npm - @agent-native/core - Versions diffs - 0.4.5 → 0.5.0-dev.b51eaae - Mend

@agent-native/core 0.4.5 → 0.5.0-dev.b51eaae

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (479) hide show

package/dist/a2a/client.d.ts +7 -0
package/dist/a2a/client.d.ts.map +1 -1
package/dist/a2a/client.js +24 -3
package/dist/a2a/client.js.map +1 -1
package/dist/a2a/handlers.d.ts +6 -3
package/dist/a2a/handlers.d.ts.map +1 -1
package/dist/a2a/handlers.js +45 -39
package/dist/a2a/handlers.js.map +1 -1
package/dist/a2a/index.d.ts +1 -1
package/dist/a2a/index.d.ts.map +1 -1
package/dist/a2a/index.js +2 -2
package/dist/a2a/index.js.map +1 -1
package/dist/a2a/server.d.ts +7 -2
package/dist/a2a/server.d.ts.map +1 -1
package/dist/a2a/server.js +54 -14
package/dist/a2a/server.js.map +1 -1
package/dist/a2a/task-store.d.ts +6 -6
package/dist/a2a/task-store.d.ts.map +1 -1
package/dist/a2a/task-store.js +102 -42
package/dist/a2a/task-store.js.map +1 -1
package/dist/a2a/types.d.ts +2 -0
package/dist/a2a/types.d.ts.map +1 -1
package/dist/action.d.ts +46 -0
package/dist/action.d.ts.map +1 -0
package/dist/action.js +35 -0
package/dist/action.js.map +1 -0
package/dist/adapters/sync/file-sync.js +1 -1
package/dist/agent/index.d.ts +2 -2
package/dist/agent/index.d.ts.map +1 -1
package/dist/agent/index.js.map +1 -1
package/dist/agent/production-agent.d.ts +22 -6
package/dist/agent/production-agent.d.ts.map +1 -1
package/dist/agent/production-agent.js +336 -123
package/dist/agent/production-agent.js.map +1 -1
package/dist/agent/run-manager.d.ts +43 -0
package/dist/agent/run-manager.d.ts.map +1 -0
package/dist/agent/run-manager.js +358 -0
package/dist/agent/run-manager.js.map +1 -0
package/dist/agent/run-store.d.ts +26 -0
package/dist/agent/run-store.d.ts.map +1 -0
package/dist/agent/run-store.js +145 -0
package/dist/agent/run-store.js.map +1 -0
package/dist/agent/thread-data-builder.d.ts +30 -0
package/dist/agent/thread-data-builder.d.ts.map +1 -0
package/dist/agent/thread-data-builder.js +88 -0
package/dist/agent/thread-data-builder.js.map +1 -0
package/dist/agent/types.d.ts +52 -1
package/dist/agent/types.d.ts.map +1 -1
package/dist/application-state/emitter.d.ts +3 -2
package/dist/application-state/emitter.d.ts.map +1 -1
package/dist/application-state/emitter.js +14 -4
package/dist/application-state/emitter.js.map +1 -1
package/dist/application-state/handlers.d.ts.map +1 -1
package/dist/application-state/handlers.js +13 -16
package/dist/application-state/handlers.js.map +1 -1
package/dist/application-state/script-helpers.d.ts +1 -1
package/dist/application-state/script-helpers.d.ts.map +1 -1
package/dist/application-state/script-helpers.js +15 -5
package/dist/application-state/script-helpers.js.map +1 -1
package/dist/application-state/store.d.ts +4 -3
package/dist/application-state/store.d.ts.map +1 -1
package/dist/application-state/store.js +31 -59
package/dist/application-state/store.js.map +1 -1
package/dist/chat-threads/emitter.d.ts +9 -0
package/dist/chat-threads/emitter.d.ts.map +1 -0
package/dist/chat-threads/emitter.js +14 -0
package/dist/chat-threads/emitter.js.map +1 -0
package/dist/chat-threads/store.d.ts +28 -0
package/dist/chat-threads/store.d.ts.map +1 -0
package/dist/chat-threads/store.js +124 -0
package/dist/chat-threads/store.js.map +1 -0
package/dist/cli/create.d.ts.map +1 -1
package/dist/cli/create.js +4 -18
package/dist/cli/create.js.map +1 -1
package/dist/cli/index.js +30 -3
package/dist/cli/index.js.map +1 -1
package/dist/cli/setup-agents.d.ts +11 -0
package/dist/cli/setup-agents.d.ts.map +1 -0
package/dist/cli/setup-agents.js +123 -0
package/dist/cli/setup-agents.js.map +1 -0
package/dist/client/AgentPanel.d.ts +9 -2
package/dist/client/AgentPanel.d.ts.map +1 -1
package/dist/client/AgentPanel.js +466 -29
package/dist/client/AgentPanel.js.map +1 -1
package/dist/client/AssistantChat.d.ts +25 -3
package/dist/client/AssistantChat.d.ts.map +1 -1
package/dist/client/AssistantChat.js +613 -83
package/dist/client/AssistantChat.js.map +1 -1
package/dist/client/ClientOnly.d.ts +14 -0
package/dist/client/ClientOnly.d.ts.map +1 -0
package/dist/client/ClientOnly.js +17 -0
package/dist/client/ClientOnly.js.map +1 -0
package/dist/client/CommandMenu.d.ts +71 -0
package/dist/client/CommandMenu.d.ts.map +1 -0
package/dist/client/CommandMenu.js +257 -0
package/dist/client/CommandMenu.js.map +1 -0
package/dist/client/DefaultSpinner.d.ts +7 -0
package/dist/client/DefaultSpinner.d.ts.map +1 -0
package/dist/client/DefaultSpinner.js +28 -0
package/dist/client/DefaultSpinner.js.map +1 -0
package/dist/client/MultiTabAssistantChat.d.ts +34 -2
package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
package/dist/client/MultiTabAssistantChat.js +346 -57
package/dist/client/MultiTabAssistantChat.js.map +1 -1
package/dist/client/PoweredByBadge.d.ts.map +1 -1
package/dist/client/PoweredByBadge.js +2 -1
package/dist/client/PoweredByBadge.js.map +1 -1
package/dist/client/active-run-state.d.ts +10 -0
package/dist/client/active-run-state.d.ts.map +1 -0
package/dist/client/active-run-state.js +32 -0
package/dist/client/active-run-state.js.map +1 -0
package/dist/client/agent-chat-adapter.d.ts +2 -1
package/dist/client/agent-chat-adapter.d.ts.map +1 -1
package/dist/client/agent-chat-adapter.js +83 -129
package/dist/client/agent-chat-adapter.js.map +1 -1
package/dist/client/agent-chat.js +2 -2
package/dist/client/agent-chat.js.map +1 -1
package/dist/client/components/ApiKeySettings.d.ts +2 -2
package/dist/client/components/ApiKeySettings.js +4 -4
package/dist/client/components/ApiKeySettings.js.map +1 -1
package/dist/client/components/CodeRequiredDialog.d.ts.map +1 -1
package/dist/client/components/CodeRequiredDialog.js +4 -3
package/dist/client/components/CodeRequiredDialog.js.map +1 -1
package/dist/client/composer/MentionPopover.d.ts +26 -0
package/dist/client/composer/MentionPopover.d.ts.map +1 -0
package/dist/client/composer/MentionPopover.js +130 -0
package/dist/client/composer/MentionPopover.js.map +1 -0
package/dist/client/composer/TiptapComposer.d.ts +19 -0
package/dist/client/composer/TiptapComposer.d.ts.map +1 -0
