@agent-native/core 0.46.0 → 0.48.1

package/dist/server/cors-origins.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cors-origins.d.ts","sourceRoot":"","sources":["../../src/server/cors-origins.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,iBAAiB;IAChC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,6BAA6B,CAAC,EAAE,OAAO,CAAC;IACxC,6BAA6B,CAAC,EAAE,OAAO,CAAC;CACzC;AAED,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAKjD;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAEhE;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,OAAO,GAAE,iBAAsB,GAC9B,MAAM,GAAG,IAAI,CAoBf"}
+{"version":3,"file":"cors-origins.d.ts","sourceRoot":"","sources":["../../src/server/cors-origins.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,iBAAiB;IAChC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,6BAA6B,CAAC,EAAE,OAAO,CAAC;IAIxC,6BAA6B,CAAC,EAAE,OAAO,CAAC;CACzC;AAED,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAKjD;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAEhE;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAEzD;AAED,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,GAAG,SAAS,EAC1B,OAAO,GAAE,iBAAsB,GAC9B,MAAM,GAAG,IAAI,CA0Bf"}

package/dist/server/cors-origins.js

@@ -26,7 +26,12 @@ export function getAllowedCorsOrigin(origin, options = {}) {
     }
     if (options.allowAnyOriginWhenNoAllowlist)
         return origin;
-    if (options.allowLocalhostWhenNoAllowlist !== false) {
+    // Default: allow localhost only in development. Production with no allowlist
+    // must deny localhost callers — an arbitrary process on the user's machine
+    // must not make readable credentialed cross-origin calls to a production API.
+    const allowLocalhost = options.allowLocalhostWhenNoAllowlist ??
+        process.env.NODE_ENV === "development";
+    if (allowLocalhost) {
         return isLocalhostOrigin(origin) ? origin : null;
     }
     return null;

package/dist/server/cors-origins.js.map

@@ -1 +1 @@
-{"version":3,"file":"cors-origins.js","sourceRoot":"","sources":["../../src/server/cors-origins.ts"],"names":[],"mappings":"AAAA,MAAM,mBAAmB,GACvB,+DAA+D,CAAC;AAElE,MAAM,oBAAoB,GACxB,+EAA+E,CAAC;AAQlF,MAAM,UAAU,sBAAsB;IACpC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC;SAC5C,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,MAAc;IACrD,OAAO,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,OAAO,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,MAA0B,EAC1B,UAA6B,EAAE;IAE/B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,oEAAoE;IACpE,0EAA0E;IAC1E,gEAAgE;IAChE,IAAI,wBAAwB,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAEpD,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,sBAAsB,EAAE,CAAC;IAC1E,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IACzD,CAAC;IAED,IAAI,OAAO,CAAC,6BAA6B;QAAE,OAAO,MAAM,CAAC;IAEzD,IAAI,OAAO,CAAC,6BAA6B,KAAK,KAAK,EAAE,CAAC;QACpD,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IACnD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["const LOCALHOST_ORIGIN_RE =\n  /^https?:\\/\\/(localhost|127\\.0\\.0\\.1|tauri\\.localhost)(:\\d+)?$/;\n\nconst NATIVE_APP_ORIGIN_RE =\n  /^(tauri:\\/\\/(localhost|tauri\\.localhost)|https?:\\/\\/tauri\\.localhost(:\\d+)?)$/;\n\nexport interface CorsOriginOptions {\n  allowedOrigins?: string[];\n  allowAnyOriginWhenNoAllowlist?: boolean;\n  allowLocalhostWhenNoAllowlist?: boolean;\n}\n\nexport function readCorsAllowedOrigins(): string[] {\n  return (process.env.CORS_ALLOWED_ORIGINS ?? \"\")\n    .split(\",\")\n    .map((s) => s.trim())\n    .filter(Boolean);\n}\n\nexport function isTrustedNativeAppOrigin(origin: string): boolean {\n  return NATIVE_APP_ORIGIN_RE.test(origin);\n}\n\nexport function isLocalhostOrigin(origin: string): boolean {\n  return LOCALHOST_ORIGIN_RE.test(origin);\n}\n\nexport function getAllowedCorsOrigin(\n  origin: string | undefined,\n  options: CorsOriginOptions = {},\n): string | null {\n  if (!origin) return null;\n\n  // Tauri's production WebView uses a private app origin. It is not a\n  // deploy-configured website origin, so keep it reachable even when an app\n  // also has CORS_ALLOWED_ORIGINS for browser embeds or previews.\n  if (isTrustedNativeAppOrigin(origin)) return origin;\n\n  const allowedOrigins = options.allowedOrigins ?? readCorsAllowedOrigins();\n  if (allowedOrigins.length > 0) {\n    return allowedOrigins.includes(origin) ? origin : null;\n  }\n\n  if (options.allowAnyOriginWhenNoAllowlist) return origin;\n\n  if (options.allowLocalhostWhenNoAllowlist !== false) {\n    return isLocalhostOrigin(origin) ? origin : null;\n  }\n\n  return null;\n}\n"]}
+{"version":3,"file":"cors-origins.js","sourceRoot":"","sources":["../../src/server/cors-origins.ts"],"names":[],"mappings":"AAAA,MAAM,mBAAmB,GACvB,+DAA+D,CAAC;AAElE,MAAM,oBAAoB,GACxB,+EAA+E,CAAC;AAWlF,MAAM,UAAU,sBAAsB;IACpC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC;SAC5C,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,MAAc;IACrD,OAAO,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,OAAO,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,MAA0B,EAC1B,UAA6B,EAAE;IAE/B,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,oEAAoE;IACpE,0EAA0E;IAC1E,gEAAgE;IAChE,IAAI,wBAAwB,CAAC,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAEpD,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,sBAAsB,EAAE,CAAC;IAC1E,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IACzD,CAAC;IAED,IAAI,OAAO,CAAC,6BAA6B;QAAE,OAAO,MAAM,CAAC;IAEzD,6EAA6E;IAC7E,2EAA2E;IAC3E,8EAA8E;IAC9E,MAAM,cAAc,GAClB,OAAO,CAAC,6BAA6B;QACrC,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,CAAC;IACzC,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IACnD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["const LOCALHOST_ORIGIN_RE =\n  /^https?:\\/\\/(localhost|127\\.0\\.0\\.1|tauri\\.localhost)(:\\d+)?$/;\n\nconst NATIVE_APP_ORIGIN_RE =\n  /^(tauri:\\/\\/(localhost|tauri\\.localhost)|https?:\\/\\/tauri\\.localhost(:\\d+)?)$/;\n\nexport interface CorsOriginOptions {\n  allowedOrigins?: string[];\n  allowAnyOriginWhenNoAllowlist?: boolean;\n  // When true, a localhost origin is echoed back even without an explicit\n  // allowlist. Callers must NOT pass true in production — the default resolves\n  // to NODE_ENV === \"development\" so the fallback is dev-only.\n  allowLocalhostWhenNoAllowlist?: boolean;\n}\n\nexport function readCorsAllowedOrigins(): string[] {\n  return (process.env.CORS_ALLOWED_ORIGINS ?? \"\")\n    .split(\",\")\n    .map((s) => s.trim())\n    .filter(Boolean);\n}\n\nexport function isTrustedNativeAppOrigin(origin: string): boolean {\n  return NATIVE_APP_ORIGIN_RE.test(origin);\n}\n\nexport function isLocalhostOrigin(origin: string): boolean {\n  return LOCALHOST_ORIGIN_RE.test(origin);\n}\n\nexport function getAllowedCorsOrigin(\n  origin: string | undefined,\n  options: CorsOriginOptions = {},\n): string | null {\n  if (!origin) return null;\n\n  // Tauri's production WebView uses a private app origin. It is not a\n  // deploy-configured website origin, so keep it reachable even when an app\n  // also has CORS_ALLOWED_ORIGINS for browser embeds or previews.\n  if (isTrustedNativeAppOrigin(origin)) return origin;\n\n  const allowedOrigins = options.allowedOrigins ?? readCorsAllowedOrigins();\n  if (allowedOrigins.length > 0) {\n    return allowedOrigins.includes(origin) ? origin : null;\n  }\n\n  if (options.allowAnyOriginWhenNoAllowlist) return origin;\n\n  // Default: allow localhost only in development. Production with no allowlist\n  // must deny localhost callers — an arbitrary process on the user's machine\n  // must not make readable credentialed cross-origin calls to a production API.\n  const allowLocalhost =\n    options.allowLocalhostWhenNoAllowlist ??\n    process.env.NODE_ENV === \"development\";\n  if (allowLocalhost) {\n    return isLocalhostOrigin(origin) ? origin : null;\n  }\n\n  return null;\n}\n"]}

package/dist/server/create-server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"create-server.d.ts","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EAOb,MAAM,IAAI,CAAC;AAkBZ,MAAM,WAAW,YAAY;IAC3B,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,oFAAoF;IACpF,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,gFAAgF;IAChF,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;IACvC,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uHAAuH;IACvH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;CAC1B;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,KAAK,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,GAC1C,OAAO,CAAC,IAAI,CAAC,CAoDf;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;IAClC,MAAM,EAAE,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;CACzC;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAC1B,OAAO,GAAE,mBAAwB,GAChC,kBAAkB,CAyMpB"}
+{"version":3,"file":"create-server.d.ts","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EAOb,MAAM,IAAI,CAAC;AAkBZ,MAAM,WAAW,YAAY;IAC3B,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,oFAAoF;IACpF,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,gFAAgF;IAChF,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;IACvC,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,qFAAqF;IACrF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mEAAmE;IACnE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,uHAAuH;IACvH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;CAC1B;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,KAAK,CAAC;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC,GAC1C,OAAO,CAAC,IAAI,CAAC,CAoDf;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,UAAU,CAAC,OAAO,SAAS,CAAC,CAAC;IAClC,MAAM,EAAE,UAAU,CAAC,OAAO,YAAY,CAAC,CAAC;CACzC;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAC1B,OAAO,GAAE,mBAAwB,GAChC,kBAAkB,CA0MpB"}

package/dist/server/create-server.js

@@ -115,7 +115,8 @@ export function createServer(options = {}) {
                 : getAllowedCorsOrigin(requestOrigin, {
                     allowedOrigins,
                     allowAnyOriginWhenNoAllowlist: !isProduction,
-                    allowLocalhostWhenNoAllowlist: true,
+                    // Let the cors-origins default apply (dev-only). Passing `true`
+                    // here unconditionally would re-open the production localhost gap.
                 });
             // No origin header at all (same-origin fetch, server-to-server) and
             // no allowlist → fall through with `*`-equivalent behaviour: omit

