@agent-native/core 0.47.1 → 0.48.2

package/dist/server/google-oauth.js

@@ -13,6 +13,7 @@ import { getAppName } from "./app-name.js";
 import { getWorkspaceA2ADerivedSecret } from "./derived-secret.js";
 import { writeDesktopSso } from "./desktop-sso.js";
 import { appendSessionToOAuthReturnUrl } from "./oauth-return-url.js";
+import { getConfiguredAppBasePath } from "./app-base-path.js";
 // ─── Platform Detection ─────────────────────────────────────────────────────
 /** Return an HTML response with the correct Content-Type.
  *  Uses a web-standard Response to ensure the header survives
@@ -224,17 +225,9 @@ export function getOrigin(event) {
     }
     return `${headerProto}://${headerHost ?? "localhost"}`;
 }
-function normalizeAppBasePath(value) {
-    if (!value || value === "/")
-        return "";
-    const trimmed = value.trim();
-    if (!trimmed || trimmed === "/")
-        return "";
-    return `/${trimmed.replace(/^\/+/, "").replace(/\/+$/, "")}`;
-}
 /** App mount prefix, if the template is served under APP_BASE_PATH. */
 export function getAppBasePath() {
-    return normalizeAppBasePath(process.env.VITE_APP_BASE_PATH || process.env.APP_BASE_PATH);
+    return getConfiguredAppBasePath();
 }
 /** Build an absolute same-origin URL that preserves APP_BASE_PATH. */
 export function getAppUrl(event, path = "/") {

package/dist/server/google-oauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"google-oauth.js","sourceRoot":"","sources":["../../src/server/google-oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,SAAS,EACT,QAAQ,EACR,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EACL,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,yBAAyB,GAC1B,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,4BAA4B,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,6BAA6B,EAAE,MAAM,uBAAuB,CAAC;AAEtE,+EAA+E;AAE/E;;oDAEoD;AACpD,SAAS,YAAY,CAAC,IAAY,EAAE,MAAM,GAAG,GAAG;IAC9C,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;KACxD,CAAC,CAAC;AACL,CAAC;AAED;;;gCAGgC;AAChC,SAAS,gBAAgB,CAAC,MAAe;IACvC,OAAO,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAChD,CAAC;AAED,SAAS,wBAAwB,CAC/B,QAAgB,EAChB,QAAgB,EAChB,WAAoB;IAEpB,MAAM,KAAK,GAAG,WAAW;QACvB,CAAC,CAAC,sEAAsE,UAAU,CAAC,WAAW,CAAC,MAAM;QACrG,CAAC,CAAC,EAAE,CAAC;IACP,OAAO,4hBAA4hB,QAAQ,qDAAqD,QAAQ,OAAO,KAAK,iFAAiF,IAAI,CAAC,SAAS,CAAC,WAAW,IAAI,IAAI,CAAC,qFAAqF,CAAC;AACh0B,CAAC;AAED;;;;GAIG;AACH,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,UAAU,CAAC,KAAc;IACvC,OAAO,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,QAAQ,CAAC,KAAc;IACrC,OAAO,2BAA2B,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC;AAChF,CAAC;AAED;;;;;GAKG;AACH,MAAM,+BAA+B,GAAG;IACtC,wBAAwB;IACxB,6BAA6B;IAC7B,SAAS;IACT,cAAc;IACd,iBAAiB;IACjB,sBAAsB;IACtB,KAAK;IACL,YAAY;CACJ,CAAC;AAEX,MAAM,iCAAiC,GAAG;IACxC,uBAAuB;IACvB,4BAA4B;CACpB,CAAC;AAEX,SAAS,eAAe,CAAC,GAAuB;IAC9C,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,OAAO,GAAG,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAC1B,GAAgB,EAChB,GAAuB,EACvB,OAAmC;IAEnC,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,MAAM;QAAE,OAAO;IACpB,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,gBAAgB,CAAC,MAAM,CAAC;QAAE,OAAO;IAC/D,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,kBAAkB,CACzB,IAAuB,EACvB,OAAmC;IAEnC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM;YAAE,SAAS;QACtB,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,gBAAgB,CAAC,MAAM,CAAC;YAAE,SAAS;QACjE,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,4BAA4B;IACnC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,GAAG,IAAI,+BAA+B,EAAE,CAAC;QAClD,mBAAmB,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACtE,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,iCAAiC,EAAE,CAAC;QACpD,mBAAmB,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,0BAA0B;IACjC,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,+BAA+B,EAAE;QAC3E,aAAa,EAAE,IAAI;KACpB,CAAC,CAAC;IACH,IAAI,gBAAgB;QAAE,OAAO,gBAAgB,CAAC;IAE9C,OAAO,kBAAkB,CAAC,iCAAiC,EAAE;QAC3D,aAAa,EAAE,KAAK;KACrB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,IAAwB;IAC9C,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;QACzC,OAAO,CACL,MAAM,CAAC,QAAQ,KAAK,WAAW;YAC/B,MAAM,CAAC,QAAQ,KAAK,WAAW;YAC/B,MAAM,CAAC,QAAQ,KAAK,KAAK;YACzB,MAAM,CAAC,QAAQ,KAAK,OAAO,CAC5B,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,MAA0B;IAClD,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC;QACH,OAAO,cAAc,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAwB;IACpD,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;QACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC/C,OAAO,CACL,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CACjC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,SAAS,CAAC,KAAc;IACtC,MAAM,UAAU,GACd,SAAS,CAAC,KAAK,EAAE,kBAAkB,CAAC,IAAI,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACnE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IACrD,MAAM,WAAW,GACf,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACvE,MAAM,uBAAuB,GAAG,oCAAoC,EAAE;QACpE,CAAC,CAAC,0BAA0B,EAAE;QAC9B,CAAC,CAAC,SAAS,CAAC;IAEd,IACE,uBAAuB;QACvB,CAAC,cAAc,CAAC,UAAU,CAAC,IAAI,oBAAoB,CAAC,UAAU,CAAC,CAAC,EAChE,CAAC;QACD,OAAO,uBAAuB,CAAC;IACjC,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,4BAA4B,EAAE,CAAC;QAC7C,yEAAyE;QACzE,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,WAAW,MAAM,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,IAAI,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC;gBAAE,OAAO,OAAO,CAAC;YAClD,mEAAmE;YACnE,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACvB,CAAC;QACD,kEAAkE;QAClE,+DAA+D;QAC/D,OAAO,GAAG,WAAW,MAAM,UAAU,IAAI,EAAE,EAAE,CAAC;IAChD,CAAC;IAED,OAAO,GAAG,WAAW,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAyB;IACrD,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IAC3C,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC;AAC/D,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,cAAc;IAC5B,OAAO,oBAAoB,CACzB,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAC5D,CAAC;AACJ,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,SAAS,CAAC,KAAc,EAAE,IAAI,GAAG,GAAG;IAClD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC3D,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,cAAc,EAAE,GAAG,SAAS,EAAE,CAAC;AAC9D,CAAC;AAED,SAAS,oCAAoC;IAC3C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;QAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG,CAChD,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CAAC,QAAgB;IACpD,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,MAAM,eAAe,GAAI,KAAa,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACjE,IAAI,OAAO,eAAe,KAAK,QAAQ,IAAI,eAAe,EAAE,CAAC;QAC3D,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,MAAM,WAAW,GAAI,KAAa,CAAC,GAAG,EAAE,QAAQ,CAAC;IACjD,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC;IAEvE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC;IACrC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,EAAE,CAAC;QAC3C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,OAAO,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAClE,CAAC;IAED,MAAM,SAAS,GAAI,KAAa,CAAC,IAAI,CAAC;IACtC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,EAAE,CAAC;QAC/C,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACtE,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAc;IAC/C,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,MAAM,WAAW,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IAClD,OAAO,CACL,WAAW,KAAK,GAAG,QAAQ,gBAAgB;QAC3C,WAAW,CAAC,UAAU,CAAC,GAAG,QAAQ,iBAAiB,CAAC,CACrD,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc,EAAE,IAAY;IAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC3D,IACE,oCAAoC,EAAE;QACtC,4BAA4B,CAAC,SAAS,CAAC,EACvC,CAAC;QACD,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,SAAS,EAAE,CAAC;IAC3C,CAAC;IACD,MAAM,QAAQ,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,QAAQ,GAAG,SAAS,EAAE,CAAC;AACtD,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,yBAAyB,CACvC,SAAiB,EACjB,KAAc;IAEd,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1E,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,qCAAqC;IACrC,MAAM,cAAc,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,WAAgB,CAAC;IACrB,IAAI,CAAC;QACH,WAAW,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IACxD,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAChD,yEAAyE;IACzE,4EAA4E;IAC5E,wEAAwE;IACxE,mCAAmC;IACnC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,MAAM,eAAe,GACnB,QAAQ,IAAI,yBAAyB,CAAC,KAAK,CAAC;QAC1C,CAAC,CAAC;YACE,GAAG,QAAQ,iBAAiB;YAC5B,GAAG,CAAC,oCAAoC,EAAE;gBAC1C,4BAA4B,CAAC,GAAG,CAAC,QAAQ,CAAC;gBACxC,CAAC,CAAC,CAAC,iBAAiB,CAAC;gBACrB,CAAC,CAAC,EAAE,CAAC;SACR;QACH,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAC1B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;QACvE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,uBAAuB,CACrC,KAAc,EACd,WAAW,GAAG,gCAAgC;IAE9C,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC;IAC9C,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,OAAO,yBAAyB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IACtE,CAAC;IACD,OAAO,0BAA0B,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;AACxD,CAAC;AAqBD;;;;;GAKG;AACH,IAAI,mBAAuC,CAAC;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,SAAS,kBAAkB;IACzB,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,4BAA4B,CAAC,aAAa,CAAC,CAAC;IAC9C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IACrD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,gDAAgD;YAC9C,4FAA4F,CAC/F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,mBAAmB,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AA0CD,MAAM,UAAU,gBAAgB,CAC9B,iBAAmD,EACnD,KAAc,EACd,OAAiB,EACjB,UAAoB,EACpB,GAAY,EACZ,SAAkB,EAClB,MAAe;IAEf,MAAM,IAAI,GACR,OAAO,iBAAiB,KAAK,QAAQ;QACnC,CAAC,CAAC;YACE,WAAW,EAAE,iBAAiB;YAC9B,KAAK;YACL,OAAO;YACP,UAAU;YACV,GAAG;YACH,SAAS;YACT,MAAM;SACP;QACH,CAAC,CAAC,iBAAiB,CAAC;IAExB,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAqC;QAChD,CAAC,EAAE,KAAK;QACR,CAAC,EAAE,IAAI,CAAC,WAAW;KACpB,CAAC;IACF,IAAI,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;IACvC,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IACnC,IAAI,IAAI,CAAC,UAAU;QAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IACtC,IAAI,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACrC,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;IAChD,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC;IACzC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,MAAM;SACf,UAAU,CAAC,QAAQ,EAAE,kBAAkB,EAAE,CAAC;SAC1C,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,WAAW,CAAC,CAAC;IACvB,OAAO,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC;AAC1B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,UAA8B,EAC9B,WAAmB;IAEnB,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;YAC3C,IAAI,MAAM,KAAK,CAAC,CAAC;gBAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;YAEvD,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;YACzC,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACzC,MAAM,QAAQ,GAAG,MAAM;iBACpB,UAAU,CAAC,QAAQ,EAAE,kBAAkB,EAAE,CAAC;iBAC1C,MAAM,CAAC,IAAI,CAAC;iBACZ,MAAM,CAAC,WAAW,CAAC,CAAC;YAEvB,IACE,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;gBAC9B,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAChE,CAAC;gBACD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;YACtC,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YACrE,OAAO;gBACL,WAAW,EAAE,MAAM,CAAC,CAAC,IAAI,WAAW;gBACpC,KAAK,EAAE,MAAM,CAAC,CAAC,IAAI,SAAS;gBAC5B,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;gBACnB,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;gBACtB,GAAG,EAAE,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;gBAC5D,oEAAoE;gBACpE,kEAAkE;gBAClE,kEAAkE;gBAClE,4CAA4C;gBAC5C,SAAS,EAAE,OAAO,MAAM,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;gBAChE,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,SAAS;aAC9B,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;AACtC,CAAC;AASD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAc,EACd,UAAmB;IAEnB,MAAM,eAAe,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;IAChD,MAAM,oBAAoB,GAAG,CAAC,CAAC,eAAe,EAAE,KAAK,CAAC;IACtD,MAAM,KAAK,GAAG,oBAAoB;QAChC,CAAC,CAAC,eAAgB,CAAC,KAAK;QACxB,CAAC,CAAC,UAAU,IAAI,SAAS,CAAC;IAE5B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;AACzC,CAAC;AAMD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAc,EACd,KAAa,EACb,IAGC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAElC,IAAI,YAAgC,CAAC;IACrC,IAAI,CAAC,IAAI,CAAC,oBAAoB,IAAI,aAAa,EAAE,CAAC;QAChD,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,UAAU,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QACtC,yBAAyB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QAC/C,kEAAkE;QAClE,iEAAiE;QACjE,6DAA6D;QAC7D,8DAA8D;QAC9D,8DAA8D;QAC9D,gEAAgE;QAChE,iCAAiC;QACjC,IAAI,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC/C,MAAM,eAAe,CAAC;gBACpB,KAAK;gBACL,KAAK,EAAE,YAAY;gBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,GAAG,IAAI;aACtC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,CAAC;AAC1B,CAAC;AAED,gFAAgF;AAEhF;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CACnC,KAAc,EACd,KAAa,EACb,IAaC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9B,MAAM,aAAa,GACjB,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QACvD,CAAC,CAAC,KAAK,CAAC,KAAK;QACb,CAAC,CAAC,SAAS,CAAC;IAEhB,uCAAuC;IACvC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,QAAQ,GAAG,0BAA0B,CACzC,IAAI,CAAC,YAAY,EACjB,aAAa,CACd,CAAC;QACF,OAAO,YAAY,CACjB,sYAAsY,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,+EAA+E,CAC9e,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,4EAA4E;IAC5E,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjD,MAAM,WAAW,GAAG,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAClE,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,aAAa,SAAS,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC;QACjE,OAAO,YAAY,CACjB,wBAAwB,CACtB,GAAG,EACH,wCAAwC,WAAW,GAAG,EACtD,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAC9B,CACF,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1E,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;IAC5E,CAAC;IAED,wEAAwE;IACxE,iEAAiE;IACjE,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjD,MAAM,WAAW,GAAG,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAClE,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,gBAAgB,SAAS,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC;QACpE,OAAO,YAAY,CACjB,wBAAwB,CACtB,GAAG,EACH,wCAAwC,WAAW,GAAG,EACtD,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAC9B,CACF,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,0EAA0E;IAC1E,2EAA2E;IAC3E,yEAAyE;IACzE,sEAAsE;IACtE,yEAAyE;IACzE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;IAC5E,CAAC;IAED,uEAAuE;IACvE,sEAAsE;IACtE,qEAAqE;IACrE,oEAAoE;IACpE,mDAAmD;IACnD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACzE,OAAO,YAAY,CAAC;;;;yCAIiB,SAAS;;8BAEpB,CAAC,CAAC;IAC9B,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,wEAAwE;IACxE,oEAAoE;IACpE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9B,iBAAiB,CACf,KAAK,EACL,UAAU,EACV,6BAA6B,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,CACjE,CAAC;IACF,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC3D,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;kEAGkE;AAClE,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACjC,OAAO,YAAY,CACjB,ilBAAilB,IAAI,0KAA0K,EAC/vB,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,OAAO,GAAG,yBAAyB;IAEnC,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACjC,OAAO,YAAY,CACjB,yPAAyP,IAAI,mDAAmD,CACjT,CAAC;AACJ,CAAC;AAED,gFAAgF;AAEhF,SAAS,mBAAmB,CAAC,QAAiB;IAC5C,MAAM,GAAG,GAAG,QAAQ,IAAI,UAAU,EAAE,IAAI,cAAc,CAAC;IACvD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC3C,OAAO,GAAG;SACP,KAAK,CAAC,OAAO,CAAC;SACd,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SACpD,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,SAAS,0BAA0B,CACjC,YAAqB,EACrB,KAAc;IAEd,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,IAAI,YAAY;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACpD,IAAI,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;IACjC,OAAO,MAAM;QACX,CAAC,CAAC,gCAAgC,MAAM,EAAE;QAC1C,CAAC,CAAC,8BAA8B,CAAC;AACrC,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAe,EACf,KAAc,EACd,YAAqB,EACrB,KAAc;IAEd,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACjD,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,aAAa,SAAS,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC;IACjE,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,QAAQ,GAAG,0BAA0B,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC9C,wEAAwE;QACxE,yEAAyE;QACzE,qEAAqE;QACrE,qEAAqE;QACrE,yEAAyE;QACzE,OAAO,YAAY,CACjB,isBAAisB,GAAG,2FAA2F,YAAY,2bAA2b,YAAY,4KAA4K,CAC/5C,CAAC;IACJ,CAAC;IACD,OAAO,YAAY,CACjB,wBAAwB,CACtB,GAAG,EACH,oDAAoD,CACrD,CACF,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Shared Google OAuth utilities for all templates.\n *\n * Handles platform detection (desktop/mobile), state encoding,\n * session token creation, and deep-link responses — the logic\n * that was previously copy-pasted across every template's\n * google-auth.ts handler.