package/dist/client/composer/TiptapComposer.js +415 -0
package/dist/client/composer/TiptapComposer.js.map +1 -0
package/dist/client/composer/extensions/FileReference.d.ts +3 -0
package/dist/client/composer/extensions/FileReference.d.ts.map +1 -0
package/dist/client/composer/extensions/FileReference.js +36 -0
package/dist/client/composer/extensions/FileReference.js.map +1 -0
package/dist/client/composer/extensions/MentionReference.d.ts +3 -0
package/dist/client/composer/extensions/MentionReference.d.ts.map +1 -0
package/dist/client/composer/extensions/MentionReference.js +63 -0
package/dist/client/composer/extensions/MentionReference.js.map +1 -0
package/dist/client/composer/extensions/SkillReference.d.ts +3 -0
package/dist/client/composer/extensions/SkillReference.d.ts.map +1 -0
package/dist/client/composer/extensions/SkillReference.js +40 -0
package/dist/client/composer/extensions/SkillReference.js.map +1 -0
package/dist/client/composer/index.d.ts +8 -0
package/dist/client/composer/index.d.ts.map +1 -0
package/dist/client/composer/index.js +7 -0
package/dist/client/composer/index.js.map +1 -0
package/dist/client/composer/types.d.ts +32 -0
package/dist/client/composer/types.d.ts.map +1 -0
package/dist/client/composer/types.js +2 -0
package/dist/client/composer/types.js.map +1 -0
package/dist/client/composer/use-file-search.d.ts +6 -0
package/dist/client/composer/use-file-search.d.ts.map +1 -0
package/dist/client/composer/use-file-search.js +40 -0
package/dist/client/composer/use-file-search.js.map +1 -0
package/dist/client/composer/use-mention-search.d.ts +6 -0
package/dist/client/composer/use-mention-search.d.ts.map +1 -0
package/dist/client/composer/use-mention-search.js +39 -0
package/dist/client/composer/use-mention-search.js.map +1 -0
package/dist/client/composer/use-skills.d.ts +7 -0
package/dist/client/composer/use-skills.d.ts.map +1 -0
package/dist/client/composer/use-skills.js +38 -0
package/dist/client/composer/use-skills.js.map +1 -0
package/dist/client/index.d.ts +9 -4
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +8 -3
package/dist/client/index.js.map +1 -1
package/dist/client/resources/ResourceEditor.d.ts +7 -0
package/dist/client/resources/ResourceEditor.d.ts.map +1 -0
package/dist/client/resources/ResourceEditor.js +851 -0
package/dist/client/resources/ResourceEditor.js.map +1 -0
package/dist/client/resources/ResourceTree.d.ts +13 -0
package/dist/client/resources/ResourceTree.d.ts.map +1 -0
package/dist/client/resources/ResourceTree.js +122 -0
package/dist/client/resources/ResourceTree.js.map +1 -0
package/dist/client/resources/ResourcesPanel.d.ts +2 -0
package/dist/client/resources/ResourcesPanel.d.ts.map +1 -0
package/dist/client/resources/ResourcesPanel.js +341 -0
package/dist/client/resources/ResourcesPanel.js.map +1 -0
package/dist/client/resources/index.d.ts +5 -0
package/dist/client/resources/index.d.ts.map +1 -0
package/dist/client/resources/index.js +5 -0
package/dist/client/resources/index.js.map +1 -0
package/dist/client/resources/use-resources.d.ts +45 -0
package/dist/client/resources/use-resources.d.ts.map +1 -0
package/dist/client/resources/use-resources.js +102 -0
package/dist/client/resources/use-resources.js.map +1 -0
package/dist/client/sse-event-processor.d.ts +50 -0
package/dist/client/sse-event-processor.d.ts.map +1 -0
package/dist/client/sse-event-processor.js +267 -0
package/dist/client/sse-event-processor.js.map +1 -0
package/dist/client/terminal/AgentTerminal.d.ts +1 -1
package/dist/client/terminal/AgentTerminal.d.ts.map +1 -1
package/dist/client/terminal/AgentTerminal.js +11 -6
package/dist/client/terminal/AgentTerminal.js.map +1 -1
package/dist/client/use-agent-chat.d.ts +1 -1
package/dist/client/use-agent-chat.d.ts.map +1 -1
package/dist/client/use-agent-chat.js +3 -3
package/dist/client/use-agent-chat.js.map +1 -1
package/dist/client/use-chat-threads.d.ts +36 -0
package/dist/client/use-chat-threads.d.ts.map +1 -0
package/dist/client/use-chat-threads.js +175 -0
package/dist/client/use-chat-threads.js.map +1 -0
package/dist/client/use-db-sync.d.ts +35 -0
package/dist/client/use-db-sync.d.ts.map +1 -0
package/dist/client/use-db-sync.js +74 -0
package/dist/client/use-db-sync.js.map +1 -0
package/dist/client/use-dev-mode.d.ts +4 -2
package/dist/client/use-dev-mode.d.ts.map +1 -1
package/dist/client/use-dev-mode.js +39 -12
package/dist/client/use-dev-mode.js.map +1 -1
package/dist/client/use-file-sync-status.d.ts +1 -1
package/dist/client/use-file-sync-status.js +3 -3
package/dist/client/use-file-sync-status.js.map +1 -1
package/dist/client/use-session.d.ts +1 -1
package/dist/client/use-session.js +2 -2
package/dist/client/use-session.js.map +1 -1
package/dist/client/useProductionAgent.d.ts +1 -1
package/dist/client/useProductionAgent.d.ts.map +1 -1
package/dist/client/useProductionAgent.js +38 -3
package/dist/client/useProductionAgent.js.map +1 -1
package/dist/credentials/index.d.ts +18 -0
package/dist/credentials/index.d.ts.map +1 -0
package/dist/credentials/index.js +32 -0
package/dist/credentials/index.js.map +1 -0
package/dist/db/client.d.ts +35 -0
package/dist/db/client.d.ts.map +1 -0
package/dist/db/client.js +248 -0
package/dist/db/client.js.map +1 -0
package/dist/db/create-get-db.d.ts.map +1 -1
package/dist/db/create-get-db.js +103 -16
package/dist/db/create-get-db.js.map +1 -1
package/dist/db/index.d.ts +10 -6
package/dist/db/index.d.ts.map +1 -1
package/dist/db/index.js +10 -4
package/dist/db/index.js.map +1 -1
package/dist/db/migrations.d.ts.map +1 -1
package/dist/db/migrations.js +31 -30
package/dist/db/migrations.js.map +1 -1
package/dist/db/schema.d.ts +45 -0
package/dist/db/schema.d.ts.map +1 -0
package/dist/db/schema.js +61 -0
package/dist/db/schema.js.map +1 -0
package/dist/deploy/build.js +35 -6
package/dist/deploy/build.js.map +1 -1
package/dist/deploy/route-discovery.d.ts +9 -0
package/dist/deploy/route-discovery.d.ts.map +1 -1
package/dist/deploy/route-discovery.js +30 -1
package/dist/deploy/route-discovery.js.map +1 -1
package/dist/index.browser.d.ts +1 -1
package/dist/index.browser.d.ts.map +1 -1
