@agent-native/core 0.47.1 → 0.48.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (808) hide show
  1. package/bin/agent-native.js +41 -0
  2. package/dist/a2a/handlers.js +2 -2
  3. package/dist/a2a/handlers.js.map +1 -1
  4. package/dist/a2a/server.js +2 -2
  5. package/dist/a2a/server.js.map +1 -1
  6. package/dist/action.d.ts +43 -2
  7. package/dist/action.d.ts.map +1 -1
  8. package/dist/action.js.map +1 -1
  9. package/dist/agent/context-xray/actions/context-evict.d.ts +7 -1
  10. package/dist/agent/context-xray/actions/context-evict.d.ts.map +1 -1
  11. package/dist/agent/context-xray/actions/context-manifest-get.d.ts +4 -1
  12. package/dist/agent/context-xray/actions/context-manifest-get.d.ts.map +1 -1
  13. package/dist/agent/context-xray/actions/context-pin.d.ts +7 -1
  14. package/dist/agent/context-xray/actions/context-pin.d.ts.map +1 -1
  15. package/dist/agent/context-xray/actions/context-report.d.ts +12 -1
  16. package/dist/agent/context-xray/actions/context-report.d.ts.map +1 -1
  17. package/dist/agent/context-xray/actions/context-restore.d.ts +7 -1
  18. package/dist/agent/context-xray/actions/context-restore.d.ts.map +1 -1
  19. package/dist/agent/context-xray/apply-directives.d.ts.map +1 -1
  20. package/dist/agent/context-xray/apply-directives.js.map +1 -1
  21. package/dist/agent/context-xray/schema.d.ts +10 -10
  22. package/dist/agent/engine/ai-sdk-engine.d.ts.map +1 -1
  23. package/dist/agent/engine/ai-sdk-engine.js +26 -3
  24. package/dist/agent/engine/ai-sdk-engine.js.map +1 -1
  25. package/dist/agent/engine/anthropic-engine.d.ts +1 -1
  26. package/dist/agent/engine/anthropic-engine.d.ts.map +1 -1
  27. package/dist/agent/engine/builder-engine.d.ts +1 -1
  28. package/dist/agent/engine/builder-engine.d.ts.map +1 -1
  29. package/dist/agent/engine/builder-engine.js +47 -8
  30. package/dist/agent/engine/builder-engine.js.map +1 -1
  31. package/dist/agent/engine/builtin.js +1 -1
  32. package/dist/agent/engine/builtin.js.map +1 -1
  33. package/dist/agent/engine/output-tokens.d.ts +1 -1
  34. package/dist/agent/engine/output-tokens.d.ts.map +1 -1
  35. package/dist/agent/engine/output-tokens.js +6 -2
  36. package/dist/agent/engine/output-tokens.js.map +1 -1
  37. package/dist/agent/engine/registry.d.ts.map +1 -1
  38. package/dist/agent/engine/registry.js +7 -4
  39. package/dist/agent/engine/registry.js.map +1 -1
  40. package/dist/agent/engine/types.d.ts +19 -0
  41. package/dist/agent/engine/types.d.ts.map +1 -1
  42. package/dist/agent/engine/types.js +6 -0
  43. package/dist/agent/engine/types.js.map +1 -1
  44. package/dist/agent/model-config.d.ts +22 -14
  45. package/dist/agent/model-config.d.ts.map +1 -1
  46. package/dist/agent/model-config.js +113 -8
  47. package/dist/agent/model-config.js.map +1 -1
  48. package/dist/agent/production-agent.d.ts +19 -1
  49. package/dist/agent/production-agent.d.ts.map +1 -1
  50. package/dist/agent/production-agent.js +253 -39
  51. package/dist/agent/production-agent.js.map +1 -1
  52. package/dist/agent/run-loop-with-resume.d.ts.map +1 -1
  53. package/dist/agent/run-loop-with-resume.js +10 -0
  54. package/dist/agent/run-loop-with-resume.js.map +1 -1
  55. package/dist/agent/run-manager.d.ts +1 -0
  56. package/dist/agent/run-manager.d.ts.map +1 -1
  57. package/dist/agent/run-manager.js +36 -9
  58. package/dist/agent/run-manager.js.map +1 -1
  59. package/dist/agent/run-store.d.ts +47 -4
  60. package/dist/agent/run-store.d.ts.map +1 -1
  61. package/dist/agent/run-store.js +154 -4
  62. package/dist/agent/run-store.js.map +1 -1
  63. package/dist/agent/thread-data-builder.d.ts.map +1 -1
  64. package/dist/agent/thread-data-builder.js +57 -2
  65. package/dist/agent/thread-data-builder.js.map +1 -1
  66. package/dist/agent/types.d.ts +3 -0
  67. package/dist/agent/types.d.ts.map +1 -1
  68. package/dist/agent/types.js.map +1 -1
  69. package/dist/agent-web/generator.d.ts +3 -3
  70. package/dist/appearance/actions/change-appearance.d.ts +6 -1
  71. package/dist/appearance/actions/change-appearance.d.ts.map +1 -1
  72. package/dist/application-state/handlers.d.ts +2 -2
  73. package/dist/application-state/handlers.d.ts.map +1 -1
  74. package/dist/application-state/store.d.ts.map +1 -1
  75. package/dist/application-state/store.js +17 -0
  76. package/dist/application-state/store.js.map +1 -1
  77. package/dist/catalog.json +2 -1
  78. package/dist/cli/code-agent-commands.d.ts.map +1 -1
  79. package/dist/cli/code-agent-commands.js +2 -0
  80. package/dist/cli/code-agent-commands.js.map +1 -1
  81. package/dist/cli/code-agent-connector.js +7 -13
  82. package/dist/cli/code-agent-connector.js.map +1 -1
  83. package/dist/cli/code-agent-executor.d.ts +54 -2
  84. package/dist/cli/code-agent-executor.d.ts.map +1 -1
  85. package/dist/cli/code-agent-executor.js +504 -48
  86. package/dist/cli/code-agent-executor.js.map +1 -1
  87. package/dist/cli/code-agent-runs.d.ts +13 -0
  88. package/dist/cli/code-agent-runs.d.ts.map +1 -1
  89. package/dist/cli/code-agent-runs.js +36 -0
  90. package/dist/cli/code-agent-runs.js.map +1 -1
  91. package/dist/cli/code.js +59 -5
  92. package/dist/cli/code.js.map +1 -1
  93. package/dist/cli/connect.js +141 -3
  94. package/dist/cli/connect.js.map +1 -1
  95. package/dist/cli/index.js +0 -0
  96. package/dist/cli/pr-visual-recap-workflow.js +1 -1
  97. package/dist/cli/pr-visual-recap-workflow.js.map +1 -1
  98. package/dist/cli/recap.js +476 -46
  99. package/dist/cli/recap.js.map +1 -1
  100. package/dist/cli/skills.js +298 -179
  101. package/dist/cli/skills.js.map +1 -1
  102. package/dist/client/AgentPanel.d.ts.map +1 -1
  103. package/dist/client/AgentPanel.js +29 -2
  104. package/dist/client/AgentPanel.js.map +1 -1
  105. package/dist/client/AgentTaskCard.d.ts.map +1 -1
  106. package/dist/client/AgentTaskCard.js +17 -2
  107. package/dist/client/AgentTaskCard.js.map +1 -1
  108. package/dist/client/AssistantChat.d.ts +1 -1
  109. package/dist/client/AssistantChat.d.ts.map +1 -1
  110. package/dist/client/AssistantChat.js +310 -1732
  111. package/dist/client/AssistantChat.js.map +1 -1
  112. package/dist/client/CommandMenu.d.ts +1 -1
  113. package/dist/client/CommandMenu.d.ts.map +1 -1
  114. package/dist/client/CommandMenu.js +1 -1
  115. package/dist/client/CommandMenu.js.map +1 -1
  116. package/dist/client/HighlightedCodeBlock.d.ts +40 -0
  117. package/dist/client/HighlightedCodeBlock.d.ts.map +1 -0
  118. package/dist/client/HighlightedCodeBlock.js +110 -0
  119. package/dist/client/HighlightedCodeBlock.js.map +1 -0
  120. package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
  121. package/dist/client/MultiTabAssistantChat.js +8 -1
  122. package/dist/client/MultiTabAssistantChat.js.map +1 -1
  123. package/dist/client/PoweredByBadge.d.ts +2 -2
  124. package/dist/client/PoweredByBadge.d.ts.map +1 -1
  125. package/dist/client/RunStuckBanner.d.ts +1 -1
  126. package/dist/client/RunStuckBanner.d.ts.map +1 -1
  127. package/dist/client/StarfieldBackground.d.ts.map +1 -1
  128. package/dist/client/StarfieldBackground.js +10 -5
  129. package/dist/client/StarfieldBackground.js.map +1 -1
  130. package/dist/client/Turnstile.d.ts +1 -1
  131. package/dist/client/Turnstile.d.ts.map +1 -1
  132. package/dist/client/agent-chat-adapter.d.ts +3 -2
  133. package/dist/client/agent-chat-adapter.d.ts.map +1 -1
  134. package/dist/client/agent-chat-adapter.js +13 -9
  135. package/dist/client/agent-chat-adapter.js.map +1 -1
  136. package/dist/client/app-providers.d.ts +99 -0
  137. package/dist/client/app-providers.d.ts.map +1 -0
  138. package/dist/client/app-providers.js +19 -0
  139. package/dist/client/app-providers.js.map +1 -0
  140. package/dist/client/assistant-ui-recovery.d.ts +1 -1
  141. package/dist/client/auth-redirect-url.d.ts +1 -1
  142. package/dist/client/auth-redirect-url.d.ts.map +1 -1
  143. package/dist/client/blocks/library/AnnotatedCodeBlock.d.ts +0 -19
  144. package/dist/client/blocks/library/AnnotatedCodeBlock.d.ts.map +1 -1
  145. package/dist/client/blocks/library/AnnotatedCodeBlock.js +141 -55
  146. package/dist/client/blocks/library/AnnotatedCodeBlock.js.map +1 -1
  147. package/dist/client/blocks/library/DiffBlock.js +1 -1
  148. package/dist/client/blocks/library/DiffBlock.js.map +1 -1
  149. package/dist/client/blocks/library/FileTreeBlock.d.ts.map +1 -1
  150. package/dist/client/blocks/library/FileTreeBlock.js +1 -1
  151. package/dist/client/blocks/library/FileTreeBlock.js.map +1 -1
  152. package/dist/client/blocks/library/HighlightedCode.d.ts.map +1 -1
  153. package/dist/client/blocks/library/HighlightedCode.js +5 -3
  154. package/dist/client/blocks/library/HighlightedCode.js.map +1 -1
  155. package/dist/client/blocks/library/annotation-rail.d.ts +5 -4
  156. package/dist/client/blocks/library/annotation-rail.d.ts.map +1 -1
  157. package/dist/client/blocks/library/annotation-rail.js +22 -3
  158. package/dist/client/blocks/library/annotation-rail.js.map +1 -1
  159. package/dist/client/blocks/library/diagram.js +1 -1
  160. package/dist/client/blocks/library/diagram.js.map +1 -1
  161. package/dist/client/blocks/library/diff.config.d.ts +3 -2
  162. package/dist/client/blocks/library/diff.config.d.ts.map +1 -1
  163. package/dist/client/blocks/library/diff.config.js +4 -3
  164. package/dist/client/blocks/library/diff.config.js.map +1 -1
  165. package/dist/client/blocks/library/question-form.d.ts.map +1 -1
  166. package/dist/client/blocks/library/question-form.js +2 -1
  167. package/dist/client/blocks/library/question-form.js.map +1 -1
  168. package/dist/client/blocks/library/wireframe-kit.d.ts +1 -1
  169. package/dist/client/blocks/library/wireframe-kit.d.ts.map +1 -1
  170. package/dist/client/blocks/library/wireframe.js +1 -1
  171. package/dist/client/blocks/library/wireframe.js.map +1 -1
  172. package/dist/client/chat/attachment-adapters.d.ts +58 -0
  173. package/dist/client/chat/attachment-adapters.d.ts.map +1 -0
  174. package/dist/client/chat/attachment-adapters.js +331 -0
  175. package/dist/client/chat/attachment-adapters.js.map +1 -0
  176. package/dist/client/chat/index.d.ts +13 -0
  177. package/dist/client/chat/index.d.ts.map +1 -0
  178. package/dist/client/chat/index.js +13 -0
  179. package/dist/client/chat/index.js.map +1 -0
  180. package/dist/client/chat/markdown-renderer.d.ts +49 -0
  181. package/dist/client/chat/markdown-renderer.d.ts.map +1 -0
  182. package/dist/client/chat/markdown-renderer.js +391 -0
  183. package/dist/client/chat/markdown-renderer.js.map +1 -0
  184. package/dist/client/chat/message-components.d.ts +35 -0
  185. package/dist/client/chat/message-components.d.ts.map +1 -0
  186. package/dist/client/chat/message-components.js +452 -0
  187. package/dist/client/chat/message-components.js.map +1 -0
  188. package/dist/client/chat/repo-helpers.d.ts +41 -0
  189. package/dist/client/chat/repo-helpers.d.ts.map +1 -0
  190. package/dist/client/chat/repo-helpers.js +61 -0
  191. package/dist/client/chat/repo-helpers.js.map +1 -0
  192. package/dist/client/chat/run-recovery.d.ts +41 -0
  193. package/dist/client/chat/run-recovery.d.ts.map +1 -0
  194. package/dist/client/chat/run-recovery.js +348 -0
  195. package/dist/client/chat/run-recovery.js.map +1 -0
  196. package/dist/client/chat/tool-call-display.d.ts +34 -0
  197. package/dist/client/chat/tool-call-display.d.ts.map +1 -0
  198. package/dist/client/chat/tool-call-display.js +284 -0
  199. package/dist/client/chat/tool-call-display.js.map +1 -0
  200. package/dist/client/code-agent-chat-adapter.d.ts.map +1 -1
  201. package/dist/client/code-agent-chat-adapter.js +20 -0
  202. package/dist/client/code-agent-chat-adapter.js.map +1 -1
  203. package/dist/client/collab/index.d.ts +10 -0
  204. package/dist/client/collab/index.d.ts.map +1 -0
  205. package/dist/client/collab/index.js +10 -0
  206. package/dist/client/collab/index.js.map +1 -0
  207. package/dist/client/components/AgentPresenceChip.d.ts +1 -1
  208. package/dist/client/components/AgentPresenceChip.d.ts.map +1 -1
  209. package/dist/client/components/ApiKeySettings.d.ts +1 -1
  210. package/dist/client/components/ApiKeySettings.d.ts.map +1 -1
  211. package/dist/client/components/CodeAgentIndicator.d.ts +1 -1
  212. package/dist/client/components/CodeAgentIndicator.d.ts.map +1 -1
  213. package/dist/client/components/CodeRequiredDialog.d.ts +1 -1
  214. package/dist/client/components/CodeRequiredDialog.d.ts.map +1 -1
  215. package/dist/client/components/LiveCursorOverlay.d.ts.map +1 -1
  216. package/dist/client/components/LiveCursorOverlay.js.map +1 -1
  217. package/dist/client/components/PresenceBar.d.ts +1 -1
  218. package/dist/client/components/PresenceBar.d.ts.map +1 -1
  219. package/dist/client/composer/PromptComposer.d.ts.map +1 -1
  220. package/dist/client/composer/PromptComposer.js +6 -26
  221. package/dist/client/composer/PromptComposer.js.map +1 -1
  222. package/dist/client/composer/TiptapComposer.d.ts +8 -2
  223. package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
  224. package/dist/client/composer/TiptapComposer.js +21 -9
  225. package/dist/client/composer/TiptapComposer.js.map +1 -1
  226. package/dist/client/composer/VoiceButton.d.ts +2 -2
  227. package/dist/client/composer/VoiceButton.d.ts.map +1 -1
  228. package/dist/client/composer/index.d.ts +1 -1
  229. package/dist/client/composer/index.d.ts.map +1 -1
  230. package/dist/client/composer/index.js +1 -1
  231. package/dist/client/composer/index.js.map +1 -1
  232. package/dist/client/composer/use-skills.d.ts +1 -1
  233. package/dist/client/context-xray/ContextMeter.d.ts +1 -1
  234. package/dist/client/context-xray/ContextMeter.d.ts.map +1 -1
  235. package/dist/client/context-xray/ContextMeter.js +3 -3
  236. package/dist/client/context-xray/ContextMeter.js.map +1 -1
  237. package/dist/client/context-xray/ContextXRayPanel.d.ts.map +1 -1
  238. package/dist/client/context-xray/ContextXRayPanel.js +4 -3
  239. package/dist/client/context-xray/ContextXRayPanel.js.map +1 -1
  240. package/dist/client/context-xray/format.d.ts +11 -0
  241. package/dist/client/context-xray/format.d.ts.map +1 -1
  242. package/dist/client/context-xray/format.js +16 -0
  243. package/dist/client/context-xray/format.js.map +1 -1
  244. package/dist/client/conversation/AgentConversation.d.ts.map +1 -1
  245. package/dist/client/conversation/AgentConversation.js +8 -53
  246. package/dist/client/conversation/AgentConversation.js.map +1 -1
  247. package/dist/client/conversation/use-near-bottom-autoscroll.d.ts +1 -1
  248. package/dist/client/conversation/use-near-bottom-autoscroll.d.ts.map +1 -1
  249. package/dist/client/conversation/use-near-bottom-autoscroll.js +14 -1
  250. package/dist/client/conversation/use-near-bottom-autoscroll.js.map +1 -1
  251. package/dist/client/create-query-client.d.ts +28 -0
  252. package/dist/client/create-query-client.d.ts.map +1 -0
  253. package/dist/client/create-query-client.js +78 -0
  254. package/dist/client/create-query-client.js.map +1 -0
  255. package/dist/client/db-admin/DevDatabaseLink.d.ts +1 -1
  256. package/dist/client/db-admin/DevDatabaseLink.d.ts.map +1 -1
  257. package/dist/client/db-admin/RowSidePanel.d.ts +1 -1
  258. package/dist/client/db-admin/RowSidePanel.d.ts.map +1 -1
  259. package/dist/client/db-admin/RowSidePanel.js +2 -2
  260. package/dist/client/db-admin/RowSidePanel.js.map +1 -1
  261. package/dist/client/db-admin/TableEditor.d.ts +1 -1
  262. package/dist/client/db-admin/TableEditor.d.ts.map +1 -1
  263. package/dist/client/db-admin/TableEditor.js +1 -1
  264. package/dist/client/db-admin/TableEditor.js.map +1 -1
  265. package/dist/client/db-admin/cell-format.d.ts +1 -1
  266. package/dist/client/db-admin/cell-format.d.ts.map +1 -1
  267. package/dist/client/dev-overlay/DevOverlay.d.ts +1 -1
  268. package/dist/client/dev-overlay/DevOverlay.d.ts.map +1 -1
  269. package/dist/client/editor/index.d.ts +2 -0
  270. package/dist/client/editor/index.d.ts.map +1 -0
  271. package/dist/client/editor/index.js +2 -0
  272. package/dist/client/editor/index.js.map +1 -0
  273. package/dist/client/error-format.d.ts.map +1 -1
  274. package/dist/client/error-format.js +4 -0
  275. package/dist/client/error-format.js.map +1 -1
  276. package/dist/client/extensions/AgentNativeExtensionFrame.d.ts +1 -1
  277. package/dist/client/extensions/AgentNativeExtensionFrame.d.ts.map +1 -1
  278. package/dist/client/extensions/EmbeddedExtension.d.ts +1 -1
  279. package/dist/client/extensions/EmbeddedExtension.d.ts.map +1 -1
  280. package/dist/client/extensions/ExtensionSlot.d.ts +1 -1
  281. package/dist/client/extensions/ExtensionSlot.d.ts.map +1 -1
  282. package/dist/client/extensions/ExtensionViewerPage.d.ts +1 -1
  283. package/dist/client/extensions/ExtensionViewerPage.d.ts.map +1 -1
  284. package/dist/client/guided-questions.d.ts +6 -6
  285. package/dist/client/host-bridge.d.ts.map +1 -1
  286. package/dist/client/host-bridge.js +2 -0
  287. package/dist/client/host-bridge.js.map +1 -1
  288. package/dist/client/index.d.ts +7 -6
  289. package/dist/client/index.d.ts.map +1 -1
  290. package/dist/client/index.js +5 -3
  291. package/dist/client/index.js.map +1 -1
  292. package/dist/client/onboarding/OnboardingBanner.d.ts +1 -1
  293. package/dist/client/onboarding/OnboardingBanner.d.ts.map +1 -1