\n */\n\nimport crypto from \"node:crypto\";\nimport {\n  getHeader,\n  getQuery,\n  setResponseStatus,\n  setResponseHeader,\n  type H3Event,\n} from \"h3\";\nimport {\n  addSession,\n  getSession,\n  getSessionMaxAge,\n  setFrameworkSessionCookie,\n} from \"./auth.js\";\nimport { getAppName } from \"./app-name.js\";\nimport { getWorkspaceA2ADerivedSecret } from \"./derived-secret.js\";\nimport { writeDesktopSso } from \"./desktop-sso.js\";\nimport { appendSessionToOAuthReturnUrl } from \"./oauth-return-url.js\";\n\n// ─── Platform Detection ─────────────────────────────────────────────────────\n\n/** Return an HTML response with the correct Content-Type.\n *  Uses a web-standard Response to ensure the header survives\n *  Nitro dev mode's mock-node-response pipeline. */\nfunction htmlResponse(html: string, status = 200): Response {\n  return new Response(html, {\n    status,\n    headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n  });\n}\n\n/** Shared markup for OAuth success \"close this tab\" pages. Renders a green\n *  check icon above the message, with a little breathing room between the\n *  headline and secondary line. Used by every template that goes through the\n *  shared Google OAuth flow. */\nfunction oauthDebugFlowId(flowId?: string): string | undefined {\n  return flowId ? flowId.slice(-10) : undefined;\n}\n\nfunction oauthSuccessCloseTabHtml(\n  headline: string,\n  footnote: string,\n  debugFlowId?: string,\n): string {\n  const debug = debugFlowId\n    ? `<p style=\"font-size:11px;color:#555;margin:12px 0 0 0\">Debug flow: ${escapeHtml(debugFlowId)}</p>`\n    : \"\";\n  return `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Connected</title></head><body style=\"background:#111;color:#ccc;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;flex-direction:column\"><svg width=\"44\" height=\"44\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"#22c55e\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" style=\"margin-bottom:14px\" aria-hidden=\"true\"><circle cx=\"12\" cy=\"12\" r=\"10\"/><path d=\"M9 12l2 2l4 -4\"/></svg><p style=\"font-size:16px;margin:0 0 12px 0\">${headline}</p><p style=\"font-size:13px;color:#888;margin:0\">${footnote}</p>${debug}<script>console.info(\"[agent-native][google-oauth] success page loaded\",{flow:${JSON.stringify(debugFlowId || null)}});setTimeout(function(){try{window.close()}catch(e){}},250)</script></body></html>`;\n}\n\n/**\n * HTML escape — minimal but covers the cases that matter when interpolating\n * user-controlled values into our OAuth callback HTML. Mirrors the helper in\n * email-template.ts; kept inline here to avoid a circular import.\n */\nfunction escapeHtml(s: string): string {\n  return String(s ?? \"\")\n    .replace(/&/g, \"&amp;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/'/g, \"&#39;\");\n}\n\n/**\n * Detect requests from the Agent Native desktop app specifically.\n *\n * The desktop app appends `AgentNativeDesktop/<version>` to its user-agent\n * (see `packages/desktop-app/src/main/index.ts`). We check for that marker\n * rather than matching generic `Electron`, which would also match other\n * Electron-based webviews like Builder.io's Fusion, Slack desktop, Discord,\n * etc. Falsely treating those as \"the desktop app\" sends users to the\n * `agentnative://oauth-complete` deep-link success page after Google sign-in,\n * where the protocol handler can't fire and the \"Open Agent Native\" button\n * does nothing.\n *\n * Kept exported as `isElectron` for backwards compatibility with consumers.\n */\nexport function isElectron(event: H3Event): boolean {\n  return /AgentNativeDesktop/i.test(getHeader(event, \"user-agent\") || \"\");\n}\n\n/** Detect requests from a mobile browser (iOS/Android). */\nexport function isMobile(event: H3Event): boolean {\n  return /iPhone|iPad|iPod|Android/i.test(getHeader(event, \"user-agent\") || \"\");\n}\n\n/**\n * Build the static allowlist of origins we trust for `getOrigin`. Reads\n * deployment-known public URLs. Each entry is normalised to\n * `${proto}://${host}` (no path). Duplicates collapse, invalid entries are\n * dropped silently.\n */\nconst EXPLICIT_PUBLIC_ORIGIN_ENV_KEYS = [\n  \"WORKSPACE_OAUTH_ORIGIN\",\n  \"VITE_WORKSPACE_OAUTH_ORIGIN\",\n  \"APP_URL\",\n  \"VITE_APP_URL\",\n  \"BETTER_AUTH_URL\",\n  \"VITE_BETTER_AUTH_URL\",\n  \"URL\",\n  \"DEPLOY_URL\",\n] as const;\n\nconst WORKSPACE_GATEWAY_ORIGIN_ENV_KEYS = [\n  \"WORKSPACE_GATEWAY_URL\",\n  \"VITE_WORKSPACE_GATEWAY_URL\",\n] as const;\n\nfunction normalizeOrigin(raw: string | undefined): string | undefined {\n  if (!raw) return undefined;\n  try {\n    const u = new URL(raw);\n    return `${u.protocol}//${u.host}`;\n  } catch {\n    return undefined;\n  }\n}\n\nfunction addNormalizedOrigin(\n  out: Set<string>,\n  raw: string | undefined,\n  options: { allowLoopback: boolean },\n): void {\n  const origin = normalizeOrigin(raw);\n  if (!origin) return;\n  if (!options.allowLoopback && isLoopbackOrigin(origin)) return;\n  out.add(origin);\n}\n\nfunction firstOriginFromEnv(\n  keys: readonly string[],\n  options: { allowLoopback: boolean },\n): string | undefined {\n  for (const key of keys) {\n    const origin = normalizeOrigin(process.env[key]);\n    if (!origin) continue;\n    if (!options.allowLoopback && isLoopbackOrigin(origin)) continue;\n    return origin;\n  }\n  return undefined;\n}\n\nfunction getConfiguredOriginAllowlist(): Set<string> {\n  const out = new Set<string>();\n  for (const key of EXPLICIT_PUBLIC_ORIGIN_ENV_KEYS) {\n    addNormalizedOrigin(out, process.env[key], { allowLoopback: true });\n  }\n  for (const key of WORKSPACE_GATEWAY_ORIGIN_ENV_KEYS) {\n    addNormalizedOrigin(out, process.env[key], { allowLoopback: false });\n  }\n  return out;\n}\n\nfunction getWorkspaceCallbackOrigin(): string | undefined {\n  const publicAuthOrigin = firstOriginFromEnv(EXPLICIT_PUBLIC_ORIGIN_ENV_KEYS, {\n    allowLoopback: true,\n  });\n  if (publicAuthOrigin) return publicAuthOrigin;\n\n  return firstOriginFromEnv(WORKSPACE_GATEWAY_ORIGIN_ENV_KEYS, {\n    allowLoopback: false,\n  });\n}\n\nfunction isLoopbackHost(host: string | undefined): boolean {\n  if (!host) return false;\n  try {\n    const parsed = new URL(`http://${host}`);\n    return (\n      parsed.hostname === \"localhost\" ||\n      parsed.hostname === \"127.0.0.1\" ||\n      parsed.hostname === \"::1\" ||\n      parsed.hostname === \"[::1]\"\n    );\n  } catch {\n    return false;\n  }\n}\n\nfunction isLoopbackOrigin(origin: string | undefined): boolean {\n  if (!origin) return false;\n  try {\n    return isLoopbackHost(new URL(origin).host);\n  } catch {\n    return false;\n  }\n}\n\nfunction isBuilderPreviewHost(host: string | undefined): boolean {\n  if (!host) return false;\n  try {\n    const parsed = new URL(`http://${host}`);\n    const hostname = parsed.hostname.toLowerCase();\n    return (\n      hostname === \"builderio.xyz\" ||\n      hostname.endsWith(\".builderio.xyz\") ||\n      hostname === \"builderio.dev\" ||\n      hostname.endsWith(\".builderio.dev\") ||\n      hostname === \"builder.codes\" ||\n      hostname.endsWith(\".builder.codes\") ||\n      hostname === \"builder.io\" ||\n      hostname.endsWith(\".builder.io\") ||\n      hostname === \"builder.my\" ||\n      hostname.endsWith(\".builder.my\")\n    );\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Get the origin from forwarded headers or Host.\n *\n * Defends against Host-header injection: in production we require the resolved\n * origin to match `APP_URL` / `BETTER_AUTH_URL` / `WORKSPACE_GATEWAY_URL`,\n * falling back to those values when inbound headers are missing or don't match.\n * In dev we accept inbound `Host` so localhost / ngrok / preview hosts keep\n * working without configuration, except workspace OAuth requests from loopback\n * or Builder preview hosts use the configured gateway origin when one exists.\n * The protocol defaults to `https` in production (so a TLS-terminating proxy\n * that drops `x-forwarded-proto` doesn't downgrade us to plain HTTP).\n */\nexport function getOrigin(event: H3Event): string {\n  const headerHost =\n    getHeader(event, \"x-forwarded-host\") || getHeader(event, \"host\");\n  const isProd = process.env.NODE_ENV === \"production\";\n  const headerProto =\n    getHeader(event, \"x-forwarded-proto\") || (isProd ? \"https\" : \"http\");\n  const workspaceCallbackOrigin = isWorkspaceOAuthCallbackRelayEnabled()\n    ? getWorkspaceCallbackOrigin()\n    : undefined;\n\n  if (\n    workspaceCallbackOrigin &&\n    (isLoopbackHost(headerHost) || isBuilderPreviewHost(headerHost))\n  ) {\n    return workspaceCallbackOrigin;\n  }\n\n  if (isProd) {\n    const allow = getConfiguredOriginAllowlist();\n    // If the deploy declares its public URL, prefer it over inbound headers.\n    if (allow.size > 0) {\n      const inbound = headerHost ? `${headerProto}://${headerHost}` : \"\";\n      if (inbound && allow.has(inbound)) return inbound;\n      // Inbound didn't match — fall back to the first configured origin.\n      return [...allow][0];\n    }\n    // No allowlist configured: still default to https, but accept the\n    // inbound Host (best we can do without a configured base URL).\n    return `${headerProto}://${headerHost ?? \"\"}`;\n  }\n\n  return `${headerProto}://${headerHost ?? \"localhost\"}`;\n}\n\nfunction normalizeAppBasePath(value: string | undefined): string {\n  if (!value || value === \"/\") return \"\";\n  const trimmed = value.trim();\n  if (!trimmed || trimmed === \"/\") return \"\";\n  return `/${trimmed.replace(/^\\/+/, \"\").replace(/\\/+$/, \"\")}`;\n}\n\n/** App mount prefix, if the template is served under APP_BASE_PATH. */\nexport function getAppBasePath(): string {\n  return normalizeAppBasePath(\n    process.env.VITE_APP_BASE_PATH || process.env.APP_BASE_PATH,\n  );\n}\n\n/** Build an absolute same-origin URL that preserves APP_BASE_PATH. */\nexport function getAppUrl(event: H3Event, path = \"/\"): string {\n  const cleanPath = path.startsWith(\"/\") ? path : `/${path}`;\n  return `${getOrigin(event)}${getAppBasePath()}${cleanPath}`;\n}\n\nfunction isWorkspaceOAuthCallbackRelayEnabled(): boolean {\n  return (\n    process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n    process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\"\n  );\n}\n\nfunction isFrameworkOAuthCallbackPath(pathname: string): boolean {\n  return (\n    pathname.startsWith(\"/_agent-native/\") &&\n    (pathname.endsWith(\"/callback\") || pathname.includes(\"/callback/\"))\n  );\n}\n\nfunction getOriginalRequestPath(event: H3Event): string {\n  const mountedPathname = (event as any).context?._mountedPathname;\n  if (typeof mountedPathname === \"string\" && mountedPathname) {\n    return mountedPathname;\n  }\n\n  const urlPathname = (event as any).url?.pathname;\n  if (typeof urlPathname === \"string\" && urlPathname) return urlPathname;\n\n  const nodeUrl = event.node?.req?.url;\n  if (typeof nodeUrl === \"string\" && nodeUrl) {\n    const queryStart = nodeUrl.indexOf(\"?\");\n    return queryStart >= 0 ? nodeUrl.slice(0, queryStart) : nodeUrl;\n  }\n\n  const eventPath = (event as any).path;\n  if (typeof eventPath === \"string\" && eventPath) {\n    const queryStart = eventPath.indexOf(\"?\");\n    return queryStart >= 0 ? eventPath.slice(0, queryStart) : eventPath;\n  }\n\n  return \"/\";\n}\n\nfunction isRequestUnderAppBasePath(event: H3Event): boolean {\n  const basePath = getAppBasePath();\n  if (!basePath) return false;\n  const requestPath = getOriginalRequestPath(event);\n  return (\n    requestPath === `${basePath}/_agent-native` ||\n    requestPath.startsWith(`${basePath}/_agent-native/`)\n  );\n}\n\nfunction getDefaultOAuthRedirectUrl(event: H3Event, path: string): string {\n  const cleanPath = path.startsWith(\"/\") ? path : `/${path}`;\n  if (\n    isWorkspaceOAuthCallbackRelayEnabled() &&\n    isFrameworkOAuthCallbackPath(cleanPath)\n  ) {\n    return `${getOrigin(event)}${cleanPath}`;\n  }\n  const basePath = isRequestUnderAppBasePath(event) ? getAppBasePath() : \"\";\n  return `${getOrigin(event)}${basePath}${cleanPath}`;\n}\n\n// ─── redirect_uri Allowlist ──────────────────────────────────────────────────\n\n/**\n * Validate a user-supplied `redirect_uri` for OAuth flows.\n *\n * Defends against authorization-code interception (RFC 6819 §4.4.1.7):\n * even though the upstream provider (Google/Atlassian/Zoom) refuses\n * unregistered redirect URIs, prefix-style registrations and side\n * registrations on the same host let a malicious caller swap in an\n * attacker-controlled URI that the provider still accepts. We reject any\n * candidate that isn't on this server's own origin AND under the\n * framework's `/_agent-native/` namespace. Returns the validated URI on\n * success, or `undefined` on rejection — callers must treat `undefined`\n * as a 400.\n *\n * The intentional shape is exact-prefix:\n *   - Origin must equal `getOrigin(event)` — no Host-header injection\n *     reusing somebody else's registered redirect URI.\n *   - Path must start with `${appBasePath}/_agent-native/` so we never\n *     hand auth codes to a public marketing or open-redirect endpoint\n *     on the same registered host.\n *\n * For desktop / native flows that need ephemeral `http://127.0.0.1:<port>`\n * loopback URIs, callers should validate those at the template level\n * with a dedicated allowlist — this helper rejects them by design.\n */\nexport function isAllowedOAuthRedirectUri(\n  candidate: string,\n  event: H3Event,\n): boolean {\n  if (typeof candidate !== \"string\" || candidate.length === 0) return false;\n  let url: URL;\n  try {\n    url = new URL(candidate);\n  } catch {\n    return false;\n  }\n  // Must be same origin as our server.\n  const expectedOrigin = getOrigin(event);\n  let expectedUrl: URL;\n  try {\n    expectedUrl = new URL(expectedOrigin);\n  } catch {\n    return false;\n  }\n  if (url.protocol !== expectedUrl.protocol) return false;\n  if (url.host !== expectedUrl.host) return false;\n  // Must live under the framework's namespace. Workspace deploys can route\n  // root /_agent-native/* to Dispatch even when Dispatch itself is mounted at\n  // /dispatch, but app-prefixed requests should not be able to swap their\n  // callback to that root namespace.\n  const basePath = getAppBasePath();\n  const allowedPrefixes =\n    basePath && isRequestUnderAppBasePath(event)\n      ? [\n          `${basePath}/_agent-native/`,\n          ...(isWorkspaceOAuthCallbackRelayEnabled() &&\n          isFrameworkOAuthCallbackPath(url.pathname)\n            ? [\"/_agent-native/\"]\n            : []),\n        ]\n      : [\"/_agent-native/\"];\n  if (!allowedPrefixes.some((prefix) => url.pathname.startsWith(prefix))) {\n    return false;\n  }\n  return true;\n}\n\n/**\n * Resolve the `redirect_uri` for an outbound OAuth `auth-url` request.\n *\n * Reads `?redirect_uri=` from the query and validates it via\n * `isAllowedOAuthRedirectUri`. Returns:\n *   - the validated URI when supplied and allowed, OR\n *   - the framework default when no override was supplied, OR\n *   - `null` when an override was supplied but rejected — callers must\n *     respond with 400 in that case.\n *\n * Templates that need a non-default redirect path can pass it via\n * `defaultPath` (e.g. `\"/_agent-native/google/desktop-callback\"` for\n * desktop flows).\n */\nexport function resolveOAuthRedirectUri(\n  event: H3Event,\n  defaultPath = \"/_agent-native/google/callback\",\n): string | null {\n  const supplied = getQuery(event).redirect_uri;\n  if (typeof supplied === \"string\" && supplied.length > 0) {\n    return isAllowedOAuthRedirectUri(supplied, event) ? supplied : null;\n  }\n  return getDefaultOAuthRedirectUrl(event, defaultPath);\n}\n\n// ─── OAuth State ─────────────────────────────────────────────────────────────\n\nexport interface OAuthStatePayload {\n  redirectUri: string;\n  owner?: string;\n  desktop?: boolean;\n  addAccount?: boolean;\n  app?: string;\n  /**\n   * Same-origin path to redirect to after a successful web-flow sign-in.\n   * Threaded through the (HMAC-signed) state so it survives the round trip\n   * to Google. Validated again on decode via safeReturnPath as defence in\n   * depth. Has no effect on desktop / mobile / add-account flows, which\n   * use their own deep-link / close-tab handling.\n   */\n  returnUrl?: string;\n  flowId?: string;\n}\n\n/**\n * Ephemeral in-memory state-signing key for development. Generated lazily\n * on first read so dev sessions don't depend on filesystem writability or\n * env-var configuration. Sessions reset on each restart, which is fine\n * for dev — no real users / production data are involved.\n */\nlet _devStateSigningKey: string | undefined;\n\n/**\n * Derive a server-only signing key for HMAC verification of OAuth state.