package/dist/index.browser.js +1 -1
package/dist/index.browser.js.map +1 -1
package/dist/index.d.ts +3 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -1
package/dist/index.js.map +1 -1
package/dist/oauth-tokens/store.d.ts.map +1 -1
package/dist/oauth-tokens/store.js +43 -81
package/dist/oauth-tokens/store.js.map +1 -1
package/dist/resources/emitter.d.ts +13 -0
package/dist/resources/emitter.d.ts.map +1 -0
package/dist/resources/emitter.js +32 -0
package/dist/resources/emitter.js.map +1 -0
package/dist/resources/handlers.d.ts +45 -0
package/dist/resources/handlers.d.ts.map +1 -0
package/dist/resources/handlers.js +219 -0
package/dist/resources/handlers.js.map +1 -0
package/dist/resources/index.d.ts +5 -0
package/dist/resources/index.d.ts.map +1 -0
package/dist/resources/index.js +5 -0
package/dist/resources/index.js.map +1 -0
package/dist/resources/script-helpers.d.ts +24 -0
package/dist/resources/script-helpers.d.ts.map +1 -0
package/dist/resources/script-helpers.js +36 -0
package/dist/resources/script-helpers.js.map +1 -0
package/dist/resources/store.d.ts +35 -0
package/dist/resources/store.d.ts.map +1 -0
package/dist/resources/store.js +453 -0
package/dist/resources/store.js.map +1 -0
package/dist/scripts/call-agent.d.ts +5 -0
package/dist/scripts/call-agent.d.ts.map +1 -0
package/dist/scripts/call-agent.js +107 -0
package/dist/scripts/call-agent.js.map +1 -0
package/dist/scripts/core-scripts.d.ts.map +1 -1
package/dist/scripts/core-scripts.js +2 -0
package/dist/scripts/core-scripts.js.map +1 -1
package/dist/scripts/db/exec.d.ts +6 -2
package/dist/scripts/db/exec.d.ts.map +1 -1
package/dist/scripts/db/exec.js +127 -36
package/dist/scripts/db/exec.js.map +1 -1
package/dist/scripts/db/query.d.ts +7 -2
package/dist/scripts/db/query.d.ts.map +1 -1
package/dist/scripts/db/query.js +89 -45
package/dist/scripts/db/query.js.map +1 -1
package/dist/scripts/db/schema.d.ts +2 -2
package/dist/scripts/db/schema.d.ts.map +1 -1
package/dist/scripts/db/schema.js +145 -6
package/dist/scripts/db/schema.js.map +1 -1
package/dist/scripts/db/scoping.d.ts +36 -0
package/dist/scripts/db/scoping.d.ts.map +1 -0
package/dist/scripts/db/scoping.js +198 -0
package/dist/scripts/db/scoping.js.map +1 -0
package/dist/scripts/dev/index.d.ts +2 -2
package/dist/scripts/dev/index.js +1 -1
package/dist/scripts/dev/list-files.d.ts +2 -2
package/dist/scripts/dev/read-file.d.ts +2 -2
package/dist/scripts/dev/read-file.js +1 -1
package/dist/scripts/dev/read-file.js.map +1 -1
package/dist/scripts/dev/search-files.d.ts +2 -2
package/dist/scripts/dev/search-files.js +1 -1
package/dist/scripts/dev/search-files.js.map +1 -1
package/dist/scripts/dev/shell.d.ts +2 -2
package/dist/scripts/dev/shell.js +1 -1
package/dist/scripts/dev/shell.js.map +1 -1
package/dist/scripts/dev/write-file.d.ts +2 -2
package/dist/scripts/dev/write-file.js +1 -1
package/dist/scripts/dev/write-file.js.map +1 -1
package/dist/scripts/resources/delete.d.ts +10 -0
package/dist/scripts/resources/delete.d.ts.map +1 -0
package/dist/scripts/resources/delete.js +38 -0
package/dist/scripts/resources/delete.js.map +1 -0
package/dist/scripts/resources/index.d.ts +2 -0
package/dist/scripts/resources/index.d.ts.map +1 -0
package/dist/scripts/resources/index.js +8 -0
package/dist/scripts/resources/index.js.map +1 -0
package/dist/scripts/resources/list.d.ts +10 -0
package/dist/scripts/resources/list.d.ts.map +1 -0
package/dist/scripts/resources/list.js +57 -0
package/dist/scripts/resources/list.js.map +1 -0
package/dist/scripts/resources/migrate-learnings.d.ts +10 -0
package/dist/scripts/resources/migrate-learnings.d.ts.map +1 -0
package/dist/scripts/resources/migrate-learnings.js +23 -0
package/dist/scripts/resources/migrate-learnings.js.map +1 -0
package/dist/scripts/resources/read.d.ts +10 -0
package/dist/scripts/resources/read.d.ts.map +1 -0
package/dist/scripts/resources/read.js +59 -0
package/dist/scripts/resources/read.js.map +1 -0
package/dist/scripts/resources/write.d.ts +10 -0
package/dist/scripts/resources/write.d.ts.map +1 -0
package/dist/scripts/resources/write.js +67 -0
package/dist/scripts/resources/write.js.map +1 -0
package/dist/scripts/runner.d.ts +7 -7
package/dist/scripts/runner.d.ts.map +1 -1
package/dist/scripts/runner.js +68 -27
package/dist/scripts/runner.js.map +1 -1
package/dist/scripts/utils.d.ts +4 -1
package/dist/scripts/utils.d.ts.map +1 -1
package/dist/scripts/utils.js +5 -3
package/dist/scripts/utils.js.map +1 -1
package/dist/server/action-discovery.d.ts +40 -0
package/dist/server/action-discovery.d.ts.map +1 -0
package/dist/server/action-discovery.js +189 -0
package/dist/server/action-discovery.js.map +1 -0
package/dist/server/agent-chat-plugin.d.ts +12 -23
package/dist/server/agent-chat-plugin.d.ts.map +1 -1
package/dist/server/agent-chat-plugin.js +1087 -36
package/dist/server/agent-chat-plugin.js.map +1 -1
package/dist/server/agent-discovery.d.ts +16 -0
package/dist/server/agent-discovery.d.ts.map +1 -0
package/dist/server/agent-discovery.js +136 -0
package/dist/server/agent-discovery.js.map +1 -0
package/dist/server/auth-plugin.d.ts +5 -0
package/dist/server/auth-plugin.d.ts.map +1 -1
package/dist/server/auth-plugin.js +12 -1
package/dist/server/auth-plugin.js.map +1 -1
package/dist/server/auth.d.ts +3 -1
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +576 -117
package/dist/server/auth.js.map +1 -1
package/dist/server/core-routes-plugin.d.ts +57 -0
package/dist/server/core-routes-plugin.d.ts.map +1 -0
package/dist/server/core-routes-plugin.js +125 -0
package/dist/server/core-routes-plugin.js.map +1 -0
package/dist/server/create-server.d.ts +4 -4
package/dist/server/create-server.d.ts.map +1 -1
package/dist/server/create-server.js +5 -5
package/dist/server/create-server.js.map +1 -1
package/dist/server/default-watcher.d.ts +9 -3
package/dist/server/default-watcher.d.ts.map +1 -1
package/dist/server/default-watcher.js +26 -6
package/dist/server/default-watcher.js.map +1 -1
package/dist/server/google-auth-plugin.js +3 -3
package/dist/server/google-auth-plugin.js.map +1 -1
package/dist/server/google-oauth.d.ts +72 -0