  294. package/dist/client/onboarding/OnboardingPanel.d.ts +1 -1
  295. package/dist/client/onboarding/OnboardingPanel.d.ts.map +1 -1
  296. package/dist/client/onboarding/SetupButton.d.ts +1 -1
  297. package/dist/client/onboarding/SetupButton.d.ts.map +1 -1
  298. package/dist/client/org/InvitationBanner.d.ts +1 -1
  299. package/dist/client/org/InvitationBanner.d.ts.map +1 -1
  300. package/dist/client/org/OrgSwitcher.d.ts +1 -1
  301. package/dist/client/org/OrgSwitcher.d.ts.map +1 -1
  302. package/dist/client/org/RequireActiveOrg.d.ts +1 -1
  303. package/dist/client/org/RequireActiveOrg.d.ts.map +1 -1
  304. package/dist/client/org/hooks.d.ts +3 -3
  305. package/dist/client/org/hooks.d.ts.map +1 -1
  306. package/dist/client/progress/RunsTray.d.ts +2 -2
  307. package/dist/client/progress/RunsTray.d.ts.map +1 -1
  308. package/dist/client/progress/RunsTray.js +34 -9
  309. package/dist/client/progress/RunsTray.js.map +1 -1
  310. package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
  311. package/dist/client/resources/ResourceEditor.js +1 -1
  312. package/dist/client/resources/ResourceEditor.js.map +1 -1
  313. package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
  314. package/dist/client/resources/ResourcesPanel.js +2 -0
  315. package/dist/client/resources/ResourcesPanel.js.map +1 -1
  316. package/dist/client/rich-markdown-editor/BubbleToolbar.d.ts +1 -1
  317. package/dist/client/rich-markdown-editor/BubbleToolbar.d.ts.map +1 -1
  318. package/dist/client/rich-markdown-editor/CodeBlockNode.d.ts.map +1 -1
  319. package/dist/client/rich-markdown-editor/CodeBlockNode.js +2 -1
  320. package/dist/client/rich-markdown-editor/CodeBlockNode.js.map +1 -1
  321. package/dist/client/rich-markdown-editor/ImageExtension.d.ts.map +1 -1
  322. package/dist/client/rich-markdown-editor/ImageExtension.js +2 -1
  323. package/dist/client/rich-markdown-editor/ImageExtension.js.map +1 -1
  324. package/dist/client/rich-markdown-editor/RegistryBlockNode.d.ts +1 -1
  325. package/dist/client/rich-markdown-editor/RegistryBlockNode.d.ts.map +1 -1
  326. package/dist/client/rich-markdown-editor/RegistryBlockNode.js +1 -1
  327. package/dist/client/rich-markdown-editor/RegistryBlockNode.js.map +1 -1
  328. package/dist/client/rich-markdown-editor/RichMarkdownEditor.d.ts +1 -1
  329. package/dist/client/rich-markdown-editor/SharedRichEditor.d.ts.map +1 -1
  330. package/dist/client/rich-markdown-editor/SharedRichEditor.js +2 -3
  331. package/dist/client/rich-markdown-editor/SharedRichEditor.js.map +1 -1
  332. package/dist/client/rich-markdown-editor/SlashCommandMenu.d.ts +1 -1
  333. package/dist/client/rich-markdown-editor/SlashCommandMenu.d.ts.map +1 -1
  334. package/dist/client/route-state.d.ts +12 -2
  335. package/dist/client/route-state.d.ts.map +1 -1
  336. package/dist/client/route-state.js +1 -1
  337. package/dist/client/route-state.js.map +1 -1
  338. package/dist/client/route-warmup.d.ts +1 -1
  339. package/dist/client/route-warmup.d.ts.map +1 -1
  340. package/dist/client/settings/VoiceTranscriptionSection.js +1 -1
  341. package/dist/client/settings/VoiceTranscriptionSection.js.map +1 -1
  342. package/dist/client/settings/useBuilderStatus.d.ts +2 -2
  343. package/dist/client/sharing/ShareDialog.d.ts +1 -1
  344. package/dist/client/sharing/ShareDialog.d.ts.map +1 -1
  345. package/dist/client/sse-event-processor.d.ts +8 -0
  346. package/dist/client/sse-event-processor.d.ts.map +1 -1
  347. package/dist/client/sse-event-processor.js +33 -10
  348. package/dist/client/sse-event-processor.js.map +1 -1
  349. package/dist/client/terminal/AgentTerminal.d.ts +1 -1
  350. package/dist/client/terminal/AgentTerminal.d.ts.map +1 -1
  351. package/dist/client/terminal/AgentTerminal.js +4 -2
  352. package/dist/client/terminal/AgentTerminal.js.map +1 -1
  353. package/dist/client/tool-cells/BashCell.d.ts +25 -0
  354. package/dist/client/tool-cells/BashCell.d.ts.map +1 -0
  355. package/dist/client/tool-cells/BashCell.js +49 -0
  356. package/dist/client/tool-cells/BashCell.js.map +1 -0
  357. package/dist/client/tool-cells/EditCell.d.ts +24 -0
  358. package/dist/client/tool-cells/EditCell.d.ts.map +1 -0
  359. package/dist/client/tool-cells/EditCell.js +126 -0
  360. package/dist/client/tool-cells/EditCell.js.map +1 -0
  361. package/dist/client/tool-cells/FilesChangedSummary.d.ts +13 -0
  362. package/dist/client/tool-cells/FilesChangedSummary.d.ts.map +1 -0
  363. package/dist/client/tool-cells/FilesChangedSummary.js +98 -0
  364. package/dist/client/tool-cells/FilesChangedSummary.js.map +1 -0
  365. package/dist/client/tool-cells/WriteCell.d.ts +17 -0
  366. package/dist/client/tool-cells/WriteCell.d.ts.map +1 -0
  367. package/dist/client/tool-cells/WriteCell.js +26 -0
  368. package/dist/client/tool-cells/WriteCell.js.map +1 -0
  369. package/dist/client/tool-cells/index.d.ts +8 -0
  370. package/dist/client/tool-cells/index.d.ts.map +1 -0
  371. package/dist/client/tool-cells/index.js +5 -0
  372. package/dist/client/tool-cells/index.js.map +1 -0
  373. package/dist/client/transcription/BuilderTranscriptionCta.d.ts +1 -1
  374. package/dist/client/transcription/BuilderTranscriptionCta.d.ts.map +1 -1
  375. package/dist/client/use-chat-threads.d.ts +1 -1
  376. package/dist/client/use-chat-threads.d.ts.map +1 -1
  377. package/dist/client/use-chat-threads.js +11 -8
  378. package/dist/client/use-chat-threads.js.map +1 -1
  379. package/dist/client/use-db-sync.d.ts +2 -0
  380. package/dist/client/use-db-sync.d.ts.map +1 -1
  381. package/dist/client/use-db-sync.js +329 -302
  382. package/dist/client/use-db-sync.js.map +1 -1
  383. package/dist/code-agents/transcript-normalizer.d.ts +15 -1
  384. package/dist/code-agents/transcript-normalizer.d.ts.map +1 -1
  385. package/dist/code-agents/transcript-normalizer.js +47 -0
  386. package/dist/code-agents/transcript-normalizer.js.map +1 -1
  387. package/dist/coding-tools/index.d.ts +75 -0
  388. package/dist/coding-tools/index.d.ts.map +1 -1
  389. package/dist/coding-tools/index.js +137 -10
  390. package/dist/coding-tools/index.js.map +1 -1
  391. package/dist/collab/client.d.ts.map +1 -1
  392. package/dist/collab/client.js +15 -9
  393. package/dist/collab/client.js.map +1 -1
  394. package/dist/collab/ydoc-manager.d.ts +1 -1
  395. package/dist/collab/ydoc-manager.d.ts.map +1 -1
  396. package/dist/collab/ydoc-manager.js +1 -1
  397. package/dist/collab/ydoc-manager.js.map +1 -1
  398. package/dist/db/client.d.ts +9 -1
  399. package/dist/db/client.d.ts.map +1 -1
  400. package/dist/db/client.js +204 -48
  401. package/dist/db/client.js.map +1 -1
  402. package/dist/db/create-get-db.d.ts +38 -0
  403. package/dist/db/create-get-db.d.ts.map +1 -1
  404. package/dist/db/create-get-db.js +204 -4
  405. package/dist/db/create-get-db.js.map +1 -1
  406. package/dist/db/migrations.d.ts.map +1 -1
  407. package/dist/db/migrations.js +159 -67
  408. package/dist/db/migrations.js.map +1 -1
  409. package/dist/demo/actions/toggle-demo-mode.d.ts +6 -1
  410. package/dist/demo/actions/toggle-demo-mode.d.ts.map +1 -1
  411. package/dist/deploy/build.d.ts.map +1 -1
  412. package/dist/deploy/build.js +80 -39
  413. package/dist/deploy/build.js.map +1 -1
  414. package/dist/deploy/workspace-deploy.js +20 -10
  415. package/dist/deploy/workspace-deploy.js.map +1 -1
  416. package/dist/extensions/schema.d.ts +51 -51
  417. package/dist/extensions/slots/schema.d.ts +13 -13
  418. package/dist/file-upload/actions/upload-image.d.ts +26 -1
  419. package/dist/file-upload/actions/upload-image.d.ts.map +1 -1
  420. package/dist/file-upload/index.d.ts +1 -1
  421. package/dist/file-upload/index.d.ts.map +1 -1
  422. package/dist/file-upload/index.js +1 -1
  423. package/dist/file-upload/index.js.map +1 -1
  424. package/dist/file-upload/pre-upload-attachments.d.ts +37 -0
  425. package/dist/file-upload/pre-upload-attachments.d.ts.map +1 -1
  426. package/dist/file-upload/pre-upload-attachments.js +79 -19
  427. package/dist/file-upload/pre-upload-attachments.js.map +1 -1
  428. package/dist/index.d.ts +1 -1
  429. package/dist/index.d.ts.map +1 -1
  430. package/dist/index.js.map +1 -1
  431. package/dist/integrations/adapters/slack.js +1 -1
  432. package/dist/integrations/adapters/slack.js.map +1 -1
  433. package/dist/integrations/plugin.js +1 -1
  434. package/dist/integrations/plugin.js.map +1 -1
  435. package/dist/jobs/scheduler.js +70 -21
  436. package/dist/jobs/scheduler.js.map +1 -1
  437. package/dist/mcp/actions/create-org-service-token.d.ts +14 -0
  438. package/dist/mcp/actions/create-org-service-token.d.ts.map +1 -0
  439. package/dist/mcp/actions/create-org-service-token.js +74 -0
  440. package/dist/mcp/actions/create-org-service-token.js.map +1 -0
  441. package/dist/mcp/actions/list-org-service-tokens.d.ts +17 -0
  442. package/dist/mcp/actions/list-org-service-tokens.d.ts.map +1 -0
  443. package/dist/mcp/actions/list-org-service-tokens.js +42 -0
  444. package/dist/mcp/actions/list-org-service-tokens.js.map +1 -0
  445. package/dist/mcp/actions/revoke-org-service-token.d.ts +7 -0
  446. package/dist/mcp/actions/revoke-org-service-token.d.ts.map +1 -0
  447. package/dist/mcp/actions/revoke-org-service-token.js +28 -0
  448. package/dist/mcp/actions/revoke-org-service-token.js.map +1 -0
  449. package/dist/mcp/actions/service-token-access.d.ts +24 -0
  450. package/dist/mcp/actions/service-token-access.d.ts.map +1 -0
  451. package/dist/mcp/actions/service-token-access.js +63 -0
  452. package/dist/mcp/actions/service-token-access.js.map +1 -0
  453. package/dist/mcp/build-server.d.ts +42 -11
  454. package/dist/mcp/build-server.d.ts.map +1 -1
  455. package/dist/mcp/build-server.js +53 -3
  456. package/dist/mcp/build-server.js.map +1 -1
  457. package/dist/mcp/connect-route.d.ts +35 -0
  458. package/dist/mcp/connect-route.d.ts.map +1 -1
  459. package/dist/mcp/connect-route.js +57 -2
  460. package/dist/mcp/connect-route.js.map +1 -1
  461. package/dist/mcp/connect-store.d.ts +43 -0
  462. package/dist/mcp/connect-store.d.ts.map +1 -1
  463. package/dist/mcp/connect-store.js +129 -12
  464. package/dist/mcp/connect-store.js.map +1 -1
  465. package/dist/mcp/oauth-token.d.ts +10 -0
  466. package/dist/mcp/oauth-token.d.ts.map +1 -1
  467. package/dist/mcp/oauth-token.js +2 -0
  468. package/dist/mcp/oauth-token.js.map +1 -1
  469. package/dist/mcp/server.d.ts.map +1 -1
  470. package/dist/mcp/server.js +3 -0
  471. package/dist/mcp/server.js.map +1 -1
  472. package/dist/mcp-client/routes.js +1 -1
  473. package/dist/mcp-client/routes.js.map +1 -1
  474. package/dist/org/context.d.ts +4 -0
  475. package/dist/org/context.d.ts.map +1 -1
  476. package/dist/org/context.js +10 -0
  477. package/dist/org/context.js.map +1 -1
  478. package/dist/org/handlers.d.ts +11 -7
  479. package/dist/org/handlers.d.ts.map +1 -1
  480. package/dist/org/handlers.js +0 -8
  481. package/dist/org/handlers.js.map +1 -1
  482. package/dist/org/migrations.d.ts.map +1 -1
  483. package/dist/org/migrations.js +8 -0
  484. package/dist/org/migrations.js.map +1 -1
  485. package/dist/org/schema.d.ts +15 -15
  486. package/dist/progress/actions.d.ts.map +1 -1
  487. package/dist/progress/actions.js +13 -5
  488. package/dist/progress/actions.js.map +1 -1
  489. package/dist/provider-api/actions/delete-staged-dataset.d.ts +9 -0
  490. package/dist/provider-api/actions/delete-staged-dataset.d.ts.map +1 -0
  491. package/dist/provider-api/actions/delete-staged-dataset.js +35 -0
  492. package/dist/provider-api/actions/delete-staged-dataset.js.map +1 -0
  493. package/dist/provider-api/actions/list-staged-datasets.d.ts +15 -0
  494. package/dist/provider-api/actions/list-staged-datasets.d.ts.map +1 -0
  495. package/dist/provider-api/actions/list-staged-datasets.js +41 -0
  496. package/dist/provider-api/actions/list-staged-datasets.js.map +1 -0
  497. package/dist/provider-api/actions/query-staged-dataset.d.ts +29 -0
  498. package/dist/provider-api/actions/query-staged-dataset.d.ts.map +1 -0
  499. package/dist/provider-api/actions/query-staged-dataset.js +116 -0
  500. package/dist/provider-api/actions/query-staged-dataset.js.map +1 -0
  501. package/dist/provider-api/custom-registry.d.ts.map +1 -1
  502. package/dist/provider-api/custom-registry.js.map +1 -1
  503. package/dist/provider-api/index.d.ts +10 -10
  504. package/dist/provider-api/index.js +0 -5
  505. package/dist/provider-api/index.js.map +1 -1
  506. package/dist/provider-api/staged-datasets-aggregate.d.ts +46 -0
  507. package/dist/provider-api/staged-datasets-aggregate.d.ts.map +1 -0
  508. package/dist/provider-api/staged-datasets-aggregate.js +209 -0
  509. package/dist/provider-api/staged-datasets-aggregate.js.map +1 -0
  510. package/dist/provider-api/staged-datasets-store.d.ts +76 -0
  511. package/dist/provider-api/staged-datasets-store.d.ts.map +1 -0
  512. package/dist/provider-api/staged-datasets-store.js +319 -0
  513. package/dist/provider-api/staged-datasets-store.js.map +1 -0
  514. package/dist/provider-api/staging.d.ts +100 -0
  515. package/dist/provider-api/staging.d.ts.map +1 -0
  516. package/dist/provider-api/staging.js +281 -0
  517. package/dist/provider-api/staging.js.map +1 -0
  518. package/dist/resources/handlers.d.ts.map +1 -1
  519. package/dist/resources/handlers.js +13 -1
  520. package/dist/resources/handlers.js.map +1 -1
  521. package/dist/scripts/call-agent.d.ts.map +1 -1
  522. package/dist/scripts/call-agent.js +1 -2
  523. package/dist/scripts/call-agent.js.map +1 -1
  524. package/dist/scripts/resources/migrate-learnings.d.ts +1 -1
  525. package/dist/scripts/resources/migrate-learnings.d.ts.map +1 -1
  526. package/dist/scripts/resources/migrate-learnings.js +1 -1
  527. package/dist/scripts/resources/migrate-learnings.js.map +1 -1
  528. package/dist/secrets/schema.d.ts +7 -7
  529. package/dist/server/action-discovery.d.ts.map +1 -1
  530. package/dist/server/action-discovery.js +14 -0
  531. package/dist/server/action-discovery.js.map +1 -1
  532. package/dist/server/action-routes.d.ts.map +1 -1
  533. package/dist/server/action-routes.js +3 -2
  534. package/dist/server/action-routes.js.map +1 -1
  535. package/dist/server/agent-chat-plugin.d.ts +33 -0
  536. package/dist/server/agent-chat-plugin.d.ts.map +1 -1
  537. package/dist/server/agent-chat-plugin.js +251 -180
  538. package/dist/server/agent-chat-plugin.js.map +1 -1
  539. package/dist/server/agent-discovery.d.ts.map +1 -1
  540. package/dist/server/agent-discovery.js +13 -16
  541. package/dist/server/agent-discovery.js.map +1 -1
  542. package/dist/server/agent-teams-run-queue.d.ts +31 -8
  543. package/dist/server/agent-teams-run-queue.d.ts.map +1 -1
  544. package/dist/server/agent-teams-run-queue.js +61 -18
  545. package/dist/server/agent-teams-run-queue.js.map +1 -1
  546. package/dist/server/agent-teams.d.ts +27 -1
  547. package/dist/server/agent-teams.d.ts.map +1 -1
  548. package/dist/server/agent-teams.js +214 -14
  549. package/dist/server/agent-teams.js.map +1 -1
  550. package/dist/server/app-base-path.d.ts +20 -0
  551. package/dist/server/app-base-path.d.ts.map +1 -1
  552. package/dist/server/app-base-path.js +36 -0
  553. package/dist/server/app-base-path.js.map +1 -1
  554. package/dist/server/attachment-actions.d.ts +43 -0
  555. package/dist/server/attachment-actions.d.ts.map +1 -0
  556. package/dist/server/attachment-actions.js +214 -0
  557. package/dist/server/attachment-actions.js.map +1 -0
  558. package/dist/server/auth.js +1 -1
  559. package/dist/server/auth.js.map +1 -1
  560. package/dist/server/complete-text.d.ts +56 -0
  561. package/dist/server/complete-text.d.ts.map +1 -0
  562. package/dist/server/complete-text.js +147 -0
  563. package/dist/server/complete-text.js.map +1 -0
  564. package/dist/server/core-routes-plugin.d.ts +1 -0
  565. package/dist/server/core-routes-plugin.d.ts.map +1 -1
  566. package/dist/server/core-routes-plugin.js +37 -27
  567. package/dist/server/core-routes-plugin.js.map +1 -1
  568. package/dist/server/cors-origins.d.ts.map +1 -1
  569. package/dist/server/cors-origins.js +6 -1
  570. package/dist/server/cors-origins.js.map +1 -1
  571. package/dist/server/create-server.d.ts.map +1 -1
  572. package/dist/server/create-server.js +2 -1
  573. package/dist/server/create-server.js.map +1 -1
  574. package/dist/server/csrf.d.ts +1 -1
  575. package/dist/server/csrf.d.ts.map +1 -1
  576. package/dist/server/email-actions.d.ts +19 -0
  577. package/dist/server/email-actions.d.ts.map +1 -0
  578. package/dist/server/email-actions.js +191 -0
  579. package/dist/server/email-actions.js.map +1 -0
  580. package/dist/server/embed-route.js +1 -1
  581. package/dist/server/embed-route.js.map +1 -1
  582. package/dist/server/embed-session.d.ts.map +1 -1
  583. package/dist/server/embed-session.js +5 -1
  584. package/dist/server/embed-session.js.map +1 -1
  585. package/dist/server/entry-server.d.ts +24 -0
  586. package/dist/server/entry-server.d.ts.map +1 -0
  587. package/dist/server/entry-server.js +54 -0
  588. package/dist/server/entry-server.js.map +1 -0
  589. package/dist/server/framework-request-handler.d.ts.map +1 -1
  590. package/dist/server/framework-request-handler.js +2 -10
  591. package/dist/server/framework-request-handler.js.map +1 -1