package/dist/server/create-server.js.map

@@ -1 +1 @@
-{"version":3,"file":"create-server.js","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AA0BxD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,IAA2C;IAE3C,gEAAgE;IAChE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;QAClC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,6BAA6B,GAAG,mDAAmD,CACpF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE9B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,yBAAyB;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE7D,iCAAiC;IACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAChC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;YAClC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtB,OAAO,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;IAClC,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;AACH,CAAC;AAOD;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,UAA+B,EAAE;IAEjC,MAAM,GAAG,GAAG,SAAS,CAAC;QACpB,OAAO,CAAC,KAAK,EAAE,KAAK;YAClB,yFAAyF;YACzF,MAAM,GAAG,GAAG,KAA8B,CAAC;YAC3C,MAAM,IAAI,GAAG,GAAG,EAAE,IAAI,IAAK,GAAG,EAAE,KAA+B,EAAE,IAAI,CAAC;YACtE,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,cAAc;gBAAE,OAAO;YAC7D,IAAI,GAAG,EAAE,OAAO,KAAK,SAAS;gBAAE,OAAO;YACvC,OAAO,CAAC,KAAK,CACX,gCAAgC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,EAAE,EAC5D,KAAK,CACN,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;QAChD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QAE3D;;;;WAIG;QACH,GAAG,CAAC,GAAG,CACL,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YAChC,MAAM,gBAAgB,GAAG,MAAM,CAC7B,gBAAgB,CAAC,KAAK,EAAE,gCAAgC,CAAC,IAAI,EAAE,CAChE;iBACE,WAAW,EAAE;iBACb,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAClC,MAAM,gBAAgB,GACpB,oBAAoB,CAAC,aAAa,CAAC;gBACnC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC;oBAC3D,gBAAgB,CAAC,QAAQ,CAAC,uBAAuB,CAAC;oBAClD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;oBACrD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;oBACzD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;YAEvD;;;;;;;eAOG;YACH,MAAM,aAAa,GAAG,gBAAgB;gBACpC,CAAC,CAAC,aAAa;gBACf,CAAC,CAAC,oBAAoB,CAAC,aAAa,EAAE;oBAClC,cAAc;oBACd,6BAA6B,EAAE,CAAC,YAAY;oBAC5C,6BAA6B,EAAE,IAAI;iBACpC,CAAC,CAAC;YACP,oEAAoE;YACpE,kEAAkE;YAClE,mEAAmE;YAEnE,IAAI,aAAa,EAAE,CAAC;gBAClB,iBAAiB,CACf,KAAK,EACL,6BAA6B,EAC7B,aAAa,CACd,CAAC;gBACF,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC3C,6DAA6D;gBAC7D,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,iDAAiD;gBACjD,IAAI,8BAA8B,CAAC,aAAa,CAAC,EAAE,CAAC;oBAClD,iBAAiB,CACf,KAAK,EACL,kCAAkC,EAClC,MAAM,CACP,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC1B,kEAAkE;gBAClE,gEAAgE;gBAChE,2CAA2C;gBAC3C,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;YAED,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;YACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;YAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,kEAAkE;gBAClE,+DAA+D;gBAC/D,mEAAmE;gBACnE,iEAAiE;gBACjE,qEAAqE;gBACrE,IAAI,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;oBACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEhB,eAAe;IACf,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,CACR,qBAAqB,EACrB,kBAAkB,CAAC,GAAG,EAAE;YACtB,MAAM,OAAO,GACX,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,MAAM,CAAC;YAC5D,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAEhC,MAAM,CAAC,GAAG,CACR,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE;YACtB,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC3B,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,KAAK;gBAC/B,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;gBAClC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAC,CAAC,CAAC;QACN,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,yBAAyB,EACzB,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;YAC1C,kEAAkE;YAClE,0DAA0D;YAC1D,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;gBAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,0JAA0J;iBAC7J,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,EAAE,IAAI,EAAE,GAAG,IAEhB,CAAC;YAEF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;YAC1C,CAAC;YAED,6CAA6C;YAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvD,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAS,gBAAgB,CAAC,CAAC;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAC1B,CAAC,CAAC,EAAE,EAAE,CACJ,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;gBACzB,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACtB,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CACrC,CAAC;YACF,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;YACxD,CAAC;YAED,qBAAqB;YACrB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;YACjD,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAEvC,oEAAoE;YACpE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAC3B,CAAC;YAED,mDAAmD;YACnD,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAE3B,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AACzB,CAAC","sourcesContent":["import {\n  createApp,\n  createRouter,\n  defineEventHandler,\n  getMethod,\n  getRequestHeader,\n  setResponseHeader,\n  setResponseStatus,\n  type H3Event,\n} from \"h3\";\nimport path from \"path\";\nimport { agentEnv } from \"../shared/agent-env.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n  getAllowedCorsOrigin,\n  readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport { isEnvVarWriteAllowed } from \"./env-var-writes.js\";\nimport { EMBED_TARGET_HEADER } from \"../shared/embed-auth.js\";\nimport {\n  EMBED_TRANSPLANT_HEADER,\n  isMcpEmbedCorsOrigin,\n  MCP_EMBED_CORS_ALLOW_HEADERS,\n  shouldAllowMcpEmbedCredentials,\n} from \"../shared/mcp-embed-headers.js\";\nimport { BUILDER_ENV_KEYS } from \"./builder-browser.js\";\n\nexport interface EnvKeyConfig {\n  /** Environment variable name (e.g. \"HUBSPOT_ACCESS_TOKEN\") */\n  key: string;\n  /** Human-readable label (e.g. \"HubSpot\") */\n  label: string;\n  /** Whether this key is required for the app to function */\n  required?: boolean;\n  /** Optional UI hint shown next to the field describing where to find this value. */\n  helpText?: string;\n}\n\nexport interface CreateServerOptions {\n  /** CORS options. Ignored (H3 handles CORS via middleware). Default: enabled. */\n  cors?: Record<string, unknown> | false;\n  /** JSON body parser limit. Kept for API compatibility (H3 uses readBody). */\n  jsonLimit?: string;\n  /** Custom ping message. Default: reads PING_MESSAGE env var, falls back to \"pong\" */\n  pingMessage?: string;\n  /** Disable the /_agent-native/ping health check. Default: false */\n  disablePing?: boolean;\n  /** Env key configuration for the settings UI. Enables /_agent-native/env-status and /_agent-native/env-vars routes. */\n  envKeys?: EnvKeyConfig[];\n}\n\n/**\n * Upsert vars into a .env file, preserving existing structure.\n */\nexport async function upsertEnvFile(\n  envPath: string,\n  vars: Array<{ key: string; value: string }>,\n): Promise<void> {\n  // Sanitize: reject values that could inject additional env vars\n  for (const { key, value } of vars) {\n    if (/[\\n\\r\\0]/.test(value)) {\n      throw new Error(\n        `Invalid env var value for ${key}: must not contain newlines or control characters`,\n      );\n    }\n  }\n\n  const fs = await import(\"fs\");\n\n  let content = \"\";\n  try {\n    content = fs.readFileSync(envPath, \"utf-8\");\n  } catch {\n    // File doesn't exist yet\n  }\n\n  const lines = content.split(\"\\n\");\n  const remaining = new Map(vars.map((v) => [v.key, v.value]));\n\n  // Update existing lines in place\n  const updated = lines.map((line) => {\n    const trimmed = line.trim();\n    if (!trimmed || trimmed.startsWith(\"#\")) return line;\n    const eqIndex = trimmed.indexOf(\"=\");\n    if (eqIndex === -1) return line;\n    const key = trimmed.slice(0, eqIndex).trim();\n    if (remaining.has(key)) {\n      const value = remaining.get(key)!;\n      remaining.delete(key);\n      return `${key}=${value}`;\n    }\n    return line;\n  });\n\n  // Append new vars\n  for (const [key, value] of remaining) {\n    updated.push(`${key}=${value}`);\n  }\n\n  // Ensure trailing newline\n  let result = updated.join(\"\\n\");\n  if (!result.endsWith(\"\\n\")) result += \"\\n\";\n\n  try {\n    fs.mkdirSync(path.dirname(envPath), { recursive: true });\n    fs.writeFileSync(envPath, result);\n  } catch {\n    // Edge runtimes don't have writable filesystem — skip silently\n  }\n}\n\nexport interface CreateServerResult {\n  app: ReturnType<typeof createApp>;\n  router: ReturnType<typeof createRouter>;\n}\n\n/**\n * Create a pre-configured H3 app with standard agent-native setup:\n * - CORS headers via middleware\n * - /_agent-native/ping health check\n * - /_agent-native/env-status and /_agent-native/env-vars (when envKeys is provided)\n *\n * Returns { app, router } — mount routes on `router`.\n */\nexport function createServer(\n  options: CreateServerOptions = {},\n): CreateServerResult {\n  const app = createApp({\n    onError(error, event) {\n      // Suppress connection-reset errors — client disconnected mid-request (tab close, reload)\n      const err = error as NodeJS.ErrnoException;\n      const code = err?.code || (err?.cause as NodeJS.ErrnoException)?.code;\n      if (code === \"ECONNRESET\" || code === \"ECONNABORTED\") return;\n      if (err?.message === \"aborted\") return;\n      console.error(\n        `[agent-native] Server error: ${event.method} ${event.path}`,\n        error,\n      );\n    },\n  });\n\n  // CORS middleware\n  if (options.cors !== false) {\n    const allowedOrigins = readCorsAllowedOrigins();\n    const isProduction = process.env.NODE_ENV === \"production\";\n\n    /**\n     * When CORS_ALLOWED_ORIGINS is unset, production only allows trusted\n     * localhost/native desktop origins. Development keeps the legacy \"echo\n     * any origin\" behavior so local tools and docs previews keep working.\n     */\n    app.use(\n      defineEventHandler((event) => {\n        const requestOrigin = getRequestHeader(event, \"origin\");\n        const method = getMethod(event);\n        const requestedHeaders = String(\n          getRequestHeader(event, \"access-control-request-headers\") ?? \"\",\n        )\n          .toLowerCase()\n          .split(\",\")\n          .map((header) => header.trim());\n        const embedCorsRequest =\n          isMcpEmbedCorsOrigin(requestOrigin) &&\n          (requestedHeaders.includes(EMBED_TARGET_HEADER.toLowerCase()) ||\n            requestedHeaders.includes(EMBED_TRANSPLANT_HEADER) ||\n            Boolean(getRequestHeader(event, EMBED_TARGET_HEADER)) ||\n            Boolean(getRequestHeader(event, EMBED_TRANSPLANT_HEADER)) ||\n            Boolean(getRequestHeader(event, \"authorization\")));\n\n        /**\n         * Decide whether the requesting origin is allowed. We never fall back\n         * to \"the first allowlist entry\" when the origin isn't in the list —\n         * that previously sent `Access-Control-Allow-Origin: <other-origin>`\n         * with credentials enabled to attacker-controlled origins, which was\n         * permissive enough that some clients followed through with the\n         * credentialed request.\n         */\n        const allowedOrigin = embedCorsRequest\n          ? requestOrigin\n          : getAllowedCorsOrigin(requestOrigin, {\n              allowedOrigins,\n              allowAnyOriginWhenNoAllowlist: !isProduction,\n              allowLocalhostWhenNoAllowlist: true,\n            });\n        // No origin header at all (same-origin fetch, server-to-server) and\n        // no allowlist → fall through with `*`-equivalent behaviour: omit\n        // ACAO entirely and let the browser apply its same-origin default.\n\n        if (allowedOrigin) {\n          setResponseHeader(\n            event,\n            \"Access-Control-Allow-Origin\",\n            allowedOrigin,\n          );\n          setResponseHeader(event, \"Vary\", \"Origin\");\n          // A specific origin means we can honor credentialed requests\n          // (fetch with `credentials: \"include\"` — used by desktop tray\n          // apps that share a same-site cookie with the web app). The\n          // wildcard `*` is spec-incompatible with credentials, so only\n          // set this when we're echoing a concrete origin.\n          if (shouldAllowMcpEmbedCredentials(allowedOrigin)) {\n            setResponseHeader(\n              event,\n              \"Access-Control-Allow-Credentials\",\n              \"true\",\n            );\n          }\n        } else if (!requestOrigin) {\n          // No origin header — preserve the legacy permissive behaviour for\n          // tools/scripts that hit the API directly (no credentialed CORS\n          // semantics apply when there's no Origin).\n          setResponseHeader(event, \"Access-Control-Allow-Origin\", \"*\");\n        }\n\n        setResponseHeader(\n          event,\n          \"Access-Control-Allow-Methods\",\n          \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n        );\n        setResponseHeader(\n          event,\n          \"Access-Control-Allow-Headers\",\n          MCP_EMBED_CORS_ALLOW_HEADERS,\n        );\n\n        if (method === \"OPTIONS\") {\n          // Reject preflights from disallowed cross-origin callers. We only\n          // 204 if either (a) there was no Origin header (same-origin or\n          // direct script invocation) or (b) the origin was in the allowlist\n          // / dev fallback above. Otherwise we 403 so the browser surfaces\n          // a hard CORS failure rather than blindly retrying with credentials.\n          if (requestOrigin && !allowedOrigin) {\n            return new Response(null, { status: 403 });\n          }\n          return new Response(null, { status: 204 });\n        }\n      }),\n    );\n  }\n\n  const router = createRouter();\n  app.use(router);\n\n  // Health check\n  if (!options.disablePing) {\n    router.get(\n      \"/_agent-native/ping\",\n      defineEventHandler(() => {\n        const message =\n          options.pingMessage ?? process.env.PING_MESSAGE ?? \"pong\";\n        return { message };\n      }),\n    );\n  }\n\n  // Env key management routes\n  if (options.envKeys) {\n    const envKeys = options.envKeys;\n\n    router.get(\n      \"/_agent-native/env-status\",\n      defineEventHandler(() => {\n        return envKeys.map((cfg) => ({\n          key: cfg.key,\n          label: cfg.label,\n          required: cfg.required ?? false,\n          configured: !!process.env[cfg.key],\n          ...(cfg.helpText ? { helpText: cfg.helpText } : {}),\n        }));\n      }),\n    );\n\n    router.post(\n      \"/_agent-native/env-vars\",\n      defineEventHandler(async (event: H3Event) => {\n        // Env vars are deployment-wide globals — see isEnvVarWriteAllowed\n        // above. Disable the endpoint on any multi-tenant deploy.\n        if (!isEnvVarWriteAllowed()) {\n          setResponseStatus(event, 403);\n          return {\n            error:\n              \"env-vars endpoint disabled on multi-tenant deployments. Use saveCredential(key, value, { userEmail, orgId, scope: 'org' }) to store per-org credentials.\",\n          };\n        }\n\n        const body = await readBody(event);\n        const { vars } = body as {\n          vars?: Array<{ key: string; value: string }>;\n        };\n\n        if (!Array.isArray(vars) || vars.length === 0) {\n          setResponseStatus(event, 400);\n          return { error: \"vars array required\" };\n        }\n\n        // Only allow keys that are in the env config\n        const allowedKeys = new Set(envKeys.map((k) => k.key));\n        const blockedEnvVarWriteKeys = new Set<string>(BUILDER_ENV_KEYS);\n        const filtered = vars.filter(\n          (v) =>\n            typeof v.key === \"string\" &&\n            allowedKeys.has(v.key) &&\n            !blockedEnvVarWriteKeys.has(v.key),\n        );\n        if (filtered.length === 0) {\n          setResponseStatus(event, 400);\n          return { error: \"No recognized env keys in request\" };\n        }\n\n        // Write to .env file\n        const envPath = path.join(process.cwd(), \".env\");\n        await upsertEnvFile(envPath, filtered);\n\n        // Update process.env so the app picks up the new values immediately\n        for (const { key, value } of filtered) {\n          process.env[key] = value;\n        }\n\n        // Notify parent (Builder or frame) via postMessage\n        agentEnv.setVars(filtered);\n\n        return { saved: filtered.map((v) => v.key) };\n      }),\n    );\n  }\n\n  return { app, router };\n}\n"]}