package/dist/server/google-oauth.d.ts.map +1 -0
package/dist/server/google-oauth.js +187 -0
package/dist/server/google-oauth.js.map +1 -0
package/dist/server/index.d.ts +9 -2
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +8 -1
package/dist/server/index.js.map +1 -1
package/dist/server/oauth-helpers.d.ts +16 -0
package/dist/server/oauth-helpers.d.ts.map +1 -0
package/dist/server/oauth-helpers.js +25 -0
package/dist/server/oauth-helpers.js.map +1 -0
package/dist/server/poll.d.ts +40 -0
package/dist/server/poll.d.ts.map +1 -0
package/dist/server/poll.js +49 -0
package/dist/server/poll.js.map +1 -0
package/dist/server/resources-plugin.d.ts +27 -0
package/dist/server/resources-plugin.d.ts.map +1 -0
package/dist/server/resources-plugin.js +74 -0
package/dist/server/resources-plugin.js.map +1 -0
package/dist/server/script-discovery.d.ts +6 -0
package/dist/server/script-discovery.d.ts.map +1 -0
package/dist/server/script-discovery.js +6 -0
package/dist/server/script-discovery.js.map +1 -0
package/dist/server/sse.d.ts +1 -1
package/dist/server/sse.js +1 -1
package/dist/settings/handlers.d.ts +3 -3
package/dist/settings/handlers.d.ts.map +1 -1
package/dist/settings/handlers.js +8 -6
package/dist/settings/handlers.js.map +1 -1
package/dist/settings/index.d.ts +1 -1
package/dist/settings/index.d.ts.map +1 -1
package/dist/settings/index.js.map +1 -1
package/dist/settings/store.d.ts +6 -2
package/dist/settings/store.d.ts.map +1 -1
package/dist/settings/store.js +26 -63
package/dist/settings/store.js.map +1 -1
package/dist/settings/user-settings.d.ts +3 -2
package/dist/settings/user-settings.d.ts.map +1 -1
package/dist/settings/user-settings.js +5 -5
package/dist/settings/user-settings.js.map +1 -1
package/dist/tailwind.preset.d.ts +7 -6
package/dist/tailwind.preset.d.ts.map +1 -1
package/dist/tailwind.preset.js +18 -1
package/dist/tailwind.preset.js.map +1 -1
package/dist/terminal/cli-registry.d.ts +1 -1
package/dist/terminal/cli-registry.js +3 -3
package/dist/terminal/cli-registry.js.map +1 -1
package/dist/terminal/pty-server.d.ts.map +1 -1
package/dist/terminal/pty-server.js +65 -11
package/dist/terminal/pty-server.js.map +1 -1
package/dist/terminal/terminal-plugin.d.ts +2 -2
package/dist/terminal/terminal-plugin.d.ts.map +1 -1
package/dist/terminal/terminal-plugin.js +27 -21
package/dist/terminal/terminal-plugin.js.map +1 -1
package/dist/vite/client.d.ts.map +1 -1
package/dist/vite/client.js +114 -8
package/dist/vite/client.js.map +1 -1
package/dist/vite/dev-api-server.d.ts +1 -1
package/dist/vite/dev-api-server.d.ts.map +1 -1
package/dist/vite/dev-api-server.js +105 -22
package/dist/vite/dev-api-server.js.map +1 -1
package/package.json +22 -6
package/src/templates/default/.agents/skills/actions/SKILL.md +136 -0
package/src/templates/default/.agents/skills/create-skill/SKILL.md +1 -1
package/src/templates/default/.agents/skills/delegate-to-agent/SKILL.md +1 -1
package/src/templates/default/.agents/skills/files-as-database/SKILL.md +2 -2
package/src/templates/default/.agents/skills/real-time-sync/SKILL.md +112 -0
package/src/templates/default/AGENTS.md +56 -164
package/src/templates/default/DEVELOPING.md +117 -0
package/src/templates/default/{scripts → actions}/hello.ts +1 -1
package/src/templates/default/actions/navigate.ts +53 -0
package/src/templates/default/actions/view-screen.ts +39 -0
package/src/templates/default/app/global.css +2 -2
package/src/templates/default/app/root.tsx +19 -16
package/src/templates/default/app/routes/_index.tsx +1 -1
package/src/templates/default/package.json +4 -0
package/src/templates/default/server/plugins/.gitkeep +0 -0
package/dist/a2a/middleware.d.ts +0 -3
package/dist/a2a/middleware.d.ts.map +0 -1
package/dist/a2a/middleware.js +0 -36
package/dist/a2a/middleware.js.map +0 -1
package/dist/client/use-file-watcher.d.ts +0 -23
package/dist/client/use-file-watcher.d.ts.map +0 -1
package/dist/client/use-file-watcher.js +0 -50
package/dist/client/use-file-watcher.js.map +0 -1
package/src/templates/default/.agents/skills/scripts/SKILL.md +0 -121
package/src/templates/default/.agents/skills/sse-file-watcher/SKILL.md +0 -80
package/src/templates/default/server/plugins/agent-chat.ts +0 -1
package/src/templates/default/server/plugins/auth.ts +0 -1
package/src/templates/default/server/plugins/file-sync.ts +0 -1
package/src/templates/default/server/plugins/terminal.ts +0 -1
package/src/templates/default/server/routes/api/events.get.ts +0 -3
package/src/templates/default/server/routes/api/file-sync/status.get.ts +0 -4
/package/src/templates/default/{scripts → actions}/run.ts +0 -0

package/dist/server/auth.js CHANGED Viewed

@@ -1,82 +1,82 @@
 import crypto from "node:crypto";
-import fs from "node:fs";
-import path from "node:path";
-import { defineEventHandler, readBody, getMethod, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, } from "h3";
-import { createClient } from "@libsql/client";
+import { defineEventHandler, readBody, getMethod, getQuery, getRequestIP, setResponseHeader, setResponseStatus, getCookie, setCookie, deleteCookie, } from "h3";
+import { getDbExec, isPostgres, intType } from "../db/client.js";
 // ---------------------------------------------------------------------------
 // Constants
 // ---------------------------------------------------------------------------
 const COOKIE_NAME = "an_session";
 const DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days
+const RATE_LIMIT_WINDOW = 15 * 60 * 1000; // 15 minutes
+const RATE_LIMIT_MAX = 10; // max attempts per window
+const rateLimitMap = new Map();
+// Prune stale entries every 5 minutes to prevent unbounded growth
+setInterval(() => {
+    const now = Date.now();
+    for (const [key, entry] of rateLimitMap) {
+        if (now > entry.resetAt)
+            rateLimitMap.delete(key);
+    }
+}, 5 * 60 * 1000).unref();
+function getClientIp(event) {
+    return getRequestIP(event, { xForwardedFor: true }) ?? "unknown";
+}
+/**
+ * Check rate limit for a given key (typically IP + route).
+ * Returns null if allowed, or a response object if blocked.