  592. package/dist/server/google-oauth.d.ts.map +1 -1
  593. package/dist/server/google-oauth.js +2 -9
  594. package/dist/server/google-oauth.js.map +1 -1
  595. package/dist/server/google-realtime-session.d.ts.map +1 -1
  596. package/dist/server/google-realtime-session.js +6 -4
  597. package/dist/server/google-realtime-session.js.map +1 -1
  598. package/dist/server/h3-helpers.d.ts +39 -0
  599. package/dist/server/h3-helpers.d.ts.map +1 -1
  600. package/dist/server/h3-helpers.js +104 -1
  601. package/dist/server/h3-helpers.js.map +1 -1
  602. package/dist/server/index.d.ts +2 -1
  603. package/dist/server/index.d.ts.map +1 -1
  604. package/dist/server/index.js +2 -1
  605. package/dist/server/index.js.map +1 -1
  606. package/dist/server/onboarding-html.d.ts.map +1 -1
  607. package/dist/server/onboarding-html.js +1 -8
  608. package/dist/server/onboarding-html.js.map +1 -1
  609. package/dist/server/open-route.d.ts.map +1 -1
  610. package/dist/server/open-route.js +1 -0
  611. package/dist/server/open-route.js.map +1 -1
  612. package/dist/server/prompts/framework-core-compact.d.ts +19 -0
  613. package/dist/server/prompts/framework-core-compact.d.ts.map +1 -0
  614. package/dist/server/prompts/framework-core-compact.js +69 -0
  615. package/dist/server/prompts/framework-core-compact.js.map +1 -0
  616. package/dist/server/prompts/framework-core.d.ts +26 -0
  617. package/dist/server/prompts/framework-core.d.ts.map +1 -0
  618. package/dist/server/prompts/framework-core.js +130 -0
  619. package/dist/server/prompts/framework-core.js.map +1 -0
  620. package/dist/server/prompts/index.d.ts +9 -0
  621. package/dist/server/prompts/index.d.ts.map +1 -0
  622. package/dist/server/prompts/index.js +9 -0
  623. package/dist/server/prompts/index.js.map +1 -0
  624. package/dist/server/prompts/model-overlays.d.ts +18 -0
  625. package/dist/server/prompts/model-overlays.d.ts.map +1 -0
  626. package/dist/server/prompts/model-overlays.js +46 -0
  627. package/dist/server/prompts/model-overlays.js.map +1 -0
  628. package/dist/server/prompts/shared-rules.d.ts +29 -0
  629. package/dist/server/prompts/shared-rules.d.ts.map +1 -0
  630. package/dist/server/prompts/shared-rules.js +54 -0
  631. package/dist/server/prompts/shared-rules.js.map +1 -0
  632. package/dist/server/security-headers.d.ts +7 -1
  633. package/dist/server/security-headers.d.ts.map +1 -1
  634. package/dist/server/security-headers.js +11 -0
  635. package/dist/server/security-headers.js.map +1 -1
  636. package/dist/server/ssr-handler.d.ts.map +1 -1
  637. package/dist/server/ssr-handler.js +135 -46
  638. package/dist/server/ssr-handler.js.map +1 -1
  639. package/dist/server/transcribe-voice.d.ts.map +1 -1
  640. package/dist/server/transcribe-voice.js +7 -4
  641. package/dist/server/transcribe-voice.js.map +1 -1
  642. package/dist/settings/store.d.ts.map +1 -1
  643. package/dist/settings/store.js +9 -0
  644. package/dist/settings/store.js.map +1 -1
  645. package/dist/shared/markdown-block-split.d.ts +39 -0
  646. package/dist/shared/markdown-block-split.d.ts.map +1 -0
  647. package/dist/shared/markdown-block-split.js +97 -0
  648. package/dist/shared/markdown-block-split.js.map +1 -0
  649. package/dist/shared/reasoning-effort.js +13 -1
  650. package/dist/shared/reasoning-effort.js.map +1 -1
  651. package/dist/shared/streaming-text-smoothing.d.ts +18 -0
  652. package/dist/shared/streaming-text-smoothing.d.ts.map +1 -1
  653. package/dist/shared/streaming-text-smoothing.js +70 -4
  654. package/dist/shared/streaming-text-smoothing.js.map +1 -1
  655. package/dist/sharing/actions/list-resource-shares.d.ts +24 -1
  656. package/dist/sharing/actions/list-resource-shares.d.ts.map +1 -1
  657. package/dist/sharing/actions/set-resource-visibility.d.ts +8 -1
  658. package/dist/sharing/actions/set-resource-visibility.d.ts.map +1 -1
  659. package/dist/sharing/actions/share-resource.d.ts +12 -1
  660. package/dist/sharing/actions/share-resource.d.ts.map +1 -1
  661. package/dist/sharing/actions/unshare-resource.d.ts +8 -1
  662. package/dist/sharing/actions/unshare-resource.d.ts.map +1 -1
  663. package/dist/sharing/schema.d.ts +10 -10
  664. package/dist/styles/agent-conversation.css +239 -0
  665. package/dist/templates/default/.agents/skills/delegate-to-agent/SKILL.md +50 -2
  666. package/dist/templates/default/AGENTS.md +1 -1
  667. package/dist/templates/default/DEVELOPING.md +19 -0
  668. package/dist/templates/default/app/entry.client.tsx +4 -1
  669. package/dist/templates/default/app/entry.server.tsx +4 -56
  670. package/dist/templates/default/app/global.css +3 -2
  671. package/dist/templates/default/app/root.tsx +8 -24
  672. package/dist/templates/default/app/routes/_index.tsx +0 -13
  673. package/dist/templates/default/package.json +6 -5
  674. package/dist/templates/default/tsconfig.json +2 -1
  675. package/dist/templates/starter-shell-sync.spec.ts +118 -0
  676. package/dist/templates/ui-primitives-sync.spec.ts +399 -0
  677. package/dist/templates/workspace-core/.agents/skills/delegate-to-agent/SKILL.md +50 -2
  678. package/dist/terminal/pty-server.js +1 -1
  679. package/dist/terminal/pty-server.js.map +1 -1
  680. package/dist/triggers/dispatcher.js +1 -1
  681. package/dist/triggers/dispatcher.js.map +1 -1
  682. package/dist/usage/store.d.ts.map +1 -1
  683. package/dist/usage/store.js +60 -7
  684. package/dist/usage/store.js.map +1 -1
  685. package/dist/vite/client.d.ts.map +1 -1
  686. package/dist/vite/client.js +44 -12
  687. package/dist/vite/client.js.map +1 -1
  688. package/dist/workspace-files/schema.d.ts +8 -8
  689. package/dist/workspace-files/tool.d.ts.map +1 -1
  690. package/dist/workspace-files/tool.js +0 -1
  691. package/dist/workspace-files/tool.js.map +1 -1
  692. package/docs/content/a2a-protocol.md +18 -12
  693. package/docs/content/actions.md +42 -10
  694. package/docs/content/agent-mentions.md +7 -8
  695. package/docs/content/agent-teams.md +23 -37
  696. package/docs/content/agent-web-surfaces.md +18 -9
  697. package/docs/content/authentication.md +6 -17
  698. package/docs/content/automations.md +43 -15
  699. package/docs/content/cli-adapters.md +25 -24
  700. package/docs/content/client.md +66 -17
  701. package/docs/content/cloneable-saas.md +19 -23
  702. package/docs/content/code-agents-ui.md +3 -31
  703. package/docs/content/components.md +308 -0
  704. package/docs/content/context-awareness.md +4 -0
  705. package/docs/content/creating-templates.md +4 -2
  706. package/docs/content/cross-app-sso.md +45 -19
  707. package/docs/content/database.md +26 -1
  708. package/docs/content/deployment.md +3 -1
  709. package/docs/content/dispatch.md +9 -37
  710. package/docs/content/drop-in-agent.md +123 -2
  711. package/docs/content/embedding-sdk.md +35 -0
  712. package/docs/content/extensions.md +2 -2
  713. package/docs/content/external-agents.md +86 -171
  714. package/docs/content/faq.md +6 -27
  715. package/docs/content/frames.md +9 -12
  716. package/docs/content/getting-started.md +80 -77
  717. package/docs/content/key-concepts.md +29 -19
  718. package/docs/content/mcp-apps.md +103 -0
  719. package/docs/content/mcp-clients.md +2 -2
  720. package/docs/content/mcp-protocol.md +40 -17
  721. package/docs/content/messaging.md +11 -4
  722. package/docs/content/migration-workbench.md +4 -47
  723. package/docs/content/multi-app-workspace.md +48 -17
  724. package/docs/content/multi-tenancy.md +1 -1
  725. package/docs/content/notifications.md +8 -6
  726. package/docs/content/observability.md +26 -15
  727. package/docs/content/onboarding.md +7 -1
  728. package/docs/content/pr-visual-recap.md +203 -23
  729. package/docs/content/progress.md +5 -5
  730. package/docs/content/pure-agent-apps.md +3 -1
  731. package/docs/content/real-time-collaboration.md +106 -0
  732. package/docs/content/recurring-jobs.md +17 -1
  733. package/docs/content/security.md +17 -3
  734. package/docs/content/server.md +39 -3
  735. package/docs/content/sharing.md +20 -1
  736. package/docs/content/skills-guide.md +151 -125
  737. package/docs/content/template-analytics.md +8 -0
  738. package/docs/content/template-assets.md +2 -0
  739. package/docs/content/template-brain.md +59 -3
  740. package/docs/content/template-calendar.md +8 -0
  741. package/docs/content/template-clips.md +11 -2
  742. package/docs/content/template-content.md +24 -4
  743. package/docs/content/template-design.md +19 -17
  744. package/docs/content/template-dispatch.md +2 -0
  745. package/docs/content/template-forms.md +28 -1
  746. package/docs/content/template-mail.md +17 -0
  747. package/docs/content/template-plan.md +177 -10
  748. package/docs/content/template-slides.md +51 -12
  749. package/docs/content/template-videos.md +17 -0
  750. package/docs/content/tracking.md +17 -13
  751. package/docs/content/using-your-agent.md +15 -5
  752. package/docs/content/voice-input.md +1 -1
  753. package/docs/content/what-is-agent-native.md +5 -6
  754. package/docs/content/workspace-connections.md +138 -424
  755. package/docs/content/workspace-management.md +12 -128
  756. package/docs/content/workspace.md +125 -199
  757. package/docs/content/writing-agent-instructions.md +17 -1
  758. package/package.json +25 -6
  759. package/src/templates/default/.agents/skills/delegate-to-agent/SKILL.md +50 -2
  760. package/src/templates/default/AGENTS.md +1 -1
  761. package/src/templates/default/DEVELOPING.md +19 -0
  762. package/src/templates/default/app/entry.client.tsx +4 -1
  763. package/src/templates/default/app/entry.server.tsx +4 -56
  764. package/src/templates/default/app/global.css +3 -2
  765. package/src/templates/default/app/root.tsx +8 -24
  766. package/src/templates/default/app/routes/_index.tsx +0 -13
  767. package/src/templates/default/package.json +6 -5
  768. package/src/templates/default/tsconfig.json +2 -1
  769. package/src/templates/starter-shell-sync.spec.ts +118 -0
  770. package/src/templates/ui-primitives-sync.spec.ts +399 -0
  771. package/src/templates/workspace-core/.agents/skills/delegate-to-agent/SKILL.md +50 -2
  772. package/tsconfig.base.json +2 -10
  773. package/dist/cli/app-skill.d.ts +0 -157
  774. package/dist/cli/app-skill.d.ts.map +0 -1
  775. package/dist/cli/audit-agent-web.d.ts +0 -2
  776. package/dist/cli/audit-agent-web.d.ts.map +0 -1
  777. package/dist/cli/code-agent-connector.d.ts +0 -17
  778. package/dist/cli/code-agent-connector.d.ts.map +0 -1
  779. package/dist/cli/code.d.ts +0 -66
  780. package/dist/cli/code.d.ts.map +0 -1
  781. package/dist/cli/connect.d.ts +0 -140
  782. package/dist/cli/connect.d.ts.map +0 -1
  783. package/dist/cli/context-xray-local.d.ts +0 -16
  784. package/dist/cli/context-xray-local.d.ts.map +0 -1
  785. package/dist/cli/create-workspace.d.ts +0 -8
  786. package/dist/cli/create-workspace.d.ts.map +0 -1
  787. package/dist/cli/index.d.ts +0 -3
  788. package/dist/cli/index.d.ts.map +0 -1
  789. package/dist/cli/info.d.ts +0 -2
  790. package/dist/cli/info.d.ts.map +0 -1
  791. package/dist/cli/mcp-config-writers.d.ts +0 -82
  792. package/dist/cli/mcp-config-writers.d.ts.map +0 -1
  793. package/dist/cli/mcp.d.ts +0 -16
  794. package/dist/cli/mcp.d.ts.map +0 -1
  795. package/dist/cli/migrate.d.ts +0 -38
  796. package/dist/cli/migrate.d.ts.map +0 -1
  797. package/dist/cli/plan-local.d.ts +0 -43
  798. package/dist/cli/plan-local.d.ts.map +0 -1
  799. package/dist/cli/plan-publish-store.d.ts +0 -62
  800. package/dist/cli/plan-publish-store.d.ts.map +0 -1
  801. package/dist/cli/pr-visual-recap-workflow.d.ts +0 -11
  802. package/dist/cli/pr-visual-recap-workflow.d.ts.map +0 -1
  803. package/dist/cli/recap.d.ts +0 -297
  804. package/dist/cli/recap.d.ts.map +0 -1
  805. package/dist/cli/skills.d.ts +0 -162
  806. package/dist/cli/skills.d.ts.map +0 -1
  807. package/dist/cli/workspace-dev.d.ts +0 -96
  808. package/dist/cli/workspace-dev.d.ts.map +0 -1
package/dist/server/prompts/shared-rules.js ADDED
@@ -0,0 +1,54 @@
1
+ /**
2
+ * Shared rule text used in both FRAMEWORK_CORE (full) and FRAMEWORK_CORE_COMPACT.
3
+ * Single source of truth so the two variants can't drift on rules that are
4
+ * identical between them.
5
+ *
6
+ * Rules 8–10 (db-* tools, no fabrication, no false success) are reproduced
7
+ * verbatim in both prompts — keep them here.
8
+ */
9
+ const DEFAULT_PROVIDER_ACTIONS = [
10
+ "bigquery",
11
+ "ga4-report",
12
+ "hubspot-deals",
13
+ "jira",
14
+ "jira-search",
15
+ "pylon-issues",
16
+ ];
17
+ /** Rule 8 — db-* tools are internal only (shared between full and compact). */
18
+ export function sharedRule8(examples) {
19
+ const providers = examples?.providerActions ?? DEFAULT_PROVIDER_ACTIONS;
20
+ const providerList = providers.join(", ");
21
+ // Build the "e.g." clause for warehouse vs. named provider
22
+ const warehouseExample = providers.includes("bigquery")
23
+ ? "`bigquery` for warehouse tables, "
24
+ : "";
25
+ const providerExamples = providers
26
+ .filter((p) => p !== "bigquery")
27
+ .slice(0, 4)
28
+ .map((p) => `\`${p}\``)
29
+ .join(", ");
30
+ return `8. **\`db-*\` tools are internal only** — \`db-query\`, \`db-exec\`, \`db-patch\` ONLY access the app's own SQL database (settings, application_state, template tables). They CANNOT reach ${providerList.length > 0
31
+ ? providerList
32
+ .split(",")
33
+ .slice(0, 3)
34
+ .map((s) => s.trim())
35
+ .join(", ")
36
+ : "external data sources"}, or any external data source. If the user asks about a table that is NOT in the app schema (e.g. \`dbt_analytics.*\`, \`dbt_mart.*\`, or any fully-qualified \`project.dataset.table\`), use the appropriate template action instead — ${warehouseExample}${providerExamples ? `${providerExamples} for their respective providers, ` : ""}etc. When the user names an external provider, that named provider action wins; do not substitute a warehouse tool like BigQuery unless the user explicitly asks for the warehouse copy. **Never use \`db-query\` for external data — it will fail.** For extensions, use \`get-extension\` when you already have an id from \`<current-screen>\` or \`<current-url>\`; otherwise use \`list-extensions\`, \`update-extension\`, \`hide-extension\`, and \`delete-extension\`. Do not query the legacy \`tools\` table directly.`;
37
+ }
38
+ /** Rule 9 — Never fabricate factual claims (shared). */
39
+ export const SHARED_RULE_9 = `9. **Never fabricate factual claims or records** — Do NOT invent numbers, metrics, records, query results, URLs, citations, source attributions, customer names, dates, or success rates. This applies inside generated artifacts too: decks, documents, reports, dashboards, Slack/email replies, and charts must not contain unsupported factual specifics. Only state factual numbers/claims when the user provided them or you retrieved them with an action/tool. If a data source is unavailable, returns no rows, is missing credentials, or has a connection error, say so clearly; do not create placeholder rows or fetch unrelated external providers to make the answer look complete unless the user explicitly asked you to import/sync/backfill. If a specific metric would be useful but is not known, use qualitative wording, placeholders like \`[metric TBD]\`, or clearly labeled draft assumptions instead of plausible-looking facts. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.`;
40
+ /** Rule 10 — Never fabricate success from tool errors (shared). */
41
+ export const SHARED_RULE_10 = `10. **Never fabricate success from tool errors** — When any tool call returns an error (marked \`isError: true\`, contains "Command failed", "Error:", or non-zero exit output), the operation FAILED. Do NOT synthesize a success narrative or describe what the action "would have" produced. Report the failure verbatim from the tool output. This applies especially to \`bash(command="pnpm action ...")\` calls: if the action threw, it did NOT succeed.`;
42
+ /** Rule 14 — Planning and progress (adapted from Codex's update_plan discipline). */
43
+ export const SHARED_RULE_14 = `14. **Plan and track multi-step work** — For non-trivial tasks that span several actions or phases, use \`manage-progress\` to make work visible and keep it on track.
44
+
45
+ - Call \`manage-progress\` with \`action: "start"\` at the beginning of multi-step work; include a descriptive \`title\` and the first \`step\`.
46
+ - Update with \`action: "update"\` after each meaningful milestone — include \`step\` (what you just did or are doing now) and \`percent\` when there is a known upper bound. Do not batch-complete multiple steps after the fact; update as you go.
47
+ - Exactly one logical task should be \`in_progress\` at a time within a turn. Finish (or explicitly complete/cancel) a run before starting an unrelated one.
48
+ - Mark done with \`action: "complete"\` and \`status: "succeeded"\` (or "failed"/"cancelled") as the last step. Never leave a run open indefinitely.
49
+ - **Skip for trivial work**: single-action lookups, simple reads, one-line answers, and any task that finishes in one tool call do not need a progress run. Plans add value only when there are multiple real steps the user would want to watch.
50
+ - Never create single-step plans — if everything fits in one \`start\`+\`complete\`, just call the action and report the outcome directly.