\n *\n * Uses a dedicated secret — never an OAuth client secret. Reusing a\n * client_secret (which is shared with Google / GitHub / Atlassian) as our\n * own HMAC key conflates two trust domains: rotating the client secret\n * silently invalidates every in-flight OAuth state, and any leak of the\n * client secret also lets an attacker forge our state envelopes.\n *\n * Resolution order:\n *   1. OAUTH_STATE_SECRET (preferred — dedicated to this purpose)\n *   2. BETTER_AUTH_SECRET (already used by Better Auth as a server secret)\n *   3. Hosted workspace deploys derive a per-purpose key from A2A_SECRET\n *   4. In dev only, an ephemeral random key (per-process)\n *\n * In production, throws if no usable server secret is set.\n */\nfunction getStateSigningKey(): string {\n  const secret =\n    process.env.OAUTH_STATE_SECRET ||\n    process.env.BETTER_AUTH_SECRET ||\n    getWorkspaceA2ADerivedSecret(\"oauth-state\");\n  if (secret) return secret;\n\n  const isProd = process.env.NODE_ENV === \"production\";\n  if (isProd) {\n    throw new Error(\n      \"OAuth state signing requires a server secret. \" +\n        \"Set OAUTH_STATE_SECRET, BETTER_AUTH_SECRET, or A2A_SECRET in production workspace deploys.\",\n    );\n  }\n\n  if (!_devStateSigningKey) {\n    _devStateSigningKey = crypto.randomBytes(32).toString(\"hex\");\n  }\n  return _devStateSigningKey;\n}\n\n/**\n * Options for the named-argument form of {@link encodeOAuthState}.\n * Prefer this form — the positional overload is easy to misuse (the mail\n * and calendar templates historically passed `flowId` in the `returnUrl`\n * slot, smuggling state into a defence-in-depth path).\n */\nexport interface EncodeOAuthStateOptions {\n  redirectUri: string;\n  owner?: string;\n  desktop?: boolean;\n  addAccount?: boolean;\n  app?: string;\n  returnUrl?: string;\n  flowId?: string;\n}\n\n/**\n * Encode OAuth state into a signed base64url string.\n * The state is HMAC-signed so the callback can verify it wasn't forged,\n * preventing CSRF attacks on the OAuth flow.\n *\n * Two call shapes are supported:\n *   - Recommended: pass an options object — clear, mismatch-proof.\n *     `encodeOAuthState({ redirectUri, owner, desktop, ... })`\n *   - Legacy positional form (kept working for backward compatibility):\n *     `encodeOAuthState(redirectUri, owner, desktop, addAccount, app, returnUrl, flowId)`.\n *     Callers should migrate to the options form — see the audit on\n *     templates/mail and templates/calendar where the positional shape\n *     led to `flowId` being smuggled in via the `returnUrl` slot.\n */\nexport function encodeOAuthState(opts: EncodeOAuthStateOptions): string;\nexport function encodeOAuthState(\n  redirectUri: string,\n  owner?: string,\n  desktop?: boolean,\n  addAccount?: boolean,\n  app?: string,\n  returnUrl?: string,\n  flowId?: string,\n): string;\nexport function encodeOAuthState(\n  redirectUriOrOpts: string | EncodeOAuthStateOptions,\n  owner?: string,\n  desktop?: boolean,\n  addAccount?: boolean,\n  app?: string,\n  returnUrl?: string,\n  flowId?: string,\n): string {\n  const opts: EncodeOAuthStateOptions =\n    typeof redirectUriOrOpts === \"string\"\n      ? {\n          redirectUri: redirectUriOrOpts,\n          owner,\n          desktop,\n          addAccount,\n          app,\n          returnUrl,\n          flowId,\n        }\n      : redirectUriOrOpts;\n\n  const nonce = crypto.randomBytes(8).toString(\"hex\");\n  const payload: Record<string, string | boolean> = {\n    n: nonce,\n    r: opts.redirectUri,\n  };\n  if (opts.owner) payload.o = opts.owner;\n  if (opts.desktop) payload.d = true;\n  if (opts.addAccount) payload.a = true;\n  if (opts.app) payload.app = opts.app;\n  if (opts.returnUrl) payload.r2 = opts.returnUrl;\n  if (opts.flowId) payload.f = opts.flowId;\n  const data = Buffer.from(JSON.stringify(payload)).toString(\"base64url\");\n  const sig = crypto\n    .createHmac(\"sha256\", getStateSigningKey())\n    .update(data)\n    .digest(\"base64url\");\n  return `${data}.${sig}`;\n}\n\n/**\n * Decode and verify OAuth state from the callback's state query parameter.\n * Rejects forged or tampered state by checking the HMAC signature.\n * Falls back to the provided URI if decoding or verification fails.\n */\nexport function decodeOAuthState(\n  stateParam: string | undefined,\n  fallbackUri: string,\n): OAuthStatePayload {\n  if (stateParam) {\n    try {\n      const dotIdx = stateParam.lastIndexOf(\".\");\n      if (dotIdx === -1) return { redirectUri: fallbackUri };\n\n      const data = stateParam.slice(0, dotIdx);\n      const sig = stateParam.slice(dotIdx + 1);\n      const expected = crypto\n        .createHmac(\"sha256\", getStateSigningKey())\n        .update(data)\n        .digest(\"base64url\");\n\n      if (\n        sig.length !== expected.length ||\n        !crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected))\n      ) {\n        return { redirectUri: fallbackUri };\n      }\n\n      const parsed = JSON.parse(Buffer.from(data, \"base64url\").toString());\n      return {\n        redirectUri: parsed.r || fallbackUri,\n        owner: parsed.o || undefined,\n        desktop: !!parsed.d,\n        addAccount: !!parsed.a,\n        app: typeof parsed.app === \"string\" ? parsed.app : undefined,\n        // Pass returnUrl through as-is — same-origin validation runs at the\n        // consumer (oauthCallbackResponse → safeReturnPath). The state is\n        // HMAC-signed, but we still validate at consumption as defence in\n        // depth in case the signing key ever leaks.\n        returnUrl: typeof parsed.r2 === \"string\" ? parsed.r2 : undefined,\n        flowId: parsed.f || undefined,\n      };\n    } catch {}\n  }\n  return { redirectUri: fallbackUri };\n}\n\n// ─── Session Creation ────────────────────────────────────────────────────────\n\nexport interface OAuthOwnerResult {\n  owner: string | undefined;\n  hasProductionSession: boolean;\n}\n\n/**\n * Determine the token owner from the current session and OAuth state.\n * Call this BEFORE exchangeCode to get the owner parameter.\n */\nexport async function resolveOAuthOwner(\n  event: H3Event,\n  stateOwner?: string,\n): Promise<OAuthOwnerResult> {\n  const existingSession = await getSession(event);\n  const hasProductionSession = !!existingSession?.email;\n  const owner = hasProductionSession\n    ? existingSession!.email\n    : stateOwner || undefined;\n\n  return { owner, hasProductionSession };\n}\n\nexport interface OAuthSessionResult {\n  sessionToken: string | undefined;\n}\n\n/**\n * Create a session token after a successful OAuth exchange.\n *\n * Desktop and mobile apps have separate cookie jars from the system\n * browser, so they always get a fresh session token (even if the browser\n * already has one). The token is then passed via deep link so the native\n * app can inject it.\n */\nexport async function createOAuthSession(\n  event: H3Event,\n  email: string,\n  opts: {\n    hasProductionSession: boolean;\n    desktop?: boolean;\n  },\n): Promise<OAuthSessionResult> {\n  const mobile = isMobile(event);\n  const needsDeepLink = opts.desktop || mobile;\n  const maxAge = getSessionMaxAge();\n\n  let sessionToken: string | undefined;\n  if (!opts.hasProductionSession || needsDeepLink) {\n    sessionToken = crypto.randomBytes(32).toString(\"hex\");\n    await addSession(sessionToken, email);\n    setFrameworkSessionCookie(event, sessionToken);\n    // Desktop SSO: record this session in the home-dir broker file so\n    // sibling templates (each with its own database) can resolve the\n    // same token without a DB row of their own. Only the PRIMARY\n    // sign-in writes the broker — if a production session already\n    // exists, this is an add-account flow (connecting a secondary\n    // Google account for scraping) and must never switch the active\n    // user across sibling templates.\n    if (opts.desktop && !opts.hasProductionSession) {\n      await writeDesktopSso({\n        email,\n        token: sessionToken,\n        expiresAt: Date.now() + maxAge * 1000,\n      });\n    }\n  }\n\n  return { sessionToken };\n}\n\n// ─── Callback Responses ──────────────────────────────────────────────────────\n\n/**\n * Return the appropriate response after a successful OAuth callback.\n *\n * Handles mobile deep links, desktop deep links, add-account close-tab\n * pages, and plain web redirects — so templates don't have to.\n */\nexport function oauthCallbackResponse(\n  event: H3Event,\n  email: string,\n  opts: {\n    sessionToken?: string;\n    desktop?: boolean;\n    addAccount?: boolean;\n    /**\n     * Same-origin path to return the viewer to after a successful web\n     * sign-in. Validated via safeReturnPath; falls back to \"/\" for any\n     * shape that escapes same-origin. Has no effect on desktop / mobile\n     * / add-account flows — those use their own deep-link handling.\n     */\n    returnUrl?: string;\n    flowId?: string;\n    appName?: string;\n  },\n): Response | string | unknown | Promise<Response | string | unknown> {\n  const mobile = isMobile(event);\n  const query = getQuery(event);\n  const callbackState =\n    typeof query.state === \"string\" && query.state.length > 0\n      ? query.state\n      : undefined;\n\n  // Mobile: deep link back to native app\n  if (mobile) {\n    const deepLink = buildOAuthCompleteDeepLink(\n      opts.sessionToken,\n      callbackState,\n    );\n    return htmlResponse(\n      `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\"><title>Connected</title></head><body style=\"background:#111;color:#aaa;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0\"><p>Connected! Returning to app…</p><script>window.location.href=${JSON.stringify(deepLink)};setTimeout(function(){window.location.href=\"/\"},1500)</script></body></html>`,\n    );\n  }\n\n  // Desktop add-account: close-tab page (must come before general desktop check\n  // to ensure no deep link fires and the existing session is never switched).\n  if (opts.desktop && opts.addAccount) {\n    const safeEmail = email ? escapeHtml(email) : \"\";\n    const safeAppName = escapeHtml(resolveOAuthAppName(opts.appName));\n    const msg = safeEmail ? `Connected ${safeEmail}!` : \"Connected!\";\n    return htmlResponse(\n      oauthSuccessCloseTabHtml(\n        msg,\n        `You can close this tab and return to ${safeAppName}.`,\n        oauthDebugFlowId(opts.flowId),\n      ),\n    );\n  }\n\n  // Electron desktop exchange flow: mail/calendar still pass a flow id so the\n  // renderer can poll as a fallback, but the main handoff should use the\n  // protocol deep link so the popup returns focus to the desktop app.\n  if (opts.desktop && opts.flowId && isElectron(event) && opts.sessionToken) {\n    return desktopSuccessPage(event, email, opts.sessionToken, callbackState);\n  }\n\n  // Desktop exchange flow (non-Electron tray app): the tray app polls the\n  // desktop-exchange endpoint for the token — no deep link needed.\n  if (opts.desktop && opts.flowId) {\n    const safeEmail = email ? escapeHtml(email) : \"\";\n    const safeAppName = escapeHtml(resolveOAuthAppName(opts.appName));\n    const msg = safeEmail ? `Signed in as ${safeEmail}!` : \"Signed in!\";\n    return htmlResponse(\n      oauthSuccessCloseTabHtml(\n        msg,\n        `You can close this tab and return to ${safeAppName}.`,\n        oauthDebugFlowId(opts.flowId),\n      ),\n    );\n  }\n\n  // Desktop login: deep link back to Electron app — only when the callback\n  // request actually carries the AgentNativeDesktop UA marker. Without this\n  // check, any client whose OAuth state was minted with `desktop=true` (e.g.\n  // a stale link, or an upstream that wrongly set `?desktop=1`) would land\n  // on the `agentnative://` page where the deep link can't fire and the\n  // \"Open Agent Native\" button does nothing — surfaces inside Builder.io's\n  // Fusion webview hit this exact dead-end. Fall through to the web flow\n  // for non-Agent-Native-Desktop clients so they get a real redirect.\n  if (opts.desktop && isElectron(event)) {\n    return desktopSuccessPage(event, email, opts.sessionToken, callbackState);\n  }\n\n  // Add-account web flow: close-tab page. The email is rendered into the\n  // page via DOM `textContent` (safe), but we still JSON-stringify so a\n  // payload containing `</script>` can't break out of the script tag —\n  // and explicitly assert it's a string so a callbacks like `null` or\n  // an object won't end up serialised into the page.\n  if (opts.addAccount) {\n    const safeEmail = JSON.stringify(typeof email === \"string\" ? email : \"\");\n    return htmlResponse(`<!DOCTYPE html><html><body><script>\n        window.close();\n        var p = document.createElement('p');\n        p.style.cssText = 'font-family:system-ui;text-align:center;margin-top:40vh';\n        p.textContent = 'Connected ' + ${safeEmail} + '! You can close this tab.';\n        document.body.appendChild(p);\n      </script></body></html>`);\n  }\n\n  // Web: redirect to the requested return target. Path-only returns stay\n  // same-origin; Builder desktop workspace returns may point back to the\n  // local loopback gateway and carry the short-lived `_session` bridge so\n  // the local app can promote the newly created hosted OAuth session.\n  setResponseStatus(event, 302);\n  setResponseHeader(\n    event,\n    \"Location\",\n    appendSessionToOAuthReturnUrl(opts.returnUrl, opts.sessionToken),\n  );\n  setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n  return \"\";\n}\n\n/** HTML error page for OAuth failures. The message is HTML-escaped — most\n *  callers pass `error.message` from a token-exchange or userinfo failure,\n *  which can echo upstream provider strings (and historically attacker-\n *  controlled query params via the `error_description` field). */\nexport function oauthErrorPage(message: string): Response {\n  const safe = escapeHtml(message);\n  return htmlResponse(\n    `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Connection failed</title></head><body style=\"background:#111;color:#ccc;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;flex-direction:column;text-align:center\"><svg width=\"44\" height=\"44\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"#ef4444\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" style=\"margin-bottom:14px\" aria-hidden=\"true\"><circle cx=\"12\" cy=\"12\" r=\"10\"/><path d=\"M15 9l-6 6\"/><path d=\"M9 9l6 6\"/></svg><p style=\"font-size:16px;margin:0 0 12px 0;color:#ddd\">${safe}</p><p style=\"font-size:13px;color:#888;margin:0\"><a href=\"/\" style=\"color:#888;text-decoration:underline;text-underline-offset:3px\">Back to login</a></p></body></html>`,\n    400,\n  );\n}\n\nexport function oauthDesktopExchangePage(\n  message = \"Returning to the app...\",\n): Response {\n  const safe = escapeHtml(message);\n  return htmlResponse(\n    `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Returning</title></head><body style=\"background:#111;color:#aaa;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0\"><p style=\"font-size:14px\">${safe}</p><script>window.close()</script></body></html>`,\n  );\n}\n\n// ─── Internal ────────────────────────────────────────────────────────────────\n\nfunction resolveOAuthAppName(explicit?: string): string {\n  const raw = explicit || getAppName() || \"Agent Native\";\n  if (!/^[a-z0-9_-]+$/.test(raw)) return raw;\n  return raw\n    .split(/[-_]+/)\n    .filter(Boolean)\n    .map((word) => word[0].toUpperCase() + word.slice(1))\n    .join(\" \");\n}\n\nfunction buildOAuthCompleteDeepLink(\n  sessionToken?: string,\n  state?: string,\n): string {\n  const params = new URLSearchParams();\n  if (sessionToken) params.set(\"token\", sessionToken);\n  if (state) params.set(\"state\", state);\n  const suffix = params.toString();\n  return suffix\n    ? `agentnative://oauth-complete?${suffix}`\n    : \"agentnative://oauth-complete\";\n}\n\nfunction desktopSuccessPage(\n  _event: H3Event,\n  email?: string,\n  sessionToken?: string,\n  state?: string,\n): Response {\n  const safeEmail = email ? escapeHtml(email) : \"\";\n  const msg = safeEmail ? `Connected ${safeEmail}!` : \"Connected!\";\n  if (sessionToken) {\n    const deepLink = buildOAuthCompleteDeepLink(sessionToken, state);\n    const deepLinkJson = JSON.stringify(deepLink);\n    // Defence in depth: if this page somehow gets served to a UA that isn't\n    // the Agent Native desktop app (server gate bypassed, stale link, etc.),\n    // skip the `agentnative://` deep link entirely and bounce to the app\n    // root. The deep link silently fails outside the desktop app and the\n    // \"Open Agent Native\" button is a dead end in a generic browser/webview.\n    return htmlResponse(\n      `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Connected</title><style>@keyframes spin{to{transform:rotate(360deg)}}@keyframes fadeIn{from{opacity:0;transform:translateY(4px)}to{opacity:1;transform:translateY(0)}}.spinner{width:28px;height:28px;border:2px solid #333;border-top-color:#fff;border-radius:50%;animation:spin .8s linear infinite}.fallback{display:none;flex-direction:column;align-items:center;gap:8px;animation:fadeIn .2s ease-out}.fallback.show{display:flex}</style></head><body style=\"background:#111;color:#ccc;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;flex-direction:column;gap:16px\"><p style=\"font-size:16px;margin:0\">${msg}</p><div id=\"loading\" class=\"spinner\"></div><div id=\"fallback\" class=\"fallback\"><a href=${deepLinkJson} style=\"display:inline-block;padding:10px 24px;background:#fff;color:#000;border-radius:8px;text-decoration:none;font-size:14px;font-weight:500\">Open Agent Native</a><p style=\"font-size:12px;color:#666;margin:0\">If the app didn\\u2019t open automatically, click the button above.</p></div><script>(function(){var ua=(navigator.userAgent||\"\");if(ua.indexOf(\"AgentNativeDesktop\")===-1){window.location.replace(\"/\");return}window.location.href=${deepLinkJson};setTimeout(function(){document.getElementById(\"loading\").style.display=\"none\";document.getElementById(\"fallback\").classList.add(\"show\")},3000)})()</script></body></html>`,\n    );\n  }\n  return htmlResponse(\n    oauthSuccessCloseTabHtml(\n      msg,\n      \"You can close this tab and return to Agent Native.\",\n    ),\n  );\n}\n"]}