+ */
+function checkRateLimit(event, key) {
+    const now = Date.now();
+    const entry = rateLimitMap.get(key);
+    if (!entry || now > entry.resetAt) {
+        rateLimitMap.set(key, { count: 1, resetAt: now + RATE_LIMIT_WINDOW });
+        return null;
+    }
+    entry.count++;
+    if (entry.count > RATE_LIMIT_MAX) {
+        const retryAfter = Math.ceil((entry.resetAt - now) / 1000);
+        setResponseStatus(event, 429);
+        setResponseHeader(event, "Retry-After", retryAfter);
+        return {
+            error: "Too many attempts. Please try again later.",
+            retryAfter,
+        };
+    }
+    return null;
+}
+/** Reset rate limit on successful auth (so valid users aren't penalized). */
+function resetRateLimit(key) {
+    rateLimitMap.delete(key);
+}
 // ---------------------------------------------------------------------------
 // Session store — SQL-backed
 // ---------------------------------------------------------------------------
-let _sessionClient;
-let _sessionTableReady = false;
+let _sessionInitPromise;
 let sessionMaxAge = DEFAULT_MAX_AGE;
-function getSessionClient() {
-    if (!_sessionClient) {
-        // Check for Cloudflare D1 binding
-        const d1 = globalThis.__cf_env?.DB;
-        if (d1) {
-            _sessionClient = {
-                async execute(sql) {
-                    if (typeof sql === "string") {
-                        const r = await d1.prepare(sql).all();
-                        return {
-                            rows: r.results || [],
-                            rowsAffected: r.meta?.changes ?? 0,
-                        };
-                    }
-                    const r = await d1
-                        .prepare(sql.sql)
-                        .bind(...sql.args)
-                        .all();
-                    return { rows: r.results || [], rowsAffected: r.meta?.changes ?? 0 };
-                },
-            };
-            return _sessionClient;
-        }
-        // Fall back to libsql
-        const url = process.env.DATABASE_URL || "file:./data/app.db";
-        if (url.startsWith("file:")) {
+async function ensureSessionTable() {
+    if (!_sessionInitPromise) {
+        _sessionInitPromise = (async () => {
+            const client = getDbExec();
+            await client.execute(`
+        CREATE TABLE IF NOT EXISTS sessions (
+          token TEXT PRIMARY KEY,
+          email TEXT,
+          created_at ${intType()} NOT NULL
+        )
+      `);
+            // Migration: add email column to existing tables that lack it
             try {
-                fs.mkdirSync(path.join(process.cwd(), "data"), { recursive: true });
+                await client.execute(`ALTER TABLE sessions ADD COLUMN email TEXT`);
             }
             catch {
-                // Edge runtime — no filesystem
+                // Column already exists — ignore
             }
-        }
-        _sessionClient = createClient({
-            url,
-            authToken: process.env.DATABASE_AUTH_TOKEN,
-        });
-    }
-    return _sessionClient;
-}
-async function ensureSessionTable() {
-    if (_sessionTableReady)
-        return;
-    const client = getSessionClient();
-    await client.execute(`
-    CREATE TABLE IF NOT EXISTS sessions (
-      token TEXT PRIMARY KEY,
-      email TEXT,
-      created_at INTEGER NOT NULL
-    )
-  `);
-    // Migration: add email column to existing tables that lack it
-    try {
-        await client.execute(`ALTER TABLE sessions ADD COLUMN email TEXT`);
-    }
-    catch {
-        // Column already exists — ignore
+        })();
     }
-    _sessionTableReady = true;
+    return _sessionInitPromise;
 }
 async function pruneExpiredSessions() {
     await ensureSessionTable();
-    const client = getSessionClient();
+    const client = getDbExec();
     const cutoff = Date.now() - sessionMaxAge * 1000;
     await client.execute({
         sql: `DELETE FROM sessions WHERE created_at < ?`,
@@ -89,16 +89,18 @@ async function pruneExpiredSessions() {
  */
 export async function addSession(token, email) {
     await ensureSessionTable();
-    const client = getSessionClient();
+    const client = getDbExec();
     await client.execute({
-        sql: `INSERT OR REPLACE INTO sessions (token, email, created_at) VALUES (?, ?, ?)`,
+        sql: isPostgres()
+            ? `INSERT INTO sessions (token, email, created_at) VALUES (?, ?, ?) ON CONFLICT (token) DO UPDATE SET email=EXCLUDED.email, created_at=EXCLUDED.created_at`
+            : `INSERT OR REPLACE INTO sessions (token, email, created_at) VALUES (?, ?, ?)`,
         args: [token, email ?? null, Date.now()],
     });
 }
 /** Remove a session by token. */
 export async function removeSession(token) {
     await ensureSessionTable();
-    const client = getSessionClient();
+    const client = getDbExec();
     await client.execute({
         sql: `DELETE FROM sessions WHERE token = ?`,
         args: [token],
@@ -110,7 +112,7 @@ export async function removeSession(token) {
  */
 export async function getSessionEmail(token) {
     await ensureSessionTable();
-    const client = getSessionClient();
+    const client = getDbExec();
     const { rows } = await client.execute({
         sql: `SELECT email, created_at FROM sessions WHERE token = ?`,
         args: [token],
@@ -129,7 +131,7 @@ export async function getSessionEmail(token) {
 }
 async function hasSession(token) {
     await ensureSessionTable();
-    const client = getSessionClient();
+    const client = getDbExec();
     const { rows } = await client.execute({
         sql: `SELECT created_at FROM sessions WHERE token = ?`,
         args: [token],
@@ -182,20 +184,61 @@ const DEV_SESSION = { email: "local@localhost" };
 /**
  * Get the current auth session for a request.
  *
- * - In dev mode: always returns { email: "local@localhost" }
+ * - In dev mode: checks for a session cookie first (e.g. from Google OAuth),
+ *   so the real email is used when sharing a DB with production.
+ *   Falls back to { email: "local@localhost" } if no session cookie.
  * - In production with built-in auth: returns session if cookie is valid
  * - With custom auth (BYOA): delegates to the custom getSession
  */
 export async function getSession(event) {
-    if (isDevMode())
-        return DEV_SESSION;
-    if (authDisabledMode)
+    if (isDevMode() || authDisabledMode) {
+        // Check for a real session cookie (created by Google OAuth callback)
+        // so dev and prod share the same identity on the same DB
+        try {
+            const cookie = getCookie(event, COOKIE_NAME);
+            if (cookie) {
+                const email = await getSessionEmail(cookie);
+                if (email)
+                    return { email, token: cookie };
+            }
+        }
+        catch {
+            // DB not ready yet — fall back to dev session
+        }
         return DEV_SESSION;
-    if (customGetSession)
-        return customGetSession(event);
-    const cookie = getCookie(event, COOKIE_NAME);
-    if (cookie && (await hasSession(cookie))) {
-        return { email: "user", token: cookie };
+    }
+    if (customGetSession) {
+        const session = await customGetSession(event);
+        if (session)
+            return session;
+        // Fall through to _session query param check (mobile WebView bridge)
+    }
+    else {
+        const cookie = getCookie(event, COOKIE_NAME);
+        if (cookie) {
+            const email = await getSessionEmail(cookie);
+            if (email)
+                return { email, token: cookie };
+        }
+    }
+    // Mobile WebViews have a separate cookie jar from Safari, so after OAuth
+    // completes in Safari the WebView won't have the session cookie.  The mobile
+    // app passes the token as a query parameter; if it's valid we promote it to
+    // an httpOnly cookie so subsequent requests work normally.
+    // This MUST run even with custom auth providers (e.g. createGoogleAuthPlugin).