51
+ - If the task pivots mid-run (unexpected blocker, scope change), update the current step to reflect the new direction before continuing.`;
52
+ /** Rule 15 — Collaborate through uncertainty (better-specified version). */
53
+ export const SHARED_RULE_15 = `15. **Collaborate through uncertainty** — If a task stalls, errors, or depends on setup the user may not know about, shift into builder-coach mode instead of repeating the same attempt. State what you verified, name the most likely next checks, and proactively try common unblockers you can inspect (for example prompt size, missing environment variables, unavailable connections, current screen state, or tool choice). When you finish a meaningful step, offer one or two concrete next steps or improvements so non-technical users can keep iterating. When you are genuinely blocked on a decision you cannot resolve from context — and a wrong guess would be costly — use \`ask-question\` to present the choice instead of guessing; otherwise prefer a reasonable assumption and keep moving.`;
54
+ //# sourceMappingURL=shared-rules.js.map
package/dist/server/prompts/shared-rules.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"shared-rules.js","sourceRoot":"","sources":["../../../src/server/prompts/shared-rules.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAaH,MAAM,wBAAwB,GAAG;IAC/B,UAAU;IACV,YAAY;IACZ,eAAe;IACf,MAAM;IACN,aAAa;IACb,cAAc;CACf,CAAC;AACF,+EAA+E;AAC/E,MAAM,UAAU,WAAW,CAAC,QAAyB;IACnD,MAAM,SAAS,GAAG,QAAQ,EAAE,eAAe,IAAI,wBAAwB,CAAC;IACxE,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1C,2DAA2D;IAC3D,MAAM,gBAAgB,GAAG,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;QACrD,CAAC,CAAC,mCAAmC;QACrC,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,gBAAgB,GAAG,SAAS;SAC/B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,UAAU,CAAC;SAC/B,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;SACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC;SACtB,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,OAAO,8LACL,YAAY,CAAC,MAAM,GAAG,CAAC;QACrB,CAAC,CAAC,YAAY;aACT,KAAK,CAAC,GAAG,CAAC;aACV,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,IAAI,CAAC,IAAI,CAAC;QACf,CAAC,CAAC,uBACN,2OAA2O,gBAAgB,GAAG,gBAAgB,CAAC,CAAC,CAAC,GAAG,gBAAgB,mCAAmC,CAAC,CAAC,CAAC,EAAE,kgBAAkgB,CAAC;AACj1B,CAAC;AAED,wDAAwD;AACxD,MAAM,CAAC,MAAM,aAAa,GAAG,igCAAigC,CAAC;AAE/hC,mEAAmE;AACnE,MAAM,CAAC,MAAM,cAAc,GAAG,kcAAkc,CAAC;AAEje,qFAAqF;AACrF,MAAM,CAAC,MAAM,cAAc,GAAG;;;;;;;;2IAQ6G,CAAC;AAE5I,4EAA4E;AAC5E,MAAM,CAAC,MAAM,cAAc,GAAG,qxBAAqxB,CAAC","sourcesContent":["/**\n * Shared rule text used in both FRAMEWORK_CORE (full) and FRAMEWORK_CORE_COMPACT.\n * Single source of truth so the two variants can't drift on rules that are\n * identical between them.\n *\n * Rules 8–10 (db-* tools, no fabrication, no false success) are reproduced\n * verbatim in both prompts — keep them here.\n */\n\n/**\n * Injectable provider/action examples. Defaults are generic; templates that\n * have named providers pass their own list via AgentChatPluginOptions.promptExamples.\n */\nexport interface PromptExamples {\n /** Named external provider actions accessible from the agent (e.g. [\"bigquery\", \"ga4-report\"]). */\n providerActions?: string[];\n /** Named template-specific actions to cite as examples (e.g. [\"log-meal\", \"update-form\"]). */\n appActions?: string[];\n}\n\nconst DEFAULT_PROVIDER_ACTIONS = [\n \"bigquery\",\n \"ga4-report\",\n \"hubspot-deals\",\n \"jira\",\n \"jira-search\",\n \"pylon-issues\",\n];\n/** Rule 8 — db-* tools are internal only (shared between full and compact). */\nexport function sharedRule8(examples?: PromptExamples): string {\n const providers = examples?.providerActions ?? DEFAULT_PROVIDER_ACTIONS;\n const providerList = providers.join(\", \");\n // Build the \"e.g.\" clause for warehouse vs. named provider\n const warehouseExample = providers.includes(\"bigquery\")\n ? \"`bigquery` for warehouse tables, \"\n : \"\";\n const providerExamples = providers\n .filter((p) => p !== \"bigquery\")\n .slice(0, 4)\n .map((p) => `\\`${p}\\``)\n .join(\", \");\n\n return `8. **\\`db-*\\` tools are internal only** — \\`db-query\\`, \\`db-exec\\`, \\`db-patch\\` ONLY access the app's own SQL database (settings, application_state, template tables). They CANNOT reach ${\n providerList.length > 0\n ? providerList\n .split(\",\")\n .slice(0, 3)\n .map((s) => s.trim())\n .join(\", \")\n : \"external data sources\"\n }, or any external data source. If the user asks about a table that is NOT in the app schema (e.g. \\`dbt_analytics.*\\`, \\`dbt_mart.*\\`, or any fully-qualified \\`project.dataset.table\\`), use the appropriate template action instead — ${warehouseExample}${providerExamples ? `${providerExamples} for their respective providers, ` : \"\"}etc. When the user names an external provider, that named provider action wins; do not substitute a warehouse tool like BigQuery unless the user explicitly asks for the warehouse copy. **Never use \\`db-query\\` for external data — it will fail.** For extensions, use \\`get-extension\\` when you already have an id from \\`<current-screen>\\` or \\`<current-url>\\`; otherwise use \\`list-extensions\\`, \\`update-extension\\`, \\`hide-extension\\`, and \\`delete-extension\\`. Do not query the legacy \\`tools\\` table directly.`;\n}\n\n/** Rule 9 — Never fabricate factual claims (shared). */\nexport const SHARED_RULE_9 = `9. **Never fabricate factual claims or records** — Do NOT invent numbers, metrics, records, query results, URLs, citations, source attributions, customer names, dates, or success rates. This applies inside generated artifacts too: decks, documents, reports, dashboards, Slack/email replies, and charts must not contain unsupported factual specifics. Only state factual numbers/claims when the user provided them or you retrieved them with an action/tool. If a data source is unavailable, returns no rows, is missing credentials, or has a connection error, say so clearly; do not create placeholder rows or fetch unrelated external providers to make the answer look complete unless the user explicitly asked you to import/sync/backfill. If a specific metric would be useful but is not known, use qualitative wording, placeholders like \\`[metric TBD]\\`, or clearly labeled draft assumptions instead of plausible-looking facts. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.`;\n\n/** Rule 10 — Never fabricate success from tool errors (shared). */\nexport const SHARED_RULE_10 = `10. **Never fabricate success from tool errors** — When any tool call returns an error (marked \\`isError: true\\`, contains \"Command failed\", \"Error:\", or non-zero exit output), the operation FAILED. Do NOT synthesize a success narrative or describe what the action \"would have\" produced. Report the failure verbatim from the tool output. This applies especially to \\`bash(command=\"pnpm action ...\")\\` calls: if the action threw, it did NOT succeed.`;\n\n/** Rule 14 — Planning and progress (adapted from Codex's update_plan discipline). */\nexport const SHARED_RULE_14 = `14. **Plan and track multi-step work** — For non-trivial tasks that span several actions or phases, use \\`manage-progress\\` to make work visible and keep it on track.\n\n - Call \\`manage-progress\\` with \\`action: \"start\"\\` at the beginning of multi-step work; include a descriptive \\`title\\` and the first \\`step\\`.\n - Update with \\`action: \"update\"\\` after each meaningful milestone — include \\`step\\` (what you just did or are doing now) and \\`percent\\` when there is a known upper bound. Do not batch-complete multiple steps after the fact; update as you go.\n - Exactly one logical task should be \\`in_progress\\` at a time within a turn. Finish (or explicitly complete/cancel) a run before starting an unrelated one.\n - Mark done with \\`action: \"complete\"\\` and \\`status: \"succeeded\"\\` (or \"failed\"/\"cancelled\") as the last step. Never leave a run open indefinitely.\n - **Skip for trivial work**: single-action lookups, simple reads, one-line answers, and any task that finishes in one tool call do not need a progress run. Plans add value only when there are multiple real steps the user would want to watch.\n - Never create single-step plans — if everything fits in one \\`start\\`+\\`complete\\`, just call the action and report the outcome directly.\n - If the task pivots mid-run (unexpected blocker, scope change), update the current step to reflect the new direction before continuing.`;\n\n/** Rule 15 — Collaborate through uncertainty (better-specified version). */\nexport const SHARED_RULE_15 = `15. **Collaborate through uncertainty** — If a task stalls, errors, or depends on setup the user may not know about, shift into builder-coach mode instead of repeating the same attempt. State what you verified, name the most likely next checks, and proactively try common unblockers you can inspect (for example prompt size, missing environment variables, unavailable connections, current screen state, or tool choice). When you finish a meaningful step, offer one or two concrete next steps or improvements so non-technical users can keep iterating. When you are genuinely blocked on a decision you cannot resolve from context — and a wrong guess would be costly — use \\`ask-question\\` to present the choice instead of guessing; otherwise prefer a reasonable assumption and keep moving.`;\n"]}
package/dist/server/security-headers.d.ts CHANGED
@@ -48,11 +48,17 @@
48
48
  * shells. Routes that render especially sensitive iframe-only documents should
49
49
  * set their own route-specific CSP / frame policy.
50
50
  */
51
+ /**
52
+ * Compute the sha256-<base64> hash token for an inline script's text content.
53
+ * Pass the raw script body (no surrounding <script> tags). The resulting token
54
+ * can be listed directly in a `script-src` CSP directive.
55
+ */
56
+ export declare function computeInlineScriptHash(scriptContent: string): string;
51
57
  /**
52
58
  * Create the security-headers h3 middleware. Mount this BEFORE other route
53
59
  * handlers so the headers are present on every response (including 4xx/5xx
54
60
  * error pages). Route handlers that need to tighten a specific header can call
55
61
  * `setResponseHeader` after this runs — the latest write wins.
56
62
  */
57
- export declare function createSecurityHeadersMiddleware(): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, any>;
63
+ export declare function createSecurityHeadersMiddleware(): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, undefined>;
58
64
  //# sourceMappingURL=security-headers.d.ts.map
package/dist/server/security-headers.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AA+CH;;;;;GAKG;AACH,wBAAgB,+BAA+B,8EA4C9C"}
1
+ {"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAUH;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM,CAGrE;AAwCD;;;;;GAKG;AACH,wBAAgB,+BAA+B,oFA6C9C"}
package/dist/server/security-headers.js CHANGED
@@ -48,9 +48,19 @@
48
48
  * shells. Routes that render especially sensitive iframe-only documents should
49
49
  * set their own route-specific CSP / frame policy.
50
50
  */
51
+ import { createHash } from "node:crypto";
51
52
  import { defineEventHandler, getHeader, setResponseHeader } from "h3";
52
53
  import { requestHasEmbedAuthMarker } from "./embed-session.js";
53
54
  import { isMcpEmbedCorsOrigin, MCP_EMBED_CORS_ALLOW_HEADERS, } from "../shared/mcp-embed-headers.js";
55
+ /**
56
+ * Compute the sha256-<base64> hash token for an inline script's text content.
57
+ * Pass the raw script body (no surrounding <script> tags). The resulting token
58
+ * can be listed directly in a `script-src` CSP directive.
59
+ */
60
+ export function computeInlineScriptHash(scriptContent) {
61
+ const hash = createHash("sha256").update(scriptContent).digest("base64");
62
+ return `'sha256-${hash}'`;
63
+ }
54
64
  const HSTS = "max-age=31536000; includeSubDomains; preload";
55
65
  const PERMISSIONS_POLICY = "camera=(), microphone=(self), geolocation=(), screen-wake-lock=()";
56
66
  /**
@@ -106,6 +116,7 @@ export function createSecurityHeadersMiddleware() {
106
116
  ? "cross-origin"
107
117
  : "same-site");
108
118
  if (embedFrameRequest && isMcpEmbedCorsOrigin(requestOrigin)) {
119
+ // requestOrigin is non-null: isMcpEmbedCorsOrigin returns true only for truthy origins
109
120
  setResponseHeader(event, "Access-Control-Allow-Origin", requestOrigin);
110
121
  setResponseHeader(event, "Vary", "Origin");
111
122
  setResponseHeader(event, "Access-Control-Allow-Methods", "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS");
package/dist/server/security-headers.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAEH,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EACL,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,gCAAgC,CAAC;AAExC,MAAM,IAAI,GAAG,8CAA8C,CAAC;AAC5D,MAAM,kBAAkB,GACtB,mEAAmE,CAAC;AAEtE;;;;;GAKG;AACH,SAAS,cAAc,CAAC,KAAU;IAChC,MAAM,GAAG,GACP,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC;QAChD,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAC7C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO;QACjE,OAAO,IAAI,CAAC;IACd,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1D,uDAAuD;IACvD,MAAM,KAAK,GAAG,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC;IACnC,IAAI,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACpC,2DAA2D;IAC3D,IAAI,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,UAAU,EAAE,SAAS;QAAE,OAAO,IAAI,CAAC;IACzD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAU;IACtC,MAAM,QAAQ,GACZ,KAAK,EAAE,GAAG,EAAE,QAAQ;QACpB,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,EAAE,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpE,OAAO,CACL,QAAQ,KAAK,oBAAoB,IAAI,QAAQ,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAC7E,CAAC;AACJ,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAU;IAC3C,OAAO,SAAS,CAAC,KAAK,EAAE,gBAAgB,CAAC,KAAK,QAAQ,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B;IAC7C,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;QAC3D,MAAM,kBAAkB,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;QACvD,MAAM,uBAAuB,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;QACjE,MAAM,aAAa,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACjD,iBAAiB,CAAC,KAAK,EAAE,wBAAwB,EAAE,SAAS,CAAC,CAAC;QAC9D,iBAAiB,CACf,KAAK,EACL,iBAAiB,EACjB,iBAAiB,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,iCAAiC,CACtE,CAAC;QACF,iBAAiB,CAAC,KAAK,EAAE,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QACnE,iBAAiB,CAAC,KAAK,EAAE,4BAA4B,EAAE,aAAa,CAAC,CAAC;QACtE,IAAI,iBAAiB,IAAI,uBAAuB,EAAE,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,8BAA8B,EAAE,cAAc,CAAC,CAAC;QAC3E,CAAC;QACD,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,iBAAiB,IAAI,kBAAkB,IAAI,uBAAuB;YAChE,CAAC,CAAC,cAAc;YAChB,CAAC,CAAC,WAAW,CAChB,CAAC;QACF,IAAI,iBAAiB,IAAI,oBAAoB,CAAC,aAAa,CAAC,EAAE,CAAC;YAC7D,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,aAAa,CAAC,CAAC;YACvE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YAC3C,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;YACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;QACJ,CAAC;QACD,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,iBAAiB,CAAC,KAAK,EAAE,2BAA2B,EAAE,IAAI,CAAC,CAAC;QAC9D,CAAC;QACD,2EAA2E;QAC3E,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Security response headers middleware.\n *\n * Sets a baseline set of \"no-brainer\" security headers on every framework HTTP\n * response. These headers are layered defenses: each one mitigates a specific\n * class of attack, and together they harden the surface against MIME-sniffing,\n * referrer leakage, mixed-content downgrades, and cross-origin window/embed\n * access.\n *\n * The headers we emit:\n *\n * - `Strict-Transport-Security` — forces HTTPS for the browser's lifetime\n * of the cached value, preventing SSL-strip MITM. Only emitted when the\n * request scheme is `https` (we don't want to break local-dev HTTP, and\n * emitting HSTS over HTTP is a no-op per the spec but causes confusion).\n * - `X-Content-Type-Options: nosniff` — disables browser MIME sniffing so\n * a tool /render route serving user-authored HTML can't be misinterpreted\n * as some other content type by a clever Accept header.\n * - `Referrer-Policy: strict-origin-when-cross-origin` — strips path/query\n * from outbound Referer headers when the request crosses origin, so a\n * public-share viewer's outbound link clicks never leak the share token.\n * - `Permissions-Policy: camera=(), microphone=(self), geolocation=(),\n * screen-wake-lock=()` — allows the app shell to request microphone access\n * for composer dictation while keeping camera/location/wake-lock blocked\n * by default. Templates that need broader media capture for recording UI\n * override this on their own routes.\n * - `Cross-Origin-Opener-Policy: same-origin` — isolates window.opener so\n * a popup-window opener reference can't read or modify our document.\n * - `Cross-Origin-Embedder-Policy: require-corp` — emitted only for\n * validated MCP embed-session page loads and browser iframe navigations.\n * COEP hosts such as Claude's MCP Apps proxy require framed cross-origin\n * documents to opt in explicitly.\n * - `Cross-Origin-Resource-Policy: same-site` — prevents other origins from\n * embedding our endpoints as `<img>` / `<script>` / `<audio>`, blocking\n * the simplest data-leak chain when combined with auth cookies. Validated\n * MCP embed-session page loads and browser iframe navigations use\n * `cross-origin` so COEP hosts can frame app documents.\n *\n * NOTE: `Cross-Origin-Embedder-Policy` is NOT set by default because it\n * requires every embedded subresource to opt in via CORP/CORS, which would\n * break Builder's iframe editor and template embed use cases. COOP + CORP\n * without COEP gives us most of the protection on normal responses; COEP is\n * only added for validated MCP embed-session page loads and browser iframe\n * navigations (see above).\n *\n * NOTE: `X-Frame-Options` is intentionally not set globally. Agent-native apps\n * are expected to run inside iframe hosts such as Builder, Design, and MCP app\n * shells. Routes that render especially sensitive iframe-only documents should\n * set their own route-specific CSP / frame policy.\n */\n\nimport { defineEventHandler, getHeader, setResponseHeader } from \"h3\";\nimport { requestHasEmbedAuthMarker } from \"./embed-session.js\";\nimport {\n isMcpEmbedCorsOrigin,\n MCP_EMBED_CORS_ALLOW_HEADERS,\n} from \"../shared/mcp-embed-headers.js\";\n\nconst HSTS = \"max-age=31536000; includeSubDomains; preload\";\nconst PERMISSIONS_POLICY =\n \"camera=(), microphone=(self), geolocation=(), screen-wake-lock=()\";\n\n/**\n * Returns true when the request was received over HTTPS. We trust both the\n * underlying connection (when the server is terminating TLS itself) and the\n * `x-forwarded-proto` header (set by Netlify, Vercel, Cloudflare, and any\n * other reverse proxy that fronts the framework).\n */\nfunction isHttpsRequest(event: any): boolean {\n const xfp =\n event?.node?.req?.headers?.[\"x-forwarded-proto\"] ??\n event?.headers?.get?.(\"x-forwarded-proto\");\n if (typeof xfp === \"string\" && xfp.split(\",\")[0].trim() === \"https\")\n return true;\n if (Array.isArray(xfp) && xfp[0] === \"https\") return true;\n // h3 sets `event.url.protocol` to \"http:\" or \"https:\".\n const proto = event?.url?.protocol;\n if (proto === \"https:\") return true;\n // Direct Node `req.connection.encrypted` (older runtimes).\n if (event?.node?.req?.connection?.encrypted) return true;\n return false;\n}\n\nfunction isMcpEndpointRequest(event: any): boolean {\n const pathname =\n event?.url?.pathname ??\n String(event?.node?.req?.url ?? event?.path ?? \"/\").split(\"?\")[0];\n return (\n pathname === \"/_agent-native/mcp\" || pathname.endsWith(\"/_agent-native/mcp\")\n );\n}\n\nfunction isIframeNavigationRequest(event: any): boolean {\n return getHeader(event, \"sec-fetch-dest\") === \"iframe\";\n}\n\n/**\n * Create the security-headers h3 middleware. Mount this BEFORE other route\n * handlers so the headers are present on every response (including 4xx/5xx\n * error pages). Route handlers that need to tighten a specific header can call\n * `setResponseHeader` after this runs — the latest write wins.\n */\nexport function createSecurityHeadersMiddleware() {\n return defineEventHandler((event) => {\n const embedFrameRequest = requestHasEmbedAuthMarker(event);\n const mcpEndpointRequest = isMcpEndpointRequest(event);\n const iframeNavigationRequest = isIframeNavigationRequest(event);\n const requestOrigin = getHeader(event, \"origin\");\n setResponseHeader(event, \"X-Content-Type-Options\", \"nosniff\");\n setResponseHeader(\n event,\n \"Referrer-Policy\",\n embedFrameRequest ? \"no-referrer\" : \"strict-origin-when-cross-origin\",\n );\n setResponseHeader(event, \"Permissions-Policy\", PERMISSIONS_POLICY);\n setResponseHeader(event, \"Cross-Origin-Opener-Policy\", \"same-origin\");\n if (embedFrameRequest || iframeNavigationRequest) {\n setResponseHeader(event, \"Cross-Origin-Embedder-Policy\", \"require-corp\");\n }\n setResponseHeader(\n event,\n \"Cross-Origin-Resource-Policy\",\n embedFrameRequest || mcpEndpointRequest || iframeNavigationRequest\n ? \"cross-origin\"\n : \"same-site\",\n );\n if (embedFrameRequest && isMcpEmbedCorsOrigin(requestOrigin)) {\n setResponseHeader(event, \"Access-Control-Allow-Origin\", requestOrigin);\n setResponseHeader(event, \"Vary\", \"Origin\");\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n MCP_EMBED_CORS_ALLOW_HEADERS,\n );\n }\n if (isHttpsRequest(event)) {\n setResponseHeader(event, \"Strict-Transport-Security\", HSTS);\n }\n // Continue to the next handler — we only set headers, don't return a body.\n return undefined;\n });\n}\n"]}
1