+{"version":3,"file":"create-server.js","sourceRoot":"","sources":["../../src/server/create-server.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,yBAAyB,CAAC;AACnD,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,4BAA4B,EAC5B,8BAA8B,GAC/B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AA0BxD;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAe,EACf,IAA2C;IAE3C,gEAAgE;IAChE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;QAClC,IAAI,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,6BAA6B,GAAG,mDAAmD,CACpF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;IAE9B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,yBAAyB;IAC3B,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAE7D,iCAAiC;IACjC,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAChC,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAC7C,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;YAClC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACtB,OAAO,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;QAC3B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,kBAAkB;IAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,SAAS,EAAE,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;IAClC,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,MAAM,IAAI,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;AACH,CAAC;AAOD;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAC1B,UAA+B,EAAE;IAEjC,MAAM,GAAG,GAAG,SAAS,CAAC;QACpB,OAAO,CAAC,KAAK,EAAE,KAAK;YAClB,yFAAyF;YACzF,MAAM,GAAG,GAAG,KAA8B,CAAC;YAC3C,MAAM,IAAI,GAAG,GAAG,EAAE,IAAI,IAAK,GAAG,EAAE,KAA+B,EAAE,IAAI,CAAC;YACtE,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,cAAc;gBAAE,OAAO;YAC7D,IAAI,GAAG,EAAE,OAAO,KAAK,SAAS;gBAAE,OAAO;YACvC,OAAO,CAAC,KAAK,CACX,gCAAgC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,IAAI,EAAE,EAC5D,KAAK,CACN,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IAEH,kBAAkB;IAClB,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC3B,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;QAChD,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;QAE3D;;;;WAIG;QACH,GAAG,CAAC,GAAG,CACL,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;YAC3B,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACxD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YAChC,MAAM,gBAAgB,GAAG,MAAM,CAC7B,gBAAgB,CAAC,KAAK,EAAE,gCAAgC,CAAC,IAAI,EAAE,CAChE;iBACE,WAAW,EAAE;iBACb,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAClC,MAAM,gBAAgB,GACpB,oBAAoB,CAAC,aAAa,CAAC;gBACnC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC;oBAC3D,gBAAgB,CAAC,QAAQ,CAAC,uBAAuB,CAAC;oBAClD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;oBACrD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;oBACzD,OAAO,CAAC,gBAAgB,CAAC,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC;YAEvD;;;;;;;eAOG;YACH,MAAM,aAAa,GAAG,gBAAgB;gBACpC,CAAC,CAAC,aAAa;gBACf,CAAC,CAAC,oBAAoB,CAAC,aAAa,EAAE;oBAClC,cAAc;oBACd,6BAA6B,EAAE,CAAC,YAAY;oBAC5C,gEAAgE;oBAChE,mEAAmE;iBACpE,CAAC,CAAC;YACP,oEAAoE;YACpE,kEAAkE;YAClE,mEAAmE;YAEnE,IAAI,aAAa,EAAE,CAAC;gBAClB,iBAAiB,CACf,KAAK,EACL,6BAA6B,EAC7B,aAAa,CACd,CAAC;gBACF,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;gBAC3C,6DAA6D;gBAC7D,8DAA8D;gBAC9D,4DAA4D;gBAC5D,8DAA8D;gBAC9D,iDAAiD;gBACjD,IAAI,8BAA8B,CAAC,aAAa,CAAC,EAAE,CAAC;oBAClD,iBAAiB,CACf,KAAK,EACL,kCAAkC,EAClC,MAAM,CACP,CAAC;gBACJ,CAAC;YACH,CAAC;iBAAM,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC1B,kEAAkE;gBAClE,gEAAgE;gBAChE,2CAA2C;gBAC3C,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,GAAG,CAAC,CAAC;YAC/D,CAAC;YAED,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;YACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;YAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,kEAAkE;gBAClE,+DAA+D;gBAC/D,mEAAmE;gBACnE,iEAAiE;gBACjE,qEAAqE;gBACrE,IAAI,aAAa,IAAI,CAAC,aAAa,EAAE,CAAC;oBACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;gBAC7C,CAAC;gBACD,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEhB,eAAe;IACf,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,CACR,qBAAqB,EACrB,kBAAkB,CAAC,GAAG,EAAE;YACtB,MAAM,OAAO,GACX,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,MAAM,CAAC;YAC5D,OAAO,EAAE,OAAO,EAAE,CAAC;QACrB,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAEhC,MAAM,CAAC,GAAG,CACR,2BAA2B,EAC3B,kBAAkB,CAAC,GAAG,EAAE;YACtB,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBAC3B,GAAG,EAAE,GAAG,CAAC,GAAG;gBACZ,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,KAAK;gBAC/B,UAAU,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC;gBAClC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACpD,CAAC,CAAC,CAAC;QACN,CAAC,CAAC,CACH,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,yBAAyB,EACzB,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;YAC1C,kEAAkE;YAClE,0DAA0D;YAC1D,IAAI,CAAC,oBAAoB,EAAE,EAAE,CAAC;gBAC5B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,0JAA0J;iBAC7J,CAAC;YACJ,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;YACnC,MAAM,EAAE,IAAI,EAAE,GAAG,IAEhB,CAAC;YAEF,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;YAC1C,CAAC;YAED,6CAA6C;YAC7C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvD,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAS,gBAAgB,CAAC,CAAC;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAC1B,CAAC,CAAC,EAAE,EAAE,CACJ,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;gBACzB,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACtB,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CACrC,CAAC;YACF,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;YACxD,CAAC;YAED,qBAAqB;YACrB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;YACjD,MAAM,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAEvC,oEAAoE;YACpE,KAAK,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACtC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YAC3B,CAAC;YAED,mDAAmD;YACnD,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAE3B,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,CAAC,CAAC,CACH,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,CAAC;AACzB,CAAC","sourcesContent":["import {\n  createApp,\n  createRouter,\n  defineEventHandler,\n  getMethod,\n  getRequestHeader,\n  setResponseHeader,\n  setResponseStatus,\n  type H3Event,\n} from \"h3\";\nimport path from \"path\";\nimport { agentEnv } from \"../shared/agent-env.js\";\nimport { readBody } from \"../server/h3-helpers.js\";\nimport {\n  getAllowedCorsOrigin,\n  readCorsAllowedOrigins,\n} from \"./cors-origins.js\";\nimport { isEnvVarWriteAllowed } from \"./env-var-writes.js\";\nimport { EMBED_TARGET_HEADER } from \"../shared/embed-auth.js\";\nimport {\n  EMBED_TRANSPLANT_HEADER,\n  isMcpEmbedCorsOrigin,\n  MCP_EMBED_CORS_ALLOW_HEADERS,\n  shouldAllowMcpEmbedCredentials,\n} from \"../shared/mcp-embed-headers.js\";\nimport { BUILDER_ENV_KEYS } from \"./builder-browser.js\";\n\nexport interface EnvKeyConfig {\n  /** Environment variable name (e.g. \"HUBSPOT_ACCESS_TOKEN\") */\n  key: string;\n  /** Human-readable label (e.g. \"HubSpot\") */\n  label: string;\n  /** Whether this key is required for the app to function */\n  required?: boolean;\n  /** Optional UI hint shown next to the field describing where to find this value. */\n  helpText?: string;\n}\n\nexport interface CreateServerOptions {\n  /** CORS options. Ignored (H3 handles CORS via middleware). Default: enabled. */\n  cors?: Record<string, unknown> | false;\n  /** JSON body parser limit. Kept for API compatibility (H3 uses readBody). */\n  jsonLimit?: string;\n  /** Custom ping message. Default: reads PING_MESSAGE env var, falls back to \"pong\" */\n  pingMessage?: string;\n  /** Disable the /_agent-native/ping health check. Default: false */\n  disablePing?: boolean;\n  /** Env key configuration for the settings UI. Enables /_agent-native/env-status and /_agent-native/env-vars routes. */\n  envKeys?: EnvKeyConfig[];\n}\n\n/**\n * Upsert vars into a .env file, preserving existing structure.\n */\nexport async function upsertEnvFile(\n  envPath: string,\n  vars: Array<{ key: string; value: string }>,\n): Promise<void> {\n  // Sanitize: reject values that could inject additional env vars\n  for (const { key, value } of vars) {\n    if (/[\\n\\r\\0]/.test(value)) {\n      throw new Error(\n        `Invalid env var value for ${key}: must not contain newlines or control characters`,\n      );\n    }\n  }\n\n  const fs = await import(\"fs\");\n\n  let content = \"\";\n  try {\n    content = fs.readFileSync(envPath, \"utf-8\");\n  } catch {\n    // File doesn't exist yet\n  }\n\n  const lines = content.split(\"\\n\");\n  const remaining = new Map(vars.map((v) => [v.key, v.value]));\n\n  // Update existing lines in place\n  const updated = lines.map((line) => {\n    const trimmed = line.trim();\n    if (!trimmed || trimmed.startsWith(\"#\")) return line;\n    const eqIndex = trimmed.indexOf(\"=\");\n    if (eqIndex === -1) return line;\n    const key = trimmed.slice(0, eqIndex).trim();\n    if (remaining.has(key)) {\n      const value = remaining.get(key)!;\n      remaining.delete(key);\n      return `${key}=${value}`;\n    }\n    return line;\n  });\n\n  // Append new vars\n  for (const [key, value] of remaining) {\n    updated.push(`${key}=${value}`);\n  }\n\n  // Ensure trailing newline\n  let result = updated.join(\"\\n\");\n  if (!result.endsWith(\"\\n\")) result += \"\\n\";\n\n  try {\n    fs.mkdirSync(path.dirname(envPath), { recursive: true });\n    fs.writeFileSync(envPath, result);\n  } catch {\n    // Edge runtimes don't have writable filesystem — skip silently\n  }\n}\n\nexport interface CreateServerResult {\n  app: ReturnType<typeof createApp>;\n  router: ReturnType<typeof createRouter>;\n}\n\n/**\n * Create a pre-configured H3 app with standard agent-native setup:\n * - CORS headers via middleware\n * - /_agent-native/ping health check\n * - /_agent-native/env-status and /_agent-native/env-vars (when envKeys is provided)\n *\n * Returns { app, router } — mount routes on `router`.\n */\nexport function createServer(\n  options: CreateServerOptions = {},\n): CreateServerResult {\n  const app = createApp({\n    onError(error, event) {\n      // Suppress connection-reset errors — client disconnected mid-request (tab close, reload)\n      const err = error as NodeJS.ErrnoException;\n      const code = err?.code || (err?.cause as NodeJS.ErrnoException)?.code;\n      if (code === \"ECONNRESET\" || code === \"ECONNABORTED\") return;\n      if (err?.message === \"aborted\") return;\n      console.error(\n        `[agent-native] Server error: ${event.method} ${event.path}`,\n        error,\n      );\n    },\n  });\n\n  // CORS middleware\n  if (options.cors !== false) {\n    const allowedOrigins = readCorsAllowedOrigins();\n    const isProduction = process.env.NODE_ENV === \"production\";\n\n    /**\n     * When CORS_ALLOWED_ORIGINS is unset, production only allows trusted\n     * localhost/native desktop origins. Development keeps the legacy \"echo\n     * any origin\" behavior so local tools and docs previews keep working.\n     */\n    app.use(\n      defineEventHandler((event) => {\n        const requestOrigin = getRequestHeader(event, \"origin\");\n        const method = getMethod(event);\n        const requestedHeaders = String(\n          getRequestHeader(event, \"access-control-request-headers\") ?? \"\",\n        )\n          .toLowerCase()\n          .split(\",\")\n          .map((header) => header.trim());\n        const embedCorsRequest =\n          isMcpEmbedCorsOrigin(requestOrigin) &&\n          (requestedHeaders.includes(EMBED_TARGET_HEADER.toLowerCase()) ||\n            requestedHeaders.includes(EMBED_TRANSPLANT_HEADER) ||\n            Boolean(getRequestHeader(event, EMBED_TARGET_HEADER)) ||\n            Boolean(getRequestHeader(event, EMBED_TRANSPLANT_HEADER)) ||\n            Boolean(getRequestHeader(event, \"authorization\")));\n\n        /**\n         * Decide whether the requesting origin is allowed. We never fall back\n         * to \"the first allowlist entry\" when the origin isn't in the list —\n         * that previously sent `Access-Control-Allow-Origin: <other-origin>`\n         * with credentials enabled to attacker-controlled origins, which was\n         * permissive enough that some clients followed through with the\n         * credentialed request.\n         */\n        const allowedOrigin = embedCorsRequest\n          ? requestOrigin\n          : getAllowedCorsOrigin(requestOrigin, {\n              allowedOrigins,\n              allowAnyOriginWhenNoAllowlist: !isProduction,\n              // Let the cors-origins default apply (dev-only). Passing `true`\n              // here unconditionally would re-open the production localhost gap.\n            });\n        // No origin header at all (same-origin fetch, server-to-server) and\n        // no allowlist → fall through with `*`-equivalent behaviour: omit\n        // ACAO entirely and let the browser apply its same-origin default.\n\n        if (allowedOrigin) {\n          setResponseHeader(\n            event,\n            \"Access-Control-Allow-Origin\",\n            allowedOrigin,\n          );\n          setResponseHeader(event, \"Vary\", \"Origin\");\n          // A specific origin means we can honor credentialed requests\n          // (fetch with `credentials: \"include\"` — used by desktop tray\n          // apps that share a same-site cookie with the web app). The\n          // wildcard `*` is spec-incompatible with credentials, so only\n          // set this when we're echoing a concrete origin.\n          if (shouldAllowMcpEmbedCredentials(allowedOrigin)) {\n            setResponseHeader(\n              event,\n              \"Access-Control-Allow-Credentials\",\n              \"true\",\n            );\n          }\n        } else if (!requestOrigin) {\n          // No origin header — preserve the legacy permissive behaviour for\n          // tools/scripts that hit the API directly (no credentialed CORS\n          // semantics apply when there's no Origin).\n          setResponseHeader(event, \"Access-Control-Allow-Origin\", \"*\");\n        }\n\n        setResponseHeader(\n          event,\n          \"Access-Control-Allow-Methods\",\n          \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n        );\n        setResponseHeader(\n          event,\n          \"Access-Control-Allow-Headers\",\n          MCP_EMBED_CORS_ALLOW_HEADERS,\n        );\n\n        if (method === \"OPTIONS\") {\n          // Reject preflights from disallowed cross-origin callers. We only\n          // 204 if either (a) there was no Origin header (same-origin or\n          // direct script invocation) or (b) the origin was in the allowlist\n          // / dev fallback above. Otherwise we 403 so the browser surfaces\n          // a hard CORS failure rather than blindly retrying with credentials.\n          if (requestOrigin && !allowedOrigin) {\n            return new Response(null, { status: 403 });\n          }\n          return new Response(null, { status: 204 });\n        }\n      }),\n    );\n  }\n\n  const router = createRouter();\n  app.use(router);\n\n  // Health check\n  if (!options.disablePing) {\n    router.get(\n      \"/_agent-native/ping\",\n      defineEventHandler(() => {\n        const message =\n          options.pingMessage ?? process.env.PING_MESSAGE ?? \"pong\";\n        return { message };\n      }),\n    );\n  }\n\n  // Env key management routes\n  if (options.envKeys) {\n    const envKeys = options.envKeys;\n\n    router.get(\n      \"/_agent-native/env-status\",\n      defineEventHandler(() => {\n        return envKeys.map((cfg) => ({\n          key: cfg.key,\n          label: cfg.label,\n          required: cfg.required ?? false,\n          configured: !!process.env[cfg.key],\n          ...(cfg.helpText ? { helpText: cfg.helpText } : {}),\n        }));\n      }),\n    );\n\n    router.post(\n      \"/_agent-native/env-vars\",\n      defineEventHandler(async (event: H3Event) => {\n        // Env vars are deployment-wide globals — see isEnvVarWriteAllowed\n        // above. Disable the endpoint on any multi-tenant deploy.\n        if (!isEnvVarWriteAllowed()) {\n          setResponseStatus(event, 403);\n          return {\n            error:\n              \"env-vars endpoint disabled on multi-tenant deployments. Use saveCredential(key, value, { userEmail, orgId, scope: 'org' }) to store per-org credentials.\",\n          };\n        }\n\n        const body = await readBody(event);\n        const { vars } = body as {\n          vars?: Array<{ key: string; value: string }>;\n        };\n\n        if (!Array.isArray(vars) || vars.length === 0) {\n          setResponseStatus(event, 400);\n          return { error: \"vars array required\" };\n        }\n\n        // Only allow keys that are in the env config\n        const allowedKeys = new Set(envKeys.map((k) => k.key));\n        const blockedEnvVarWriteKeys = new Set<string>(BUILDER_ENV_KEYS);\n        const filtered = vars.filter(\n          (v) =>\n            typeof v.key === \"string\" &&\n            allowedKeys.has(v.key) &&\n            !blockedEnvVarWriteKeys.has(v.key),\n        );\n        if (filtered.length === 0) {\n          setResponseStatus(event, 400);\n          return { error: \"No recognized env keys in request\" };\n        }\n\n        // Write to .env file\n        const envPath = path.join(process.cwd(), \".env\");\n        await upsertEnvFile(envPath, filtered);\n\n        // Update process.env so the app picks up the new values immediately\n        for (const { key, value } of filtered) {\n          process.env[key] = value;\n        }\n\n        // Notify parent (Builder or frame) via postMessage\n        agentEnv.setVars(filtered);\n\n        return { saved: filtered.map((v) => v.key) };\n      }),\n    );\n  }\n\n  return { app, router };\n}\n"]}