+    const qToken = getQuery(event)?._session;
+    if (qToken) {
+        const email = await getSessionEmail(qToken);
+        if (email) {
+            setCookie(event, COOKIE_NAME, qToken, {
+                httpOnly: true,
+                secure: process.env.NODE_ENV === "production",
+                sameSite: "lax",
+                path: "/",
+                maxAge: sessionMaxAge,
+            });
+            return { email, token: qToken };
+        }
     }
     return null;
 }
@@ -214,6 +257,102 @@ function safeTokenMatch(input, tokens) {
     return false;
 }
 // ---------------------------------------------------------------------------
+// Password hashing — Web Crypto PBKDF2 (works on Node.js + CF Workers)
+// ---------------------------------------------------------------------------
+const PBKDF2_ITERATIONS = 100_000;
+function toHex(buf) {
+    return Array.from(buf)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+function fromHex(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+        bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+    }
+    return bytes;
+}
+async function hashPassword(password) {
+    const salt = crypto.getRandomValues(new Uint8Array(16));
+    const encoded = new TextEncoder().encode(password);
+    const keyMaterial = await globalThis.crypto.subtle.importKey("raw", encoded.buffer, "PBKDF2", false, ["deriveBits"]);
+    const derived = await globalThis.crypto.subtle.deriveBits({
+        name: "PBKDF2",
+        salt: salt.buffer,
+        iterations: PBKDF2_ITERATIONS,
+        hash: "SHA-256",
+    }, keyMaterial, 256);
+    return `${PBKDF2_ITERATIONS}:${toHex(salt)}:${toHex(new Uint8Array(derived))}`;
+}
+async function verifyPassword(password, stored) {
+    const [iterStr, saltHex, hashHex] = stored.split(":");
+    const iterations = parseInt(iterStr, 10);
+    const salt = fromHex(saltHex);
+    const expectedHash = fromHex(hashHex);
+    const encoded = new TextEncoder().encode(password);
+    const keyMaterial = await globalThis.crypto.subtle.importKey("raw", encoded.buffer, "PBKDF2", false, ["deriveBits"]);
+    const derived = new Uint8Array(await globalThis.crypto.subtle.deriveBits({
+        name: "PBKDF2",
+        salt: salt.buffer,
+        iterations,
+        hash: "SHA-256",
+    }, keyMaterial, 256));
+    if (derived.length !== expectedHash.length)
+        return false;
+    // Constant-time comparison
+    let diff = 0;
+    for (let i = 0; i < derived.length; i++) {
+        diff |= derived[i] ^ expectedHash[i];
+    }
+    return diff === 0;
+}
+// ---------------------------------------------------------------------------
+// Users table — email/password accounts
+// ---------------------------------------------------------------------------
+let _usersTableReady = false;
+async function ensureUsersTable() {
+    if (_usersTableReady)
+        return;
+    const client = getDbExec();
+    await client.execute(`
+    CREATE TABLE IF NOT EXISTS users (
+      email TEXT PRIMARY KEY,
+      password_hash TEXT NOT NULL,
+      created_at ${intType()} NOT NULL
+    )
+  `);
+    _usersTableReady = true;
+}
+async function createUser(email, password) {
+    await ensureUsersTable();
+    const client = getDbExec();
+    // Check if user already exists
+    const { rows } = await client.execute({
+        sql: `SELECT email FROM users WHERE email = ?`,
+        args: [email],
+    });
+    if (rows.length > 0) {
+        return { ok: false, error: "An account with this email already exists" };
+    }
+    const passwordHash = await hashPassword(password);
+    await client.execute({
+        sql: `INSERT INTO users (email, password_hash, created_at) VALUES (?, ?, ?)`,
+        args: [email, passwordHash, Date.now()],
+    });
+    return { ok: true };
+}
+async function authenticateUser(email, password) {
+    await ensureUsersTable();
+    const client = getDbExec();
+    const { rows } = await client.execute({
+        sql: `SELECT password_hash FROM users WHERE email = ?`,
+        args: [email],
+    });
+    if (rows.length === 0)
+        return false;
+    return verifyPassword(password, rows[0].password_hash);
+}
+// ---------------------------------------------------------------------------
 // Login page HTML
 // ---------------------------------------------------------------------------
 const LOGIN_HTML = `<!DOCTYPE html>
@@ -287,7 +426,7 @@ const LOGIN_HTML = `<!DOCTYPE html>
   document.getElementById('form').addEventListener('submit', async (e) => {
     e.preventDefault();
     const token = document.getElementById('token').value;
-    const res = await fetch('/api/auth/login', {
+    const res = await fetch('/_agent-native/auth/login', {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       body: JSON.stringify({ token }),
@@ -302,6 +441,327 @@ const LOGIN_HTML = `<!DOCTYPE html>
 </body>
 </html>`;
 // ---------------------------------------------------------------------------
+// Email/password auth HTML — combined login + register page
+// ---------------------------------------------------------------------------
+const EMAIL_AUTH_HTML = `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Sign in</title>
+<style>
+  *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+  body {
+    font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+    background: #0a0a0a;
+    color: #e5e5e5;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    min-height: 100vh;
+  }
+  .card {
+    width: 100%;
+    max-width: 380px;
+    padding: 2rem;
+    background: #141414;
+    border: 1px solid rgba(255,255,255,0.08);
+    border-radius: 12px;
+  }
+  .tabs {
+    display: inline-flex;
+    width: 100%;
+    padding: 4px;
+    margin-bottom: 1.5rem;
+    background: rgba(255,255,255,0.06);
+    border-radius: 8px;
+  }
+  .tab {
+    flex: 1;
+    padding: 0.5rem 0.75rem;
+    background: none;
+    border: none;
+    color: #888;
+    font-size: 0.8125rem;
+    font-weight: 500;
+    cursor: pointer;
+    border-radius: 6px;
+  }
+  .tab.active {
+    background: #1e1e1e;
+    color: #fff;
+    box-shadow: 0 1px 2px rgba(0,0,0,0.3);
+  }
+  .tab:hover:not(.active) { color: #bbb; }
+  .form { display: none; }
+  .form.active { display: block; }
+  label { display: block; font-size: 0.8125rem; color: #888; margin-bottom: 0.375rem; }
+  input {
+    width: 100%;
+    padding: 0.5rem 0.75rem;
+    background: transparent;
+    border: 1px solid rgba(255,255,255,0.12);
+    border-radius: 6px;
+    color: #e5e5e5;
+    font-size: 0.875rem;
+    outline: none;
+    margin-bottom: 0.875rem;
+  }
+  input:focus { border-color: rgba(255,255,255,0.3); box-shadow: 0 0 0 1px rgba(255,255,255,0.1); }
+  input::placeholder { color: #555; }
+  button[type="submit"] {
+    width: 100%;
+    margin-top: 0.25rem;
+    padding: 0.5rem;
+    background: #fff;
+    color: #000;
+    border: none;
+    border-radius: 6px;
+    font-size: 0.875rem;
+    font-weight: 500;
+    cursor: pointer;
+  }
+  button[type="submit"]:hover { background: #e5e5e5; }
+  button[type="submit"]:disabled { opacity: 0.5; cursor: not-allowed; }
+  .msg { margin-top: 0.75rem; font-size: 0.8125rem; display: none; }
+  .msg.error { color: #f87171; }
+  .msg.success { color: #4ade80; }
+  .msg.show { display: block; }
+</style>
+</head>
+<body>
+<div class="card">
+  <div class="tabs">
+    <button class="tab active" data-tab="login">Sign in</button>
+    <button class="tab" data-tab="register">Create account</button>
+  </div>
+  <form id="login-form" class="form active">
+    <label for="l-email">Email</label>
+    <input id="l-email" type="email" autocomplete="email" autofocus placeholder="you@example.com" required />
+    <label for="l-pass">Password</label>
+    <input id="l-pass" type="password" autocomplete="current-password" placeholder="Enter password" required />
+    <button type="submit">Sign in</button>
+    <p class="msg error" id="l-err"></p>
+  </form>
+  <form id="register-form" class="form">
+    <label for="r-email">Email</label>
+    <input id="r-email" type="email" autocomplete="email" placeholder="you@example.com" required />
+    <label for="r-pass">Password</label>
+    <input id="r-pass" type="password" autocomplete="new-password" placeholder="At least 8 characters" required minlength="8" />
+    <label for="r-pass2">Confirm password</label>