+{"version":3,"file":"google-oauth.js","sourceRoot":"","sources":["../../src/server/google-oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EACL,SAAS,EACT,QAAQ,EACR,iBAAiB,EACjB,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EACL,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,yBAAyB,GAC1B,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,4BAA4B,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,6BAA6B,EAAE,MAAM,uBAAuB,CAAC;AACtE,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAE9D,+EAA+E;AAE/E;;oDAEoD;AACpD,SAAS,YAAY,CAAC,IAAY,EAAE,MAAM,GAAG,GAAG;IAC9C,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;QACxB,MAAM;QACN,OAAO,EAAE,EAAE,cAAc,EAAE,0BAA0B,EAAE;KACxD,CAAC,CAAC;AACL,CAAC;AAED;;;gCAGgC;AAChC,SAAS,gBAAgB,CAAC,MAAe;IACvC,OAAO,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAChD,CAAC;AAED,SAAS,wBAAwB,CAC/B,QAAgB,EAChB,QAAgB,EAChB,WAAoB;IAEpB,MAAM,KAAK,GAAG,WAAW;QACvB,CAAC,CAAC,sEAAsE,UAAU,CAAC,WAAW,CAAC,MAAM;QACrG,CAAC,CAAC,EAAE,CAAC;IACP,OAAO,4hBAA4hB,QAAQ,qDAAqD,QAAQ,OAAO,KAAK,iFAAiF,IAAI,CAAC,SAAS,CAAC,WAAW,IAAI,IAAI,CAAC,qFAAqF,CAAC;AACh0B,CAAC;AAED;;;;GAIG;AACH,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;SACnB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,QAAQ,CAAC;SACvB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,UAAU,CAAC,KAAc;IACvC,OAAO,qBAAqB,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,2DAA2D;AAC3D,MAAM,UAAU,QAAQ,CAAC,KAAc;IACrC,OAAO,2BAA2B,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,EAAE,CAAC,CAAC;AAChF,CAAC;AAED;;;;;GAKG;AACH,MAAM,+BAA+B,GAAG;IACtC,wBAAwB;IACxB,6BAA6B;IAC7B,SAAS;IACT,cAAc;IACd,iBAAiB;IACjB,sBAAsB;IACtB,KAAK;IACL,YAAY;CACJ,CAAC;AAEX,MAAM,iCAAiC,GAAG;IACxC,uBAAuB;IACvB,4BAA4B;CACpB,CAAC;AAEX,SAAS,eAAe,CAAC,GAAuB;IAC9C,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,OAAO,GAAG,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAC1B,GAAgB,EAChB,GAAuB,EACvB,OAAmC;IAEnC,MAAM,MAAM,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,MAAM;QAAE,OAAO;IACpB,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,gBAAgB,CAAC,MAAM,CAAC;QAAE,OAAO;IAC/D,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;AAClB,CAAC;AAED,SAAS,kBAAkB,CACzB,IAAuB,EACvB,OAAmC;IAEnC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM;YAAE,SAAS;QACtB,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,gBAAgB,CAAC,MAAM,CAAC;YAAE,SAAS;QACjE,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,4BAA4B;IACnC,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,GAAG,IAAI,+BAA+B,EAAE,CAAC;QAClD,mBAAmB,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACtE,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,iCAAiC,EAAE,CAAC;QACpD,mBAAmB,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,0BAA0B;IACjC,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,+BAA+B,EAAE;QAC3E,aAAa,EAAE,IAAI;KACpB,CAAC,CAAC;IACH,IAAI,gBAAgB;QAAE,OAAO,gBAAgB,CAAC;IAE9C,OAAO,kBAAkB,CAAC,iCAAiC,EAAE;QAC3D,aAAa,EAAE,KAAK;KACrB,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,IAAwB;IAC9C,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;QACzC,OAAO,CACL,MAAM,CAAC,QAAQ,KAAK,WAAW;YAC/B,MAAM,CAAC,QAAQ,KAAK,WAAW;YAC/B,MAAM,CAAC,QAAQ,KAAK,KAAK;YACzB,MAAM,CAAC,QAAQ,KAAK,OAAO,CAC5B,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,MAA0B;IAClD,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1B,IAAI,CAAC;QACH,OAAO,cAAc,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAwB;IACpD,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;QACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC/C,OAAO,CACL,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,eAAe;YAC5B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACnC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,QAAQ,KAAK,YAAY;YACzB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,CACjC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,SAAS,CAAC,KAAc;IACtC,MAAM,UAAU,GACd,SAAS,CAAC,KAAK,EAAE,kBAAkB,CAAC,IAAI,SAAS,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACnE,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IACrD,MAAM,WAAW,GACf,SAAS,CAAC,KAAK,EAAE,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACvE,MAAM,uBAAuB,GAAG,oCAAoC,EAAE;QACpE,CAAC,CAAC,0BAA0B,EAAE;QAC9B,CAAC,CAAC,SAAS,CAAC;IAEd,IACE,uBAAuB;QACvB,CAAC,cAAc,CAAC,UAAU,CAAC,IAAI,oBAAoB,CAAC,UAAU,CAAC,CAAC,EAChE,CAAC;QACD,OAAO,uBAAuB,CAAC;IACjC,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,4BAA4B,EAAE,CAAC;QAC7C,yEAAyE;QACzE,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACnB,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,GAAG,WAAW,MAAM,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,IAAI,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC;gBAAE,OAAO,OAAO,CAAC;YAClD,mEAAmE;YACnE,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACvB,CAAC;QACD,kEAAkE;QAClE,+DAA+D;QAC/D,OAAO,GAAG,WAAW,MAAM,UAAU,IAAI,EAAE,EAAE,CAAC;IAChD,CAAC;IAED,OAAO,GAAG,WAAW,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;AACzD,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,cAAc;IAC5B,OAAO,wBAAwB,EAAE,CAAC;AACpC,CAAC;AAED,sEAAsE;AACtE,MAAM,UAAU,SAAS,CAAC,KAAc,EAAE,IAAI,GAAG,GAAG;IAClD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC3D,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,cAAc,EAAE,GAAG,SAAS,EAAE,CAAC;AAC9D,CAAC;AAED,SAAS,oCAAoC;IAC3C,OAAO,CACL,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,GAAG;QAC1C,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,GAAG,CAChD,CAAC;AACJ,CAAC;AAED,SAAS,4BAA4B,CAAC,QAAgB;IACpD,OAAO,CACL,QAAQ,CAAC,UAAU,CAAC,iBAAiB,CAAC;QACtC,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAc;IAC5C,MAAM,eAAe,GAAI,KAAa,CAAC,OAAO,EAAE,gBAAgB,CAAC;IACjE,IAAI,OAAO,eAAe,KAAK,QAAQ,IAAI,eAAe,EAAE,CAAC;QAC3D,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,MAAM,WAAW,GAAI,KAAa,CAAC,GAAG,EAAE,QAAQ,CAAC;IACjD,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,WAAW;QAAE,OAAO,WAAW,CAAC;IAEvE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC;IACrC,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,EAAE,CAAC;QAC3C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,OAAO,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IAClE,CAAC;IAED,MAAM,SAAS,GAAI,KAAa,CAAC,IAAI,CAAC;IACtC,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,EAAE,CAAC;QAC/C,MAAM,UAAU,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,UAAU,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACtE,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAc;IAC/C,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC5B,MAAM,WAAW,GAAG,sBAAsB,CAAC,KAAK,CAAC,CAAC;IAClD,OAAO,CACL,WAAW,KAAK,GAAG,QAAQ,gBAAgB;QAC3C,WAAW,CAAC,UAAU,CAAC,GAAG,QAAQ,iBAAiB,CAAC,CACrD,CAAC;AACJ,CAAC;AAED,SAAS,0BAA0B,CAAC,KAAc,EAAE,IAAY;IAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;IAC3D,IACE,oCAAoC,EAAE;QACtC,4BAA4B,CAAC,SAAS,CAAC,EACvC,CAAC;QACD,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,SAAS,EAAE,CAAC;IAC3C,CAAC;IACD,MAAM,QAAQ,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,QAAQ,GAAG,SAAS,EAAE,CAAC;AACtD,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,UAAU,yBAAyB,CACvC,SAAiB,EACjB,KAAc;IAEd,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1E,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,qCAAqC;IACrC,MAAM,cAAc,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,WAAgB,CAAC;IACrB,IAAI,CAAC;QACH,WAAW,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;IACxC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAC;IACxD,IAAI,GAAG,CAAC,IAAI,KAAK,WAAW,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAChD,yEAAyE;IACzE,4EAA4E;IAC5E,wEAAwE;IACxE,mCAAmC;IACnC,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;IAClC,MAAM,eAAe,GACnB,QAAQ,IAAI,yBAAyB,CAAC,KAAK,CAAC;QAC1C,CAAC,CAAC;YACE,GAAG,QAAQ,iBAAiB;YAC5B,GAAG,CAAC,oCAAoC,EAAE;gBAC1C,4BAA4B,CAAC,GAAG,CAAC,QAAQ,CAAC;gBACxC,CAAC,CAAC,CAAC,iBAAiB,CAAC;gBACrB,CAAC,CAAC,EAAE,CAAC;SACR;QACH,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC;IAC1B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;QACvE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,uBAAuB,CACrC,KAAc,EACd,WAAW,GAAG,gCAAgC;IAE9C,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC;IAC9C,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,OAAO,yBAAyB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IACtE,CAAC;IACD,OAAO,0BAA0B,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;AACxD,CAAC;AAqBD;;;;;GAKG;AACH,IAAI,mBAAuC,CAAC;AAE5C;;;;;;;;;;;;;;;;GAgBG;AACH,SAAS,kBAAkB;IACzB,MAAM,MAAM,GACV,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,OAAO,CAAC,GAAG,CAAC,kBAAkB;QAC9B,4BAA4B,CAAC,aAAa,CAAC,CAAC;IAC9C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC;IACrD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,gDAAgD;YAC9C,4FAA4F,CAC/F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,mBAAmB,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/D,CAAC;IACD,OAAO,mBAAmB,CAAC;AAC7B,CAAC;AA0CD,MAAM,UAAU,gBAAgB,CAC9B,iBAAmD,EACnD,KAAc,EACd,OAAiB,EACjB,UAAoB,EACpB,GAAY,EACZ,SAAkB,EAClB,MAAe;IAEf,MAAM,IAAI,GACR,OAAO,iBAAiB,KAAK,QAAQ;QACnC,CAAC,CAAC;YACE,WAAW,EAAE,iBAAiB;YAC9B,KAAK;YACL,OAAO;YACP,UAAU;YACV,GAAG;YACH,SAAS;YACT,MAAM;SACP;QACH,CAAC,CAAC,iBAAiB,CAAC;IAExB,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAqC;QAChD,CAAC,EAAE,KAAK;QACR,CAAC,EAAE,IAAI,CAAC,WAAW;KACpB,CAAC;IACF,IAAI,IAAI,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;IACvC,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IACnC,IAAI,IAAI,CAAC,UAAU;QAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;IACtC,IAAI,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACrC,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,CAAC,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;IAChD,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC;IACzC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,GAAG,GAAG,MAAM;SACf,UAAU,CAAC,QAAQ,EAAE,kBAAkB,EAAE,CAAC;SAC1C,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,WAAW,CAAC,CAAC;IACvB,OAAO,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC;AAC1B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,UAA8B,EAC9B,WAAmB;IAEnB,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,UAAU,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;YAC3C,IAAI,MAAM,KAAK,CAAC,CAAC;gBAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;YAEvD,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;YACzC,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACzC,MAAM,QAAQ,GAAG,MAAM;iBACpB,UAAU,CAAC,QAAQ,EAAE,kBAAkB,EAAE,CAAC;iBAC1C,MAAM,CAAC,IAAI,CAAC;iBACZ,MAAM,CAAC,WAAW,CAAC,CAAC;YAEvB,IACE,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;gBAC9B,CAAC,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAChE,CAAC;gBACD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;YACtC,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;YACrE,OAAO;gBACL,WAAW,EAAE,MAAM,CAAC,CAAC,IAAI,WAAW;gBACpC,KAAK,EAAE,MAAM,CAAC,CAAC,IAAI,SAAS;gBAC5B,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;gBACnB,UAAU,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;gBACtB,GAAG,EAAE,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;gBAC5D,oEAAoE;gBACpE,kEAAkE;gBAClE,kEAAkE;gBAClE,4CAA4C;gBAC5C,SAAS,EAAE,OAAO,MAAM,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;gBAChE,MAAM,EAAE,MAAM,CAAC,CAAC,IAAI,SAAS;aAC9B,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC,CAAA,CAAC;IACZ,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,CAAC;AACtC,CAAC;AASD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,KAAc,EACd,UAAmB;IAEnB,MAAM,eAAe,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC;IAChD,MAAM,oBAAoB,GAAG,CAAC,CAAC,eAAe,EAAE,KAAK,CAAC;IACtD,MAAM,KAAK,GAAG,oBAAoB;QAChC,CAAC,CAAC,eAAgB,CAAC,KAAK;QACxB,CAAC,CAAC,UAAU,IAAI,SAAS,CAAC;IAE5B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;AACzC,CAAC;AAMD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAc,EACd,KAAa,EACb,IAGC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC;IAC7C,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAElC,IAAI,YAAgC,CAAC;IACrC,IAAI,CAAC,IAAI,CAAC,oBAAoB,IAAI,aAAa,EAAE,CAAC;QAChD,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACtD,MAAM,UAAU,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QACtC,yBAAyB,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;QAC/C,kEAAkE;QAClE,iEAAiE;QACjE,6DAA6D;QAC7D,8DAA8D;QAC9D,8DAA8D;QAC9D,gEAAgE;QAChE,iCAAiC;QACjC,IAAI,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC/C,MAAM,eAAe,CAAC;gBACpB,KAAK;gBACL,KAAK,EAAE,YAAY;gBACnB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,GAAG,IAAI;aACtC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,YAAY,EAAE,CAAC;AAC1B,CAAC;AAED,gFAAgF;AAEhF;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CACnC,KAAc,EACd,KAAa,EACb,IAaC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC/B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC9B,MAAM,aAAa,GACjB,OAAO,KAAK,CAAC,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;QACvD,CAAC,CAAC,KAAK,CAAC,KAAK;QACb,CAAC,CAAC,SAAS,CAAC;IAEhB,uCAAuC;IACvC,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,QAAQ,GAAG,0BAA0B,CACzC,IAAI,CAAC,YAAY,EACjB,aAAa,CACd,CAAC;QACF,OAAO,YAAY,CACjB,sYAAsY,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,+EAA+E,CAC9e,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,4EAA4E;IAC5E,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjD,MAAM,WAAW,GAAG,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAClE,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,aAAa,SAAS,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC;QACjE,OAAO,YAAY,CACjB,wBAAwB,CACtB,GAAG,EACH,wCAAwC,WAAW,GAAG,EACtD,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAC9B,CACF,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QAC1E,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;IAC5E,CAAC;IAED,wEAAwE;IACxE,iEAAiE;IACjE,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACjD,MAAM,WAAW,GAAG,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAClE,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,gBAAgB,SAAS,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC;QACpE,OAAO,YAAY,CACjB,wBAAwB,CACtB,GAAG,EACH,wCAAwC,WAAW,GAAG,EACtD,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAC9B,CACF,CAAC;IACJ,CAAC;IAED,yEAAyE;IACzE,0EAA0E;IAC1E,2EAA2E;IAC3E,yEAAyE;IACzE,sEAAsE;IACtE,yEAAyE;IACzE,uEAAuE;IACvE,oEAAoE;IACpE,IAAI,IAAI,CAAC,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;IAC5E,CAAC;IAED,uEAAuE;IACvE,sEAAsE;IACtE,qEAAqE;IACrE,oEAAoE;IACpE,mDAAmD;IACnD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACpB,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACzE,OAAO,YAAY,CAAC;;;;yCAIiB,SAAS;;8BAEpB,CAAC,CAAC;IAC9B,CAAC;IAED,uEAAuE;IACvE,uEAAuE;IACvE,wEAAwE;IACxE,oEAAoE;IACpE,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9B,iBAAiB,CACf,KAAK,EACL,UAAU,EACV,6BAA6B,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,CACjE,CAAC;IACF,iBAAiB,CAAC,KAAK,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAC;IAC3D,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;kEAGkE;AAClE,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACjC,OAAO,YAAY,CACjB,ilBAAilB,IAAI,0KAA0K,EAC/vB,GAAG,CACJ,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,OAAO,GAAG,yBAAyB;IAEnC,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IACjC,OAAO,YAAY,CACjB,yPAAyP,IAAI,mDAAmD,CACjT,CAAC;AACJ,CAAC;AAED,gFAAgF;AAEhF,SAAS,mBAAmB,CAAC,QAAiB;IAC5C,MAAM,GAAG,GAAG,QAAQ,IAAI,UAAU,EAAE,IAAI,cAAc,CAAC;IACvD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC3C,OAAO,GAAG;SACP,KAAK,CAAC,OAAO,CAAC;SACd,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;SACpD,IAAI,CAAC,GAAG,CAAC,CAAC;AACf,CAAC;AAED,SAAS,0BAA0B,CACjC,YAAqB,EACrB,KAAc;IAEd,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,IAAI,YAAY;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IACpD,IAAI,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;IACjC,OAAO,MAAM;QACX,CAAC,CAAC,gCAAgC,MAAM,EAAE;QAC1C,CAAC,CAAC,8BAA8B,CAAC;AACrC,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAe,EACf,KAAc,EACd,YAAqB,EACrB,KAAc;IAEd,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACjD,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,aAAa,SAAS,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC;IACjE,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,QAAQ,GAAG,0BAA0B,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC9C,wEAAwE;QACxE,yEAAyE;QACzE,qEAAqE;QACrE,qEAAqE;QACrE,yEAAyE;QACzE,OAAO,YAAY,CACjB,isBAAisB,GAAG,2FAA2F,YAAY,2bAA2b,YAAY,4KAA4K,CAC/5C,CAAC;IACJ,CAAC;IACD,OAAO,YAAY,CACjB,wBAAwB,CACtB,GAAG,EACH,oDAAoD,CACrD,CACF,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Shared Google OAuth utilities for all templates.