package/dist/server/csrf.d.ts

@@ -55,5 +55,5 @@
  */
 export declare function createCsrfMiddleware(frameworkPrefix?: string): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, {
     error: string;
-}>;
+} | undefined>;
 //# sourceMappingURL=csrf.d.ts.map

package/dist/server/csrf.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/server/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAiHH;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,GAAE,MAAyB;;GAqB3C"}
+{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/server/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAiHH;;;;;;;;;;GAUG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,GAAE,MAAyB;;eAqB3C"}

package/dist/server/email-actions.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Framework-level agent action for sending transactional/notification emails
+ * via the configured core email transport (Resend or SendGrid).
+ *
+ * Registered as a native tool in every template when RESEND_API_KEY or
+ * SENDGRID_API_KEY is set. When neither key is present the tool is omitted
+ * from the agent surface so the agent never sees it.
+ *
+ * SAFETY: the action description instructs the agent to draft-first and only
+ * send when the user explicitly confirms, matching the mail template convention.
+ *
+ * COLLISION: the mail template registers its own richer "send-email" action.
+ * The template's registration comes after this one in the spread, so it wins
+ * when both would be present under the same key. To avoid any ambiguity this
+ * action is keyed "core-send-email" which is distinct from the template name.
+ */
+import type { ActionEntry } from "../agent/production-agent.js";
+export declare function createCoreEmailActionEntries(): Record<string, ActionEntry>;
+//# sourceMappingURL=email-actions.d.ts.map

package/dist/server/email-actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-actions.d.ts","sourceRoot":"","sources":["../../src/server/email-actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAmGhE,wBAAgB,4BAA4B,IAAI,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,CAwG1E"}

package/dist/server/email-actions.js

@@ -0,0 +1,191 @@
+/**
+ * Framework-level agent action for sending transactional/notification emails
+ * via the configured core email transport (Resend or SendGrid).
+ *
+ * Registered as a native tool in every template when RESEND_API_KEY or
+ * SENDGRID_API_KEY is set. When neither key is present the tool is omitted
+ * from the agent surface so the agent never sees it.
+ *
+ * SAFETY: the action description instructs the agent to draft-first and only
+ * send when the user explicitly confirms, matching the mail template convention.
+ *
+ * COLLISION: the mail template registers its own richer "send-email" action.
+ * The template's registration comes after this one in the spread, so it wins
+ * when both would be present under the same key. To avoid any ambiguity this
+ * action is keyed "core-send-email" which is distinct from the template name.
+ */
+import { isEmailConfigured, sendEmail } from "./email.js";
+function markdownToText(md) {
+    return md
+        .replace(/!\[([^\]]*)\]\([^\s)]+\)/g, "$1")
+        .replace(/\[([^\]]+)\]\([^\s)]+\)/g, "$1 ($2)")
+        .replace(/`([^`]+)`/g, "$1")
+        .replace(/\*\*([^*]+)\*\*/g, "$1")
+        .replace(/\*([^*\n]+)\*/g, "$1")
+        .replace(/^#{1,6}\s+/gm, "")
+        .trim();
+}
+function markdownToHtml(md) {
+    const normalized = md.replace(/\r\n/g, "\n").trim();
+    if (!normalized)
+        return "<p></p>";
+    // Escape HTML entities in a string, preserving already-encoded references.
+    const esc = (s) => s
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;");
+    // Inline markdown: links, bold, italic, code, bare URLs.
+    const inline = (s) => s
+        .replace(/\[([^\]]+)\]\((https?:\/\/[^\s)]+)\)/g, (_m, label, url) => `<a href="${esc(url)}" target="_blank" rel="noopener noreferrer">${esc(label)}</a>`)
+        .replace(/(^|[^\w"'=])(https?:\/\/[^\s<]+)/g, (_m, pre, url) => `${pre}<a href="${esc(url)}" target="_blank" rel="noopener noreferrer">${esc(url)}</a>`)
+        .replace(/`([^`]+)`/g, (_m, code) => `<code>${esc(code)}</code>`)
+        .replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>")
+        .replace(/(^|[\s(])\*([^*\n]+)\*(?=$|[\s).,!?:;])/g, "$1<em>$2</em>");
+    const blocks = normalized.split(/\n{2,}/);
+    const html = blocks
+        .map((block) => {
+        const trimmed = block.trim();
+        // Fenced code block
+        if (trimmed.startsWith("```") && trimmed.endsWith("```")) {
+            const code = trimmed
+                .replace(/^```[^\n]*\n?/, "")
+                .replace(/\n?```$/, "");
+            return `<pre><code>${esc(code)}</code></pre>`;
+        }
+        // Heading
+        const hm = trimmed.match(/^(#{1,6})\s+(.+)$/);
+        if (hm) {
+            const level = hm[1].length;
+            return `<h${level}>${inline(hm[2])}</h${level}>`;
+        }
+        // Unordered list
+        if (/^[-*+]\s+/m.test(trimmed)) {
+            const items = trimmed
+                .split("\n")
+                .filter(Boolean)
+                .map((l) => `<li>${inline(l.replace(/^[-*+]\s+/, ""))}</li>`)
+                .join("");
+            return `<ul style="margin:0 0 1em;padding-left:1.5em">${items}</ul>`;
+        }
+        // Ordered list
+        if (/^\d+\.\s+/m.test(trimmed)) {
+            const items = trimmed
+                .split("\n")
+                .filter(Boolean)
+                .map((l) => `<li>${inline(l.replace(/^\d+\.\s+/, ""))}</li>`)
+                .join("");
+            return `<ol style="margin:0 0 1em;padding-left:1.5em">${items}</ol>`;
+        }
+        // Blockquote
+        if (trimmed.startsWith("> ")) {
+            const inner = trimmed
+                .split("\n")
+                .map((l) => (l.startsWith("> ") ? l.slice(2) : l))
+                .join("\n");
+            return `<blockquote style="margin:0 0 1em 1em;border-left:3px solid #ccc;padding-left:0.75em;color:#555">${inline(inner)}</blockquote>`;
+        }
+        return `<p style="margin:0 0 1em">${inline(trimmed).replace(/\n/g, "<br />")}</p>`;
+    })
+        .join("");
+    return html;
+}
+export function createCoreEmailActionEntries() {
+    if (!isEmailConfigured())
+        return {};
+    return {
+        "core-send-email": {
+            tool: {
+                description: [
+                    "Send a transactional email via the app's configured email provider (Resend or SendGrid).",
+                    "",
+                    "IMPORTANT — DRAFT-FIRST SAFETY RULE: Never call this tool until the user has explicitly",
+                    "confirmed they want to send. Always compose the full email content first, show it to the",
+                    "user, and wait for an explicit 'yes, send it' before invoking this action.",
+                    "",
+                    "The body is written in markdown. Tables, lists, bold, italic, links, and code blocks",
+                    "are all supported and will render correctly in email clients.",
+                    "",
+                    "This sends via the framework transport (Resend/SendGrid). It is NOT the Gmail-based",
+                    "send-email action in the mail template — use this for system/notification emails from",
+                    "any template.",
+                ].join("\n"),
+                parameters: {
+                    type: "object",
+                    properties: {
+                        to: {
+                            type: "string",
+                            description: "Recipient email address.",
+                        },
+                        subject: {
+                            type: "string",
+                            description: "Email subject line.",
+                        },
+                        body: {
+                            type: "string",
+                            description: "Email body in markdown. Tables, lists, headings, bold, italic, links, and code blocks are supported.",
+                        },
+                        cc: {
+                            type: "string",
+                            description: "CC email address (single address only).",
+                        },
+                        bcc: {
+                            type: "string",
+                            description: "BCC email address (single address only).",
+                        },
+                        replyTo: {
+                            type: "string",
+                            description: "Reply-To address. Useful when sending on behalf of someone.",
+                        },
+                        from: {
+                            type: "string",
+                            description: 'Override the sender address. Must be a verified sender for the configured provider. Example: "Team Name <team@example.com>". Leave unset to use the default EMAIL_FROM env var.',
+                        },
+                    },
+                    required: ["to", "subject", "body"],
+                },
+            },
+            run: async (input) => {
+                const to = typeof input.to === "string" ? input.to.trim() : "";
+                const subject = typeof input.subject === "string" ? input.subject.trim() : "";
+                const bodyMd = typeof input.body === "string" ? input.body.trim() : "";
+                const cc = typeof input.cc === "string" && input.cc.trim()
+                    ? input.cc.trim()
+                    : undefined;
+                const bcc = typeof input.bcc === "string" && input.bcc.trim()
+                    ? input.bcc.trim()
+                    : undefined;
+                const replyTo = typeof input.replyTo === "string" && input.replyTo.trim()
+                    ? input.replyTo.trim()
+                    : undefined;
+                const from = typeof input.from === "string" && input.from.trim()
+                    ? input.from.trim()
+                    : undefined;
+                if (!to)
+                    return "Error: 'to' is required.";
+                if (!subject)
+                    return "Error: 'subject' is required.";
+                if (!bodyMd)
+                    return "Error: 'body' is required.";
+                try {
+                    await sendEmail({
+                        to,
+                        subject,
+                        html: markdownToHtml(bodyMd),
+                        text: markdownToText(bodyMd),
+                        ...(from ? { from } : {}),
+                        ...(cc ? { cc } : {}),
+                        ...(replyTo ? { replyTo } : {}),
+                    });
+                    const bccNote = bcc ? ` (bcc: ${bcc})` : "";
+                    return `Email sent to ${to}${bccNote}: "${subject}"`;
+                }
+                catch (err) {
+                    const msg = err instanceof Error ? err.message : String(err);
+                    return `Error sending email: ${msg}`;
+                }
+            },
+        },
+    };
+}
+//# sourceMappingURL=email-actions.js.map