+    <input id="r-pass2" type="password" autocomplete="new-password" placeholder="Confirm password" required minlength="8" />
+    <button type="submit">Create account</button>
+    <p class="msg" id="r-msg"></p>
+  </form>
+</div>
+<script>
+  const tabs = document.querySelectorAll('.tab');
+  const forms = document.querySelectorAll('.form');
+  tabs.forEach(t => t.addEventListener('click', () => {
+    tabs.forEach(x => x.classList.remove('active'));
+    forms.forEach(x => x.classList.remove('active'));
+    t.classList.add('active');
+    document.getElementById(t.dataset.tab + '-form').classList.add('active');
+  }));
+  document.getElementById('login-form').addEventListener('submit', async (e) => {
+    e.preventDefault();
+    const err = document.getElementById('l-err');
+    err.classList.remove('show');
+    const res = await fetch('/_agent-native/auth/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        email: document.getElementById('l-email').value,
+        password: document.getElementById('l-pass').value,
+      }),
+    });
+    if (res.ok) {
+      window.location.reload();
+    } else {
+      const data = await res.json().catch(() => ({}));
+      err.textContent = data.error || 'Invalid email or password';
+      err.classList.add('show');
+    }
+  });
+  document.getElementById('register-form').addEventListener('submit', async (e) => {
+    e.preventDefault();
+    const msg = document.getElementById('r-msg');
+    msg.classList.remove('show', 'error', 'success');
+    const pass = document.getElementById('r-pass').value;
+    const pass2 = document.getElementById('r-pass2').value;
+    if (pass !== pass2) {
+      msg.textContent = 'Passwords do not match';
+      msg.classList.add('show', 'error');
+      return;
+    }
+    const res = await fetch('/_agent-native/auth/register', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        email: document.getElementById('r-email').value,
+        password: pass,
+      }),
+    });
+    const data = await res.json().catch(() => ({}));
+    if (res.ok) {
+      msg.textContent = 'Account created — signing you in...';
+      msg.classList.add('show', 'success');
+      // Auto-login after registration
+      const loginRes = await fetch('/_agent-native/auth/login', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          email: document.getElementById('r-email').value,
+          password: pass,
+        }),
+      });
+      if (loginRes.ok) {
+        window.location.reload();
+      }
+    } else {
+      msg.textContent = data.error || 'Registration failed';
+      msg.classList.add('show', 'error');
+    }
+  });
+</script>
+</body>
+</html>`;
+// ---------------------------------------------------------------------------
+// mountEmailAuthRoutes — email/password registration + login
+// ---------------------------------------------------------------------------
+function mountEmailAuthRoutes(app, publicPaths = []) {
+    // Also support ACCESS_TOKEN login for backward compat (API callers, scripts)
+    const accessTokens = getAccessTokens();
+    // POST /_agent-native/auth/register
+    app.use("/_agent-native/auth/register", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const ip = getClientIp(event);
+        const limited = checkRateLimit(event, `register:${ip}`);
+        if (limited)
+            return limited;
+        const body = await readBody(event);
+        const email = body?.email?.trim?.()?.toLowerCase?.();
+        const password = body?.password;
+        if (!email || typeof email !== "string" || !email.includes("@")) {
+            setResponseStatus(event, 400);
+            return { error: "Valid email is required" };
+        }
+        if (!password || typeof password !== "string" || password.length < 8) {
+            setResponseStatus(event, 400);
+            return { error: "Password must be at least 8 characters" };
+        }
+        const result = await createUser(email, password);
+        if (!result.ok) {
+            setResponseStatus(event, 409);
+            return { error: result.error };
+        }
+        resetRateLimit(`register:${ip}`);
+        return { ok: true };
+    }));
+    // POST /_agent-native/auth/login — email/password or legacy ACCESS_TOKEN
+    app.use("/_agent-native/auth/login", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const ip = getClientIp(event);
+        const rateLimitKey = `login:${ip}`;
+        const limited = checkRateLimit(event, rateLimitKey);
+        if (limited)
+            return limited;
+        const body = await readBody(event);
+        // Legacy: ACCESS_TOKEN login (for API callers, scripts)
+        if (body?.token &&
+            typeof body.token === "string" &&
+            accessTokens.length > 0) {
+            if (!safeTokenMatch(body.token, accessTokens)) {
+                setResponseStatus(event, 401);
+                return { error: "Invalid token" };
+            }
+            const sessionToken = crypto.randomBytes(32).toString("hex");
+            await addSession(sessionToken, "user");
+            setCookie(event, COOKIE_NAME, sessionToken, {
+                httpOnly: true,
+                secure: process.env.NODE_ENV === "production",
+                sameSite: "lax",
+                path: "/",
+                maxAge: sessionMaxAge,
+            });
+            resetRateLimit(rateLimitKey);
+            return { ok: true };
+        }
+        // Email/password login
+        const email = body?.email?.trim?.()?.toLowerCase?.();
+        const password = body?.password;
+        if (!email || !password) {
+            setResponseStatus(event, 400);
+            return { error: "Email and password are required" };
+        }
+        const valid = await authenticateUser(email, password);
+        if (!valid) {
+            setResponseStatus(event, 401);
+            return { error: "Invalid email or password" };
+        }
+        const sessionToken = crypto.randomBytes(32).toString("hex");
+        await addSession(sessionToken, email);
+        setCookie(event, COOKIE_NAME, sessionToken, {
+            httpOnly: true,
+            secure: process.env.NODE_ENV === "production",
+            sameSite: "lax",
+            path: "/",
+            maxAge: sessionMaxAge,
+        });
+        resetRateLimit(rateLimitKey);
+        return { ok: true };
+    }));
+    // POST /_agent-native/auth/logout
+    app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
+        const cookie = getCookie(event, COOKIE_NAME);
+        if (cookie)
+            await removeSession(cookie);
+        deleteCookie(event, COOKIE_NAME, { path: "/" });
+        return { ok: true };
+    }));
+    // GET /_agent-native/auth/session
+    app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "GET") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const session = await getSession(event);
+        return session ?? { error: "Not authenticated" };
+    }));
+    // Auth guard
+    const loginHtml = EMAIL_AUTH_HTML;
+    app.use(defineEventHandler(async (event) => {
+        const url = event.node?.req?.url ?? event.path ?? "/";
+        const p = url.split("?")[0];
+        if (p === "/_agent-native/auth/login" ||
+            p === "/_agent-native/auth/logout" ||
+            p === "/_agent-native/auth/session" ||
+            p === "/_agent-native/auth/register") {
+            return;
+        }
+        if (isPublicPath(url, publicPaths))
+            return;
+        const session = await getSession(event);
+        if (session)
+            return;
+        if (p.startsWith("/api/") || p.startsWith("/_agent-native/")) {
+            setResponseStatus(event, 401);
+            return { error: "Unauthorized" };
+        }
+        setResponseStatus(event, 200);
+        setResponseHeader(event, "Content-Type", "text/html");
+        return loginHtml;
+    }));
+}
+// ---------------------------------------------------------------------------
 // mountAuthMiddleware — mounts login/logout/session routes + auth guard
 // ---------------------------------------------------------------------------
 /**
@@ -319,12 +779,17 @@ function isPublicPath(url, publicPaths) {
     return publicPaths.some((pp) => p === pp || p.startsWith(pp + "/"));
 }
 function mountAuthRoutes(app, accessTokens, publicPaths = []) {
-    // POST /api/auth/login