\n *\n * Handles platform detection (desktop/mobile), state encoding,\n * session token creation, and deep-link responses — the logic\n * that was previously copy-pasted across every template's\n * google-auth.ts handler.\n */\n\nimport crypto from \"node:crypto\";\nimport {\n  getHeader,\n  getQuery,\n  setResponseStatus,\n  setResponseHeader,\n  type H3Event,\n} from \"h3\";\nimport {\n  addSession,\n  getSession,\n  getSessionMaxAge,\n  setFrameworkSessionCookie,\n} from \"./auth.js\";\nimport { getAppName } from \"./app-name.js\";\nimport { getWorkspaceA2ADerivedSecret } from \"./derived-secret.js\";\nimport { writeDesktopSso } from \"./desktop-sso.js\";\nimport { appendSessionToOAuthReturnUrl } from \"./oauth-return-url.js\";\nimport { getConfiguredAppBasePath } from \"./app-base-path.js\";\n\n// ─── Platform Detection ─────────────────────────────────────────────────────\n\n/** Return an HTML response with the correct Content-Type.\n *  Uses a web-standard Response to ensure the header survives\n *  Nitro dev mode's mock-node-response pipeline. */\nfunction htmlResponse(html: string, status = 200): Response {\n  return new Response(html, {\n    status,\n    headers: { \"Content-Type\": \"text/html; charset=utf-8\" },\n  });\n}\n\n/** Shared markup for OAuth success \"close this tab\" pages. Renders a green\n *  check icon above the message, with a little breathing room between the\n *  headline and secondary line. Used by every template that goes through the\n *  shared Google OAuth flow. */\nfunction oauthDebugFlowId(flowId?: string): string | undefined {\n  return flowId ? flowId.slice(-10) : undefined;\n}\n\nfunction oauthSuccessCloseTabHtml(\n  headline: string,\n  footnote: string,\n  debugFlowId?: string,\n): string {\n  const debug = debugFlowId\n    ? `<p style=\"font-size:11px;color:#555;margin:12px 0 0 0\">Debug flow: ${escapeHtml(debugFlowId)}</p>`\n    : \"\";\n  return `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Connected</title></head><body style=\"background:#111;color:#ccc;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;flex-direction:column\"><svg width=\"44\" height=\"44\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"#22c55e\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" style=\"margin-bottom:14px\" aria-hidden=\"true\"><circle cx=\"12\" cy=\"12\" r=\"10\"/><path d=\"M9 12l2 2l4 -4\"/></svg><p style=\"font-size:16px;margin:0 0 12px 0\">${headline}</p><p style=\"font-size:13px;color:#888;margin:0\">${footnote}</p>${debug}<script>console.info(\"[agent-native][google-oauth] success page loaded\",{flow:${JSON.stringify(debugFlowId || null)}});setTimeout(function(){try{window.close()}catch(e){}},250)</script></body></html>`;\n}\n\n/**\n * HTML escape — minimal but covers the cases that matter when interpolating\n * user-controlled values into our OAuth callback HTML. Mirrors the helper in\n * email-template.ts; kept inline here to avoid a circular import.\n */\nfunction escapeHtml(s: string): string {\n  return String(s ?? \"\")\n    .replace(/&/g, \"&amp;\")\n    .replace(/</g, \"&lt;\")\n    .replace(/>/g, \"&gt;\")\n    .replace(/\"/g, \"&quot;\")\n    .replace(/'/g, \"&#39;\");\n}\n\n/**\n * Detect requests from the Agent Native desktop app specifically.\n *\n * The desktop app appends `AgentNativeDesktop/<version>` to its user-agent\n * (see `packages/desktop-app/src/main/index.ts`). We check for that marker\n * rather than matching generic `Electron`, which would also match other\n * Electron-based webviews like Builder.io's Fusion, Slack desktop, Discord,\n * etc. Falsely treating those as \"the desktop app\" sends users to the\n * `agentnative://oauth-complete` deep-link success page after Google sign-in,\n * where the protocol handler can't fire and the \"Open Agent Native\" button\n * does nothing.\n *\n * Kept exported as `isElectron` for backwards compatibility with consumers.\n */\nexport function isElectron(event: H3Event): boolean {\n  return /AgentNativeDesktop/i.test(getHeader(event, \"user-agent\") || \"\");\n}\n\n/** Detect requests from a mobile browser (iOS/Android). */\nexport function isMobile(event: H3Event): boolean {\n  return /iPhone|iPad|iPod|Android/i.test(getHeader(event, \"user-agent\") || \"\");\n}\n\n/**\n * Build the static allowlist of origins we trust for `getOrigin`. Reads\n * deployment-known public URLs. Each entry is normalised to\n * `${proto}://${host}` (no path). Duplicates collapse, invalid entries are\n * dropped silently.\n */\nconst EXPLICIT_PUBLIC_ORIGIN_ENV_KEYS = [\n  \"WORKSPACE_OAUTH_ORIGIN\",\n  \"VITE_WORKSPACE_OAUTH_ORIGIN\",\n  \"APP_URL\",\n  \"VITE_APP_URL\",\n  \"BETTER_AUTH_URL\",\n  \"VITE_BETTER_AUTH_URL\",\n  \"URL\",\n  \"DEPLOY_URL\",\n] as const;\n\nconst WORKSPACE_GATEWAY_ORIGIN_ENV_KEYS = [\n  \"WORKSPACE_GATEWAY_URL\",\n  \"VITE_WORKSPACE_GATEWAY_URL\",\n] as const;\n\nfunction normalizeOrigin(raw: string | undefined): string | undefined {\n  if (!raw) return undefined;\n  try {\n    const u = new URL(raw);\n    return `${u.protocol}//${u.host}`;\n  } catch {\n    return undefined;\n  }\n}\n\nfunction addNormalizedOrigin(\n  out: Set<string>,\n  raw: string | undefined,\n  options: { allowLoopback: boolean },\n): void {\n  const origin = normalizeOrigin(raw);\n  if (!origin) return;\n  if (!options.allowLoopback && isLoopbackOrigin(origin)) return;\n  out.add(origin);\n}\n\nfunction firstOriginFromEnv(\n  keys: readonly string[],\n  options: { allowLoopback: boolean },\n): string | undefined {\n  for (const key of keys) {\n    const origin = normalizeOrigin(process.env[key]);\n    if (!origin) continue;\n    if (!options.allowLoopback && isLoopbackOrigin(origin)) continue;\n    return origin;\n  }\n  return undefined;\n}\n\nfunction getConfiguredOriginAllowlist(): Set<string> {\n  const out = new Set<string>();\n  for (const key of EXPLICIT_PUBLIC_ORIGIN_ENV_KEYS) {\n    addNormalizedOrigin(out, process.env[key], { allowLoopback: true });\n  }\n  for (const key of WORKSPACE_GATEWAY_ORIGIN_ENV_KEYS) {\n    addNormalizedOrigin(out, process.env[key], { allowLoopback: false });\n  }\n  return out;\n}\n\nfunction getWorkspaceCallbackOrigin(): string | undefined {\n  const publicAuthOrigin = firstOriginFromEnv(EXPLICIT_PUBLIC_ORIGIN_ENV_KEYS, {\n    allowLoopback: true,\n  });\n  if (publicAuthOrigin) return publicAuthOrigin;\n\n  return firstOriginFromEnv(WORKSPACE_GATEWAY_ORIGIN_ENV_KEYS, {\n    allowLoopback: false,\n  });\n}\n\nfunction isLoopbackHost(host: string | undefined): boolean {\n  if (!host) return false;\n  try {\n    const parsed = new URL(`http://${host}`);\n    return (\n      parsed.hostname === \"localhost\" ||\n      parsed.hostname === \"127.0.0.1\" ||\n      parsed.hostname === \"::1\" ||\n      parsed.hostname === \"[::1]\"\n    );\n  } catch {\n    return false;\n  }\n}\n\nfunction isLoopbackOrigin(origin: string | undefined): boolean {\n  if (!origin) return false;\n  try {\n    return isLoopbackHost(new URL(origin).host);\n  } catch {\n    return false;\n  }\n}\n\nfunction isBuilderPreviewHost(host: string | undefined): boolean {\n  if (!host) return false;\n  try {\n    const parsed = new URL(`http://${host}`);\n    const hostname = parsed.hostname.toLowerCase();\n    return (\n      hostname === \"builderio.xyz\" ||\n      hostname.endsWith(\".builderio.xyz\") ||\n      hostname === \"builderio.dev\" ||\n      hostname.endsWith(\".builderio.dev\") ||\n      hostname === \"builder.codes\" ||\n      hostname.endsWith(\".builder.codes\") ||\n      hostname === \"builder.io\" ||\n      hostname.endsWith(\".builder.io\") ||\n      hostname === \"builder.my\" ||\n      hostname.endsWith(\".builder.my\")\n    );\n  } catch {\n    return false;\n  }\n}\n\n/**\n * Get the origin from forwarded headers or Host.\n *\n * Defends against Host-header injection: in production we require the resolved\n * origin to match `APP_URL` / `BETTER_AUTH_URL` / `WORKSPACE_GATEWAY_URL`,\n * falling back to those values when inbound headers are missing or don't match.\n * In dev we accept inbound `Host` so localhost / ngrok / preview hosts keep\n * working without configuration, except workspace OAuth requests from loopback\n * or Builder preview hosts use the configured gateway origin when one exists.\n * The protocol defaults to `https` in production (so a TLS-terminating proxy\n * that drops `x-forwarded-proto` doesn't downgrade us to plain HTTP).\n */\nexport function getOrigin(event: H3Event): string {\n  const headerHost =\n    getHeader(event, \"x-forwarded-host\") || getHeader(event, \"host\");\n  const isProd = process.env.NODE_ENV === \"production\";\n  const headerProto =\n    getHeader(event, \"x-forwarded-proto\") || (isProd ? \"https\" : \"http\");\n  const workspaceCallbackOrigin = isWorkspaceOAuthCallbackRelayEnabled()\n    ? getWorkspaceCallbackOrigin()\n    : undefined;\n\n  if (\n    workspaceCallbackOrigin &&\n    (isLoopbackHost(headerHost) || isBuilderPreviewHost(headerHost))\n  ) {\n    return workspaceCallbackOrigin;\n  }\n\n  if (isProd) {\n    const allow = getConfiguredOriginAllowlist();\n    // If the deploy declares its public URL, prefer it over inbound headers.\n    if (allow.size > 0) {\n      const inbound = headerHost ? `${headerProto}://${headerHost}` : \"\";\n      if (inbound && allow.has(inbound)) return inbound;\n      // Inbound didn't match — fall back to the first configured origin.\n      return [...allow][0];\n    }\n    // No allowlist configured: still default to https, but accept the\n    // inbound Host (best we can do without a configured base URL).\n    return `${headerProto}://${headerHost ?? \"\"}`;\n  }\n\n  return `${headerProto}://${headerHost ?? \"localhost\"}`;\n}\n\n/** App mount prefix, if the template is served under APP_BASE_PATH. */\nexport function getAppBasePath(): string {\n  return getConfiguredAppBasePath();\n}\n\n/** Build an absolute same-origin URL that preserves APP_BASE_PATH. */\nexport function getAppUrl(event: H3Event, path = \"/\"): string {\n  const cleanPath = path.startsWith(\"/\") ? path : `/${path}`;\n  return `${getOrigin(event)}${getAppBasePath()}${cleanPath}`;\n}\n\nfunction isWorkspaceOAuthCallbackRelayEnabled(): boolean {\n  return (\n    process.env.AGENT_NATIVE_WORKSPACE === \"1\" ||\n    process.env.VITE_AGENT_NATIVE_WORKSPACE === \"1\"\n  );\n}\n\nfunction isFrameworkOAuthCallbackPath(pathname: string): boolean {\n  return (\n    pathname.startsWith(\"/_agent-native/\") &&\n    (pathname.endsWith(\"/callback\") || pathname.includes(\"/callback/\"))\n  );\n}\n\nfunction getOriginalRequestPath(event: H3Event): string {\n  const mountedPathname = (event as any).context?._mountedPathname;\n  if (typeof mountedPathname === \"string\" && mountedPathname) {\n    return mountedPathname;\n  }\n\n  const urlPathname = (event as any).url?.pathname;\n  if (typeof urlPathname === \"string\" && urlPathname) return urlPathname;\n\n  const nodeUrl = event.node?.req?.url;\n  if (typeof nodeUrl === \"string\" && nodeUrl) {\n    const queryStart = nodeUrl.indexOf(\"?\");\n    return queryStart >= 0 ? nodeUrl.slice(0, queryStart) : nodeUrl;\n  }\n\n  const eventPath = (event as any).path;\n  if (typeof eventPath === \"string\" && eventPath) {\n    const queryStart = eventPath.indexOf(\"?\");\n    return queryStart >= 0 ? eventPath.slice(0, queryStart) : eventPath;\n  }\n\n  return \"/\";\n}\n\nfunction isRequestUnderAppBasePath(event: H3Event): boolean {\n  const basePath = getAppBasePath();\n  if (!basePath) return false;\n  const requestPath = getOriginalRequestPath(event);\n  return (\n    requestPath === `${basePath}/_agent-native` ||\n    requestPath.startsWith(`${basePath}/_agent-native/`)\n  );\n}\n\nfunction getDefaultOAuthRedirectUrl(event: H3Event, path: string): string {\n  const cleanPath = path.startsWith(\"/\") ? path : `/${path}`;\n  if (\n    isWorkspaceOAuthCallbackRelayEnabled() &&\n    isFrameworkOAuthCallbackPath(cleanPath)\n  ) {\n    return `${getOrigin(event)}${cleanPath}`;\n  }\n  const basePath = isRequestUnderAppBasePath(event) ? getAppBasePath() : \"\";\n  return `${getOrigin(event)}${basePath}${cleanPath}`;\n}\n\n// ─── redirect_uri Allowlist ──────────────────────────────────────────────────\n\n/**\n * Validate a user-supplied `redirect_uri` for OAuth flows.\n *\n * Defends against authorization-code interception (RFC 6819 §4.4.1.7):\n * even though the upstream provider (Google/Atlassian/Zoom) refuses\n * unregistered redirect URIs, prefix-style registrations and side\n * registrations on the same host let a malicious caller swap in an\n * attacker-controlled URI that the provider still accepts. We reject any\n * candidate that isn't on this server's own origin AND under the\n * framework's `/_agent-native/` namespace. Returns the validated URI on\n * success, or `undefined` on rejection — callers must treat `undefined`\n * as a 400.\n *\n * The intentional shape is exact-prefix:\n *   - Origin must equal `getOrigin(event)` — no Host-header injection\n *     reusing somebody else's registered redirect URI.\n *   - Path must start with `${appBasePath}/_agent-native/` so we never\n *     hand auth codes to a public marketing or open-redirect endpoint\n *     on the same registered host.\n *\n * For desktop / native flows that need ephemeral `http://127.0.0.1:<port>`\n * loopback URIs, callers should validate those at the template level\n * with a dedicated allowlist — this helper rejects them by design.\n */\nexport function isAllowedOAuthRedirectUri(\n  candidate: string,\n  event: H3Event,\n): boolean {\n  if (typeof candidate !== \"string\" || candidate.length === 0) return false;\n  let url: URL;\n  try {\n    url = new URL(candidate);\n  } catch {\n    return false;\n  }\n  // Must be same origin as our server.\n  const expectedOrigin = getOrigin(event);\n  let expectedUrl: URL;\n  try {\n    expectedUrl = new URL(expectedOrigin);\n  } catch {\n    return false;\n  }\n  if (url.protocol !== expectedUrl.protocol) return false;\n  if (url.host !== expectedUrl.host) return false;\n  // Must live under the framework's namespace. Workspace deploys can route\n  // root /_agent-native/* to Dispatch even when Dispatch itself is mounted at\n  // /dispatch, but app-prefixed requests should not be able to swap their\n  // callback to that root namespace.\n  const basePath = getAppBasePath();\n  const allowedPrefixes =\n    basePath && isRequestUnderAppBasePath(event)\n      ? [\n          `${basePath}/_agent-native/`,\n          ...(isWorkspaceOAuthCallbackRelayEnabled() &&\n          isFrameworkOAuthCallbackPath(url.pathname)\n            ? [\"/_agent-native/\"]\n            : []),\n        ]\n      : [\"/_agent-native/\"];\n  if (!allowedPrefixes.some((prefix) => url.pathname.startsWith(prefix))) {\n    return false;\n  }\n  return true;\n}\n\n/**\n * Resolve the `redirect_uri` for an outbound OAuth `auth-url` request.\n *\n * Reads `?redirect_uri=` from the query and validates it via\n * `isAllowedOAuthRedirectUri`. Returns:\n *   - the validated URI when supplied and allowed, OR\n *   - the framework default when no override was supplied, OR\n *   - `null` when an override was supplied but rejected — callers must\n *     respond with 400 in that case.\n *\n * Templates that need a non-default redirect path can pass it via\n * `defaultPath` (e.g. `\"/_agent-native/google/desktop-callback\"` for\n * desktop flows).\n */\nexport function resolveOAuthRedirectUri(\n  event: H3Event,\n  defaultPath = \"/_agent-native/google/callback\",\n): string | null {\n  const supplied = getQuery(event).redirect_uri;\n  if (typeof supplied === \"string\" && supplied.length > 0) {\n    return isAllowedOAuthRedirectUri(supplied, event) ? supplied : null;\n  }\n  return getDefaultOAuthRedirectUrl(event, defaultPath);\n}\n\n// ─── OAuth State ─────────────────────────────────────────────────────────────\n\nexport interface OAuthStatePayload {\n  redirectUri: string;\n  owner?: string;\n  desktop?: boolean;\n  addAccount?: boolean;\n  app?: string;\n  /**\n   * Same-origin path to redirect to after a successful web-flow sign-in.