package/dist/server/email-actions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email-actions.js","sourceRoot":"","sources":["../../src/server/email-actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE1D,SAAS,cAAc,CAAC,EAAU;IAChC,OAAO,EAAE;SACN,OAAO,CAAC,2BAA2B,EAAE,IAAI,CAAC;SAC1C,OAAO,CAAC,0BAA0B,EAAE,SAAS,CAAC;SAC9C,OAAO,CAAC,YAAY,EAAE,IAAI,CAAC;SAC3B,OAAO,CAAC,kBAAkB,EAAE,IAAI,CAAC;SACjC,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC;SAC/B,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC;SAC3B,IAAI,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,cAAc,CAAC,EAAU;IAChC,MAAM,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IACpD,IAAI,CAAC,UAAU;QAAE,OAAO,SAAS,CAAC;IAElC,2EAA2E;IAC3E,MAAM,GAAG,GAAG,CAAC,CAAS,EAAE,EAAE,CACxB,CAAC;SACE,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAE7B,yDAAyD;IACzD,MAAM,MAAM,GAAG,CAAC,CAAS,EAAU,EAAE,CACnC,CAAC;SACE,OAAO,CACN,uCAAuC,EACvC,CAAC,EAAE,EAAE,KAAa,EAAE,GAAW,EAAE,EAAE,CACjC,YAAY,GAAG,CAAC,GAAG,CAAC,+CAA+C,GAAG,CAAC,KAAK,CAAC,MAAM,CACtF;SACA,OAAO,CACN,mCAAmC,EACnC,CAAC,EAAE,EAAE,GAAW,EAAE,GAAW,EAAE,EAAE,CAC/B,GAAG,GAAG,YAAY,GAAG,CAAC,GAAG,CAAC,+CAA+C,GAAG,CAAC,GAAG,CAAC,MAAM,CAC1F;SACA,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,EAAE,IAAY,EAAE,EAAE,CAAC,SAAS,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;SACxE,OAAO,CAAC,kBAAkB,EAAE,qBAAqB,CAAC;SAClD,OAAO,CAAC,0CAA0C,EAAE,eAAe,CAAC,CAAC;IAE1E,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,MAAM;SAChB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACb,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAE7B,oBAAoB;QACpB,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,GAAG,OAAO;iBACjB,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC;iBAC5B,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC1B,OAAO,cAAc,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC;QAChD,CAAC;QAED,UAAU;QACV,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC9C,IAAI,EAAE,EAAE,CAAC;YACP,MAAM,KAAK,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YAC3B,OAAO,KAAK,KAAK,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,GAAG,CAAC;QACnD,CAAC;QAED,iBAAiB;QACjB,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,OAAO;iBAClB,KAAK,CAAC,IAAI,CAAC;iBACX,MAAM,CAAC,OAAO,CAAC;iBACf,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC;iBAC5D,IAAI,CAAC,EAAE,CAAC,CAAC;YACZ,OAAO,iDAAiD,KAAK,OAAO,CAAC;QACvE,CAAC;QAED,eAAe;QACf,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,OAAO;iBAClB,KAAK,CAAC,IAAI,CAAC;iBACX,MAAM,CAAC,OAAO,CAAC;iBACf,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC;iBAC5D,IAAI,CAAC,EAAE,CAAC,CAAC;YACZ,OAAO,iDAAiD,KAAK,OAAO,CAAC;QACvE,CAAC;QAED,aAAa;QACb,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,OAAO;iBAClB,KAAK,CAAC,IAAI,CAAC;iBACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;iBACjD,IAAI,CAAC,IAAI,CAAC,CAAC;YACd,OAAO,oGAAoG,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC;QAC1I,CAAC;QAED,OAAO,6BAA6B,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC;IACrF,CAAC,CAAC;SACD,IAAI,CAAC,EAAE,CAAC,CAAC;IAEZ,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,4BAA4B;IAC1C,IAAI,CAAC,iBAAiB,EAAE;QAAE,OAAO,EAAE,CAAC;IAEpC,OAAO;QACL,iBAAiB,EAAE;YACjB,IAAI,EAAE;gBACJ,WAAW,EAAE;oBACX,0FAA0F;oBAC1F,EAAE;oBACF,yFAAyF;oBACzF,0FAA0F;oBAC1F,4EAA4E;oBAC5E,EAAE;oBACF,sFAAsF;oBACtF,+DAA+D;oBAC/D,EAAE;oBACF,qFAAqF;oBACrF,uFAAuF;oBACvF,eAAe;iBAChB,CAAC,IAAI,CAAC,IAAI,CAAC;gBACZ,UAAU,EAAE;oBACV,IAAI,EAAE,QAAiB;oBACvB,UAAU,EAAE;wBACV,EAAE,EAAE;4BACF,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,0BAA0B;yBACxC;wBACD,OAAO,EAAE;4BACP,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,qBAAqB;yBACnC;wBACD,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,sGAAsG;yBACzG;wBACD,EAAE,EAAE;4BACF,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,yCAAyC;yBACvD;wBACD,GAAG,EAAE;4BACH,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,0CAA0C;yBACxD;wBACD,OAAO,EAAE;4BACP,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,6DAA6D;yBAChE;wBACD,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EACT,iLAAiL;yBACpL;qBACF;oBACD,QAAQ,EAAE,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC;iBACpC;aACF;YACD,GAAG,EAAE,KAAK,EAAE,KAA8B,EAAE,EAAE;gBAC5C,MAAM,EAAE,GAAG,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC/D,MAAM,OAAO,GACX,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChE,MAAM,MAAM,GAAG,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvE,MAAM,EAAE,GACN,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ,IAAI,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE;oBAC7C,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC,IAAI,EAAE;oBACjB,CAAC,CAAC,SAAS,CAAC;gBAChB,MAAM,GAAG,GACP,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;oBAC/C,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE;oBAClB,CAAC,CAAC,SAAS,CAAC;gBAChB,MAAM,OAAO,GACX,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE;oBACvD,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE;oBACtB,CAAC,CAAC,SAAS,CAAC;gBAChB,MAAM,IAAI,GACR,OAAO,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE;oBACjD,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE;oBACnB,CAAC,CAAC,SAAS,CAAC;gBAEhB,IAAI,CAAC,EAAE;oBAAE,OAAO,0BAA0B,CAAC;gBAC3C,IAAI,CAAC,OAAO;oBAAE,OAAO,+BAA+B,CAAC;gBACrD,IAAI,CAAC,MAAM;oBAAE,OAAO,4BAA4B,CAAC;gBAEjD,IAAI,CAAC;oBACH,MAAM,SAAS,CAAC;wBACd,EAAE;wBACF,OAAO;wBACP,IAAI,EAAE,cAAc,CAAC,MAAM,CAAC;wBAC5B,IAAI,EAAE,cAAc,CAAC,MAAM,CAAC;wBAC5B,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACzB,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBACrB,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBAChC,CAAC,CAAC;oBAEH,MAAM,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC5C,OAAO,iBAAiB,EAAE,GAAG,OAAO,MAAM,OAAO,GAAG,CAAC;gBACvD,CAAC;gBAAC,OAAO,GAAY,EAAE,CAAC;oBACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;oBAC7D,OAAO,wBAAwB,GAAG,EAAE,CAAC;gBACvC,CAAC;YACH,CAAC;SACF;KACF,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Framework-level agent action for sending transactional/notification emails\n * via the configured core email transport (Resend or SendGrid).\n *\n * Registered as a native tool in every template when RESEND_API_KEY or\n * SENDGRID_API_KEY is set. When neither key is present the tool is omitted\n * from the agent surface so the agent never sees it.\n *\n * SAFETY: the action description instructs the agent to draft-first and only\n * send when the user explicitly confirms, matching the mail template convention.\n *\n * COLLISION: the mail template registers its own richer \"send-email\" action.\n * The template's registration comes after this one in the spread, so it wins\n * when both would be present under the same key. To avoid any ambiguity this\n * action is keyed \"core-send-email\" which is distinct from the template name.\n */\n\nimport type { ActionEntry } from \"../agent/production-agent.js\";\nimport { isEmailConfigured, sendEmail } from \"./email.js\";\n\nfunction markdownToText(md: string): string {\n  return md\n    .replace(/!\\[([^\\]]*)\\]\\([^\\s)]+\\)/g, \"$1\")\n    .replace(/\\[([^\\]]+)\\]\\([^\\s)]+\\)/g, \"$1 ($2)\")\n    .replace(/`([^`]+)`/g, \"$1\")\n    .replace(/\\*\\*([^*]+)\\*\\*/g, \"$1\")\n    .replace(/\\*([^*\\n]+)\\*/g, \"$1\")\n    .replace(/^#{1,6}\\s+/gm, \"\")\n    .trim();\n}\n\nfunction markdownToHtml(md: string): string {\n  const normalized = md.replace(/\\r\\n/g, \"\\n\").trim();\n  if (!normalized) return \"<p></p>\";\n\n  // Escape HTML entities in a string, preserving already-encoded references.\n  const esc = (s: string) =>\n    s\n      .replace(/&/g, \"&amp;\")\n      .replace(/</g, \"&lt;\")\n      .replace(/>/g, \"&gt;\")\n      .replace(/\"/g, \"&quot;\");\n\n  // Inline markdown: links, bold, italic, code, bare URLs.\n  const inline = (s: string): string =>\n    s\n      .replace(\n        /\\[([^\\]]+)\\]\\((https?:\\/\\/[^\\s)]+)\\)/g,\n        (_m, label: string, url: string) =>\n          `<a href=\"${esc(url)}\" target=\"_blank\" rel=\"noopener noreferrer\">${esc(label)}</a>`,\n      )\n      .replace(\n        /(^|[^\\w\"'=])(https?:\\/\\/[^\\s<]+)/g,\n        (_m, pre: string, url: string) =>\n          `${pre}<a href=\"${esc(url)}\" target=\"_blank\" rel=\"noopener noreferrer\">${esc(url)}</a>`,\n      )\n      .replace(/`([^`]+)`/g, (_m, code: string) => `<code>${esc(code)}</code>`)\n      .replace(/\\*\\*([^*]+)\\*\\*/g, \"<strong>$1</strong>\")\n      .replace(/(^|[\\s(])\\*([^*\\n]+)\\*(?=$|[\\s).,!?:;])/g, \"$1<em>$2</em>\");\n\n  const blocks = normalized.split(/\\n{2,}/);\n  const html = blocks\n    .map((block) => {\n      const trimmed = block.trim();\n\n      // Fenced code block\n      if (trimmed.startsWith(\"```\") && trimmed.endsWith(\"```\")) {\n        const code = trimmed\n          .replace(/^```[^\\n]*\\n?/, \"\")\n          .replace(/\\n?```$/, \"\");\n        return `<pre><code>${esc(code)}</code></pre>`;\n      }\n\n      // Heading\n      const hm = trimmed.match(/^(#{1,6})\\s+(.+)$/);\n      if (hm) {\n        const level = hm[1].length;\n        return `<h${level}>${inline(hm[2])}</h${level}>`;\n      }\n\n      // Unordered list\n      if (/^[-*+]\\s+/m.test(trimmed)) {\n        const items = trimmed\n          .split(\"\\n\")\n          .filter(Boolean)\n          .map((l) => `<li>${inline(l.replace(/^[-*+]\\s+/, \"\"))}</li>`)\n          .join(\"\");\n        return `<ul style=\"margin:0 0 1em;padding-left:1.5em\">${items}</ul>`;\n      }\n\n      // Ordered list\n      if (/^\\d+\\.\\s+/m.test(trimmed)) {\n        const items = trimmed\n          .split(\"\\n\")\n          .filter(Boolean)\n          .map((l) => `<li>${inline(l.replace(/^\\d+\\.\\s+/, \"\"))}</li>`)\n          .join(\"\");\n        return `<ol style=\"margin:0 0 1em;padding-left:1.5em\">${items}</ol>`;\n      }\n\n      // Blockquote\n      if (trimmed.startsWith(\"> \")) {\n        const inner = trimmed\n          .split(\"\\n\")\n          .map((l) => (l.startsWith(\"> \") ? l.slice(2) : l))\n          .join(\"\\n\");\n        return `<blockquote style=\"margin:0 0 1em 1em;border-left:3px solid #ccc;padding-left:0.75em;color:#555\">${inline(inner)}</blockquote>`;\n      }\n\n      return `<p style=\"margin:0 0 1em\">${inline(trimmed).replace(/\\n/g, \"<br />\")}</p>`;\n    })\n    .join(\"\");\n\n  return html;\n}\n\nexport function createCoreEmailActionEntries(): Record<string, ActionEntry> {\n  if (!isEmailConfigured()) return {};\n\n  return {\n    \"core-send-email\": {\n      tool: {\n        description: [\n          \"Send a transactional email via the app's configured email provider (Resend or SendGrid).\",\n          \"\",\n          \"IMPORTANT — DRAFT-FIRST SAFETY RULE: Never call this tool until the user has explicitly\",\n          \"confirmed they want to send. Always compose the full email content first, show it to the\",\n          \"user, and wait for an explicit 'yes, send it' before invoking this action.\",\n          \"\",\n          \"The body is written in markdown. Tables, lists, bold, italic, links, and code blocks\",\n          \"are all supported and will render correctly in email clients.\",\n          \"\",\n          \"This sends via the framework transport (Resend/SendGrid). It is NOT the Gmail-based\",\n          \"send-email action in the mail template — use this for system/notification emails from\",\n          \"any template.\",\n        ].join(\"\\n\"),\n        parameters: {\n          type: \"object\" as const,\n          properties: {\n            to: {\n              type: \"string\",\n              description: \"Recipient email address.\",\n            },\n            subject: {\n              type: \"string\",\n              description: \"Email subject line.\",\n            },\n            body: {\n              type: \"string\",\n              description:\n                \"Email body in markdown. Tables, lists, headings, bold, italic, links, and code blocks are supported.\",\n            },\n            cc: {\n              type: \"string\",\n              description: \"CC email address (single address only).\",\n            },\n            bcc: {\n              type: \"string\",\n              description: \"BCC email address (single address only).\",\n            },\n            replyTo: {\n              type: \"string\",\n              description:\n                \"Reply-To address. Useful when sending on behalf of someone.\",\n            },\n            from: {\n              type: \"string\",\n              description:\n                'Override the sender address. Must be a verified sender for the configured provider. Example: \"Team Name <team@example.com>\". Leave unset to use the default EMAIL_FROM env var.',\n            },\n          },\n          required: [\"to\", \"subject\", \"body\"],\n        },\n      },\n      run: async (input: Record<string, unknown>) => {\n        const to = typeof input.to === \"string\" ? input.to.trim() : \"\";\n        const subject =\n          typeof input.subject === \"string\" ? input.subject.trim() : \"\";\n        const bodyMd = typeof input.body === \"string\" ? input.body.trim() : \"\";\n        const cc =\n          typeof input.cc === \"string\" && input.cc.trim()\n            ? input.cc.trim()\n            : undefined;\n        const bcc =\n          typeof input.bcc === \"string\" && input.bcc.trim()\n            ? input.bcc.trim()\n            : undefined;\n        const replyTo =\n          typeof input.replyTo === \"string\" && input.replyTo.trim()\n            ? input.replyTo.trim()\n            : undefined;\n        const from =\n          typeof input.from === \"string\" && input.from.trim()\n            ? input.from.trim()\n            : undefined;\n\n        if (!to) return \"Error: 'to' is required.\";\n        if (!subject) return \"Error: 'subject' is required.\";\n        if (!bodyMd) return \"Error: 'body' is required.\";\n\n        try {\n          await sendEmail({\n            to,\n            subject,\n            html: markdownToHtml(bodyMd),\n            text: markdownToText(bodyMd),\n            ...(from ? { from } : {}),\n            ...(cc ? { cc } : {}),\n            ...(replyTo ? { replyTo } : {}),\n          });\n\n          const bccNote = bcc ? ` (bcc: ${bcc})` : \"\";\n          return `Email sent to ${to}${bccNote}: \"${subject}\"`;\n        } catch (err: unknown) {\n          const msg = err instanceof Error ? err.message : String(err);\n          return `Error sending email: ${msg}`;\n        }\n      },\n    },\n  };\n}\n"]}