-    app.use("/api/auth/login", defineEventHandler(async (event) => {
+    // POST /_agent-native/auth/login
+    app.use("/_agent-native/auth/login", defineEventHandler(async (event) => {
         if (getMethod(event) !== "POST") {
             setResponseStatus(event, 405);
             return { error: "Method not allowed" };
         }
+        const ip = getClientIp(event);
+        const rateLimitKey = `login:${ip}`;
+        const limited = checkRateLimit(event, rateLimitKey);
+        if (limited)
+            return limited;
         const body = await readBody(event);
         if (!body?.token ||
             typeof body.token !== "string" ||
@@ -333,26 +798,27 @@ function mountAuthRoutes(app, accessTokens, publicPaths = []) {
             return { error: "Invalid token" };
         }
         const sessionToken = crypto.randomBytes(32).toString("hex");
-        await addSession(sessionToken);
+        await addSession(sessionToken, "user");
         setCookie(event, COOKIE_NAME, sessionToken, {
             httpOnly: true,
-            secure: true,
+            secure: process.env.NODE_ENV === "production",
             sameSite: "lax",
             path: "/",
             maxAge: sessionMaxAge,
         });
+        resetRateLimit(rateLimitKey);
         return { ok: true };
     }));
-    // POST /api/auth/logout
-    app.use("/api/auth/logout", defineEventHandler(async (event) => {
+    // POST /_agent-native/auth/logout
+    app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie)
             await removeSession(cookie);
         deleteCookie(event, COOKIE_NAME, { path: "/" });
         return { ok: true };
     }));
-    // GET /api/auth/session — client session check
-    app.use("/api/auth/session", defineEventHandler(async (event) => {
+    // GET /_agent-native/auth/session — client session check
+    app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
         if (getMethod(event) !== "GET") {
             setResponseStatus(event, 405);
             return { error: "Method not allowed" };
@@ -365,9 +831,9 @@ function mountAuthRoutes(app, accessTokens, publicPaths = []) {
         const url = event.node?.req?.url ?? event.path ?? "/";
         const p = url.split("?")[0];
         // Skip auth routes
-        if (p === "/api/auth/login" ||
-            p === "/api/auth/logout" ||
-            p === "/api/auth/session") {
+        if (p === "/_agent-native/auth/login" ||
+            p === "/_agent-native/auth/logout" ||
+            p === "/_agent-native/auth/session") {
             return;
         }
         // Skip public paths
@@ -380,7 +846,7 @@ function mountAuthRoutes(app, accessTokens, publicPaths = []) {
             return; // Authenticated
         }
         // Unauthenticated
-        if (p.startsWith("/api/")) {
+        if (p.startsWith("/api/") || p.startsWith("/_agent-native/")) {
             setResponseStatus(event, 401);
             return { error: "Unauthorized" };
         }
@@ -431,23 +897,23 @@ export function autoMountAuth(app, options = {}) {
     }
     // Dev mode — skip auth entirely
     if (isDevMode()) {
-        // Mount a session endpoint that returns the dev stub
-        app.use("/api/auth/session", defineEventHandler(async (event) => {
+        // Mount a session endpoint that checks for a real session first
+        app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
             if (getMethod(event) !== "GET") {
                 setResponseStatus(event, 405);
                 return { error: "Method not allowed" };
             }
-            return DEV_SESSION;
+            return await getSession(event);
         }));
         // Mount no-op login/logout so client code doesn't break
-        app.use("/api/auth/login", defineEventHandler(() => ({ ok: true })));
-        app.use("/api/auth/logout", defineEventHandler(() => ({ ok: true })));
+        app.use("/_agent-native/auth/login", defineEventHandler(() => ({ ok: true })));
+        app.use("/_agent-native/auth/logout", defineEventHandler(() => ({ ok: true })));
         return false;
     }
     // BYOA with custom getSession — skip token check, mount session/guard routes
     if (customGetSession) {
         // Mount session endpoint
-        app.use("/api/auth/session", defineEventHandler(async (event) => {
+        app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
             if (getMethod(event) !== "GET") {
                 setResponseStatus(event, 405);
                 return { error: "Method not allowed" };
@@ -455,8 +921,8 @@ export function autoMountAuth(app, options = {}) {
             const session = await getSession(event);
             return session ?? { error: "Not authenticated" };
         }));
-        app.use("/api/auth/login", defineEventHandler(() => ({ ok: true })));
-        app.use("/api/auth/logout", defineEventHandler(async (event) => {
+        app.use("/_agent-native/auth/login", defineEventHandler(() => ({ ok: true })));
+        app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
             const cookie = getCookie(event, COOKIE_NAME);
             if (cookie)
                 await removeSession(cookie);
@@ -469,9 +935,9 @@ export function autoMountAuth(app, options = {}) {
             // Use H3's getRequestURL for cross-platform compat (Node + Workers)
             const url = event.node?.req?.url ?? event.path ?? "/";
             const p = url.split("?")[0];
-            if (p === "/api/auth/login" ||
-                p === "/api/auth/logout" ||
-                p === "/api/auth/session") {
+            if (p === "/_agent-native/auth/login" ||
+                p === "/_agent-native/auth/logout" ||
+                p === "/_agent-native/auth/session") {
                 return;
             }
             // Skip public paths
@@ -481,7 +947,7 @@ export function autoMountAuth(app, options = {}) {
             const session = await getSession(event);
             if (session)
                 return;
-            if (p.startsWith("/api/")) {
+            if (p.startsWith("/api/") || p.startsWith("/_agent-native/")) {
                 setResponseStatus(event, 401);
                 return { error: "Unauthorized" };
             }
@@ -500,30 +966,23 @@ export function autoMountAuth(app, options = {}) {
             authDisabledMode = true;
             console.warn("[agent-native] AUTH_DISABLED=true — running in production without auth. " +
                 "Ensure this app is behind infrastructure-level auth (Cloudflare Access, VPN, etc.).");
-            // Mount session endpoint — getSession() will return DEV_SESSION
-            app.use("/api/auth/session", defineEventHandler(async (event) => {
+            // Mount session endpoint
+            app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
                 if (getMethod(event) !== "GET") {
                     setResponseStatus(event, 405);
                     return { error: "Method not allowed" };
                 }
-                return DEV_SESSION;
+                return await getSession(event);
             }));
-            app.use("/api/auth/login", defineEventHandler(() => ({ ok: true })));
-            app.use("/api/auth/logout", defineEventHandler(() => ({ ok: true })));
+            app.use("/_agent-native/auth/login", defineEventHandler(() => ({ ok: true })));
+            app.use("/_agent-native/auth/logout", defineEventHandler(() => ({ ok: true })));
             return false;
         }
-        // Refuse to start without auth in production
-        const msg = "\n" +
-            "=".repeat(70) +
-            "\n" +
-            " ERROR: Running in production without authentication.\n\n" +
-            " Set ACCESS_TOKEN=<your-secret> to enable auth, or\n" +
-            " set AUTH_DISABLED=true if this app is behind infrastructure auth.\n\n" +
-            " For multi-user access: ACCESS_TOKENS=token1,token2,token3\n" +
-            "=".repeat(70) +
-            "\n";
-        console.error(msg);
-        process.exit(1);
+        // No access tokens set — enable email/password authentication
+        pruneExpiredSessions().catch(() => { });
+        mountEmailAuthRoutes(app, publicPaths);
+        console.log("[agent-native] Auth enabled — email/password authentication.");
+        return true;
     }
     // Production with tokens — mount auth
     pruneExpiredSessions().catch(() => { });