAssetRouteRulesForClientBuild(nitro.options.routeRules, clientDir, appBasePath);
+    }
     await hooks.prepare(nitro);
     await hooks.copyPublicAssets(nitro);
-    if (fs.existsSync(clientDir) && publicOutputDir) {
+    if (hasClientBuild && publicOutputDir) {
         copyDir(clientDir, publicOutputDir);
         if (appBasePath) {
             copyDir(clientDir, path.join(publicOutputDir, appBasePath.slice(1)));
         }
-        nitro.options.routeRules ??= {};
-        addImmutableAssetRouteRulesForClientBuild(nitro.options.routeRules, clientDir, appBasePath);
         console.log(`[deploy] Copied client assets to ${path.relative(cwd, publicOutputDir)}`);
     }
     await hooks.nitroBuild(nitro);
@@ -1212,6 +1270,7 @@ export default bundle;
         pathAliases["@"] = appDir;
     if (fs.existsSync(sharedDir))
         pathAliases["@shared"] = sharedDir;
+    const providedPluginsNitroPlugin = await writeProvidedPluginsNitroPlugin();
     const nitro = await createNitro({
         rootDir: cwd,
         dev: false,
@@ -1228,6 +1287,9 @@ export default bundle;
         virtual: {
             "virtual:agents-bundle": agentsBundleModuleSource,
         },
+        ...(providedPluginsNitroPlugin
+            ? { plugins: [providedPluginsNitroPlugin] }
+            : {}),
         routeRules: mcpEmbedStaticAssetRouteRules(appBasePath),
         // For edge presets (cloudflare, deno), bundle all deps — node_modules
         // aren't available at runtime. Netlify/Vercel/Node have node_modules.