+ {"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../../src/server/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiDG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,kBAAkB,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AACtE,OAAO,EAAE,yBAAyB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EACL,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,gCAAgC,CAAC;AAExC;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CAAC,aAAqB;IAC3D,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACzE,OAAO,WAAW,IAAI,GAAG,CAAC;AAC5B,CAAC;AAED,MAAM,IAAI,GAAG,8CAA8C,CAAC;AAC5D,MAAM,kBAAkB,GACtB,mEAAmE,CAAC;AAEtE;;;;;GAKG;AACH,SAAS,cAAc,CAAC,KAAU;IAChC,MAAM,GAAG,GACP,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,mBAAmB,CAAC;QAChD,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAC7C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,OAAO;QACjE,OAAO,IAAI,CAAC;IACd,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1D,uDAAuD;IACvD,MAAM,KAAK,GAAG,KAAK,EAAE,GAAG,EAAE,QAAQ,CAAC;IACnC,IAAI,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACpC,2DAA2D;IAC3D,IAAI,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,UAAU,EAAE,SAAS;QAAE,OAAO,IAAI,CAAC;IACzD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAU;IACtC,MAAM,QAAQ,GACZ,KAAK,EAAE,GAAG,EAAE,QAAQ;QACpB,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,KAAK,EAAE,IAAI,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACpE,OAAO,CACL,QAAQ,KAAK,oBAAoB,IAAI,QAAQ,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAC7E,CAAC;AACJ,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAU;IAC3C,OAAO,SAAS,CAAC,KAAK,EAAE,gBAAgB,CAAC,KAAK,QAAQ,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B;IAC7C,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,iBAAiB,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;QAC3D,MAAM,kBAAkB,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;QACvD,MAAM,uBAAuB,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;QACjE,MAAM,aAAa,GAAG,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QACjD,iBAAiB,CAAC,KAAK,EAAE,wBAAwB,EAAE,SAAS,CAAC,CAAC;QAC9D,iBAAiB,CACf,KAAK,EACL,iBAAiB,EACjB,iBAAiB,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,iCAAiC,CACtE,CAAC;QACF,iBAAiB,CAAC,KAAK,EAAE,oBAAoB,EAAE,kBAAkB,CAAC,CAAC;QACnE,iBAAiB,CAAC,KAAK,EAAE,4BAA4B,EAAE,aAAa,CAAC,CAAC;QACtE,IAAI,iBAAiB,IAAI,uBAAuB,EAAE,CAAC;YACjD,iBAAiB,CAAC,KAAK,EAAE,8BAA8B,EAAE,cAAc,CAAC,CAAC;QAC3E,CAAC;QACD,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,iBAAiB,IAAI,kBAAkB,IAAI,uBAAuB;YAChE,CAAC,CAAC,cAAc;YAChB,CAAC,CAAC,WAAW,CAChB,CAAC;QACF,IAAI,iBAAiB,IAAI,oBAAoB,CAAC,aAAa,CAAC,EAAE,CAAC;YAC7D,uFAAuF;YACvF,iBAAiB,CAAC,KAAK,EAAE,6BAA6B,EAAE,aAAc,CAAC,CAAC;YACxE,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YAC3C,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,wCAAwC,CACzC,CAAC;YACF,iBAAiB,CACf,KAAK,EACL,8BAA8B,EAC9B,4BAA4B,CAC7B,CAAC;QACJ,CAAC;QACD,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,iBAAiB,CAAC,KAAK,EAAE,2BAA2B,EAAE,IAAI,CAAC,CAAC;QAC9D,CAAC;QACD,2EAA2E;QAC3E,OAAO,SAAS,CAAC;IACnB,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Security response headers middleware.\n *\n * Sets a baseline set of \"no-brainer\" security headers on every framework HTTP\n * response. These headers are layered defenses: each one mitigates a specific\n * class of attack, and together they harden the surface against MIME-sniffing,\n * referrer leakage, mixed-content downgrades, and cross-origin window/embed\n * access.\n *\n * The headers we emit:\n *\n * - `Strict-Transport-Security` — forces HTTPS for the browser's lifetime\n * of the cached value, preventing SSL-strip MITM. Only emitted when the\n * request scheme is `https` (we don't want to break local-dev HTTP, and\n * emitting HSTS over HTTP is a no-op per the spec but causes confusion).\n * - `X-Content-Type-Options: nosniff` — disables browser MIME sniffing so\n * a tool /render route serving user-authored HTML can't be misinterpreted\n * as some other content type by a clever Accept header.\n * - `Referrer-Policy: strict-origin-when-cross-origin` — strips path/query\n * from outbound Referer headers when the request crosses origin, so a\n * public-share viewer's outbound link clicks never leak the share token.\n * - `Permissions-Policy: camera=(), microphone=(self), geolocation=(),\n * screen-wake-lock=()` — allows the app shell to request microphone access\n * for composer dictation while keeping camera/location/wake-lock blocked\n * by default. Templates that need broader media capture for recording UI\n * override this on their own routes.\n * - `Cross-Origin-Opener-Policy: same-origin` — isolates window.opener so\n * a popup-window opener reference can't read or modify our document.\n * - `Cross-Origin-Embedder-Policy: require-corp` — emitted only for\n * validated MCP embed-session page loads and browser iframe navigations.\n * COEP hosts such as Claude's MCP Apps proxy require framed cross-origin\n * documents to opt in explicitly.\n * - `Cross-Origin-Resource-Policy: same-site` — prevents other origins from\n * embedding our endpoints as `<img>` / `<script>` / `<audio>`, blocking\n * the simplest data-leak chain when combined with auth cookies. Validated\n * MCP embed-session page loads and browser iframe navigations use\n * `cross-origin` so COEP hosts can frame app documents.\n *\n * NOTE: `Cross-Origin-Embedder-Policy` is NOT set by default because it\n * requires every embedded subresource to opt in via CORP/CORS, which would\n * break Builder's iframe editor and template embed use cases. COOP + CORP\n * without COEP gives us most of the protection on normal responses; COEP is\n * only added for validated MCP embed-session page loads and browser iframe\n * navigations (see above).\n *\n * NOTE: `X-Frame-Options` is intentionally not set globally. Agent-native apps\n * are expected to run inside iframe hosts such as Builder, Design, and MCP app\n * shells. Routes that render especially sensitive iframe-only documents should\n * set their own route-specific CSP / frame policy.\n */\n\nimport { createHash } from \"node:crypto\";\nimport { defineEventHandler, getHeader, setResponseHeader } from \"h3\";\nimport { requestHasEmbedAuthMarker } from \"./embed-session.js\";\nimport {\n isMcpEmbedCorsOrigin,\n MCP_EMBED_CORS_ALLOW_HEADERS,\n} from \"../shared/mcp-embed-headers.js\";\n\n/**\n * Compute the sha256-<base64> hash token for an inline script's text content.\n * Pass the raw script body (no surrounding <script> tags). The resulting token\n * can be listed directly in a `script-src` CSP directive.\n */\nexport function computeInlineScriptHash(scriptContent: string): string {\n const hash = createHash(\"sha256\").update(scriptContent).digest(\"base64\");\n return `'sha256-${hash}'`;\n}\n\nconst HSTS = \"max-age=31536000; includeSubDomains; preload\";\nconst PERMISSIONS_POLICY =\n \"camera=(), microphone=(self), geolocation=(), screen-wake-lock=()\";\n\n/**\n * Returns true when the request was received over HTTPS. We trust both the\n * underlying connection (when the server is terminating TLS itself) and the\n * `x-forwarded-proto` header (set by Netlify, Vercel, Cloudflare, and any\n * other reverse proxy that fronts the framework).\n */\nfunction isHttpsRequest(event: any): boolean {\n const xfp =\n event?.node?.req?.headers?.[\"x-forwarded-proto\"] ??\n event?.headers?.get?.(\"x-forwarded-proto\");\n if (typeof xfp === \"string\" && xfp.split(\",\")[0].trim() === \"https\")\n return true;\n if (Array.isArray(xfp) && xfp[0] === \"https\") return true;\n // h3 sets `event.url.protocol` to \"http:\" or \"https:\".\n const proto = event?.url?.protocol;\n if (proto === \"https:\") return true;\n // Direct Node `req.connection.encrypted` (older runtimes).\n if (event?.node?.req?.connection?.encrypted) return true;\n return false;\n}\n\nfunction isMcpEndpointRequest(event: any): boolean {\n const pathname =\n event?.url?.pathname ??\n String(event?.node?.req?.url ?? event?.path ?? \"/\").split(\"?\")[0];\n return (\n pathname === \"/_agent-native/mcp\" || pathname.endsWith(\"/_agent-native/mcp\")\n );\n}\n\nfunction isIframeNavigationRequest(event: any): boolean {\n return getHeader(event, \"sec-fetch-dest\") === \"iframe\";\n}\n\n/**\n * Create the security-headers h3 middleware. Mount this BEFORE other route\n * handlers so the headers are present on every response (including 4xx/5xx\n * error pages). Route handlers that need to tighten a specific header can call\n * `setResponseHeader` after this runs — the latest write wins.\n */\nexport function createSecurityHeadersMiddleware() {\n return defineEventHandler((event) => {\n const embedFrameRequest = requestHasEmbedAuthMarker(event);\n const mcpEndpointRequest = isMcpEndpointRequest(event);\n const iframeNavigationRequest = isIframeNavigationRequest(event);\n const requestOrigin = getHeader(event, \"origin\");\n setResponseHeader(event, \"X-Content-Type-Options\", \"nosniff\");\n setResponseHeader(\n event,\n \"Referrer-Policy\",\n embedFrameRequest ? \"no-referrer\" : \"strict-origin-when-cross-origin\",\n );\n setResponseHeader(event, \"Permissions-Policy\", PERMISSIONS_POLICY);\n setResponseHeader(event, \"Cross-Origin-Opener-Policy\", \"same-origin\");\n if (embedFrameRequest || iframeNavigationRequest) {\n setResponseHeader(event, \"Cross-Origin-Embedder-Policy\", \"require-corp\");\n }\n setResponseHeader(\n event,\n \"Cross-Origin-Resource-Policy\",\n embedFrameRequest || mcpEndpointRequest || iframeNavigationRequest\n ? \"cross-origin\"\n : \"same-site\",\n );\n if (embedFrameRequest && isMcpEmbedCorsOrigin(requestOrigin)) {\n // requestOrigin is non-null: isMcpEmbedCorsOrigin returns true only for truthy origins\n setResponseHeader(event, \"Access-Control-Allow-Origin\", requestOrigin!);\n setResponseHeader(event, \"Vary\", \"Origin\");\n setResponseHeader(\n event,\n \"Access-Control-Allow-Methods\",\n \"GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS\",\n );\n setResponseHeader(\n event,\n \"Access-Control-Allow-Headers\",\n MCP_EMBED_CORS_ALLOW_HEADERS,\n );\n }\n if (isHttpsRequest(event)) {\n setResponseHeader(event, \"Strict-Transport-Security\", HSTS);\n }\n // Continue to the next handler — we only set headers, don't return a body.\n return undefined;\n });\n}\n"]}
package/dist/server/ssr-handler.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"ssr-handler.d.ts","sourceRoot":"","sources":["../../src/server/ssr-handler.ts"],"names":[],"mappings":"AAwCA,OAAO,EACL,yBAAyB,EACzB,gCAAgC,EAChC,yBAAyB,GAC1B,MAAM,4BAA4B,CAAC;AAiVpC;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,2FAuE5E"}
1
+ {"version":3,"file":"ssr-handler.d.ts","sourceRoot":"","sources":["../../src/server/ssr-handler.ts"],"names":[],"mappings":"AA4CA,OAAO,EACL,yBAAyB,EACzB,gCAAgC,EAChC,yBAAyB,GAC1B,MAAM,4BAA4B,CAAC;AAwapC;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,2FA8E5E"}
package/dist/server/ssr-handler.js CHANGED
@@ -18,6 +18,8 @@
18
18
  import { createRequestHandler } from "react-router";
19
19
  import { defineEventHandler } from "h3";
20
20
  import { getSentryClientConfigScript } from "./sentry-config.js";
21
+ import { computeInlineScriptHash } from "./security-headers.js";
22
+ import { getAppBasePathFromViteEnv, stripAppBasePath as canonicalStripAppBasePath, } from "./app-base-path.js";
21
23
  import { BETTER_AUTH_COOKIE_PREFIX, COOKIE_NAME, getSession } from "./auth.js";
22
24
  import { runWithRequestContext } from "./request-context.js";
23
25
  import { requestHasEmbedAuthMarker } from "./embed-session.js";
@@ -30,8 +32,22 @@ const BETTER_AUTH_SESSION_COOKIE_RE = /\.session_(?:token|data)$/;
30
32
  /**
31
33
  * Read the active org for a request without forcing every template to bundle
32
34
  * the org module. Mirrors what `core-routes-plugin` does for action handlers.
35
+ *
36
+ * Fast path: when the session already carries a valid orgId (backfilled by
37
+ * backfillSessionOrg during getSession), return it directly — no additional
38
+ * org_members round trip. Only when the session has no orgId do we fall
39
+ * through to getOrgContext for the full membership lookup.
33
40
  */
34
- async function readOrgIdForEvent(event) {
41
+ async function readOrgIdForEvent(event, session) {
42
+ // Reuse orgId already resolved by backfillSessionOrg inside getSession.
43
+ const sessionOrgId = typeof session?.orgId === "string" && session.orgId.trim()
44
+ ? session.orgId.trim()
45
+ : undefined;
46
+ if (sessionOrgId)
47
+ return sessionOrgId;
48
+ // No orgId on the session — full org_members lookup needed.
49
+ // getOrgContext is per-event memoized, so this is at most one DB read
50
+ // even if other request code calls getOrgContext independently.
35
51
  try {
36
52
  const { getOrgContext } = await import("../org/context.js");
37
53
  const ctx = await getOrgContext(event);
@@ -41,25 +57,11 @@ async function readOrgIdForEvent(event) {
41
57
  return undefined;
42
58
  }
43
59
  }
44
- function normalizeAppBasePath(value) {
45
- if (!value || value === "/")
46
- return "";
47
- const trimmed = value.trim();
48
- if (!trimmed || trimmed === "/")
49
- return "";
50
- return `/${trimmed.replace(/^\/+/, "").replace(/\/+$/, "")}`;
51
- }
52
60
  function getAppBasePath() {
53
- const metaEnv = import.meta.env;
54
- return normalizeAppBasePath(process.env.VITE_APP_BASE_PATH ||
55
- process.env.APP_BASE_PATH ||
56
- metaEnv?.VITE_APP_BASE_PATH ||
57
- metaEnv?.APP_BASE_PATH ||
58
- metaEnv?.BASE_URL);
61
+ return getAppBasePathFromViteEnv();
59
62
  }
60
63
  function stripAppBasePath(pathname) {
61
- const basePath = getAppBasePath();
62
- return stripBasePath(pathname, basePath);
64
+ return canonicalStripAppBasePath(pathname, getAppBasePath());
63
65
  }
64
66
  function stripBasePath(pathname, basePath) {
65
67
  if (!basePath)
@@ -190,35 +192,50 @@ function isAuthenticatedCookieName(name) {
190
192
  bareName === `${BETTER_AUTH_COOKIE_PREFIX}.session_data` ||
191
193
  BETTER_AUTH_SESSION_COOKIE_RE.test(bareName));
192
194
  }
193
- function shouldUseDefaultSsrCacheHeader(headers, status, pathname) {
195
+ const PRIVATE_NO_STORE = "private, no-store";
196
+ function isSsrHtmlOrDataResponse(headers, status, pathname) {
194
197
  if (status < 200 || status >= 400)
195
198
  return false;
196
199
  const contentType = headers.get("content-type")?.toLowerCase() ?? "";
197
- if (contentType.includes("text/html")) {
198
- // SSR HTML is public app shell in this framework; any per-user state is
199
- // fetched after hydration. Always enforce the framework SWR default here;
200
- // route-level no-cache/private headers on SSR HTML recreate the same
201
- // origin stampede this cache policy is meant to prevent.
200
+ if (contentType.includes("text/html"))
202
201
  return true;
203
- }
204
- if (!pathname.endsWith(".data"))
205
- return false;
206
- if (!contentType.includes("text/x-script"))
207
- return false;
208
- // React Router gives loader `.data` responses `cache-control: no-cache` by
209
- // default. In Agent-Native, SSR output is intentionally public app shell:
210
- // user/org-specific reads happen after hydration through actions and API
211
- // routes. Keep `.data` on the same short-fresh/long-SWR policy as HTML so
212
- // route data fetches warm the CDN instead of hammering origin.
213
- // Do not re-add a blanket cookie/auth-signal bypass here: logged-in browsers
214
- // still need CDN-cached public route data.
215
- // Also do not preserve route-level private/no-store for React Router .data:
216
- // if a route needs per-user data, it belongs behind a client-side action/API
217
- // call rather than in the shared SSR payload.
218
- return true;
202
+ return pathname.endsWith(".data") && contentType.includes("text/x-script");
219
203
  }
220
- function applyDefaultSsrCacheHeader(headers, status, pathname) {
221
- if (!shouldUseDefaultSsrCacheHeader(headers, status, pathname)) {
204
+ /**
205
+ * Apply the correct SSR cache policy to the response headers.
206
+ *
207
+ * Anonymous requests (no auth signal on the incoming request) get the public
208
+ * stale-while-revalidate default so the CDN can serve shared app-shell HTML
209
+ * and React Router loader data to every unauthenticated visitor without
210
+ * hammering origin.
211
+ *
212
+ * Authenticated requests must never be publicly CDN-cached: the loader may
213
+ * have embedded session-personalized data. If the route already returned a
214
+ * Cache-Control header we respect it; otherwise we fall back to
215
+ * `private, no-store` so the browser re-fetches but no shared cache stores
216
+ * the response.
217
+ *
218
+ * The distinction is on the *incoming* auth signal, not on whether the loader
219
+ * actually used the session — that would require inspecting the response body.
220
+ * Erring toward private for any credentialed request is the safe default.
221
+ */
222
+ function applyDefaultSsrCacheHeader(headers, status, pathname, hasAuthSignal) {
223
+ if (!isSsrHtmlOrDataResponse(headers, status, pathname))
224
+ return;
225
+ if (hasAuthSignal) {
226
+ // A route that explicitly opts into public caching (e.g. a share page that
227
+ // accepts an optional auth cookie) can signal intent via a `public` directive.
228
+ // Any other route-level or framework-default value (no-cache, private, unset)
229
+ // is overridden with private/no-store so no shared CDN cache stores a
230
+ // potentially personalized response.
231
+ const existingCc = headers.get("cache-control") ?? "";
232
+ if (!existingCc.includes("public")) {
233
+ headers.set("cache-control", PRIVATE_NO_STORE);
234
+ }
235
+ // Never propagate CDN-specific cache headers on authenticated responses,
236
+ // regardless of what the route set.
237
+ headers.delete("cdn-cache-control");
238
+ headers.delete("netlify-cdn-cache-control");
222
239
  return;
223
240
  }
224
241
  // Netlify Functions/proxies are not cached by default, and production docs
@@ -248,6 +265,72 @@ function applyDefaultSpeculationRulesHeader(headers, status, basePath) {
248
265
  const rulesPath = prefixMountedPath(DEFAULT_SPECULATION_RULES_PATH, basePath);
249
266
  headers.set("speculation-rules", `"${rulesPath}"`);
250
267
  }
268
+ /**
269
+ * Extract the plain JS body from a `<script ...>body</script>` string.
270
+ * Returns `null` if the input is falsy or has no recognisable `</script>` end.
271
+ * Used to compute the sha256 hash of framework-injected inline scripts so the
272
+ * hash can be listed in the `script-src` CSP directive without relying on
273
+ * `'unsafe-inline'`.
274
+ */
275
+ function extractScriptBody(scriptTag) {
276
+ if (!scriptTag)
277
+ return null;
278
+ const start = scriptTag.indexOf(">") + 1;
279
+ const end = scriptTag.lastIndexOf("</script>");
280
+ if (start <= 0 || end < start)
281
+ return null;
282
+ return scriptTag.slice(start, end);
283
+ }
284
+ /**
285
+ * Apply a Content-Security-Policy header to HTML document responses.
286
+ *
287
+ * Two directives are always enforced in production:
288
+ *
289
+ * - `object-src 'none'` — disables Flash / Java / PDF plugin execution,
290
+ * which are a reliable code-execution vector even in modern browsers.
291
+ * - `base-uri 'self'` — prevents a `<base href="...">` injection from
292
+ * hijacking all relative URLs in the document (a common attack target when
293
+ * user-controlled content reaches the HTML).
294
+ *
295
+ * A third directive, `script-src`, is emitted via `Content-Security-Policy-
296
+ * Report-Only` rather than enforced. The framework injects one deterministic
297
+ * inline script per process (the Sentry config block — its hash is computed
298
+ * once at process startup from the resolved env vars). Templates additionally
299
+ * render a theme-init inline script whose exact content varies by template
300
+ * (default theme param, custom docs variant, etc.) and which is rendered by
301
+ * React Router, not this handler, so its hash is not available here. Shipping
302
+ * script-src as Report-Only surfaces violations without breaking template
303
+ * customisations; teams can graduate to enforcement once their hashes are
304
+ * enumerated.
305
+ *
306
+ * Skipped in development (`NODE_ENV !== 'production'`) so HMR eval and Vite
307
+ * dev-server injects are never blocked. Set `AGENT_NATIVE_DISABLE_DOC_CSP=1`
308
+ * to opt out in production for a template with exotic needs.
309
+ */
310
+ function applyDocumentCsp(headers, sentryScript) {
311
+ if (process.env.NODE_ENV !== "production")
312
+ return;
313
+ if (process.env.AGENT_NATIVE_DISABLE_DOC_CSP === "1")
314
+ return;
315
+ // object-src / base-uri: enforced; neither directive mentions scripts, so
316
+ // they are safe even when a template's inline script hashes are unknown.
317
+ const existing = headers.get("content-security-policy") ?? "";
318
+ if (!existing) {
319
+ headers.set("content-security-policy", "object-src 'none'; base-uri 'self'");
320
+ }
321
+ // script-src as Report-Only: list 'self' plus the hash for the Sentry config
322
+ // script the SSR handler injects into every HTML response (the hash is
323
+ // computed once from the resolved env vars at process startup). Template
324
+ // theme-init hashes are NOT included here — see function comment above.
325
+ const sentryBody = extractScriptBody(sentryScript);
326
+ const sentryHash = sentryBody ? computeInlineScriptHash(sentryBody) : null;
327
+ const scriptSrcTokens = ["'self'", ...(sentryHash ? [sentryHash] : [])];
328
+ const scriptSrc = `script-src ${scriptSrcTokens.join(" ")}`;
329
+ const existingRo = headers.get("content-security-policy-report-only") ?? "";
330
+ if (!existingRo) {
331
+ headers.set("content-security-policy-report-only", scriptSrc);
332
+ }
333
+ }
251
334
  function isFrameworkOrAssetPath(pathname) {
252
335
  return (pathname.startsWith("/.well-known/") ||
253
336
  pathname.startsWith("/_agent_native/") ||
@@ -263,10 +346,10 @@ function isFrameworkOrAssetPath(pathname) {
263
346
  pathname === "/favicon.png" ||
264
347
  (/\.\w+$/.test(pathname) && !pathname.endsWith(".data")));
265
348
  }
266
- async function rewriteMountedResponse(response, basePath, pathname, requestUrl) {
349
+ async function rewriteMountedResponse(response, basePath, pathname, requestUrl, hasAuthSignal) {
267
350
  const sentryClientConfigScript = getSentryClientConfigScript();
268
351
  const headers = new Headers(response.headers);
269
- applyDefaultSsrCacheHeader(headers, response.status, pathname);
352
+ applyDefaultSsrCacheHeader(headers, response.status, pathname, hasAuthSignal);
270
353
  applyDefaultSpeculationRulesHeader(headers, response.status, basePath);
271
354
  const location = headers.get("location");
272
355
  if (location?.startsWith("/") && !location.startsWith("//")) {
@@ -282,6 +365,7 @@ async function rewriteMountedResponse(response, basePath, pathname, requestUrl)
282
365
  }
283
366
  const html = await response.text();
284
367
  headers.delete("content-length");
368
+ applyDocumentCsp(headers, sentryClientConfigScript);
285
369
  return new Response(injectHeadScript(injectDefaultSocialImageMeta(prefixMountedHtml(html, basePath), defaultSocialImageUrl(requestUrl, basePath)), sentryClientConfigScript), {
286
370
  status: response.status,
287
371
  statusText: response.statusText,
@@ -317,7 +401,12 @@ export function createH3SSRHandler(getBuild) {
317
401
  // Auth lookup failures must not break SSR; treat as unauthenticated.
318
402
  }
319
403
  }
320
- const orgId = session?.email ? await readOrgIdForEvent(event) : undefined;
404
+ // readOrgIdForEvent fast-paths when session.orgId is already backfilled
405
+ // (the common case), avoiding a duplicate org_members query. A second
406
+ // query only fires for authenticated users whose session has no orgId.