\n   * Threaded through the (HMAC-signed) state so it survives the round trip\n   * to Google. Validated again on decode via safeReturnPath as defence in\n   * depth. Has no effect on desktop / mobile / add-account flows, which\n   * use their own deep-link / close-tab handling.\n   */\n  returnUrl?: string;\n  flowId?: string;\n}\n\n/**\n * Ephemeral in-memory state-signing key for development. Generated lazily\n * on first read so dev sessions don't depend on filesystem writability or\n * env-var configuration. Sessions reset on each restart, which is fine\n * for dev — no real users / production data are involved.\n */\nlet _devStateSigningKey: string | undefined;\n\n/**\n * Derive a server-only signing key for HMAC verification of OAuth state.\n *\n * Uses a dedicated secret — never an OAuth client secret. Reusing a\n * client_secret (which is shared with Google / GitHub / Atlassian) as our\n * own HMAC key conflates two trust domains: rotating the client secret\n * silently invalidates every in-flight OAuth state, and any leak of the\n * client secret also lets an attacker forge our state envelopes.\n *\n * Resolution order:\n *   1. OAUTH_STATE_SECRET (preferred — dedicated to this purpose)\n *   2. BETTER_AUTH_SECRET (already used by Better Auth as a server secret)\n *   3. Hosted workspace deploys derive a per-purpose key from A2A_SECRET\n *   4. In dev only, an ephemeral random key (per-process)\n *\n * In production, throws if no usable server secret is set.\n */\nfunction getStateSigningKey(): string {\n  const secret =\n    process.env.OAUTH_STATE_SECRET ||\n    process.env.BETTER_AUTH_SECRET ||\n    getWorkspaceA2ADerivedSecret(\"oauth-state\");\n  if (secret) return secret;\n\n  const isProd = process.env.NODE_ENV === \"production\";\n  if (isProd) {\n    throw new Error(\n      \"OAuth state signing requires a server secret. \" +\n        \"Set OAUTH_STATE_SECRET, BETTER_AUTH_SECRET, or A2A_SECRET in production workspace deploys.\",\n    );\n  }\n\n  if (!_devStateSigningKey) {\n    _devStateSigningKey = crypto.randomBytes(32).toString(\"hex\");\n  }\n  return _devStateSigningKey;\n}\n\n/**\n * Options for the named-argument form of {@link encodeOAuthState}.\n * Prefer this form — the positional overload is easy to misuse (the mail\n * and calendar templates historically passed `flowId` in the `returnUrl`\n * slot, smuggling state into a defence-in-depth path).\n */\nexport interface EncodeOAuthStateOptions {\n  redirectUri: string;\n  owner?: string;\n  desktop?: boolean;\n  addAccount?: boolean;\n  app?: string;\n  returnUrl?: string;\n  flowId?: string;\n}\n\n/**\n * Encode OAuth state into a signed base64url string.\n * The state is HMAC-signed so the callback can verify it wasn't forged,\n * preventing CSRF attacks on the OAuth flow.\n *\n * Two call shapes are supported:\n *   - Recommended: pass an options object — clear, mismatch-proof.\n *     `encodeOAuthState({ redirectUri, owner, desktop, ... })`\n *   - Legacy positional form (kept working for backward compatibility):\n *     `encodeOAuthState(redirectUri, owner, desktop, addAccount, app, returnUrl, flowId)`.\n *     Callers should migrate to the options form — see the audit on\n *     templates/mail and templates/calendar where the positional shape\n *     led to `flowId` being smuggled in via the `returnUrl` slot.\n */\nexport function encodeOAuthState(opts: EncodeOAuthStateOptions): string;\nexport function encodeOAuthState(\n  redirectUri: string,\n  owner?: string,\n  desktop?: boolean,\n  addAccount?: boolean,\n  app?: string,\n  returnUrl?: string,\n  flowId?: string,\n): string;\nexport function encodeOAuthState(\n  redirectUriOrOpts: string | EncodeOAuthStateOptions,\n  owner?: string,\n  desktop?: boolean,\n  addAccount?: boolean,\n  app?: string,\n  returnUrl?: string,\n  flowId?: string,\n): string {\n  const opts: EncodeOAuthStateOptions =\n    typeof redirectUriOrOpts === \"string\"\n      ? {\n          redirectUri: redirectUriOrOpts,\n          owner,\n          desktop,\n          addAccount,\n          app,\n          returnUrl,\n          flowId,\n        }\n      : redirectUriOrOpts;\n\n  const nonce = crypto.randomBytes(8).toString(\"hex\");\n  const payload: Record<string, string | boolean> = {\n    n: nonce,\n    r: opts.redirectUri,\n  };\n  if (opts.owner) payload.o = opts.owner;\n  if (opts.desktop) payload.d = true;\n  if (opts.addAccount) payload.a = true;\n  if (opts.app) payload.app = opts.app;\n  if (opts.returnUrl) payload.r2 = opts.returnUrl;\n  if (opts.flowId) payload.f = opts.flowId;\n  const data = Buffer.from(JSON.stringify(payload)).toString(\"base64url\");\n  const sig = crypto\n    .createHmac(\"sha256\", getStateSigningKey())\n    .update(data)\n    .digest(\"base64url\");\n  return `${data}.${sig}`;\n}\n\n/**\n * Decode and verify OAuth state from the callback's state query parameter.\n * Rejects forged or tampered state by checking the HMAC signature.\n * Falls back to the provided URI if decoding or verification fails.\n */\nexport function decodeOAuthState(\n  stateParam: string | undefined,\n  fallbackUri: string,\n): OAuthStatePayload {\n  if (stateParam) {\n    try {\n      const dotIdx = stateParam.lastIndexOf(\".\");\n      if (dotIdx === -1) return { redirectUri: fallbackUri };\n\n      const data = stateParam.slice(0, dotIdx);\n      const sig = stateParam.slice(dotIdx + 1);\n      const expected = crypto\n        .createHmac(\"sha256\", getStateSigningKey())\n        .update(data)\n        .digest(\"base64url\");\n\n      if (\n        sig.length !== expected.length ||\n        !crypto.timingSafeEqual(Buffer.from(sig), Buffer.from(expected))\n      ) {\n        return { redirectUri: fallbackUri };\n      }\n\n      const parsed = JSON.parse(Buffer.from(data, \"base64url\").toString());\n      return {\n        redirectUri: parsed.r || fallbackUri,\n        owner: parsed.o || undefined,\n        desktop: !!parsed.d,\n        addAccount: !!parsed.a,\n        app: typeof parsed.app === \"string\" ? parsed.app : undefined,\n        // Pass returnUrl through as-is — same-origin validation runs at the\n        // consumer (oauthCallbackResponse → safeReturnPath). The state is\n        // HMAC-signed, but we still validate at consumption as defence in\n        // depth in case the signing key ever leaks.\n        returnUrl: typeof parsed.r2 === \"string\" ? parsed.r2 : undefined,\n        flowId: parsed.f || undefined,\n      };\n    } catch {}\n  }\n  return { redirectUri: fallbackUri };\n}\n\n// ─── Session Creation ────────────────────────────────────────────────────────\n\nexport interface OAuthOwnerResult {\n  owner: string | undefined;\n  hasProductionSession: boolean;\n}\n\n/**\n * Determine the token owner from the current session and OAuth state.\n * Call this BEFORE exchangeCode to get the owner parameter.\n */\nexport async function resolveOAuthOwner(\n  event: H3Event,\n  stateOwner?: string,\n): Promise<OAuthOwnerResult> {\n  const existingSession = await getSession(event);\n  const hasProductionSession = !!existingSession?.email;\n  const owner = hasProductionSession\n    ? existingSession!.email\n    : stateOwner || undefined;\n\n  return { owner, hasProductionSession };\n}\n\nexport interface OAuthSessionResult {\n  sessionToken: string | undefined;\n}\n\n/**\n * Create a session token after a successful OAuth exchange.\n *\n * Desktop and mobile apps have separate cookie jars from the system\n * browser, so they always get a fresh session token (even if the browser\n * already has one). The token is then passed via deep link so the native\n * app can inject it.\n */\nexport async function createOAuthSession(\n  event: H3Event,\n  email: string,\n  opts: {\n    hasProductionSession: boolean;\n    desktop?: boolean;\n  },\n): Promise<OAuthSessionResult> {\n  const mobile = isMobile(event);\n  const needsDeepLink = opts.desktop || mobile;\n  const maxAge = getSessionMaxAge();\n\n  let sessionToken: string | undefined;\n  if (!opts.hasProductionSession || needsDeepLink) {\n    sessionToken = crypto.randomBytes(32).toString(\"hex\");\n    await addSession(sessionToken, email);\n    setFrameworkSessionCookie(event, sessionToken);\n    // Desktop SSO: record this session in the home-dir broker file so\n    // sibling templates (each with its own database) can resolve the\n    // same token without a DB row of their own. Only the PRIMARY\n    // sign-in writes the broker — if a production session already\n    // exists, this is an add-account flow (connecting a secondary\n    // Google account for scraping) and must never switch the active\n    // user across sibling templates.\n    if (opts.desktop && !opts.hasProductionSession) {\n      await writeDesktopSso({\n        email,\n        token: sessionToken,\n        expiresAt: Date.now() + maxAge * 1000,\n      });\n    }\n  }\n\n  return { sessionToken };\n}\n\n// ─── Callback Responses ──────────────────────────────────────────────────────\n\n/**\n * Return the appropriate response after a successful OAuth callback.\n *\n * Handles mobile deep links, desktop deep links, add-account close-tab\n * pages, and plain web redirects — so templates don't have to.\n */\nexport function oauthCallbackResponse(\n  event: H3Event,\n  email: string,\n  opts: {\n    sessionToken?: string;\n    desktop?: boolean;\n    addAccount?: boolean;\n    /**\n     * Same-origin path to return the viewer to after a successful web\n     * sign-in. Validated via safeReturnPath; falls back to \"/\" for any\n     * shape that escapes same-origin. Has no effect on desktop / mobile\n     * / add-account flows — those use their own deep-link handling.\n     */\n    returnUrl?: string;\n    flowId?: string;\n    appName?: string;\n  },\n): Response | string | unknown | Promise<Response | string | unknown> {\n  const mobile = isMobile(event);\n  const query = getQuery(event);\n  const callbackState =\n    typeof query.state === \"string\" && query.state.length > 0\n      ? query.state\n      : undefined;\n\n  // Mobile: deep link back to native app\n  if (mobile) {\n    const deepLink = buildOAuthCompleteDeepLink(\n      opts.sessionToken,\n      callbackState,\n    );\n    return htmlResponse(\n      `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\"><title>Connected</title></head><body style=\"background:#111;color:#aaa;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0\"><p>Connected! Returning to app…</p><script>window.location.href=${JSON.stringify(deepLink)};setTimeout(function(){window.location.href=\"/\"},1500)</script></body></html>`,\n    );\n  }\n\n  // Desktop add-account: close-tab page (must come before general desktop check\n  // to ensure no deep link fires and the existing session is never switched).\n  if (opts.desktop && opts.addAccount) {\n    const safeEmail = email ? escapeHtml(email) : \"\";\n    const safeAppName = escapeHtml(resolveOAuthAppName(opts.appName));\n    const msg = safeEmail ? `Connected ${safeEmail}!` : \"Connected!\";\n    return htmlResponse(\n      oauthSuccessCloseTabHtml(\n        msg,\n        `You can close this tab and return to ${safeAppName}.`,\n        oauthDebugFlowId(opts.flowId),\n      ),\n    );\n  }\n\n  // Electron desktop exchange flow: mail/calendar still pass a flow id so the\n  // renderer can poll as a fallback, but the main handoff should use the\n  // protocol deep link so the popup returns focus to the desktop app.\n  if (opts.desktop && opts.flowId && isElectron(event) && opts.sessionToken) {\n    return desktopSuccessPage(event, email, opts.sessionToken, callbackState);\n  }\n\n  // Desktop exchange flow (non-Electron tray app): the tray app polls the\n  // desktop-exchange endpoint for the token — no deep link needed.\n  if (opts.desktop && opts.flowId) {\n    const safeEmail = email ? escapeHtml(email) : \"\";\n    const safeAppName = escapeHtml(resolveOAuthAppName(opts.appName));\n    const msg = safeEmail ? `Signed in as ${safeEmail}!` : \"Signed in!\";\n    return htmlResponse(\n      oauthSuccessCloseTabHtml(\n        msg,\n        `You can close this tab and return to ${safeAppName}.`,\n        oauthDebugFlowId(opts.flowId),\n      ),\n    );\n  }\n\n  // Desktop login: deep link back to Electron app — only when the callback\n  // request actually carries the AgentNativeDesktop UA marker. Without this\n  // check, any client whose OAuth state was minted with `desktop=true` (e.g.\n  // a stale link, or an upstream that wrongly set `?desktop=1`) would land\n  // on the `agentnative://` page where the deep link can't fire and the\n  // \"Open Agent Native\" button does nothing — surfaces inside Builder.io's\n  // Fusion webview hit this exact dead-end. Fall through to the web flow\n  // for non-Agent-Native-Desktop clients so they get a real redirect.\n  if (opts.desktop && isElectron(event)) {\n    return desktopSuccessPage(event, email, opts.sessionToken, callbackState);\n  }\n\n  // Add-account web flow: close-tab page. The email is rendered into the\n  // page via DOM `textContent` (safe), but we still JSON-stringify so a\n  // payload containing `</script>` can't break out of the script tag —\n  // and explicitly assert it's a string so a callbacks like `null` or\n  // an object won't end up serialised into the page.\n  if (opts.addAccount) {\n    const safeEmail = JSON.stringify(typeof email === \"string\" ? email : \"\");\n    return htmlResponse(`<!DOCTYPE html><html><body><script>\n        window.close();\n        var p = document.createElement('p');\n        p.style.cssText = 'font-family:system-ui;text-align:center;margin-top:40vh';\n        p.textContent = 'Connected ' + ${safeEmail} + '! You can close this tab.';\n        document.body.appendChild(p);\n      </script></body></html>`);\n  }\n\n  // Web: redirect to the requested return target. Path-only returns stay\n  // same-origin; Builder desktop workspace returns may point back to the\n  // local loopback gateway and carry the short-lived `_session` bridge so\n  // the local app can promote the newly created hosted OAuth session.\n  setResponseStatus(event, 302);\n  setResponseHeader(\n    event,\n    \"Location\",\n    appendSessionToOAuthReturnUrl(opts.returnUrl, opts.sessionToken),\n  );\n  setResponseHeader(event, \"Referrer-Policy\", \"no-referrer\");\n  return \"\";\n}\n\n/** HTML error page for OAuth failures. The message is HTML-escaped — most\n *  callers pass `error.message` from a token-exchange or userinfo failure,\n *  which can echo upstream provider strings (and historically attacker-\n *  controlled query params via the `error_description` field). */\nexport function oauthErrorPage(message: string): Response {\n  const safe = escapeHtml(message);\n  return htmlResponse(\n    `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Connection failed</title></head><body style=\"background:#111;color:#ccc;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;flex-direction:column;text-align:center\"><svg width=\"44\" height=\"44\" viewBox=\"0 0 24 24\" fill=\"none\" stroke=\"#ef4444\" stroke-width=\"2\" stroke-linecap=\"round\" stroke-linejoin=\"round\" style=\"margin-bottom:14px\" aria-hidden=\"true\"><circle cx=\"12\" cy=\"12\" r=\"10\"/><path d=\"M15 9l-6 6\"/><path d=\"M9 9l6 6\"/></svg><p style=\"font-size:16px;margin:0 0 12px 0;color:#ddd\">${safe}</p><p style=\"font-size:13px;color:#888;margin:0\"><a href=\"/\" style=\"color:#888;text-decoration:underline;text-underline-offset:3px\">Back to login</a></p></body></html>`,\n    400,\n  );\n}\n\nexport function oauthDesktopExchangePage(\n  message = \"Returning to the app...\",\n): Response {\n  const safe = escapeHtml(message);\n  return htmlResponse(\n    `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Returning</title></head><body style=\"background:#111;color:#aaa;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0\"><p style=\"font-size:14px\">${safe}</p><script>window.close()</script></body></html>`,\n  );\n}\n\n// ─── Internal ────────────────────────────────────────────────────────────────\n\nfunction resolveOAuthAppName(explicit?: string): string {\n  const raw = explicit || getAppName() || \"Agent Native\";\n  if (!/^[a-z0-9_-]+$/.test(raw)) return raw;\n  return raw\n    .split(/[-_]+/)\n    .filter(Boolean)\n    .map((word) => word[0].toUpperCase() + word.slice(1))\n    .join(\" \");\n}\n\nfunction buildOAuthCompleteDeepLink(\n  sessionToken?: string,\n  state?: string,\n): string {\n  const params = new URLSearchParams();\n  if (sessionToken) params.set(\"token\", sessionToken);\n  if (state) params.set(\"state\", state);\n  const suffix = params.toString();\n  return suffix\n    ? `agentnative://oauth-complete?