package/dist/server/embed-route.js

@@ -48,7 +48,7 @@ function setEmbedStartResponseHeaders(event) {
 }
 function embedStartCorsOrigin(event) {
     const origin = getHeader(event, "origin");
-    return isMcpEmbedCorsOrigin(origin) ? origin : null;
+    return isMcpEmbedCorsOrigin(origin) ? (origin ?? null) : null;
 }
 function embedStartResponseHeaders(event, init = {}) {
     const headers = new Headers({

package/dist/server/embed-route.js.map

@@ -1 +1 @@
-{"version":3,"file":"embed-route.js","sourceRoot":"","sources":["../../src/server/embed-route.ts"],"names":[],"mappings":"AACA,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,SAAS,EACT,QAAQ,EACR,iBAAiB,GAClB,MAAM,IAAI,CAAC;AACZ,OAAO,EACL,yBAAyB,EACzB,wBAAwB,EACxB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,uBAAuB,EACvB,+BAA+B,GAChC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,8BAA8B,EAAE,MAAM,gCAAgC,CAAC;AAEhF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;IACxC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAc,EACd,KAAa,EACb,gBAAgB,GAAG,KAAK;IAExB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,6BAA6B,CAAC,CAAC;IAC3D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,sBAAsB,EAAE,GAAG,CAAC,CAAC;IAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;IACrD,IAAI,gBAAgB,EAAE,CAAC;QACrB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;AACnD,CAAC;AAED,SAAS,yBAAyB,CAChC,KAAc,EACd,QAAgB,EAChB,MAAM,GAAG,GAAG;IAEZ,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,yBAAyB,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IACzE,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC9C,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc,EAAE,OAAgB;IAC3D,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC;IAC1D,KAAK,MAAM,MAAM,IAAI,MAAM;QAAE,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAc;IAClD,iBAAiB,CAAC,KAAK,EAAE,8BAA8B,EAAE,cAAc,CAAC,CAAC;IACzE,iBAAiB,CAAC,KAAK,EAAE,4BAA4B,EAAE,aAAa,CAAC,CAAC;IACtE,iBAAiB,CAAC,KAAK,EAAE,8BAA8B,EAAE,cAAc,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;IAC3C,IAAI,MAAM,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,MAAM,CAAC,CAAC;QAChE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3C,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,kBAAkB,CACnB,CAAC;QACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;QACF,iBAAiB,CAAC,KAAK,EAAE,+BAA+B,EAAE,UAAU,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,OAAO,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AACtD,CAAC;AAED,SAAS,yBAAyB,CAChC,KAAc,EACd,OAA+B,EAAE;IAEjC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;QAC1B,8BAA8B,EAAE,cAAc;QAC9C,4BAA4B,EAAE,aAAa;QAC3C,8BAA8B,EAAE,cAAc;QAC9C,GAAG,IAAI;KACR,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;IAC3C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,6BAA6B,EAAE,MAAM,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,4BAA4B,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,+BAA+B,EAAE,UAAU,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,YAAY,CACnB,KAAc,EACd,OAAe,EACf,MAAc;IAEd,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,OAAO,IAAI,QAAQ,CAAC,OAAO,EAAE;QAC3B,MAAM;QACN,OAAO,EAAE,yBAAyB,CAAC,KAAK,EAAE;YACxC,cAAc,EAAE,2BAA2B;SAC5C,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AAED,SAAS,2BAA2B,CAAC,KAAc;IACjD,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,OAAO,IAAI,QAAQ,CACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA4BI,EACJ;QACE,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,yBAAyB,CAAC,KAAK,EAAE;YACxC,cAAc,EAAE,0BAA0B;YAC1C,eAAe,EAAE,UAAU;SAC5B,CAAC;KACH,CACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAc;IAChD,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3C,OAAO,GAAG,wBAAwB,EAAE,GAAG,gBAAgB,IAAI,EAAE,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,OAAO,OAAO,KAAK,KAAK,QAAQ;QAC9B,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ;YACpD,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;YACV,CAAC,CAAC,EAAE,CAAC;AACX,CAAC;AAED,SAAS,+BAA+B,CAAC,KAAc;IACrD,IAAI,SAAS,CAAC,KAAK,EAAE,iCAAiC,CAAC,KAAK,GAAG,EAAE,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;IAChD,OAAO,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,0BAA0B,CACjC,KAAc,EACd,QAAgB;IAEhB,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,yBAAyB,CAAC,KAAK,EAAE;QAC/C,eAAe,EAAE,UAAU;QAC3B,cAAc,EAAE,iCAAiC;KAClD,CAAC,CAAC;IACH,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC9C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE;QAChD,MAAM,EAAE,GAAG;QACX,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAMD,MAAM,UAAU,4BAA4B,CAC1C,UAAkC,EAAE;IAEpC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,yBAAyB,CAAC,KAAK,EAAE;oBACxC,eAAe,EAAE,UAAU;iBAC5B,CAAC;aACH,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,yBAAyB,CAAC,KAAK,EAAE;oBACxC,eAAe,EAAE,UAAU;iBAC5B,CAAC;aACH,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACrB,OAAO,YAAY,CAAC,KAAK,EAAE,oBAAoB,EAAE,GAAG,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC;QAC/B,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACnE,MAAM,eAAe,GAAG,MAAM,OAAO;aAClC,kBAAkB,EAAE,CAAC,KAAK,CAAC;aAC3B,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,QAAQ,GAAG,MAAM,yBAAyB,CAAC,MAAM,EAAE;YACvD,aAAa,EAAE,eAAe,EAAE,KAAK,IAAI,IAAI;SAC9C,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,2BAA2B,CAAC,KAAK,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,MAAM,GAAG,wBAAwB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,YAAY,CAAC,KAAK,EAAE,uBAAuB,EAAE,GAAG,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,KAAK,GAAG,qBAAqB,CAAC;YAClC,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,UAAU,EAAE,MAAM;YAClB,KAAK,EAAE,QAAQ,CAAC,KAAK;SACtB,CAAC,CAAC;QACH,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACpC,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAE3D,MAAM,gBAAgB,GACpB,eAAe,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,KAAK,GAAG;YAC/D,eAAe,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,KAAK,MAAM,CAAC;QACrE,MAAM,QAAQ,GAAG,sBAAsB,CACrC,8BAA8B,CAC5B,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,gBAAgB,CAAC,CACnD,CACF,CAAC;QACF,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,OAAO,0BAA0B,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,yBAAyB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import type { H3Event } from \"h3\";\nimport {\n  defineEventHandler,\n  getHeader,\n  getMethod,\n  getQuery,\n  setResponseHeader,\n} from \"h3\";\nimport {\n  consumeEmbedSessionTicket,\n  normalizeEmbedTargetPath,\n  setEmbedSessionCookie,\n  signEmbedSessionToken,\n} from \"./embed-session.js\";\nimport type { AuthSession } from \"./auth.js\";\nimport { getConfiguredAppBasePath } from \"./app-base-path.js\";\nimport {\n  EMBED_MODE_QUERY_PARAM,\n  EMBED_START_PATH,\n  EMBED_TOKEN_QUERY_PARAM,\n  MCP_APP_CHAT_BRIDGE_QUERY_PARAM,\n} from \"../shared/embed-auth.js\";\nimport {\n  isMcpEmbedCorsOrigin,\n  MCP_EMBED_CORS_ALLOW_HEADERS,\n} from \"../shared/mcp-embed-headers.js\";\nimport { withCollapsedAgentSidebarParam } from \"../shared/agent-sidebar-url.js\";\n\nfunction withConfiguredBasePath(path: string): string {\n  const base = getConfiguredAppBasePath();\n  if (!base) return path;\n  if (path === base || path.startsWith(`${base}/`)) return path;\n  return `${base}${path}`;\n}\n\nfunction appendEmbedParams(\n  target: string,\n  token: string,\n  chatBridgeActive = false,\n): string {\n  const url = new URL(target, \"http://agent-native.invalid\");\n  url.searchParams.set(EMBED_MODE_QUERY_PARAM, \"1\");\n  url.searchParams.set(EMBED_TOKEN_QUERY_PARAM, token);\n  if (chatBridgeActive) {\n    url.searchParams.set(MCP_APP_CHAT_BRIDGE_QUERY_PARAM, \"1\");\n  }\n  return `${url.pathname}${url.search}${url.hash}`;\n}\n\nfunction redirectWithStagedCookies(\n  event: H3Event,\n  location: string,\n  status = 302,\n): Response {\n  setEmbedStartResponseHeaders(event);\n  const headers = embedStartResponseHeaders(event, { Location: location });\n  appendStagedCookies(event, headers);\n  headers.set(\"Referrer-Policy\", \"no-referrer\");\n  return new Response(\"\", { status, headers });\n}\n\nfunction appendStagedCookies(event: H3Event, headers: Headers): void {\n  const staged = event.res?.headers?.getSetCookie?.() ?? [];\n  for (const cookie of staged) headers.append(\"set-cookie\", cookie);\n}\n\nfunction setEmbedStartResponseHeaders(event: H3Event): void {\n  setResponseHeader(event, \"Cross-Origin-Embedder-Policy\", \"require-corp\");\n  setResponseHeader(event, \"Cross-Origin-Opener-Policy\", \"same-origin\");\n  setResponseHeader(event, \"Cross-Origin-Resource-Policy\", \"cross-origin\");\n  const origin = embedStartCorsOrigin(event);\n  if (origin) {\n    setResponseHeader(event, \"Access-Control-Allow-Origin\", origin);\n    setResponseHeader(event, \"Vary\", \"Origin\");\n    setResponseHeader(\n      event,\n      \"Access-Control-Allow-Methods\",\n      \"GET,HEAD,OPTIONS\",\n    );\n    setResponseHeader(\n      event,\n      \"Access-Control-Allow-Headers\",\n      MCP_EMBED_CORS_ALLOW_HEADERS,\n    );\n    setResponseHeader(event, \"Access-Control-Expose-Headers\", \"Location\");\n  }\n}\n\nfunction embedStartCorsOrigin(event: H3Event): string | null {\n  const origin = getHeader(event, \"origin\");\n  return isMcpEmbedCorsOrigin(origin) ? origin : null;\n}\n\nfunction embedStartResponseHeaders(\n  event: H3Event,\n  init: Record<string, string> = {},\n): Headers {\n  const headers = new Headers({\n    \"Cross-Origin-Embedder-Policy\": \"require-corp\",\n    \"Cross-Origin-Opener-Policy\": \"same-origin\",\n    \"Cross-Origin-Resource-Policy\": \"cross-origin\",\n    ...init,\n  });\n  const origin = embedStartCorsOrigin(event);\n  if (origin) {\n    headers.set(\"Access-Control-Allow-Origin\", origin);\n    headers.set(\"Vary\", \"Origin\");\n    headers.set(\"Access-Control-Allow-Methods\", \"GET,HEAD,OPTIONS\");\n    headers.set(\"Access-Control-Allow-Headers\", MCP_EMBED_CORS_ALLOW_HEADERS);\n    headers.set(\"Access-Control-Expose-Headers\", \"Location\");\n  }\n  return headers;\n}\n\nfunction textResponse(\n  event: H3Event,\n  message: string,\n  status: number,\n): Response {\n  setEmbedStartResponseHeaders(event);\n  return new Response(message, {\n    status,\n    headers: embedStartResponseHeaders(event, {\n      \"Content-Type\": \"text/plain; charset=utf-8\",\n    }),\n  });\n}\n\nfunction expiredEmbedSessionResponse(event: H3Event): Response {\n  setEmbedStartResponseHeaders(event);\n  return new Response(\n    `<!doctype html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Embedded app session expired</title>\n  <style>\n    :root { color-scheme: light dark; font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif; background: Canvas; color: CanvasText; }\n    * { box-sizing: border-box; }\n    body { margin: 0; min-height: 100vh; display: grid; place-items: center; padding: 24px; }\n    main { max-width: 520px; text-align: center; }\n    h1 { margin: 0 0 8px; font-size: 16px; line-height: 1.25; }\n    p { margin: 0; color: color-mix(in srgb, CanvasText 64%, Canvas); font-size: 13px; line-height: 1.5; }\n  </style>\n</head>\n<body>\n  <main>\n    <h1>Embedded app session expired</h1>\n    <p>This chat preview is refreshing. If it does not reload, ask the chat to open the app again.</p>\n  </main>\n  <script>\n    try {\n      if (window.parent && window.parent !== window) {\n        window.parent.postMessage({ type: \"agentNative.embedSessionExpired\" }, \"*\");\n      }\n    } catch {}\n  </script>\n</body>\n</html>`,\n    {\n      status: 401,\n      headers: embedStartResponseHeaders(event, {\n        \"Content-Type\": \"text/html; charset=utf-8\",\n        \"Cache-Control\": \"no-store\",\n      }),\n    },\n  );\n}\n\nexport function buildEmbedStartPath(ticket: string): string {\n  const qs = new URLSearchParams({ ticket });\n  return `${getConfiguredAppBasePath()}${EMBED_START_PATH}?${qs}`;\n}\n\nfunction firstQueryValue(value: unknown): string {\n  return typeof value === \"string\"\n    ? value\n    : Array.isArray(value) && typeof value[0] === \"string\"\n      ? value[0]\n      : \"\";\n}\n\nfunction wantsTransplantLocationResponse(event: H3Event): boolean {\n  if (getHeader(event, \"x-agent-native-embed-transplant\") === \"1\") {\n    return true;\n  }\n  const accept = getHeader(event, \"accept\") ?? \"\";\n  return /\\bapplication\\/json\\b/i.test(accept);\n}\n\nfunction transplantLocationResponse(\n  event: H3Event,\n  location: string,\n): Response {\n  setEmbedStartResponseHeaders(event);\n  const headers = embedStartResponseHeaders(event, {\n    \"Cache-Control\": \"no-store\",\n    \"Content-Type\": \"application/json; charset=utf-8\",\n  });\n  appendStagedCookies(event, headers);\n  headers.set(\"Referrer-Policy\", \"no-referrer\");\n  return new Response(JSON.stringify({ location }), {\n    status: 200,\n    headers,\n  });\n}\n\nexport interface EmbedStartRouteOptions {\n  getExistingSession?: (event: H3Event) => Promise<AuthSession | null>;\n}\n\nexport function createEmbedStartRouteHandler(\n  options: EmbedStartRouteOptions = {},\n) {\n  return defineEventHandler(async (event: H3Event) => {\n    const method = getMethod(event);\n    if (method === \"OPTIONS\") {\n      setEmbedStartResponseHeaders(event);\n      return new Response(null, {\n        status: 204,\n        headers: embedStartResponseHeaders(event, {\n          \"Cache-Control\": \"no-store\",\n        }),\n      });\n    }\n\n    if (method === \"HEAD\") {\n      setEmbedStartResponseHeaders(event);\n      return new Response(null, {\n        status: 204,\n        headers: embedStartResponseHeaders(event, {\n          \"Cache-Control\": \"no-store\",\n        }),\n      });\n    }\n\n    if (method !== \"GET\") {\n      return textResponse(event, \"Method not allowed\", 405);\n    }\n\n    const query = getQuery(event) ?? {};\n    const rawTicket = query.ticket;\n    const ticket = Array.isArray(rawTicket) ? rawTicket[0] : rawTicket;\n    const existingSession = await options\n      .getExistingSession?.(event)\n      .catch(() => null);\n    const consumed = await consumeEmbedSessionTicket(ticket, {\n      expectedOrgId: existingSession?.orgId ?? null,\n    });\n    if (!consumed) {\n      return expiredEmbedSessionResponse(event);\n    }\n\n    const target = normalizeEmbedTargetPath(consumed.targetPath);\n    if (!target) {\n      return textResponse(event, \"Invalid embed target.\", 400);\n    }\n\n    const token = signEmbedSessionToken({\n      ownerEmail: consumed.ownerEmail,\n      orgId: consumed.orgId,\n      targetPath: target,\n      scope: consumed.scope,\n    });\n    setEmbedSessionCookie(event, token);\n    setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n\n    const chatBridgeActive =\n      firstQueryValue(query[MCP_APP_CHAT_BRIDGE_QUERY_PARAM]) === \"1\" ||\n      firstQueryValue(query[MCP_APP_CHAT_BRIDGE_QUERY_PARAM]) === \"true\";\n    const location = withConfiguredBasePath(\n      withCollapsedAgentSidebarParam(\n        appendEmbedParams(target, token, chatBridgeActive),\n      ),\n    );\n    if (wantsTransplantLocationResponse(event)) {\n      return transplantLocationResponse(event, location);\n    }\n    return redirectWithStagedCookies(event, location);\n  });\n}\n"]}