407
+ const orgId = session?.email
408
+ ? await readOrgIdForEvent(event, session)
409
+ : undefined;
321
410
  const ctx = {
322
411
  userEmail: session?.email ?? undefined,
323
412
  orgId,
@@ -333,9 +422,9 @@ export function createH3SSRHandler(getBuild) {
333
422
  status: response.status,
334
423
  statusText: response.statusText,
335
424
  headers: response.headers,
336
- }), basePath, p, request.url);
425
+ }), basePath, p, request.url, hasAuthSignal);
337
426
  }
338
- return await rewriteMountedResponse(await runWithRequestContext(ctx, () => handler(request)), basePath, p, request.url);
427
+ return await rewriteMountedResponse(await runWithRequestContext(ctx, () => handler(request)), basePath, p, request.url, hasAuthSignal);
339
428
  }
340
429
  catch (err) {
341
430
  // Log the full stack server-side, but never leak it to the client.
package/dist/server/ssr-handler.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"ssr-handler.js","sourceRoot":"","sources":["../../src/server/ssr-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAgB,MAAM,IAAI,CAAC;AACtD,OAAO,EAAE,2BAA2B,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,EAAE,yBAAyB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC/E,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EACL,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,6BAA6B,EAC7B,gCAAgC,EAChC,8BAA8B,EAC9B,8BAA8B,EAC9B,+BAA+B,GAChC,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAE/B,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,yBAAyB,EACzB,gCAAgC,EAChC,yBAAyB,GAC1B,MAAM,4BAA4B,CAAC;AACpC,MAAM,8BAA8B,GAAG,IAAI,GAAG,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;AACpE,MAAM,6BAA6B,GAAG,2BAA2B,CAAC;AAElE;;;GAGG;AACH,KAAK,UAAU,iBAAiB,CAAC,KAAc;IAC7C,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,GAAG,EAAE,KAAK,IAAI,SAAS,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAyB;IACrD,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IAC3C,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,cAAc;IACrB,MAAM,OAAO,GACX,MAAM,CAAC,IAGR,CAAC,GAAG,CAAC;IACN,OAAO,oBAAoB,CACzB,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC5B,OAAO,CAAC,GAAG,CAAC,aAAa;QACzB,OAAO,EAAE,kBAAkB;QAC3B,OAAO,EAAE,aAAa;QACtB,OAAO,EAAE,QAAQ,CACpB,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,OAAO,aAAa,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB,EAAE,QAAgB;IACvD,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC/B,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAChD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,mBAAmB,CAC1B,OAAgB,EAChB,QAAgB,EAChB,QAAgB;IAEhB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,QAAQ,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,aAAa,GAAG,KAAK;iBACxB,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;iBAC5C,IAAI,CAAC,GAAG,CAAC,CAAC;YACb,IAAI,aAAa,KAAK,KAAK,EAAE,CAAC;gBAC5B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;gBAC7C,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACxB,OAAO,GAAG,IAAI,CAAC;IACjB,CAAC;IACD,IAAI,CAAC,OAAO;QAAE,OAAO,OAAO,CAAC;IAC7B,MAAM,IAAI,GAAsC;QAC9C,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC;IACF,IAAI,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC5E,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IACD,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IACvD,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACtE,OAAO,GAAG,QAAQ,GAAG,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IACvD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,OAAO,IAAI;SACR,OAAO,CACN,iEAAiE,EACjE,CAAC,MAAM,EAAE,IAAY,EAAE,KAAa,EAAE,IAAY,EAAE,EAAE,CACpD,GAAG,IAAI,IAAI,KAAK,GAAG,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,GAAG,KAAK,EAAE,CACjE;SACA,OAAO,CAAC,qCAAqC,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACtE,MAAM,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,GAAG,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;IAC7D,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY,EAAE,MAAqB;IAC3D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7C,IAAI,YAAY,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,GAAG,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;AACzE,CAAC;AAED,MAAM,gBAAgB,GAAG,oDAAoD,CAAC;AAC9E,MAAM,oBAAoB,GACxB,oDAAoD,CAAC;AACvD,MAAM,qBAAqB,GACzB,qDAAqD,CAAC;AAExD,SAAS,qBAAqB,CAAC,UAAkB,EAAE,QAAgB;IACjE,OAAO,IAAI,GAAG,CACZ,iBAAiB,CAAC,8BAA8B,EAAE,QAAQ,CAAC,EAC3D,UAAU,CACX,CAAC,QAAQ,EAAE,CAAC;AACf,CAAC;AAED,SAAS,4BAA4B,CAAC,IAAY,EAAE,QAAgB;IAClE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7C,IAAI,YAAY,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAErC,MAAM,iBAAiB,GACrB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,sCAAsC,QAAQ,IAAI,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,CAAC,iDAAiD,QAAQ,IAAI,CAAC,CAAC;QACzE,IAAI,CAAC,IAAI,CACP,2CAA2C,8BAA8B,IAAI,CAC9E,CAAC;QACF,IAAI,CAAC,IAAI,CACP,4CAA4C,+BAA+B,IAAI,CAChF,CAAC;QACF,IAAI,CAAC,IAAI,CACP,6CAA6C,gCAAgC,IAAI,CAClF,CAAC;QACF,IAAI,CAAC,IAAI,CACP,0CAA0C,6BAA6B,IAAI,CAC5E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACrC,IAAI,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,uCAAuC,QAAQ,IAAI,CAAC,CAAC;QAC/D,IAAI,CAAC,IAAI,CACP,2CAA2C,6BAA6B,IAAI,CAC7E,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC;IAClC,OAAO,OAAO,CACZ,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC5B,6BAA6B,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACpD,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,CAAC;QACnD,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC;QACtC,yBAAyB,CAAC,KAAK,CAAC,CACjC,CAAC;AACJ,CAAC;AAED,SAAS,6BAA6B,CAAC,YAA2B;IAChE,IAAI,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAChC,OAAO,YAAY;SAChB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;SACvD,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;SAC/C,IAAI,CAAC,yBAAyB,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,yBAAyB,CAAC,IAAY;IAC7C,IAAI,8BAA8B,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;IACzD,OAAO,CACL,QAAQ,KAAK,WAAW;QACxB,QAAQ,KAAK,oBAAoB;QACjC,QAAQ,KAAK,YAAY;QACzB,QAAQ,KAAK,sBAAsB;QACnC,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;QAClC,QAAQ,KAAK,GAAG,yBAAyB,gBAAgB;QACzD,QAAQ,KAAK,GAAG,yBAAyB,eAAe;QACxD,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAC7C,CAAC;AACJ,CAAC;AAED,SAAS,8BAA8B,CACrC,OAAgB,EAChB,MAAc,EACd,QAAgB;IAEhB,IAAI,MAAM,GAAG,GAAG,IAAI,MAAM,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IAEhD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IACrE,IAAI,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACtC,wEAAwE;QACxE,0EAA0E;QAC1E,qEAAqE;QACrE,yDAAyD;QACzD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9C,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IAEzD,2EAA2E;IAC3E,0EAA0E;IAC1E,yEAAyE;IACzE,0EAA0E;IAC1E,+DAA+D;IAC/D,6EAA6E;IAC7E,2CAA2C;IAC3C,4EAA4E;IAC5E,6EAA6E;IAC7E,8CAA8C;IAC9C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,0BAA0B,CACjC,OAAgB,EAChB,MAAc,EACd,QAAgB;IAEhB,IAAI,CAAC,8BAA8B,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC/D,OAAO;IACT,CAAC;IACD,2EAA2E;IAC3E,6EAA6E;IAC7E,sEAAsE;IACtE,8EAA8E;IAC9E,uEAAuE;IACvE,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,yBAAyB,CAAC,EAAE,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC;AAED,SAAS,kCAAkC,CACzC,OAAgB,EAChB,MAAc,EACd,QAAgB;IAEhB,IAAI,MAAM,GAAG,GAAG,IAAI,MAAM,IAAI,GAAG;QAAE,OAAO;IAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;QAAE,OAAO;IAE7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IACrE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO;IAE/C,2EAA2E;IAC3E,4EAA4E;IAC5E,0EAA0E;IAC1E,6EAA6E;IAC7E,6EAA6E;IAC7E,4EAA4E;IAC5E,sBAAsB;IACtB,MAAM,SAAS,GAAG,iBAAiB,CAAC,8BAA8B,EAAE,QAAQ,CAAC,CAAC;IAC9E,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,IAAI,SAAS,GAAG,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,sBAAsB,CAAC,QAAgB;IAC9C,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;QACpC,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;QAC5B,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC;QAC9B,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;QAC5B,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;QAC5B,QAAQ,KAAK,iBAAiB;QAC9B,QAAQ,KAAK,cAAc;QAC3B,QAAQ,KAAK,mBAAmB;QAChC,QAAQ,KAAK,cAAc;QAC3B,QAAQ,KAAK,cAAc;QAC3B,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CACzD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,QAAkB,EAClB,QAAgB,EAChB,QAAgB,EAChB,UAAkB;IAElB,MAAM,wBAAwB,GAAG,2BAA2B,EAAE,CAAC;IAC/D,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9C,0BAA0B,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC/D,kCAAkC,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACzC,IAAI,QAAQ,EAAE,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IACtD,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACvE,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE;YACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACjC,OAAO,IAAI,QAAQ,CACjB,gBAAgB,CACd,4BAA4B,CAC1B,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,EACjC,qBAAqB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAC5C,EACD,wBAAwB,CACzB,EACD;QACE,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,OAAO;KACR,CACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAA0C;IAC3E,MAAM,OAAO,GAAG,oBAAoB,CAAC,QAAe,CAAC,CAAC;IACtD,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACxC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,sBAAsB,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,GAAc,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC;YACvE,wEAAwE;YACxE,uEAAuE;YACvE,gEAAgE;YAChE,uEAAuE;YACvE,+DAA+D;YAC/D,IAAI,OAAO,GAAkD,IAAI,CAAC;YAClE,MAAM,aAAa,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;YAClD,IAAI,aAAa,EAAE,CAAC;gBAClB,IAAI,CAAC;oBACH,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;gBACpC,CAAC;gBAAC,MAAM,CAAC;oBACP,qEAAqE;gBACvE,CAAC;YACH,CAAC;YACD,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAC1E,MAAM,GAAG,GAAG;gBACV,SAAS,EAAE,OAAO,EAAE,KAAK,IAAI,SAAS;gBACtC,KAAK;aACN,CAAC;YACF,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC9B,MAAM,UAAU,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE;oBAC1C,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,GAAG,EAAE,GAAG,EAAE,CACrD,OAAO,CAAC,UAAU,CAAC,CACpB,CAAC;gBACF,OAAO,MAAM,sBAAsB,CACjC,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACjB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;oBAC/B,OAAO,EAAE,QAAQ,CAAC,OAAO;iBAC1B,CAAC,EACF,QAAQ,EACR,CAAC,EACD,OAAO,CAAC,GAAG,CACZ,CAAC;YACJ,CAAC;YACD,OAAO,MAAM,sBAAsB,CACjC,MAAM,qBAAqB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,EACxD,QAAQ,EACR,CAAC,EACD,OAAO,CAAC,GAAG,CACZ,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,mEAAmE;YACnE,uEAAuE;YACvE,sEAAsE;YACtE,oEAAoE;YACpE,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;YACrD,MAAM,IAAI,GAAG,MAAM;gBACjB,CAAC,CAAC,uBAAuB;gBACzB,CAAC,CAAC,0BAA2B,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC;YAC/D,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Shared SSR catch-all handler for React Router framework mode.\n *\n * Templates wire this up via:\n *\n * // server/routes/[...page].get.ts\n * import { createH3SSRHandler } from \"@agent-native/core/server/ssr-handler\";\n * export default createH3SSRHandler(\n * () => import(\"virtual:react-router/server-build\"),\n * );\n *\n * The `getBuild` callback MUST live in the template's own source so Vite's\n * @react-router/dev plugin can resolve the `virtual:` module. Pulling the\n * import into core (e.g. via a re-export) puts it in node_modules where\n * Vite's SSR externalizer leaves it untouched and Node's ESM loader rejects\n * the unknown scheme — silently 302'ing every request to \"/\".\n */\nimport { createRequestHandler } from \"react-router\";\nimport { defineEventHandler, type H3Event } from \"h3\";\nimport { getSentryClientConfigScript } from \"./sentry-config.js\";\nimport { BETTER_AUTH_COOKIE_PREFIX, COOKIE_NAME, getSession } from \"./auth.js\";\nimport { runWithRequestContext } from \"./request-context.js\";\nimport { requestHasEmbedAuthMarker } from \"./embed-session.js\";\nimport {\n EMBED_SESSION_COOKIE,\n EMBED_TOKEN_QUERY_PARAM,\n} from \"../shared/embed-auth.js\";\nimport {\n AGENT_NATIVE_SOCIAL_IMAGE_ALT,\n AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT,\n AGENT_NATIVE_SOCIAL_IMAGE_PATH,\n AGENT_NATIVE_SOCIAL_IMAGE_TYPE,\n AGENT_NATIVE_SOCIAL_IMAGE_WIDTH,\n} from \"../shared/social-meta.js\";\nimport {\n DEFAULT_SSR_CACHE_HEADERS,\n DEFAULT_SPECULATION_RULES_PATH,\n DEFAULT_SSR_CACHE_CONTROL,\n} from \"../shared/cache-control.js\";\n\nexport {\n DEFAULT_SSR_CACHE_HEADERS,\n DEFAULT_SPECULATION_RULES_HEADER,\n DEFAULT_SSR_CACHE_CONTROL,\n} from \"../shared/cache-control.js\";\nconst ANONYMOUS_SESSION_COOKIE_NAMES = new Set([\"an_docs_session\"]);\nconst BETTER_AUTH_SESSION_COOKIE_RE = /\\.session_(?:token|data)$/;\n\n/**\n * Read the active org for a request without forcing every template to bundle\n * the org module. Mirrors what `core-routes-plugin` does for action handlers.\n */\nasync function readOrgIdForEvent(event: H3Event): Promise<string | undefined> {\n try {\n const { getOrgContext } = await import(\"../org/context.js\");\n const ctx = await getOrgContext(event);\n return ctx?.orgId ?? undefined;\n } catch {\n return undefined;\n }\n}\n\nfunction normalizeAppBasePath(value: string | undefined): string {\n if (!value || value === \"/\") return \"\";\n const trimmed = value.trim();\n if (!trimmed || trimmed === \"/\") return \"\";\n return `/${trimmed.replace(/^\\/+/, \"\").replace(/\\/+$/, \"\")}`;\n}\n\nfunction getAppBasePath(): string {\n const metaEnv = (\n import.meta as unknown as {\n env?: Record<string, string | undefined>;\n }\n ).env;\n return normalizeAppBasePath(\n process.env.VITE_APP_BASE_PATH ||\n process.env.APP_BASE_PATH ||\n metaEnv?.VITE_APP_BASE_PATH ||\n metaEnv?.APP_BASE_PATH ||\n metaEnv?.BASE_URL,\n );\n}\n\nfunction stripAppBasePath(pathname: string): string {\n const basePath = getAppBasePath();\n return stripBasePath(pathname, basePath);\n}\n\nfunction stripBasePath(pathname: string, basePath: string): string {\n if (!basePath) return pathname;\n if (pathname === basePath) return \"/\";\n if (pathname.startsWith(`${basePath}/`)) {\n return pathname.slice(basePath.length) || \"/\";\n }\n return pathname;\n}\n\nfunction requestWithPathname(\n request: Request,\n pathname: string,\n basePath: string,\n): Request {\n const url = new URL(request.url);\n let changed = false;\n if (basePath && pathname === \"/__manifest\") {\n const paths = url.searchParams.get(\"paths\");\n if (paths) {\n const strippedPaths = paths\n .split(\",\")\n .map((path) => stripBasePath(path, basePath))\n .join(\",\");\n if (strippedPaths !== paths) {\n url.searchParams.set(\"paths\", strippedPaths);\n changed = true;\n }\n }\n }\n if (url.pathname !== pathname) {\n url.pathname = pathname;\n changed = true;\n }\n if (!changed) return request;\n const init: RequestInit & { duplex?: \"half\" } = {\n method: request.method,\n headers: request.headers,\n signal: request.signal,\n };\n if (request.body && ![\"GET\", \"HEAD\"].includes(request.method.toUpperCase())) {\n init.body = request.body;\n init.duplex = \"half\";\n }\n return new Request(url, init);\n}\n\nfunction prefixMountedPath(path: string, basePath: string): string {\n if (!basePath || !path.startsWith(\"/\") || path.startsWith(\"//\")) return path;\n if (path === basePath || path.startsWith(`${basePath}/`)) return path;\n return `${basePath}${path}`;\n}\n\nfunction prefixMountedHtml(html: string, basePath: string): string {\n if (!basePath) return html;\n return html\n .replace(\n /\\b(href|src|action|formaction|poster)=([\"'])(\\/(?!\\/)[^\"']*)\\2/g,\n (_match, attr: string, quote: string, path: string) =>\n `${attr}=${quote}${prefixMountedPath(path, basePath)}${quote}`,\n )\n .replace(/url\\(([\"']?)(\\/(?!\\/)[^)'\" ]+)\\1\\)/g, (_match, quote, path) => {\n const q = quote || \"\";\n return `url(${q}${prefixMountedPath(path, basePath)}${q})`;\n });\n}\n\nfunction injectHeadScript(html: string, script: string | null): string {\n if (!script) return html;\n const headCloseIdx = html.indexOf(\"</head>\");\n if (headCloseIdx === -1) return html;\n return html.slice(0, headCloseIdx) + script + html.slice(headCloseIdx);\n}\n\nconst OG_IMAGE_META_RE = /<meta\\b(?=[^>]*\\bproperty=([\"'])og:image\\1)[^>]*>/i;\nconst TWITTER_CARD_META_RE =\n /<meta\\b(?=[^>]*\\bname=([\"'])twitter:card\\1)[^>]*>/i;\nconst TWITTER_IMAGE_META_RE =\n /<meta\\b(?=[^>]*\\bname=([\"'])twitter:image\\1)[^>]*>/i;\n\nfunction defaultSocialImageUrl(requestUrl: string, basePath: string): string {\n return new URL(\n prefixMountedPath(AGENT_NATIVE_SOCIAL_IMAGE_PATH, basePath),\n requestUrl,\n ).toString();\n}\n\nfunction injectDefaultSocialImageMeta(html: string, imageUrl: string): string {\n const headCloseIdx = html.indexOf(\"</head>\");\n if (headCloseIdx === -1) return html;\n\n const hasAnySocialImage =\n OG_IMAGE_META_RE.test(html) || TWITTER_IMAGE_META_RE.test(html);\n const tags: string[] = [];\n\n if (!hasAnySocialImage) {\n tags.push(`<meta property=\"og:image\" content=\"${imageUrl}\">`);\n tags.push(`<meta property=\"og:image:secure_url\" content=\"${imageUrl}\">`);\n tags.push(\n `<meta property=\"og:image:type\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_TYPE}\">`,\n );\n tags.push(\n `<meta property=\"og:image:width\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_WIDTH}\">`,\n );\n tags.push(\n `<meta property=\"og:image:height\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT}\">`,\n );\n tags.push(\n `<meta property=\"og:image:alt\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_ALT}\">`,\n );\n }\n if (!TWITTER_CARD_META_RE.test(html)) {\n tags.push(`<meta name=\"twitter:card\" content=\"summary_large_image\">`);\n }\n if (!hasAnySocialImage) {\n tags.push(`<meta name=\"twitter:image\" content=\"${imageUrl}\">`);\n tags.push(\n `<meta name=\"twitter:image:alt\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_ALT}\">`,\n );\n }\n\n if (tags.length === 0) return html;\n return html.slice(0, headCloseIdx) + tags.join(\"\") + html.slice(headCloseIdx);\n}\n\nfunction requestHasAuthSignal(event: H3Event): boolean {\n const headers = event.req.headers;\n return Boolean(\n headers.get(\"authorization\") ||\n requestHasAuthenticatedCookie(headers.get(\"cookie\")) ||\n event.url.searchParams.has(EMBED_TOKEN_QUERY_PARAM) ||\n event.url.searchParams.has(\"_session\") ||\n requestHasEmbedAuthMarker(event),\n );\n}\n\nfunction requestHasAuthenticatedCookie(cookieHeader: string | null): boolean {\n if (!cookieHeader) return false;\n return cookieHeader\n .split(\";\")\n .map((cookie) => cookie.trim().split(\"=\", 1)[0]?.trim())\n .filter((name): name is string => Boolean(name))\n .some(isAuthenticatedCookieName);\n}\n\nfunction isAuthenticatedCookieName(name: string): boolean {\n if (ANONYMOUS_SESSION_COOKIE_NAMES.has(name)) return false;\n const bareName = name.replace(/^__(?:Secure|Host)-/, \"\");\n return (\n bareName === COOKIE_NAME ||\n bareName === EMBED_SESSION_COOKIE ||\n bareName === \"an_session\" ||\n bareName === \"an_session_workspace\" ||\n bareName.startsWith(\"an_session_\") ||\n bareName === `${BETTER_AUTH_COOKIE_PREFIX}.session_token` ||\n bareName === `${BETTER_AUTH_COOKIE_PREFIX}.session_data` ||\n BETTER_AUTH_SESSION_COOKIE_RE.test(bareName)\n );\n}\n\nfunction shouldUseDefaultSsrCacheHeader(\n headers: Headers,\n status: number,\n pathname: string,\n): boolean {\n if (status < 200 || status >= 400) return false;\n\n const contentType = headers.get(\"content-type\")?.toLowerCase() ?? \"\";\n if (contentType.includes(\"text/html\")) {\n // SSR HTML is public app shell in this framework; any per-user state is\n // fetched after hydration. Always enforce the framework SWR default here;\n // route-level no-cache/private headers on SSR HTML recreate the same\n // origin stampede this cache policy is meant to prevent.\n return true;\n }\n\n if (!pathname.endsWith(\".data\")) return false;\n if (!contentType.includes(\"text/x-script\")) return false;\n\n // React Router gives loader `.data` responses `cache-control: no-cache` by\n // default. In Agent-Native, SSR output is intentionally public app shell:\n // user/org-specific reads happen after hydration through actions and API\n // routes. Keep `.data` on the same short-fresh/long-SWR policy as HTML so\n // route data fetches warm the CDN instead of hammering origin.