${suffix}`\n    : \"agentnative://oauth-complete\";\n}\n\nfunction desktopSuccessPage(\n  _event: H3Event,\n  email?: string,\n  sessionToken?: string,\n  state?: string,\n): Response {\n  const safeEmail = email ? escapeHtml(email) : \"\";\n  const msg = safeEmail ? `Connected ${safeEmail}!` : \"Connected!\";\n  if (sessionToken) {\n    const deepLink = buildOAuthCompleteDeepLink(sessionToken, state);\n    const deepLinkJson = JSON.stringify(deepLink);\n    // Defence in depth: if this page somehow gets served to a UA that isn't\n    // the Agent Native desktop app (server gate bypassed, stale link, etc.),\n    // skip the `agentnative://` deep link entirely and bounce to the app\n    // root. The deep link silently fails outside the desktop app and the\n    // \"Open Agent Native\" button is a dead end in a generic browser/webview.\n    return htmlResponse(\n      `<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Connected</title><style>@keyframes spin{to{transform:rotate(360deg)}}@keyframes fadeIn{from{opacity:0;transform:translateY(4px)}to{opacity:1;transform:translateY(0)}}.spinner{width:28px;height:28px;border:2px solid #333;border-top-color:#fff;border-radius:50%;animation:spin .8s linear infinite}.fallback{display:none;flex-direction:column;align-items:center;gap:8px;animation:fadeIn .2s ease-out}.fallback.show{display:flex}</style></head><body style=\"background:#111;color:#ccc;font-family:system-ui;display:flex;align-items:center;justify-content:center;height:100vh;margin:0;flex-direction:column;gap:16px\"><p style=\"font-size:16px;margin:0\">${msg}</p><div id=\"loading\" class=\"spinner\"></div><div id=\"fallback\" class=\"fallback\"><a href=${deepLinkJson} style=\"display:inline-block;padding:10px 24px;background:#fff;color:#000;border-radius:8px;text-decoration:none;font-size:14px;font-weight:500\">Open Agent Native</a><p style=\"font-size:12px;color:#666;margin:0\">If the app didn\\u2019t open automatically, click the button above.</p></div><script>(function(){var ua=(navigator.userAgent||\"\");if(ua.indexOf(\"AgentNativeDesktop\")===-1){window.location.replace(\"/\");return}window.location.href=${deepLinkJson};setTimeout(function(){document.getElementById(\"loading\").style.display=\"none\";document.getElementById(\"fallback\").classList.add(\"show\")},3000)})()</script></body></html>`,\n    );\n  }\n  return htmlResponse(\n    oauthSuccessCloseTabHtml(\n      msg,\n      \"You can close this tab and return to Agent Native.\",\n    ),\n  );\n}\n"]}

package/dist/server/google-realtime-session.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"google-realtime-session.d.ts","sourceRoot":"","sources":["../../src/server/google-realtime-session.ts"],"names":[],"mappings":"AAgBA,UAAU,6BAA6B;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAqCD,wBAAsB,gCAAgC,CAAC,IAAI,EAAE;IAC3D,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAkDzB;AAED,wBAAgB,kCAAkC;;IAoGjD"}
+{"version":3,"file":"google-realtime-session.d.ts","sourceRoot":"","sources":["../../src/server/google-realtime-session.ts"],"names":[],"mappings":"AAgBA,UAAU,6BAA6B;IACrC,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAqCD,wBAAsB,gCAAgC,CAAC,IAAI,EAAE;IAC3D,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAoDzB;AAED,wBAAgB,kCAAkC;;IAoGjD"}

package/dist/server/google-realtime-session.js

@@ -63,10 +63,12 @@ export async function resolveGoogleRealtimeCredentials(opts) {
         if (fromSecret)
             return fromSecret;
     }
-    const stored = await resolveCredential("GOOGLE_APPLICATION_CREDENTIALS", {
-        userEmail: opts.userEmail ?? undefined,
-        orgId: opts.orgId ?? undefined,
-    }).catch(() => undefined);
+    const stored = opts.userEmail
+        ? await resolveCredential("GOOGLE_APPLICATION_CREDENTIALS", {
+            userEmail: opts.userEmail,
+            orgId: opts.orgId ?? undefined,
+        }).catch(() => undefined)
+        : undefined;
     const fromSettings = stored?.trim();
     if (fromSettings)
         return fromSettings;

package/dist/server/google-realtime-session.js.map

@@ -1 +1 @@
-{"version":3,"file":"google-realtime-session.js","sourceRoot":"","sources":["../../src/server/google-realtime-session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,QAAQ,EACR,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,0BAA0B,CAAC;AAQrE,SAAS,mBAAmB,CAAC,KAAc;IACzC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACjD,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;YAC/B,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;YACtC,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACpE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IACE,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;gBAC7D,MAAM,CAAC,QAAQ,KAAK,iBAAiB;gBACrC,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,EAChE,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IACE,MAAM,CAAC,QAAQ,KAAK,OAAO;gBAC3B,CAAC,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,CAAC;gBACpE,MAAM,CAAC,IAAI,KAAK,MAAM;gBACtB,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,EAChE,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,MAAM,SAAS,GAAG,gBAAgB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IAC5D,IAAI,SAAS;QAAE,OAAO,SAAS,KAAK,aAAa,IAAI,SAAS,KAAK,MAAM,CAAC;IAC1E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gCAAgC,CAAC,IAGtD;IACC,MAAM,UAAU,GAGX,EAAE,CAAC;IACR,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,UAAU,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;QAC5D,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,UAAU,CAAC,IAAI,CACb,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,EACrC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,CAC5C,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,IAAI,CAAC;gBACd,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,QAAQ,IAAI,CAAC,SAAS,EAAE;aAClC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,GAAG,EAAE,gCAAgC;YACrC,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,UAAU,GAAG,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzC,IAAI,UAAU;YAAE,OAAO,UAAU,CAAC;IACpC,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,gCAAgC,EAAE;QACvE,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,SAAS;QACtC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS;KAC/B,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC1B,MAAM,YAAY,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IACpC,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,IAAI,EAAE,CAAC;IACpE,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IAE9C,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACtD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;QACpC,OAAO,OAAO,IAAI,IAAI,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,0FAA0F,CAC3F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kCAAkC;IAChD,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC5D,MAAM,cAAc,GAAG;YACrB,SAAS,EAAE,OAAO,CAAC,KAAK;YACxB,KAAK,EAAE,MAAM,EAAE,KAAK,IAAI,SAAS;SAClC,CAAC;QAEF,OAAO,qBAAqB,CAAC,cAAc,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,4BAA4B,GAChC,MAAM,gCAAgC,CAAC;gBACrC,SAAS,EAAE,OAAO,CAAC,KAAK;gBACxB,KAAK,EAAE,MAAM,EAAE,KAAK,IAAI,SAAS;aAClC,CAAC,CAAC;YACL,IAAI,CAAC,4BAA4B,EAAE,CAAC;gBAClC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,4FAA4F;iBAC/F,CAAC;YACJ,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACvD,IAAI,CAAC,YAAY,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;gBACxD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,6EAA6E;iBAChF,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,wBAAwB,CAAC;YACzE,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAE5D,CAAC;YACF,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,OAAO,yCAAyC,EACnD;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,aAAa,EAAE,UAAU,YAAY,CAAC,UAAU,EAAE;oBAClD,mBAAmB,EAAE,YAAY,CAAC,SAAS;oBAC3C,GAAG,CAAC,YAAY,CAAC,MAAM;wBACrB,CAAC,CAAC,EAAE,mBAAmB,EAAE,YAAY,CAAC,MAAM,EAAE;wBAC9C,CAAC,CAAC,EAAE,CAAC;iBACR;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,4BAA4B;oBAC5B,QAAQ,EACN,OAAO,IAAI,EAAE,QAAQ,KAAK,QAAQ;wBAChC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE;wBACtB,CAAC,CAAC,SAAS;iBAChB,CAAC;aACH,CACF,CAAC,KAAK,CAAC,CAAC,GAAQ,EAAE,EAAE;gBACnB,MAAM,IAAI,KAAK,CACb,GAAG,EAAE,OAAO,IAAI,gDAAgD,CACjE,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,SAAS,GAAG,MAAM,GAAG;qBACxB,IAAI,EAAE;qBACN,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC;gBAClD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;gBACrC,OAAO;oBACL,KAAK,EACH,OAAO,SAAS,EAAE,KAAK,KAAK,QAAQ;wBAClC,CAAC,CAAC,SAAS,CAAC,KAAK;wBACjB,CAAC,CAAC,4BAA4B,GAAG,CAAC,MAAM,GAAG;iBAChD,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkC,CAAC;YACpE,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,CAAC;gBAC3B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,gEAAgE;iBACnE,CAAC;YACJ,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { readFile } from \"node:fs/promises\";\nimport {\n  defineEventHandler,\n  getMethod,\n  getRequestHeader,\n  readBody,\n  setResponseStatus,\n  type H3Event,\n} from \"h3\";\nimport { readAppSecret } from \"../secrets/storage.js\";\nimport { resolveCredential } from \"../credentials/index.js\";\nimport { getSession } from \"./auth.js\";\nimport { getOrgContext } from \"../org/context.js\";\nimport { runWithRequestContext } from \"./request-context.js\";\nimport { resolveBuilderCredentials } from \"./credential-provider.js\";\n\ninterface GoogleRealtimeSessionResponse {\n  websocketUrl: string;\n  sessionToken: string;\n  websocketProtocol?: string;\n}\n\nfunction isSameOriginRequest(event: H3Event): boolean {\n  const host = getRequestHeader(event, \"host\");\n  const origin = getRequestHeader(event, \"origin\");\n  if (origin && host) {\n    try {\n      const parsed = new URL(origin);\n      if (parsed.host === host) return true;\n      if (parsed.protocol === \"tauri:\" && parsed.hostname === \"localhost\") {\n        return true;\n      }\n      if (\n        (parsed.protocol === \"http:\" || parsed.protocol === \"https:\") &&\n        parsed.hostname === \"tauri.localhost\" &&\n        (host.startsWith(\"localhost:\") || host.startsWith(\"127.0.0.1:\"))\n      ) {\n        return true;\n      }\n      if (\n        parsed.protocol === \"http:\" &&\n        (parsed.hostname === \"localhost\" || parsed.hostname === \"127.0.0.1\") &&\n        parsed.port === \"1420\" &&\n        (host.startsWith(\"localhost:\") || host.startsWith(\"127.0.0.1:\"))\n      ) {\n        return true;\n      }\n      return false;\n    } catch {\n      return false;\n    }\n  }\n  const fetchSite = getRequestHeader(event, \"sec-fetch-site\");\n  if (fetchSite) return fetchSite === \"same-origin\" || fetchSite === \"none\";\n  return true;\n}\n\nexport async function resolveGoogleRealtimeCredentials(opts: {\n  userEmail?: string | null;\n  orgId?: string | null;\n}): Promise<string | null> {\n  const secretRefs: Array<{\n    scope: \"user\" | \"org\" | \"workspace\";\n    scopeId: string;\n  }> = [];\n  if (opts.userEmail) {\n    secretRefs.push({ scope: \"user\", scopeId: opts.userEmail });\n    if (opts.orgId) {\n      secretRefs.push(\n        { scope: \"org\", scopeId: opts.orgId },\n        { scope: \"workspace\", scopeId: opts.orgId },\n      );\n    } else {\n      secretRefs.push({\n        scope: \"workspace\",\n        scopeId: `solo:${opts.userEmail}`,\n      });\n    }\n  }\n\n  for (const ref of secretRefs) {\n    const secret = await readAppSecret({\n      key: \"GOOGLE_APPLICATION_CREDENTIALS\",\n      scope: ref.scope,\n      scopeId: ref.scopeId,\n    }).catch(() => null);\n    const fromSecret = secret?.value?.trim();\n    if (fromSecret) return fromSecret;\n  }\n\n  const stored = await resolveCredential(\"GOOGLE_APPLICATION_CREDENTIALS\", {\n    userEmail: opts.userEmail ?? undefined,\n    orgId: opts.orgId ?? undefined,\n  }).catch(() => undefined);\n  const fromSettings = stored?.trim();\n  if (fromSettings) return fromSettings;\n\n  const envValue = process.env.GOOGLE_APPLICATION_CREDENTIALS?.trim();\n  if (!envValue) return null;\n  if (envValue.startsWith(\"{\")) return envValue;\n\n  try {\n    const fileContents = await readFile(envValue, \"utf8\");\n    const trimmed = fileContents.trim();\n    return trimmed || null;\n  } catch {\n    throw new Error(\n      \"GOOGLE_APPLICATION_CREDENTIALS points to a file path the framework server could not read\",\n    );\n  }\n}\n\nexport function createGoogleRealtimeSessionHandler() {\n  return defineEventHandler(async (event: H3Event) => {\n    if (getMethod(event) !== \"POST\") {\n      setResponseStatus(event, 405);\n      return { error: \"Method not allowed\" };\n    }\n    if (!isSameOriginRequest(event)) {\n      setResponseStatus(event, 403);\n      return { error: \"Cross-origin request rejected\" };\n    }\n\n    const session = await getSession(event).catch(() => null);\n    if (!session?.email) {\n      setResponseStatus(event, 401);\n      return { error: \"Authentication required\" };\n    }\n\n    const orgCtx = await getOrgContext(event).catch(() => null);\n    const requestContext = {\n      userEmail: session.email,\n      orgId: orgCtx?.orgId ?? undefined,\n    };\n\n    return runWithRequestContext(requestContext, async () => {\n      const googleApplicationCredentials =\n        await resolveGoogleRealtimeCredentials({\n          userEmail: session.email,\n          orgId: orgCtx?.orgId ?? undefined,\n        });\n      if (!googleApplicationCredentials) {\n        setResponseStatus(event, 400);\n        return {\n          error:\n            \"Configure GOOGLE_APPLICATION_CREDENTIALS in Settings to use Google realtime transcription.\",\n        };\n      }\n\n      const builderCreds = await resolveBuilderCredentials();\n      if (!builderCreds.privateKey || !builderCreds.publicKey) {\n        setResponseStatus(event, 400);\n        return {\n          error:\n            \"Builder must be connected to mint a managed realtime transcription session.\",\n        };\n      }\n\n      const apiHost = process.env.BUILDER_API_HOST || \"https://api.builder.io\";\n      const body = ((await readBody(event).catch(() => ({}))) || {}) as {\n        language?: unknown;\n      };\n      const res = await fetch(\n        `${apiHost}/agent-native/transcribe-stream/session`,\n        {\n          method: \"POST\",\n          headers: {\n            \"Content-Type\": \"application/json\",\n            Authorization: `Bearer ${builderCreds.privateKey}`,\n            \"x-builder-api-key\": builderCreds.publicKey,\n            ...(builderCreds.userId\n              ? { \"x-builder-user-id\": builderCreds.userId }\n              : {}),\n          },\n          body: JSON.stringify({\n            googleApplicationCredentials,\n            language:\n              typeof body?.language === \"string\"\n                ? body.language.trim()\n                : undefined,\n          }),\n        },\n      ).catch((err: any) => {\n        throw new Error(\n          err?.message || \"Failed to reach realtime transcription service\",\n        );\n      });\n\n      if (!res.ok) {\n        const errorBody = await res\n          .json()\n          .catch(() => ({ error: `HTTP ${res.status}` }));\n        setResponseStatus(event, res.status);\n        return {\n          error:\n            typeof errorBody?.error === \"string\"\n              ? errorBody.error\n              : `Realtime session failed (${res.status})`,\n        };\n      }\n\n      const payload = (await res.json()) as GoogleRealtimeSessionResponse;\n      if (!payload?.websocketUrl) {\n        setResponseStatus(event, 502);\n        return {\n          error:\n            \"Realtime transcription service did not return a websocket URL.\",\n        };\n      }\n      return payload;\n    });\n  });\n}\n"]}