+{"version":3,"file":"embed-route.js","sourceRoot":"","sources":["../../src/server/embed-route.ts"],"names":[],"mappings":"AACA,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,SAAS,EACT,QAAQ,EACR,iBAAiB,GAClB,MAAM,IAAI,CAAC;AACZ,OAAO,EACL,yBAAyB,EACzB,wBAAwB,EACxB,qBAAqB,EACrB,qBAAqB,GACtB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EACL,sBAAsB,EACtB,gBAAgB,EAChB,uBAAuB,EACvB,+BAA+B,GAChC,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,gCAAgC,CAAC;AACxC,OAAO,EAAE,8BAA8B,EAAE,MAAM,gCAAgC,CAAC;AAEhF,SAAS,sBAAsB,CAAC,IAAY;IAC1C,MAAM,IAAI,GAAG,wBAAwB,EAAE,CAAC;IACxC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,GAAG,IAAI,GAAG,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAc,EACd,KAAa,EACb,gBAAgB,GAAG,KAAK;IAExB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,EAAE,6BAA6B,CAAC,CAAC;IAC3D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,sBAAsB,EAAE,GAAG,CAAC,CAAC;IAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;IACrD,IAAI,gBAAgB,EAAE,CAAC;QACrB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;AACnD,CAAC;AAED,SAAS,yBAAyB,CAChC,KAAc,EACd,QAAgB,EAChB,MAAM,GAAG,GAAG;IAEZ,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,yBAAyB,CAAC,KAAK,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IACzE,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC9C,OAAO,IAAI,QAAQ,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc,EAAE,OAAgB;IAC3D,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC;IAC1D,KAAK,MAAM,MAAM,IAAI,MAAM;QAAE,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,4BAA4B,CAAC,KAAc;IAClD,iBAAiB,CAAC,KAAK,EAAE,8BAA8B,EAAE,cAAc,CAAC,CAAC;IACzE,iBAAiB,CAAC,KAAK,EAAE,4BAA4B,EAAE,aAAa,CAAC,CAAC;IACtE,iBAAiB,CAAC,KAAK,EAAE,8BAA8B,EAAE,cAAc,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;IAC3C,IAAI,MAAM,EAAE,CAAC;QACX,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,MAAM,CAAC,CAAC;QAChE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3C,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,kBAAkB,CACnB,CAAC;QACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;QACF,iBAAiB,CAAC,KAAK,EAAE,+BAA+B,EAAE,UAAU,CAAC,CAAC;IACxE,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC1C,OAAO,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAChE,CAAC;AAED,SAAS,yBAAyB,CAChC,KAAc,EACd,OAA+B,EAAE;IAEjC,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;QAC1B,8BAA8B,EAAE,cAAc;QAC9C,4BAA4B,EAAE,aAAa;QAC3C,8BAA8B,EAAE,cAAc;QAC9C,GAAG,IAAI;KACR,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;IAC3C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,6BAA6B,EAAE,MAAM,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,kBAAkB,CAAC,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,4BAA4B,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,+BAA+B,EAAE,UAAU,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,YAAY,CACnB,KAAc,EACd,OAAe,EACf,MAAc;IAEd,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,OAAO,IAAI,QAAQ,CAAC,OAAO,EAAE;QAC3B,MAAM;QACN,OAAO,EAAE,yBAAyB,CAAC,KAAK,EAAE;YACxC,cAAc,EAAE,2BAA2B;SAC5C,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AAED,SAAS,2BAA2B,CAAC,KAAc;IACjD,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,OAAO,IAAI,QAAQ,CACjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA4BI,EACJ;QACE,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,yBAAyB,CAAC,KAAK,EAAE;YACxC,cAAc,EAAE,0BAA0B;YAC1C,eAAe,EAAE,UAAU;SAC5B,CAAC;KACH,CACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAc;IAChD,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAC3C,OAAO,GAAG,wBAAwB,EAAE,GAAG,gBAAgB,IAAI,EAAE,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,eAAe,CAAC,KAAc;IACrC,OAAO,OAAO,KAAK,KAAK,QAAQ;QAC9B,CAAC,CAAC,KAAK;QACP,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ;YACpD,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;YACV,CAAC,CAAC,EAAE,CAAC;AACX,CAAC;AAED,SAAS,+BAA+B,CAAC,KAAc;IACrD,IAAI,SAAS,CAAC,KAAK,EAAE,iCAAiC,CAAC,KAAK,GAAG,EAAE,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;IAChD,OAAO,wBAAwB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,0BAA0B,CACjC,KAAc,EACd,QAAgB;IAEhB,4BAA4B,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,yBAAyB,CAAC,KAAK,EAAE;QAC/C,eAAe,EAAE,UAAU;QAC3B,cAAc,EAAE,iCAAiC;KAClD,CAAC,CAAC;IACH,mBAAmB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACpC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC9C,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE;QAChD,MAAM,EAAE,GAAG;QACX,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAMD,MAAM,UAAU,4BAA4B,CAC1C,UAAkC,EAAE;IAEpC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,yBAAyB,CAAC,KAAK,EAAE;oBACxC,eAAe,EAAE,UAAU;iBAC5B,CAAC;aACH,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,4BAA4B,CAAC,KAAK,CAAC,CAAC;YACpC,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,yBAAyB,CAAC,KAAK,EAAE;oBACxC,eAAe,EAAE,UAAU;iBAC5B,CAAC;aACH,CAAC,CAAC;QACL,CAAC;QAED,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACrB,OAAO,YAAY,CAAC,KAAK,EAAE,oBAAoB,EAAE,GAAG,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC;QAC/B,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACnE,MAAM,eAAe,GAAG,MAAM,OAAO;aAClC,kBAAkB,EAAE,CAAC,KAAK,CAAC;aAC3B,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,QAAQ,GAAG,MAAM,yBAAyB,CAAC,MAAM,EAAE;YACvD,aAAa,EAAE,eAAe,EAAE,KAAK,IAAI,IAAI;SAC9C,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,2BAA2B,CAAC,KAAK,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,MAAM,GAAG,wBAAwB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC7D,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,YAAY,CAAC,KAAK,EAAE,uBAAuB,EAAE,GAAG,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,KAAK,GAAG,qBAAqB,CAAC;YAClC,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,UAAU,EAAE,MAAM;YAClB,KAAK,EAAE,QAAQ,CAAC,KAAK;SACtB,CAAC,CAAC;QACH,qBAAqB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACpC,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;QAE3D,MAAM,gBAAgB,GACpB,eAAe,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,KAAK,GAAG;YAC/D,eAAe,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC,KAAK,MAAM,CAAC;QACrE,MAAM,QAAQ,GAAG,sBAAsB,CACrC,8BAA8B,CAC5B,iBAAiB,CAAC,MAAM,EAAE,KAAK,EAAE,gBAAgB,CAAC,CACnD,CACF,CAAC;QACF,IAAI,+BAA+B,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,OAAO,0BAA0B,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACrD,CAAC;QACD,OAAO,yBAAyB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import type { H3Event } from \"h3\";\nimport {\n  defineEventHandler,\n  getHeader,\n  getMethod,\n  getQuery,\n  setResponseHeader,\n} from \"h3\";\nimport {\n  consumeEmbedSessionTicket,\n  normalizeEmbedTargetPath,\n  setEmbedSessionCookie,\n  signEmbedSessionToken,\n} from \"./embed-session.js\";\nimport type { AuthSession } from \"./auth.js\";\nimport { getConfiguredAppBasePath } from \"./app-base-path.js\";\nimport {\n  EMBED_MODE_QUERY_PARAM,\n  EMBED_START_PATH,\n  EMBED_TOKEN_QUERY_PARAM,\n  MCP_APP_CHAT_BRIDGE_QUERY_PARAM,\n} from \"../shared/embed-auth.js\";\nimport {\n  isMcpEmbedCorsOrigin,\n  MCP_EMBED_CORS_ALLOW_HEADERS,\n} from \"../shared/mcp-embed-headers.js\";\nimport { withCollapsedAgentSidebarParam } from \"../shared/agent-sidebar-url.js\";\n\nfunction withConfiguredBasePath(path: string): string {\n  const base = getConfiguredAppBasePath();\n  if (!base) return path;\n  if (path === base || path.startsWith(`${base}/`)) return path;\n  return `${base}${path}`;\n}\n\nfunction appendEmbedParams(\n  target: string,\n  token: string,\n  chatBridgeActive = false,\n): string {\n  const url = new URL(target, \"http://agent-native.invalid\");\n  url.searchParams.set(EMBED_MODE_QUERY_PARAM, \"1\");\n  url.searchParams.set(EMBED_TOKEN_QUERY_PARAM, token);\n  if (chatBridgeActive) {\n    url.searchParams.set(MCP_APP_CHAT_BRIDGE_QUERY_PARAM, \"1\");\n  }\n  return `${url.pathname}${url.search}${url.hash}`;\n}\n\nfunction redirectWithStagedCookies(\n  event: H3Event,\n  location: string,\n  status = 302,\n): Response {\n  setEmbedStartResponseHeaders(event);\n  const headers = embedStartResponseHeaders(event, { Location: location });\n  appendStagedCookies(event, headers);\n  headers.set(\"Referrer-Policy\", \"no-referrer\");\n  return new Response(\"\", { status, headers });\n}\n\nfunction appendStagedCookies(event: H3Event, headers: Headers): void {\n  const staged = event.res?.headers?.getSetCookie?.() ?? [];\n  for (const cookie of staged) headers.append(\"set-cookie\", cookie);\n}\n\nfunction setEmbedStartResponseHeaders(event: H3Event): void {\n  setResponseHeader(event, \"Cross-Origin-Embedder-Policy\", \"require-corp\");\n  setResponseHeader(event, \"Cross-Origin-Opener-Policy\", \"same-origin\");\n  setResponseHeader(event, \"Cross-Origin-Resource-Policy\", \"cross-origin\");\n  const origin = embedStartCorsOrigin(event);\n  if (origin) {\n    setResponseHeader(event, \"Access-Control-Allow-Origin\", origin);\n    setResponseHeader(event, \"Vary\", \"Origin\");\n    setResponseHeader(\n      event,\n      \"Access-Control-Allow-Methods\",\n      \"GET,HEAD,OPTIONS\",\n    );\n    setResponseHeader(\n      event,\n      \"Access-Control-Allow-Headers\",\n      MCP_EMBED_CORS_ALLOW_HEADERS,\n    );\n    setResponseHeader(event, \"Access-Control-Expose-Headers\", \"Location\");\n  }\n}\n\nfunction embedStartCorsOrigin(event: H3Event): string | null {\n  const origin = getHeader(event, \"origin\");\n  return isMcpEmbedCorsOrigin(origin) ? (origin ?? null) : null;\n}\n\nfunction embedStartResponseHeaders(\n  event: H3Event,\n  init: Record<string, string> = {},\n): Headers {\n  const headers = new Headers({\n    \"Cross-Origin-Embedder-Policy\": \"require-corp\",\n    \"Cross-Origin-Opener-Policy\": \"same-origin\",\n    \"Cross-Origin-Resource-Policy\": \"cross-origin\",\n    ...init,\n  });\n  const origin = embedStartCorsOrigin(event);\n  if (origin) {\n    headers.set(\"Access-Control-Allow-Origin\", origin);\n    headers.set(\"Vary\", \"Origin\");\n    headers.set(\"Access-Control-Allow-Methods\", \"GET,HEAD,OPTIONS\");\n    headers.set(\"Access-Control-Allow-Headers\", MCP_EMBED_CORS_ALLOW_HEADERS);\n    headers.set(\"Access-Control-Expose-Headers\", \"Location\");\n  }\n  return headers;\n}\n\nfunction textResponse(\n  event: H3Event,\n  message: string,\n  status: number,\n): Response {\n  setEmbedStartResponseHeaders(event);\n  return new Response(message, {\n    status,\n    headers: embedStartResponseHeaders(event, {\n      \"Content-Type\": \"text/plain; charset=utf-8\",\n    }),\n  });\n}\n\nfunction expiredEmbedSessionResponse(event: H3Event): Response {\n  setEmbedStartResponseHeaders(event);\n  return new Response(\n    `<!doctype html>\n<html lang=\"en\">\n<head>\n  <meta charset=\"utf-8\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n  <title>Embedded app session expired</title>\n  <style>\n    :root { color-scheme: light dark; font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, \"Segoe UI\", sans-serif; background: Canvas; color: CanvasText; }\n    * { box-sizing: border-box; }\n    body { margin: 0; min-height: 100vh; display: grid; place-items: center; padding: 24px; }\n    main { max-width: 520px; text-align: center; }\n    h1 { margin: 0 0 8px; font-size: 16px; line-height: 1.25; }\n    p { margin: 0; color: color-mix(in srgb, CanvasText 64%, Canvas); font-size: 13px; line-height: 1.5; }\n  </style>\n</head>\n<body>\n  <main>\n    <h1>Embedded app session expired</h1>\n    <p>This chat preview is refreshing. If it does not reload, ask the chat to open the app again.</p>\n  </main>\n  <script>\n    try {\n      if (window.parent && window.parent !== window) {\n        window.parent.postMessage({ type: \"agentNative.embedSessionExpired\" }, \"*\");\n      }\n    } catch {}\n  </script>\n</body>\n</html>`,\n    {\n      status: 401,\n      headers: embedStartResponseHeaders(event, {\n        \"Content-Type\": \"text/html; charset=utf-8\",\n        \"Cache-Control\": \"no-store\",\n      }),\n    },\n  );\n}\n\nexport function buildEmbedStartPath(ticket: string): string {\n  const qs = new URLSearchParams({ ticket });\n  return `${getConfiguredAppBasePath()}${EMBED_START_PATH}?${qs}`;\n}\n\nfunction firstQueryValue(value: unknown): string {\n  return typeof value === \"string\"\n    ? value\n    : Array.isArray(value) && typeof value[0] === \"string\"\n      ? value[0]\n      : \"\";\n}\n\nfunction wantsTransplantLocationResponse(event: H3Event): boolean {\n  if (getHeader(event, \"x-agent-native-embed-transplant\") === \"1\") {\n    return true;\n  }\n  const accept = getHeader(event, \"accept\") ?? \"\";\n  return /\\bapplication\\/json\\b/i.test(accept);\n}\n\nfunction transplantLocationResponse(\n  event: H3Event,\n  location: string,\n): Response {\n  setEmbedStartResponseHeaders(event);\n  const headers = embedStartResponseHeaders(event, {\n    \"Cache-Control\": \"no-store\",\n    \"Content-Type\": \"application/json; charset=utf-8\",\n  });\n  appendStagedCookies(event, headers);\n  headers.set(\"Referrer-Policy\", \"no-referrer\");\n  return new Response(JSON.stringify({ location }), {\n    status: 200,\n    headers,\n  });\n}\n\nexport interface EmbedStartRouteOptions {\n  getExistingSession?: (event: H3Event) => Promise<AuthSession | null>;\n}\n\nexport function createEmbedStartRouteHandler(\n  options: EmbedStartRouteOptions = {},\n) {\n  return defineEventHandler(async (event: H3Event) => {\n    const method = getMethod(event);\n    if (method === \"OPTIONS\") {\n      setEmbedStartResponseHeaders(event);\n      return new Response(null, {\n        status: 204,\n        headers: embedStartResponseHeaders(event, {\n          \"Cache-Control\": \"no-store\",\n        }),\n      });\n    }\n\n    if (method === \"HEAD\") {\n      setEmbedStartResponseHeaders(event);\n      return new Response(null, {\n        status: 204,\n        headers: embedStartResponseHeaders(event, {\n          \"Cache-Control\": \"no-store\",\n        }),\n      });\n    }\n\n    if (method !== \"GET\") {\n      return textResponse(event, \"Method not allowed\", 405);\n    }\n\n    const query = getQuery(event) ?? {};\n    const rawTicket = query.ticket;\n    const ticket = Array.isArray(rawTicket) ? rawTicket[0] : rawTicket;\n    const existingSession = await options\n      .getExistingSession?.(event)\n      .catch(() => null);\n    const consumed = await consumeEmbedSessionTicket(ticket, {\n      expectedOrgId: existingSession?.orgId ?? null,\n    });\n    if (!consumed) {\n      return expiredEmbedSessionResponse(event);\n    }\n\n    const target = normalizeEmbedTargetPath(consumed.targetPath);\n    if (!target) {\n      return textResponse(event, \"Invalid embed target.\", 400);\n    }\n\n    const token = signEmbedSessionToken({\n      ownerEmail: consumed.ownerEmail,\n      orgId: consumed.orgId,\n      targetPath: target,\n      scope: consumed.scope,\n    });\n    setEmbedSessionCookie(event, token);\n    setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n\n    const chatBridgeActive =\n      firstQueryValue(query[MCP_APP_CHAT_BRIDGE_QUERY_PARAM]) === \"1\" ||\n      firstQueryValue(query[MCP_APP_CHAT_BRIDGE_QUERY_PARAM]) === \"true\";\n    const location = withConfiguredBasePath(\n      withCollapsedAgentSidebarParam(\n        appendEmbedParams(target, token, chatBridgeActive),\n      ),\n    );\n    if (wantsTransplantLocationResponse(event)) {\n      return transplantLocationResponse(event, location);\n    }\n    return redirectWithStagedCookies(event, location);\n  });\n}\n"]}