\n // Do not re-add a blanket cookie/auth-signal bypass here: logged-in browsers\n // still need CDN-cached public route data.\n // Also do not preserve route-level private/no-store for React Router .data:\n // if a route needs per-user data, it belongs behind a client-side action/API\n // call rather than in the shared SSR payload.\n return true;\n}\n\nfunction applyDefaultSsrCacheHeader(\n headers: Headers,\n status: number,\n pathname: string,\n) {\n if (!shouldUseDefaultSsrCacheHeader(headers, status, pathname)) {\n return;\n }\n // Netlify Functions/proxies are not cached by default, and production docs\n // requests often carry stale auth/doc cookies. Keep all three cache headers:\n // Cache-Control for browsers, CDN-Cache-Control for generic CDNs, and\n // Netlify-CDN-Cache-Control (with durable) so Netlify's shared cache actually\n // serves SSR HTML/.data instead of forwarding every request to origin.\n for (const [name, value] of Object.entries(DEFAULT_SSR_CACHE_HEADERS)) {\n headers.set(name, value);\n }\n}\n\nfunction applyDefaultSpeculationRulesHeader(\n headers: Headers,\n status: number,\n basePath: string,\n) {\n if (status < 200 || status >= 400) return;\n if (headers.has(\"speculation-rules\")) return;\n\n const contentType = headers.get(\"content-type\")?.toLowerCase() ?? \"\";\n if (!contentType.includes(\"text/html\")) return;\n\n // Cloudflare Speed Brain injects its own Speculation-Rules header when the\n // origin omits one. Those browser prefetches carry `Sec-Purpose: prefetch`,\n // and Cloudflare refuses cache-ineligible dynamic pages with a 503 before\n // the request can reach Netlify/origin. We publish an explicit no-op ruleset\n // by default so Cloudflare does not inject its edge prefetch rules. Preserve\n // an app-provided Speculation-Rules header above if a template deliberately\n // owns this behavior.\n const rulesPath = prefixMountedPath(DEFAULT_SPECULATION_RULES_PATH, basePath);\n headers.set(\"speculation-rules\", `\"${rulesPath}\"`);\n}\n\nfunction isFrameworkOrAssetPath(pathname: string): boolean {\n return (\n pathname.startsWith(\"/.well-known/\") ||\n pathname.startsWith(\"/_agent_native/\") ||\n pathname.startsWith(\"/_agent-native/\") ||\n pathname.startsWith(\"/api/\") ||\n pathname.startsWith(\"/@vite/\") ||\n pathname.startsWith(\"/@id/\") ||\n pathname.startsWith(\"/@fs/\") ||\n pathname === \"/@react-refresh\" ||\n pathname === \"/__vite_ping\" ||\n pathname === \"/__open-in-editor\" ||\n pathname === \"/favicon.ico\" ||\n pathname === \"/favicon.png\" ||\n (/\\.\\w+$/.test(pathname) && !pathname.endsWith(\".data\"))\n );\n}\n\nasync function rewriteMountedResponse(\n response: Response,\n basePath: string,\n pathname: string,\n requestUrl: string,\n): Promise<Response> {\n const sentryClientConfigScript = getSentryClientConfigScript();\n const headers = new Headers(response.headers);\n applyDefaultSsrCacheHeader(headers, response.status, pathname);\n applyDefaultSpeculationRulesHeader(headers, response.status, basePath);\n\n const location = headers.get(\"location\");\n if (location?.startsWith(\"/\") && !location.startsWith(\"//\")) {\n headers.set(\"location\", prefixMountedPath(location, basePath));\n }\n\n const contentType = headers.get(\"content-type\") ?? \"\";\n if (!contentType.toLowerCase().includes(\"text/html\") || !response.body) {\n return new Response(response.body, {\n status: response.status,\n statusText: response.statusText,\n headers,\n });\n }\n\n const html = await response.text();\n headers.delete(\"content-length\");\n return new Response(\n injectHeadScript(\n injectDefaultSocialImageMeta(\n prefixMountedHtml(html, basePath),\n defaultSocialImageUrl(requestUrl, basePath),\n ),\n sentryClientConfigScript,\n ),\n {\n status: response.status,\n statusText: response.statusText,\n headers,\n },\n );\n}\n\n/**\n * Create an h3 catch-all that hands page routes to React Router and\n * returns 404 for framework / asset paths that React Router doesn't own.\n */\nexport function createH3SSRHandler(getBuild: () => Promise<unknown> | unknown) {\n const handler = createRequestHandler(getBuild as any);\n return defineEventHandler(async (event) => {\n const basePath = getAppBasePath();\n const p = stripAppBasePath(event.url.pathname);\n if (isFrameworkOrAssetPath(p)) {\n return new Response(null, { status: 404 });\n }\n try {\n const request = requestWithPathname(event.req as Request, p, basePath);\n // Pin the active session onto the async request context so React Router\n // loaders that call `getRequestUserEmail()` / `accessFilter()` see the\n // signed-in user. Without this, SSR loaders fall through to the\n // unauthenticated branch even when the user is logged in — which broke\n // shared-deck \"Presentation link\" access for non-public decks.\n let session: Awaited<ReturnType<typeof getSession>> | null = null;\n const hasAuthSignal = requestHasAuthSignal(event);\n if (hasAuthSignal) {\n try {\n session = await getSession(event);\n } catch {\n // Auth lookup failures must not break SSR; treat as unauthenticated.\n }\n }\n const orgId = session?.email ? await readOrgIdForEvent(event) : undefined;\n const ctx = {\n userEmail: session?.email ?? undefined,\n orgId,\n };\n if (request.method === \"HEAD\") {\n const getRequest = new Request(request.url, {\n method: \"GET\",\n headers: request.headers,\n signal: request.signal,\n });\n const response = await runWithRequestContext(ctx, () =>\n handler(getRequest),\n );\n return await rewriteMountedResponse(\n new Response(null, {\n status: response.status,\n statusText: response.statusText,\n headers: response.headers,\n }),\n basePath,\n p,\n request.url,\n );\n }\n return await rewriteMountedResponse(\n await runWithRequestContext(ctx, () => handler(request)),\n basePath,\n p,\n request.url,\n );\n } catch (err) {\n // Log the full stack server-side, but never leak it to the client.\n // Stack traces expose file paths, library versions, and code structure\n // that aid reconnaissance attacks. In dev we surface the message text\n // so devtools shows something useful; in prod we return a bare 500.\n console.error(\"[ssr-handler] SSR error:\", err);\n const isProd = process.env.NODE_ENV === \"production\";\n const body = isProd\n ? \"Internal Server Error\"\n : `Internal Server Error: ${(err as Error)?.message ?? err}`;\n return new Response(body, {\n status: 500,\n headers: { \"content-type\": \"text/plain\" },\n });\n }\n });\n}\n"]}
1
+ {"version":3,"file":"ssr-handler.js","sourceRoot":"","sources":["../../src/server/ssr-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAgB,MAAM,IAAI,CAAC;AACtD,OAAO,EAAE,2BAA2B,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,EAAE,uBAAuB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EACL,yBAAyB,EACzB,gBAAgB,IAAI,yBAAyB,GAC9C,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,yBAAyB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC/E,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EACL,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,6BAA6B,EAC7B,gCAAgC,EAChC,8BAA8B,EAC9B,8BAA8B,EAC9B,+BAA+B,GAChC,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,yBAAyB,EACzB,8BAA8B,GAC/B,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,yBAAyB,EACzB,gCAAgC,EAChC,yBAAyB,GAC1B,MAAM,4BAA4B,CAAC;AACpC,MAAM,8BAA8B,GAAG,IAAI,GAAG,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC;AACpE,MAAM,6BAA6B,GAAG,2BAA2B,CAAC;AAElE;;;;;;;;GAQG;AACH,KAAK,UAAU,iBAAiB,CAC9B,KAAc,EACd,OAA+C;IAE/C,wEAAwE;IACxE,MAAM,YAAY,GAChB,OAAO,OAAO,EAAE,KAAK,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE;QACxD,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE;QACtB,CAAC,CAAC,SAAS,CAAC;IAChB,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,4DAA4D;IAC5D,sEAAsE;IACtE,gEAAgE;IAChE,IAAI,CAAC;QACH,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,GAAG,EAAE,KAAK,IAAI,SAAS,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,cAAc;IACrB,OAAO,yBAAyB,EAAE,CAAC;AACrC,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAgB;IACxC,OAAO,yBAAyB,CAAC,QAAQ,EAAE,cAAc,EAAE,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB,EAAE,QAAgB;IACvD,IAAI,CAAC,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC/B,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACtC,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;IAChD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,mBAAmB,CAC1B,OAAgB,EAChB,QAAgB,EAChB,QAAgB;IAEhB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,QAAQ,IAAI,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,aAAa,GAAG,KAAK;iBACxB,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;iBAC5C,IAAI,CAAC,GAAG,CAAC,CAAC;YACb,IAAI,aAAa,KAAK,KAAK,EAAE,CAAC;gBAC5B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;gBAC7C,OAAO,GAAG,IAAI,CAAC;YACjB,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACxB,OAAO,GAAG,IAAI,CAAC;IACjB,CAAC;IACD,IAAI,CAAC,OAAO;QAAE,OAAO,OAAO,CAAC;IAC7B,MAAM,IAAI,GAAsC;QAC9C,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC;IACF,IAAI,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAC5E,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IACD,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IACvD,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC7E,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACtE,OAAO,GAAG,QAAQ,GAAG,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IACvD,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,OAAO,IAAI;SACR,OAAO,CACN,iEAAiE,EACjE,CAAC,MAAM,EAAE,IAAY,EAAE,KAAa,EAAE,IAAY,EAAE,EAAE,CACpD,GAAG,IAAI,IAAI,KAAK,GAAG,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,GAAG,KAAK,EAAE,CACjE;SACA,OAAO,CAAC,qCAAqC,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QACtE,MAAM,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,GAAG,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;IAC7D,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY,EAAE,MAAqB;IAC3D,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7C,IAAI,YAAY,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,GAAG,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;AACzE,CAAC;AAED,MAAM,gBAAgB,GAAG,oDAAoD,CAAC;AAC9E,MAAM,oBAAoB,GACxB,oDAAoD,CAAC;AACvD,MAAM,qBAAqB,GACzB,qDAAqD,CAAC;AAExD,SAAS,qBAAqB,CAAC,UAAkB,EAAE,QAAgB;IACjE,OAAO,IAAI,GAAG,CACZ,iBAAiB,CAAC,8BAA8B,EAAE,QAAQ,CAAC,EAC3D,UAAU,CACX,CAAC,QAAQ,EAAE,CAAC;AACf,CAAC;AAED,SAAS,4BAA4B,CAAC,IAAY,EAAE,QAAgB;IAClE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7C,IAAI,YAAY,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAErC,MAAM,iBAAiB,GACrB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClE,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,sCAAsC,QAAQ,IAAI,CAAC,CAAC;QAC9D,IAAI,CAAC,IAAI,CAAC,iDAAiD,QAAQ,IAAI,CAAC,CAAC;QACzE,IAAI,CAAC,IAAI,CACP,2CAA2C,8BAA8B,IAAI,CAC9E,CAAC;QACF,IAAI,CAAC,IAAI,CACP,4CAA4C,+BAA+B,IAAI,CAChF,CAAC;QACF,IAAI,CAAC,IAAI,CACP,6CAA6C,gCAAgC,IAAI,CAClF,CAAC;QACF,IAAI,CAAC,IAAI,CACP,0CAA0C,6BAA6B,IAAI,CAC5E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACrC,IAAI,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,IAAI,CAAC,IAAI,CAAC,uCAAuC,QAAQ,IAAI,CAAC,CAAC;QAC/D,IAAI,CAAC,IAAI,CACP,2CAA2C,6BAA6B,IAAI,CAC7E,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,YAAY,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;AAChF,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC;IAClC,OAAO,OAAO,CACZ,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC5B,6BAA6B,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACpD,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,CAAC;QACnD,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC;QACtC,yBAAyB,CAAC,KAAK,CAAC,CACjC,CAAC;AACJ,CAAC;AAED,SAAS,6BAA6B,CAAC,YAA2B;IAChE,IAAI,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAChC,OAAO,YAAY;SAChB,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;SACvD,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;SAC/C,IAAI,CAAC,yBAAyB,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,yBAAyB,CAAC,IAAY;IAC7C,IAAI,8BAA8B,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,EAAE,CAAC,CAAC;IACzD,OAAO,CACL,QAAQ,KAAK,WAAW;QACxB,QAAQ,KAAK,oBAAoB;QACjC,QAAQ,KAAK,YAAY;QACzB,QAAQ,KAAK,sBAAsB;QACnC,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC;QAClC,QAAQ,KAAK,GAAG,yBAAyB,gBAAgB;QACzD,QAAQ,KAAK,GAAG,yBAAyB,eAAe;QACxD,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAC7C,CAAC;AACJ,CAAC;AAED,MAAM,gBAAgB,GAAG,mBAAmB,CAAC;AAE7C,SAAS,uBAAuB,CAC9B,OAAgB,EAChB,MAAc,EACd,QAAgB;IAEhB,IAAI,MAAM,GAAG,GAAG,IAAI,MAAM,IAAI,GAAG;QAAE,OAAO,KAAK,CAAC;IAChD,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IACrE,IAAI,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IACnD,OAAO,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;AAC7E,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAS,0BAA0B,CACjC,OAAgB,EAChB,MAAc,EACd,QAAgB,EAChB,aAAsB;IAEtB,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC;QAAE,OAAO;IAEhE,IAAI,aAAa,EAAE,CAAC;QAClB,2EAA2E;QAC3E,+EAA+E;QAC/E,8EAA8E;QAC9E,sEAAsE;QACtE,qCAAqC;QACrC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,EAAE,CAAC;QACtD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,gBAAgB,CAAC,CAAC;QACjD,CAAC;QACD,yEAAyE;QACzE,oCAAoC;QACpC,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;QACpC,OAAO,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC;QAC5C,OAAO;IACT,CAAC;IAED,2EAA2E;IAC3E,6EAA6E;IAC7E,sEAAsE;IACtE,8EAA8E;IAC9E,uEAAuE;IACvE,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,yBAAyB,CAAC,EAAE,CAAC;QACtE,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC;AAED,SAAS,kCAAkC,CACzC,OAAgB,EAChB,MAAc,EACd,QAAgB;IAEhB,IAAI,MAAM,GAAG,GAAG,IAAI,MAAM,IAAI,GAAG;QAAE,OAAO;IAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;QAAE,OAAO;IAE7C,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IACrE,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO;IAE/C,2EAA2E;IAC3E,4EAA4E;IAC5E,0EAA0E;IAC1E,6EAA6E;IAC7E,6EAA6E;IAC7E,4EAA4E;IAC5E,sBAAsB;IACtB,MAAM,SAAS,GAAG,iBAAiB,CAAC,8BAA8B,EAAE,QAAQ,CAAC,CAAC;IAC9E,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,IAAI,SAAS,GAAG,CAAC,CAAC;AACrD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,SAAwB;IACjD,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;IAC/C,IAAI,KAAK,IAAI,CAAC,IAAI,GAAG,GAAG,KAAK;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,SAAS,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,SAAS,gBAAgB,CAAC,OAAgB,EAAE,YAA2B;IACrE,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,OAAO;IAClD,IAAI,OAAO,CAAC,GAAG,CAAC,4BAA4B,KAAK,GAAG;QAAE,OAAO;IAE7D,0EAA0E;IAC1E,yEAAyE;IACzE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,IAAI,EAAE,CAAC;IAC9D,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CACT,yBAAyB,EACzB,oCAAoC,CACrC,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,uEAAuE;IACvE,yEAAyE;IACzE,wEAAwE;IACxE,MAAM,UAAU,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC3E,MAAM,eAAe,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,cAAc,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;IAE5D,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,IAAI,EAAE,CAAC;IAC5E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,qCAAqC,EAAE,SAAS,CAAC,CAAC;IAChE,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,QAAgB;IAC9C,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;QACpC,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;QAC5B,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC;QAC9B,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;QAC5B,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;QAC5B,QAAQ,KAAK,iBAAiB;QAC9B,QAAQ,KAAK,cAAc;QAC3B,QAAQ,KAAK,mBAAmB;QAChC,QAAQ,KAAK,cAAc;QAC3B,QAAQ,KAAK,cAAc;QAC3B,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CACzD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,QAAkB,EAClB,QAAgB,EAChB,QAAgB,EAChB,UAAkB,EAClB,aAAsB;IAEtB,MAAM,wBAAwB,GAAG,2BAA2B,EAAE,CAAC;IAC/D,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9C,0BAA0B,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC;IAC9E,kCAAkC,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACzC,IAAI,QAAQ,EAAE,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IACtD,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACvE,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE;YACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;YACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,OAAO;SACR,CAAC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACjC,gBAAgB,CAAC,OAAO,EAAE,wBAAwB,CAAC,CAAC;IACpD,OAAO,IAAI,QAAQ,CACjB,gBAAgB,CACd,4BAA4B,CAC1B,iBAAiB,CAAC,IAAI,EAAE,QAAQ,CAAC,EACjC,qBAAqB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAC5C,EACD,wBAAwB,CACzB,EACD;QACE,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,OAAO;KACR,CACF,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAA0C;IAC3E,MAAM,OAAO,GAAG,oBAAoB,CAAC,QAAe,CAAC,CAAC;IACtD,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;QACxC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,sBAAsB,CAAC,CAAC,CAAC,EAAE,CAAC;YAC9B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7C,CAAC;QACD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,GAAc,EAAE,CAAC,EAAE,QAAQ,CAAC,CAAC;YACvE,wEAAwE;YACxE,uEAAuE;YACvE,gEAAgE;YAChE,uEAAuE;YACvE,+DAA+D;YAC/D,IAAI,OAAO,GAAkD,IAAI,CAAC;YAClE,MAAM,aAAa,GAAG,oBAAoB,CAAC,KAAK,CAAC,CAAC;YAClD,IAAI,aAAa,EAAE,CAAC;gBAClB,IAAI,CAAC;oBACH,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;gBACpC,CAAC;gBAAC,MAAM,CAAC;oBACP,qEAAqE;gBACvE,CAAC;YACH,CAAC;YACD,wEAAwE;YACxE,sEAAsE;YACtE,uEAAuE;YACvE,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK;gBAC1B,CAAC,CAAC,MAAM,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC;gBACzC,CAAC,CAAC,SAAS,CAAC;YACd,MAAM,GAAG,GAAG;gBACV,SAAS,EAAE,OAAO,EAAE,KAAK,IAAI,SAAS;gBACtC,KAAK;aACN,CAAC;YACF,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBAC9B,MAAM,UAAU,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE;oBAC1C,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,GAAG,EAAE,GAAG,EAAE,CACrD,OAAO,CAAC,UAAU,CAAC,CACpB,CAAC;gBACF,OAAO,MAAM,sBAAsB,CACjC,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACjB,MAAM,EAAE,QAAQ,CAAC,MAAM;oBACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;oBAC/B,OAAO,EAAE,QAAQ,CAAC,OAAO;iBAC1B,CAAC,EACF,QAAQ,EACR,CAAC,EACD,OAAO,CAAC,GAAG,EACX,aAAa,CACd,CAAC;YACJ,CAAC;YACD,OAAO,MAAM,sBAAsB,CACjC,MAAM,qBAAqB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,EACxD,QAAQ,EACR,CAAC,EACD,OAAO,CAAC,GAAG,EACX,aAAa,CACd,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,mEAAmE;YACnE,uEAAuE;YACvE,sEAAsE;YACtE,oEAAoE;YACpE,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC;YAC/C,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;YACrD,MAAM,IAAI,GAAG,MAAM;gBACjB,CAAC,CAAC,uBAAuB;gBACzB,CAAC,CAAC,0BAA2B,GAAa,EAAE,OAAO,IAAI,GAAG,EAAE,CAAC;YAC/D,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,GAAG;gBACX,OAAO,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE;aAC1C,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["/**\n * Shared SSR catch-all handler for React Router framework mode.\n *\n * Templates wire this up via:\n *\n * // server/routes/[...page].get.ts\n * import { createH3SSRHandler } from \"@agent-native/core/server/ssr-handler\";\n * export default createH3SSRHandler(\n * () => import(\"virtual:react-router/server-build\"),\n * );\n *\n * The `getBuild` callback MUST live in the template's own source so Vite's\n * @react-router/dev plugin can resolve the `virtual:` module. Pulling the\n * import into core (e.g. via a re-export) puts it in node_modules where\n * Vite's SSR externalizer leaves it untouched and Node's ESM loader rejects\n * the unknown scheme — silently 302'ing every request to \"/\".\n */\nimport { createRequestHandler } from \"react-router\";\nimport { defineEventHandler, type H3Event } from \"h3\";\nimport { getSentryClientConfigScript } from \"./sentry-config.js\";\nimport { computeInlineScriptHash } from \"./security-headers.js\";\nimport {\n getAppBasePathFromViteEnv,\n stripAppBasePath as canonicalStripAppBasePath,\n} from \"./app-base-path.js\";\nimport { BETTER_AUTH_COOKIE_PREFIX, COOKIE_NAME, getSession } from \"./auth.js\";\nimport { runWithRequestContext } from \"./request-context.js\";\nimport { requestHasEmbedAuthMarker } from \"./embed-session.js\";\nimport {\n EMBED_SESSION_COOKIE,\n EMBED_TOKEN_QUERY_PARAM,\n} from \"../shared/embed-auth.js\";\nimport {\n AGENT_NATIVE_SOCIAL_IMAGE_ALT,\n AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT,\n AGENT_NATIVE_SOCIAL_IMAGE_PATH,\n AGENT_NATIVE_SOCIAL_IMAGE_TYPE,\n AGENT_NATIVE_SOCIAL_IMAGE_WIDTH,\n} from \"../shared/social-meta.js\";\nimport {\n DEFAULT_SSR_CACHE_HEADERS,\n DEFAULT_SPECULATION_RULES_PATH,\n} from \"../shared/cache-control.js\";\n\nexport {\n DEFAULT_SSR_CACHE_HEADERS,\n DEFAULT_SPECULATION_RULES_HEADER,\n DEFAULT_SSR_CACHE_CONTROL,\n} from \"../shared/cache-control.js\";\nconst ANONYMOUS_SESSION_COOKIE_NAMES = new Set([\"an_docs_session\"]);\nconst BETTER_AUTH_SESSION_COOKIE_RE = /\\.session_(?:token|data)$/;\n\n/**\n * Read the active org for a request without forcing every template to bundle\n * the org module. Mirrors what `core-routes-plugin` does for action handlers.\n *\n * Fast path: when the session already carries a valid orgId (backfilled by\n * backfillSessionOrg during getSession), return it directly — no additional\n * org_members round trip. Only when the session has no orgId do we fall\n * through to getOrgContext for the full membership lookup.\n */\nasync function readOrgIdForEvent(\n event: H3Event,\n session: Awaited<ReturnType<typeof getSession>>,\n): Promise<string | undefined> {\n // Reuse orgId already resolved by backfillSessionOrg inside getSession.\n const sessionOrgId =\n typeof session?.orgId === \"string\" && session.orgId.trim()\n ? session.orgId.trim()\n : undefined;\n if (sessionOrgId) return sessionOrgId;\n\n // No orgId on the session — full org_members lookup needed.\n // getOrgContext is per-event memoized, so this is at most one DB read\n // even if other request code calls getOrgContext independently.\n try {\n const { getOrgContext } = await import(\"../org/context.js\");\n const ctx = await getOrgContext(event);\n return ctx?.orgId ?? undefined;\n } catch {\n return undefined;\n }\n}\n\nfunction getAppBasePath(): string {\n return getAppBasePathFromViteEnv();\n}\n\nfunction stripAppBasePath(pathname: string): string {\n return canonicalStripAppBasePath(pathname, getAppBasePath());\n}\n\nfunction stripBasePath(pathname: string, basePath: string): string {\n if (!basePath) return pathname;\n if (pathname === basePath) return \"/\";\n if (pathname.startsWith(`${basePath}/`)) {\n return pathname.slice(basePath.length) || \"/\";\n }\n return pathname;\n}\n\nfunction requestWithPathname(\n request: Request,\n pathname: string,\n basePath: string,\n): Request {\n const url = new URL(request.url);\n let changed = false;\n if (basePath && pathname === \"/__manifest\") {\n const paths = url.searchParams.get(\"paths\");\n if (paths) {\n const strippedPaths = paths\n .split(\",\")\n .map((path) => stripBasePath(path, basePath))\n .join(\",\");\n if (strippedPaths !== paths) {\n url.searchParams.set(\"paths\", strippedPaths);\n changed = true;\n }\n }\n }\n if (url.pathname !== pathname) {\n url.pathname = pathname;\n changed = true;\n }\n if (!changed) return request;\n const init: RequestInit & { duplex?: \"half\" } = {\n method: request.method,\n headers: request.headers,\n signal: request.signal,\n };\n if (request.body && ![\"GET\", \"HEAD\"].includes(request.method.toUpperCase())) {\n init.body = request.body;\n init.duplex = \"half\";\n }\n return new Request(url, init);\n}\n\nfunction prefixMountedPath(path: string, basePath: string): string {\n if (!basePath || !path.startsWith(\"/\") || path.startsWith(\"//\")) return path;\n if (path === basePath || path.startsWith(`${basePath}/`)) return path;\n return `${basePath}${path}`;\n}\n\nfunction prefixMountedHtml(html: string, basePath: string): string {\n if (!basePath) return html;\n return html\n .replace(\n /\\b(href|src|action|formaction|poster)=([\"'])(\\/(?!\\/)[^\"']*)\\2/g,\n (_match, attr: string, quote: string, path: string) =>\n `${attr}=${quote}${prefixMountedPath(path, basePath)}${quote}`,\n )\n .replace(/url\\(([\"']?)(\\/(?!\\/)[^)'\" ]+)\\1\\)/g, (_match, quote, path) => {\n const q = quote || \"\";\n return `url(${q}${prefixMountedPath(path, basePath)}${q})`;\n });\n}\n\nfunction injectHeadScript(html: string, script: string | null): string {\n if (!script) return html;\n const headCloseIdx = html.indexOf(\"</head>\");\n if (headCloseIdx === -1) return html;\n return html.slice(0, headCloseIdx) + script + html.slice(headCloseIdx);\n}\n\nconst OG_IMAGE_META_RE = /<meta\\b(?=[^>]*\\bproperty=([\"'])og:image\\1)[^>]*>/i;\nconst TWITTER_CARD_META_RE =\n /<meta\\b(?=[^>]*\\bname=([\"'])twitter:card\\1)[^>]*>/i;\nconst TWITTER_IMAGE_META_RE =\n /<meta\\b(?=[^>]*\\bname=([\"'])twitter:image\\1)[^>]*>/i;\n\nfunction defaultSocialImageUrl(requestUrl: string, basePath: string): string {\n return new URL(\n prefixMountedPath(AGENT_NATIVE_SOCIAL_IMAGE_PATH, basePath),\n requestUrl,\n ).toString();\n}\n\nfunction injectDefaultSocialImageMeta(html: string, imageUrl: string): string {\n const headCloseIdx = html.indexOf(\"</head>\");\n if (headCloseIdx === -1) return html;\n\n const hasAnySocialImage =\n OG_IMAGE_META_RE.test(html) || TWITTER_IMAGE_META_RE.test(html);\n const tags: string[] = [];\n\n if (!hasAnySocialImage) {\n tags.push(`<meta property=\"og:image\" content=\"${imageUrl}\">`);\n tags.push(`<meta property=\"og:image:secure_url\" content=\"${imageUrl}\">`);\n tags.push(\n `<meta property=\"og:image:type\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_TYPE}\">`,\n );\n tags.push(\n `<meta property=\"og:image:width\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_WIDTH}\">`,\n );\n tags.push(\n `<meta property=\"og:image:height\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT}\">`,\n );\n tags.push(\n `<meta property=\"og:image:alt\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_ALT}\">`,\n );\n }\n if (!TWITTER_CARD_META_RE.test(html)) {\n tags.push(`<meta name=\"twitter:card\" content=\"summary_large_image\">`);\n }\n if (!hasAnySocialImage) {\n tags.push(`<meta name=\"twitter:image\" content=\"${imageUrl}\">`);\n tags.push(\n `<meta name=\"twitter:image:alt\" content=\"${AGENT_NATIVE_SOCIAL_IMAGE_ALT}\">`,\n );\n }\n\n if (tags.length === 0) return html;\n return html.slice(0, headCloseIdx) + tags.join(\"\") + html.slice(headCloseIdx);\n}\n\nfunction requestHasAuthSignal(event: H3Event): boolean {\n const headers = event.req.headers;\n return Boolean(\n headers.get(\"authorization\") ||\n requestHasAuthenticatedCookie(headers.get(\"cookie\")) ||\n event.url.searchParams.has(EMBED_TOKEN_QUERY_PARAM) ||\n event.url.searchParams.has(\"_session\") ||\n requestHasEmbedAuthMarker(event),\n );\n}\n\nfunction requestHasAuthenticatedCookie(cookieHeader: string | null): boolean {\n if (!cookieHeader) return false;\n return cookieHeader\n .split(\";\")\n .map((cookie) => cookie.trim().split(\"=\", 1)[0]?.trim())\n .filter((name): name is string => Boolean(name))\n .some(isAuthenticatedCookieName);\n}\n\nfunction isAuthenticatedCookieName(name: string): boolean {\n if (ANONYMOUS_SESSION_COOKIE_NAMES.has(name)) return false;\n const bareName = name.replace(/^__(?:Secure|Host)-/, \"\");\n return (\n bareName === COOKIE_NAME ||\n bareName === EMBED_SESSION_COOKIE ||\n bareName === \"an_session\" ||\n bareName === \"an_session_workspace\" ||\n bareName.startsWith(\"an_session_\") ||\n bareName === `${BETTER_AUTH_COOKIE_PREFIX}.session_token` ||\n bareName === `${BETTER_AUTH_COOKIE_PREFIX}.session_data` ||\n BETTER_AUTH_SESSION_COOKIE_RE.test(bareName)\n );\n}\n\nconst PRIVATE_NO_STORE = \"private, no-store\";\n\nfunction isSsrHtmlOrDataResponse(\n headers: Headers,\n status: number,\n pathname: string,\n): boolean {\n if (status < 200 || status >= 400) return false;\n const contentType = headers.get(\"content-type\")?.toLowerCase() ?? \"\";\n if (contentType.includes(\"text/html\")) return true;\n return pathname.endsWith(\".data\") && contentType.includes(\"text/x-script\");\n}\n\n/**\n * Apply the correct SSR cache policy to the response headers.\n *\n * Anonymous requests (no auth signal on the incoming request) get the public\n * stale-while-revalidate default so the CDN can serve shared app-shell HTML\n * and React Router loader data to every unauthenticated visitor without\n * hammering origin.\n *\n * Authenticated requests must never be publicly CDN-cached: the loader may\n * have embedded session-personalized data. If the route already returned a\n * Cache-Control header we respect it; otherwise we fall back to\n * `private, no-store` so the browser re-fetches but no shared cache stores\n * the response.\n *\n * The distinction is on the *incoming* auth signal, not on whether the loader\n * actually used the session — that would require inspecting the response body.\n * Erring toward private for any credentialed request is the safe default.\n */\nfunction applyDefaultSsrCacheHeader(\n headers: Headers,\n status: number,\n pathname: string,\n hasAuthSignal: boolean,\n) {\n if (!isSsrHtmlOrDataResponse(headers, status, pathname)) return;\n\n if (hasAuthSignal) {\n // A route that explicitly opts into public caching (e.g. a share page that\n // accepts an optional auth cookie) can signal intent via a `public` directive.\n // Any other route-level or framework-default value (no-cache, private, unset)\n // is overridden with private/no-store so no shared CDN cache stores a\n // potentially personalized response.\n const existingCc = headers.get(\"cache-control\") ?? \"\";\n if (!existingCc.includes(\"public\")) {\n headers.set(\"cache-control\", PRIVATE_NO_STORE);\n }\n // Never propagate CDN-specific cache headers on authenticated responses,\n // regardless of what the route set.\n headers.delete(\"cdn-cache-control\");\n headers.delete(\"netlify-cdn-cache-control\");\n return;\n }\n\n // Netlify Functions/proxies are not cached by default, and production docs\n // requests often carry stale auth/doc cookies. Keep all three cache headers:\n // Cache-Control for browsers, CDN-Cache-Control for generic CDNs, and\n // Netlify-CDN-Cache-Control (with durable) so Netlify's shared cache actually\n // serves SSR HTML/.data instead of forwarding every request to origin.\n for (const [name, value] of Object.entries(DEFAULT_SSR_CACHE_HEADERS)) {\n headers.set(name, value);\n }\n}\n\nfunction applyDefaultSpeculationRulesHeader(\n headers: Headers,\n status: number,\n basePath: string,\n) {\n if (status < 200 || status >= 400) return;\n if (headers.has(\"speculation-rules\")) return;\n\n const contentType = headers.get(\"content-type\")?.toLowerCase() ?? \"\";\n if (!contentType.includes(\"text/html\")) return;\n\n // Cloudflare Speed Brain injects its own Speculation-Rules header when the\n // origin omits one. Those browser prefetches carry `Sec-Purpose: prefetch`,\n // and Cloudflare refuses cache-ineligible dynamic pages with a 503 before\n // the request can reach Netlify/origin. We publish an explicit no-op ruleset\n // by default so Cloudflare does not inject its edge prefetch rules. Preserve\n // an app-provided Speculation-Rules header above if a template deliberately\n // owns this behavior.\n const rulesPath = prefixMountedPath(DEFAULT_SPECULATION_RULES_PATH, basePath);\n headers.set(\"speculation-rules\", `\"${rulesPath}\"`);\n}\n\n/**\n * Extract the plain JS body from a `<script ...>body</script>` string.\n * Returns `null` if the input is falsy or has no recognisable `</script>` end.\n * Used to compute the sha256 hash of framework-injected inline scripts so the\n * hash can be listed in the `script-src` CSP directive without relying on\n * `'unsafe-inline'`.\n */\nfunction extractScriptBody(scriptTag: string | null): string | null {\n if (!scriptTag) return null;\n const start = scriptTag.indexOf(\">\") + 1;\n const end = scriptTag.lastIndexOf(\"</script>\");\n if (start <= 0 || end < start) return null;\n return scriptTag.slice(start, end);\n}\n\n/**\n * Apply a Content-Security-Policy header to HTML document responses.\n *\n * Two directives are always enforced in production:\n *\n * - `object-src 'none'` — disables Flash / Java / PDF plugin execution,\n * which are a reliable code-execution vector even in modern browsers.\n * - `base-uri 'self'` — prevents a `<base href=\"...\">` injection from\n * hijacking all relative URLs in the document (a common attack target when\n * user-controlled content reaches the HTML).\n *\n * A third directive, `script-src`, is emitted via `Content-Security-Policy-\n * Report-Only` rather than enforced. The framework injects one deterministic\n * inline script per process (the Sentry config block — its hash is computed\n * once at process startup from the resolved env vars). Templates additionally\n * render a theme-init inline script whose exact content varies by template\n * (default theme param, custom docs variant, etc.) and which is rendered by\n * React Router, not this handler, so its hash is not available here. Shipping\n * script-src as Report-Only surfaces violations without breaking template\n * customisations; teams can graduate to enforcement once their hashes are\n * enumerated.\n *\n * Skipped in development (`NODE_ENV !== 'production'`) so HMR eval and Vite\n * dev-server injects are never blocked. Set `AGENT_NATIVE_DISABLE_DOC_CSP=1`\n * to opt out in production for a template with exotic needs.\n */\nfunction applyDocumentCsp(headers: Headers, sentryScript: string | null): void {\n if (process.env.NODE_ENV !== \"production\") return;\n if (process.env.AGENT_NATIVE_DISABLE_DOC_CSP === \"1\") return;\n\n // object-src / base-uri: enforced; neither directive mentions scripts, so\n // they are safe even when a template's inline script hashes are unknown.\n const existing = headers.get(\"content-security-policy\") ?? \"\";\n if (!existing) {\n headers.set(\n \"content-security-policy\",\n \"object-src 'none'; base-uri 'self'\",\n );\n }\n\n // script-src as Report-Only: list 'self' plus the hash for the Sentry config\n // script the SSR handler injects into every HTML response (the hash is\n // computed once from the resolved env vars at process startup). Template\n // theme-init hashes are NOT included here — see function comment above.\n const sentryBody = extractScriptBody(sentryScript);\n const sentryHash = sentryBody ? computeInlineScriptHash(sentryBody) : null;\n const scriptSrcTokens = [\"'self'\", ...(sentryHash ? [sentryHash] : [])];\n const scriptSrc = `script-src ${scriptSrcTokens.join(\" \")}`;\n\n const existingRo = headers.get(\"content-security-policy-report-only\") ?? \"\";\n if (!existingRo) {\n headers.set(\"content-security-policy-report-only\", scriptSrc);\n }\n}\n\nfunction isFrameworkOrAssetPath(pathname: string): boolean {\n return (\n pathname.startsWith(\"/.well-known/\") ||\n pathname.startsWith(\"/_agent_native/\") ||\n pathname.startsWith(\"/_agent-native/\") ||\n pathname.startsWith(\"/api/\") ||\n pathname.startsWith(\"/@vite/\") ||\n pathname.startsWith(\"/@id/\") ||\n pathname.startsWith(\"/@fs/\") ||\n pathname === \"/@react-refresh\" ||\n pathname === \"/__vite_ping\" ||\n pathname === \"/__open-in-editor\" ||\n pathname === \"/favicon.ico\" ||\n pathname === \"/favicon.png\" ||\n (/\\.\\w+$/.test(pathname) && !pathname.endsWith(\".data\"))\n );\n}\n\nasync function rewriteMountedResponse(\n response: Response,\n basePath: string,\n pathname: string,\n requestUrl: string,\n hasAuthSignal: boolean,\n): Promise<Response> {\n const sentryClientConfigScript = getSentryClientConfigScript();\n const headers = new Headers(response.headers);\n applyDefaultSsrCacheHeader(headers, response.status, pathname, hasAuthSignal);\n applyDefaultSpeculationRulesHeader(headers, response.status, basePath);\n\n const location = headers.get(\"location\");\n if (location?.startsWith(\"/\") && !location.startsWith(\"//\")) {\n headers.set(\"location\", prefixMountedPath(location, basePath));\n }\n\n const contentType = headers.get(\"content-type\") ?? \"\";\n if (!contentType.toLowerCase().includes(\"text/html\") || !response.body) {\n return new Response(response.body, {\n status: response.status,\n statusText: response.statusText,\n headers,\n });\n }\n\n const html = await response.text();\n headers.delete(\"content-length\");\n applyDocumentCsp(headers, sentryClientConfigScript);\n return new Response(\n injectHeadScript(\n injectDefaultSocialImageMeta(\n prefixMountedHtml(html, basePath),\n defaultSocialImageUrl(requestUrl, basePath),\n ),\n sentryClientConfigScript,\n ),\n {\n status: response.status,\n statusText: response.statusText,\n headers,\n },\n );\n}\n\n/**\n * Create an h3 catch-all that hands page routes to React Router and\n * returns 404 for framework / asset paths that React Router doesn't own.\n */\nexport function createH3SSRHandler(getBuild: () => Promise<unknown> | unknown) {\n const handler = createRequestHandler(getBuild as any);\n return defineEventHandler(async (event) => {\n const basePath = getAppBasePath();\n const p = stripAppBasePath(event.url.pathname);\n if (isFrameworkOrAssetPath(p)) {\n return new Response(null, { status: 404 });\n }\n try {\n const request = requestWithPathname(event.req as Request, p, basePath);\n // Pin the active session onto the async request context so React Router\n // loaders that call `getRequestUserEmail()` / `accessFilter()` see the\n // signed-in user. Without this, SSR loaders fall through to the\n // unauthenticated branch even when the user is logged in — which broke\n // shared-deck \"Presentation link\" access for non-public decks.\n let session: Awaited<ReturnType<typeof getSession>> | null = null;\n const hasAuthSignal = requestHasAuthSignal(event);\n if (hasAuthSignal) {\n try {\n session = await getSession(event);\n } catch {\n // Auth lookup failures must not break SSR; treat as unauthenticated.\n }\n }\n // readOrgIdForEvent fast-paths when session.orgId is already backfilled\n // (the common case), avoiding a duplicate org_members query. A second\n // query only fires for authenticated users whose session has no orgId.\n const orgId = session?.email\n ? await readOrgIdForEvent(event, session)\n : undefined;\n const ctx = {\n userEmail: session?.email ?? undefined,\n orgId,\n };\n if (request.method === \"HEAD\") {\n const getRequest = new Request(request.url, {\n method: \"GET\",\n headers: request.headers,\n signal: request.signal,\n });\n const response = await runWithRequestContext(ctx, () =>\n handler(getRequest),\n );\n return await rewriteMountedResponse(\n new Response(null, {\n status: response.status,\n statusText: response.statusText,\n headers: response.headers,\n }),\n basePath,\n p,\n request.url,\n hasAuthSignal,\n );\n }\n return await rewriteMountedResponse(\n await runWithRequestContext(ctx, () => handler(request)),\n basePath,\n p,\n request.url,\n hasAuthSignal,\n );\n } catch (err) {\n // Log the full stack server-side, but never leak it to the client.\n // Stack traces expose file paths, library versions, and code structure\n // that aid reconnaissance attacks. In dev we surface the message text\n // so devtools shows something useful; in prod we return a bare 500.\n console.error(\"[ssr-handler] SSR error:\", err);\n const isProd = process.env.NODE_ENV === \"production\";\n const body = isProd\n ? \"Internal Server Error\"\n : `Internal Server Error: ${(err as Error)?.message ?? err}`;\n return new Response(body, {\n status: 500,\n headers: { \"content-type\": \"text/plain\" },\n });\n }\n });\n}\n"]}
package/dist/server/transcribe-voice.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"transcribe-voice.d.ts","sourceRoot":"","sources":["../../src/server/transcribe-voice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AA8FH,wBAAgB,4BAA4B;UA8bxB,MAAM;;;IA7FzB"}
1
+ {"version":3,"file":"transcribe-voice.d.ts","sourceRoot":"","sources":["../../src/server/transcribe-voice.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AA8FH,wBAAgB,4BAA4B;UAmcxB,MAAM;;;IA7FzB"}