package/dist/server/embed-session.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"embed-session.d.ts","sourceRoot":"","sources":["../../src/server/embed-session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAkBlC,QAAA,MAAM,UAAU,+BAA+B,CAAC;AAiChD,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gCAAgC;IAC/C,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,0BAA0B;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,OAAO,UAAU,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,MAAM,6BAA6B,GACrC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,uBAAuB,CAAA;CAAE,GAC7C;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAElC,MAAM,MAAM,oBAAoB,GAAG;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAoTF,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAYT;AAiBD,wBAAgB,wBAAwB,CACtC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAC9B,aAAa,CAAC,EAAE,MAAM,GACrB,MAAM,GAAG,IAAI,CA8Bf;AAED,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,kBAAkB,CAAC,CA8B7B;AAED,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACjC,OAAO,GAAE,gCAAqC,GAC7C,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC,CA6C5C;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,MAAM,CAeT;AAED,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAC/B,6BAA6B,CAsC/B;AAiCD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAQzE;AAyBD,wBAAsB,8BAA8B,CAClD,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAuCtC;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CA2BjE;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAS1D"}
+{"version":3,"file":"embed-session.d.ts","sourceRoot":"","sources":["../../src/server/embed-session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAkBlC,QAAA,MAAM,UAAU,+BAA+B,CAAC;AAiChD,MAAM,WAAW,uBAAuB;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,gCAAgC;IAC/C,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,0BAA0B;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,OAAO,UAAU,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,MAAM,6BAA6B,GACrC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,uBAAuB,CAAA;CAAE,GAC7C;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAElC,MAAM,MAAM,oBAAoB,GAAG;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAwTF,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM,GACjB,OAAO,CAYT;AAiBD,wBAAgB,wBAAwB,CACtC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EAC9B,aAAa,CAAC,EAAE,MAAM,GACrB,MAAM,GAAG,IAAI,CA8Bf;AAED,wBAAsB,wBAAwB,CAC5C,KAAK,EAAE,uBAAuB,GAC7B,OAAO,CAAC,kBAAkB,CAAC,CA8B7B;AAED,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,EACjC,OAAO,GAAE,gCAAqC,GAC7C,OAAO,CAAC,0BAA0B,GAAG,IAAI,CAAC,CA6C5C;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,MAAM,CAeT;AAED,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAC/B,6BAA6B,CAsC/B;AAiCD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAQzE;AAyBD,wBAAsB,8BAA8B,CAClD,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAuCtC;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CA2BjE;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAS1D"}

package/dist/server/embed-session.js

@@ -280,7 +280,11 @@ function referrerTargetPathname(event) {
         event.node?.req?.headers?.referrer ??
         null;
     try {
-        raw = raw ?? getHeader(event, "referer") ?? getHeader(event, "referrer");
+        raw =
+            raw ??
+                getHeader(event, "referer") ??
+                getHeader(event, "referrer") ??
+                null;
     }
     catch {
         raw = raw ?? null;