+{"version":3,"file":"google-realtime-session.js","sourceRoot":"","sources":["../../src/server/google-realtime-session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,QAAQ,EACR,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,0BAA0B,CAAC;AAQrE,SAAS,mBAAmB,CAAC,KAAc;IACzC,MAAM,IAAI,GAAG,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACjD,IAAI,MAAM,IAAI,IAAI,EAAE,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;YAC/B,IAAI,MAAM,CAAC,IAAI,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;YACtC,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;gBACpE,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IACE,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;gBAC7D,MAAM,CAAC,QAAQ,KAAK,iBAAiB;gBACrC,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,EAChE,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,IACE,MAAM,CAAC,QAAQ,KAAK,OAAO;gBAC3B,CAAC,MAAM,CAAC,QAAQ,KAAK,WAAW,IAAI,MAAM,CAAC,QAAQ,KAAK,WAAW,CAAC;gBACpE,MAAM,CAAC,IAAI,KAAK,MAAM;gBACtB,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,EAChE,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,MAAM,SAAS,GAAG,gBAAgB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IAC5D,IAAI,SAAS;QAAE,OAAO,SAAS,KAAK,aAAa,IAAI,SAAS,KAAK,MAAM,CAAC;IAC1E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gCAAgC,CAAC,IAGtD;IACC,MAAM,UAAU,GAGX,EAAE,CAAC;IACR,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QACnB,UAAU,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC;QAC5D,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,UAAU,CAAC,IAAI,CACb,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,EACrC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,EAAE,CAC5C,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,IAAI,CAAC;gBACd,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,QAAQ,IAAI,CAAC,SAAS,EAAE;aAClC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC;YACjC,GAAG,EAAE,gCAAgC;YACrC,KAAK,EAAE,GAAG,CAAC,KAAK;YAChB,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACrB,MAAM,UAAU,GAAG,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACzC,IAAI,UAAU;YAAE,OAAO,UAAU,CAAC;IACpC,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS;QAC3B,CAAC,CAAC,MAAM,iBAAiB,CAAC,gCAAgC,EAAE;YACxD,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS;SAC/B,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC;QAC3B,CAAC,CAAC,SAAS,CAAC;IACd,MAAM,YAAY,GAAG,MAAM,EAAE,IAAI,EAAE,CAAC;IACpC,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IAEtC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,8BAA8B,EAAE,IAAI,EAAE,CAAC;IACpE,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,QAAQ,CAAC;IAE9C,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACtD,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;QACpC,OAAO,OAAO,IAAI,IAAI,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,0FAA0F,CAC3F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kCAAkC;IAChD,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QACD,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,+BAA+B,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;YACpB,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QAC9C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QAC5D,MAAM,cAAc,GAAG;YACrB,SAAS,EAAE,OAAO,CAAC,KAAK;YACxB,KAAK,EAAE,MAAM,EAAE,KAAK,IAAI,SAAS;SAClC,CAAC;QAEF,OAAO,qBAAqB,CAAC,cAAc,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,4BAA4B,GAChC,MAAM,gCAAgC,CAAC;gBACrC,SAAS,EAAE,OAAO,CAAC,KAAK;gBACxB,KAAK,EAAE,MAAM,EAAE,KAAK,IAAI,SAAS;aAClC,CAAC,CAAC;YACL,IAAI,CAAC,4BAA4B,EAAE,CAAC;gBAClC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,4FAA4F;iBAC/F,CAAC;YACJ,CAAC;YAED,MAAM,YAAY,GAAG,MAAM,yBAAyB,EAAE,CAAC;YACvD,IAAI,CAAC,YAAY,CAAC,UAAU,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;gBACxD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,6EAA6E;iBAChF,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,wBAAwB,CAAC;YACzE,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAE5D,CAAC;YACF,MAAM,GAAG,GAAG,MAAM,KAAK,CACrB,GAAG,OAAO,yCAAyC,EACnD;gBACE,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;oBAClC,aAAa,EAAE,UAAU,YAAY,CAAC,UAAU,EAAE;oBAClD,mBAAmB,EAAE,YAAY,CAAC,SAAS;oBAC3C,GAAG,CAAC,YAAY,CAAC,MAAM;wBACrB,CAAC,CAAC,EAAE,mBAAmB,EAAE,YAAY,CAAC,MAAM,EAAE;wBAC9C,CAAC,CAAC,EAAE,CAAC;iBACR;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,4BAA4B;oBAC5B,QAAQ,EACN,OAAO,IAAI,EAAE,QAAQ,KAAK,QAAQ;wBAChC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE;wBACtB,CAAC,CAAC,SAAS;iBAChB,CAAC;aACH,CACF,CAAC,KAAK,CAAC,CAAC,GAAQ,EAAE,EAAE;gBACnB,MAAM,IAAI,KAAK,CACb,GAAG,EAAE,OAAO,IAAI,gDAAgD,CACjE,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,SAAS,GAAG,MAAM,GAAG;qBACxB,IAAI,EAAE;qBACN,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,KAAK,EAAE,QAAQ,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC;gBAClD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;gBACrC,OAAO;oBACL,KAAK,EACH,OAAO,SAAS,EAAE,KAAK,KAAK,QAAQ;wBAClC,CAAC,CAAC,SAAS,CAAC,KAAK;wBACjB,CAAC,CAAC,4BAA4B,GAAG,CAAC,MAAM,GAAG;iBAChD,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkC,CAAC;YACpE,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,CAAC;gBAC3B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC9B,OAAO;oBACL,KAAK,EACH,gEAAgE;iBACnE,CAAC;YACJ,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { readFile } from \"node:fs/promises\";\nimport {\n  defineEventHandler,\n  getMethod,\n  getRequestHeader,\n  readBody,\n  setResponseStatus,\n  type H3Event,\n} from \"h3\";\nimport { readAppSecret } from \"../secrets/storage.js\";\nimport { resolveCredential } from \"../credentials/index.js\";\nimport { getSession } from \"./auth.js\";\nimport { getOrgContext } from \"../org/context.js\";\nimport { runWithRequestContext } from \"./request-context.js\";\nimport { resolveBuilderCredentials } from \"./credential-provider.js\";\n\ninterface GoogleRealtimeSessionResponse {\n  websocketUrl: string;\n  sessionToken: string;\n  websocketProtocol?: string;\n}\n\nfunction isSameOriginRequest(event: H3Event): boolean {\n  const host = getRequestHeader(event, \"host\");\n  const origin = getRequestHeader(event, \"origin\");\n  if (origin && host) {\n    try {\n      const parsed = new URL(origin);\n      if (parsed.host === host) return true;\n      if (parsed.protocol === \"tauri:\" && parsed.hostname === \"localhost\") {\n        return true;\n      }\n      if (\n        (parsed.protocol === \"http:\" || parsed.protocol === \"https:\") &&\n        parsed.hostname === \"tauri.localhost\" &&\n        (host.startsWith(\"localhost:\") || host.startsWith(\"127.0.0.1:\"))\n      ) {\n        return true;\n      }\n      if (\n        parsed.protocol === \"http:\" &&\n        (parsed.hostname === \"localhost\" || parsed.hostname === \"127.0.0.1\") &&\n        parsed.port === \"1420\" &&\n        (host.startsWith(\"localhost:\") || host.startsWith(\"127.0.0.1:\"))\n      ) {\n        return true;\n      }\n      return false;\n    } catch {\n      return false;\n    }\n  }\n  const fetchSite = getRequestHeader(event, \"sec-fetch-site\");\n  if (fetchSite) return fetchSite === \"same-origin\" || fetchSite === \"none\";\n  return true;\n}\n\nexport async function resolveGoogleRealtimeCredentials(opts: {\n  userEmail?: string | null;\n  orgId?: string | null;\n}): Promise<string | null> {\n  const secretRefs: Array<{\n    scope: \"user\" | \"org\" | \"workspace\";\n    scopeId: string;\n  }> = [];\n  if (opts.userEmail) {\n    secretRefs.push({ scope: \"user\", scopeId: opts.userEmail });\n    if (opts.orgId) {\n      secretRefs.push(\n        { scope: \"org\", scopeId: opts.orgId },\n        { scope: \"workspace\", scopeId: opts.orgId },\n      );\n    } else {\n      secretRefs.push({\n        scope: \"workspace\",\n        scopeId: `solo:${opts.userEmail}`,\n      });\n    }\n  }\n\n  for (const ref of secretRefs) {\n    const secret = await readAppSecret({\n      key: \"GOOGLE_APPLICATION_CREDENTIALS\",\n      scope: ref.scope,\n      scopeId: ref.scopeId,\n    }).catch(() => null);\n    const fromSecret = secret?.value?.trim();\n    if (fromSecret) return fromSecret;\n  }\n\n  const stored = opts.userEmail\n    ? await resolveCredential(\"GOOGLE_APPLICATION_CREDENTIALS\", {\n        userEmail: opts.userEmail,\n        orgId: opts.orgId ?? undefined,\n      }).catch(() => undefined)\n    : undefined;\n  const fromSettings = stored?.trim();\n  if (fromSettings) return fromSettings;\n\n  const envValue = process.env.GOOGLE_APPLICATION_CREDENTIALS?.trim();\n  if (!envValue) return null;\n  if (envValue.startsWith(\"{\")) return envValue;\n\n  try {\n    const fileContents = await readFile(envValue, \"utf8\");\n    const trimmed = fileContents.trim();\n    return trimmed || null;\n  } catch {\n    throw new Error(\n      \"GOOGLE_APPLICATION_CREDENTIALS points to a file path the framework server could not read\",\n    );\n  }\n}\n\nexport function createGoogleRealtimeSessionHandler() {\n  return defineEventHandler(async (event: H3Event) => {\n    if (getMethod(event) !== \"POST\") {\n      setResponseStatus(event, 405);\n      return { error: \"Method not allowed\" };\n    }\n    if (!isSameOriginRequest(event)) {\n      setResponseStatus(event, 403);\n      return { error: \"Cross-origin request rejected\" };\n    }\n\n    const session = await getSession(event).catch(() => null);\n    if (!session?.email) {\n      setResponseStatus(event, 401);\n      return { error: \"Authentication required\" };\n    }\n\n    const orgCtx = await getOrgContext(event).catch(() => null);\n    const requestContext = {\n      userEmail: session.email,\n      orgId: orgCtx?.orgId ?? undefined,\n    };\n\n    return runWithRequestContext(requestContext, async () => {\n      const googleApplicationCredentials =\n        await resolveGoogleRealtimeCredentials({\n          userEmail: session.email,\n          orgId: orgCtx?.orgId ?? undefined,\n        });\n      if (!googleApplicationCredentials) {\n        setResponseStatus(event, 400);\n        return {\n          error:\n            \"Configure GOOGLE_APPLICATION_CREDENTIALS in Settings to use Google realtime transcription.\",\n        };\n      }\n\n      const builderCreds = await resolveBuilderCredentials();\n      if (!builderCreds.privateKey || !builderCreds.publicKey) {\n        setResponseStatus(event, 400);\n        return {\n          error:\n            \"Builder must be connected to mint a managed realtime transcription session.\",\n        };\n      }\n\n      const apiHost = process.env.BUILDER_API_HOST || \"https://api.builder.io\";\n      const body = ((await readBody(event).catch(() => ({}))) || {}) as {\n        language?: unknown;\n      };\n      const res = await fetch(\n        `${apiHost}/agent-native/transcribe-stream/session`,\n        {\n          method: \"POST\",\n          headers: {\n            \"Content-Type\": \"application/json\",\n            Authorization: `Bearer ${builderCreds.privateKey}`,\n            \"x-builder-api-key\": builderCreds.publicKey,\n            ...(builderCreds.userId\n              ? { \"x-builder-user-id\": builderCreds.userId }\n              : {}),\n          },\n          body: JSON.stringify({\n            googleApplicationCredentials,\n            language:\n              typeof body?.language === \"string\"\n                ? body.language.trim()\n                : undefined,\n          }),\n        },\n      ).catch((err: any) => {\n        throw new Error(\n          err?.message || \"Failed to reach realtime transcription service\",\n        );\n      });\n\n      if (!res.ok) {\n        const errorBody = await res\n          .json()\n          .catch(() => ({ error: `HTTP ${res.status}` }));\n        setResponseStatus(event, res.status);\n        return {\n          error:\n            typeof errorBody?.error === \"string\"\n              ? errorBody.error\n              : `Realtime session failed (${res.status})`,\n        };\n      }\n\n      const payload = (await res.json()) as GoogleRealtimeSessionResponse;\n      if (!payload?.websocketUrl) {\n        setResponseStatus(event, 502);\n        return {\n          error:\n            \"Realtime transcription service did not return a websocket URL.\",\n        };\n      }\n      return payload;\n    });\n  });\n}\n"]}

package/dist/server/h3-helpers.d.ts

@@ -1,5 +1,33 @@
 import type { H3Event } from "h3";
 import type { ReadStream } from "node:fs";
+/**
+ * Default maximum chat-POST body size (25 MB uncompressed). The agent chat
+ * body carries base64-encoded attachments so a 25 MB cap is generous while
+ * still protecting against runaway payloads. Override per-route by passing a
+ * different `maxBytes` value to `readBodyWithSizeLimit`.
+ */
+export declare const DEFAULT_CHAT_MAX_BODY_BYTES: number;
+/**
+ * Maximum file size for upload routes (25 MB). Mirrors Whisper's hard limit
+ * so audio, image, and document uploads share a consistent ceiling.
+ */
+export declare const DEFAULT_UPLOAD_MAX_FILE_BYTES: number;
+/**
+ * Maximum number of attachments per chat message. Guards against pathological
+ * requests that would fan out into hundreds of parallel model content-parts.
+ */
+export declare const MAX_CHAT_ATTACHMENTS_PER_MESSAGE = 20;
+/**
+ * MIME types allowed on the file-upload routes. Executables and scripts are
+ * explicitly excluded; everything else is allowed at the default tier.
+ * Pass `allowedMimeTypes` to `assertAllowedMimeType` to enforce on a route.
+ */
+export declare const UPLOAD_ALLOWED_MIME_PREFIXES: string[];
+/**
+ * Returns true when the given MIME type is acceptable for uploads.
+ * Blocks executables and scripts; allows everything else in the allow-prefix list.
+ */
+export declare function isAllowedUploadMimeType(mimeType: string): boolean;
 /**
  * Parse a JSON request body. Returns `{}` if the body is empty or absent
  * so callers don't have to null-check before destructuring.
@@ -10,6 +38,17 @@ import type { ReadStream } from "node:fs";
  *   const { email, password } = await readBody<LoginRequest>(event);
  */
 export declare function readBody<T = any>(event: H3Event): Promise<T>;
+/**
+ * Like `readBody` but rejects with a 413 response when the declared
+ * `content-length` (or the actual buffered body) exceeds `maxBytes`.
+ *
+ * @param event - H3 event
+ * @param maxBytes - Maximum allowed body size in bytes (default: 25 MB)
+ * @returns Parsed body or `{}` when absent
+ * @throws Never — on over-size it sets status 413 and throws an object with
+ *   `{ statusCode: 413, message }` so the h3 handler can propagate it.
+ */
+export declare function readBodyWithSizeLimit<T = any>(event: H3Event, maxBytes?: number): Promise<T>;
 /**
  * Convert a Node `ReadStream` (e.g. from `fs.createReadStream`) into a web
  * `ReadableStream`, suitable for returning directly from an h3 v2 handler.

package/dist/server/h3-helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"h3-helpers.d.ts","sourceRoot":"","sources":["../../src/server/h3-helpers.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAElC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1C;;;;;;;;GAQG;AACH,wBAAsB,QAAQ,CAAC,CAAC,GAAG,GAAG,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAElE;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAE7D"}
+{"version":3,"file":"h3-helpers.d.ts","sourceRoot":"","sources":["../../src/server/h3-helpers.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAElC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1C;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B,QAAmB,CAAC;AAE5D;;;GAGG;AACH,eAAO,MAAM,6BAA6B,QAAmB,CAAC;AAE9D;;;GAGG;AACH,eAAO,MAAM,gCAAgC,KAAK,CAAC;AAEnD;;;;GAIG;AACH,eAAO,MAAM,4BAA4B,UAaxC,CAAC;AAWF;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAMjE;AAED;;;;;;;;GAQG;AACH,wBAAsB,QAAQ,CAAC,CAAC,GAAG,GAAG,EAAE,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC,CAElE;AAED;;;;;;;;;GASG;AACH,wBAAsB,qBAAqB,CAAC,CAAC,GAAG,GAAG,EACjD,KAAK,EAAE,OAAO,EACd,QAAQ,GAAE,MAAoC,GAC7C,OAAO,CAAC,CAAC,CAAC,CAwCZ;AAED;;;;;;;;GAQG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAE7D"}

package/dist/server/h3-helpers.js

@@ -4,12 +4,71 @@
  * `readBody` — wraps h3's `readBody` so the result is typed `any` by default
  * (h3 v2 infers `unknown`, which forces `as` casts at every call site).
  *
+ * `readBodyWithSizeLimit` — like `readBody` but rejects with a 413 response
+ * when the `content-length` header (or the buffered body size) exceeds the
+ * given threshold. Use this on any route whose payload can include inline
+ * base64 attachments (chat POST, upload routes).
+ *
  * `streamFile` — converts a Node `ReadStream` to a web `ReadableStream` so
  * route handlers can return file content without importing `node:stream`
  * inline. h3 v2 expects web streams everywhere.
  */
-import { readBody as _readBody } from "h3";
+import { readBody as _readBody, getHeader, setResponseStatus } from "h3";
 import { Readable } from "node:stream";
+/**
+ * Default maximum chat-POST body size (25 MB uncompressed). The agent chat
+ * body carries base64-encoded attachments so a 25 MB cap is generous while
+ * still protecting against runaway payloads. Override per-route by passing a
+ * different `maxBytes` value to `readBodyWithSizeLimit`.
+ */
+export const DEFAULT_CHAT_MAX_BODY_BYTES = 25 * 1024 * 1024;
+/**
+ * Maximum file size for upload routes (25 MB). Mirrors Whisper's hard limit
+ * so audio, image, and document uploads share a consistent ceiling.
+ */
+export const DEFAULT_UPLOAD_MAX_FILE_BYTES = 25 * 1024 * 1024;
+/**
+ * Maximum number of attachments per chat message. Guards against pathological
+ * requests that would fan out into hundreds of parallel model content-parts.
+ */
+export const MAX_CHAT_ATTACHMENTS_PER_MESSAGE = 20;
+/**
+ * MIME types allowed on the file-upload routes. Executables and scripts are
+ * explicitly excluded; everything else is allowed at the default tier.
+ * Pass `allowedMimeTypes` to `assertAllowedMimeType` to enforce on a route.
+ */
+export const UPLOAD_ALLOWED_MIME_PREFIXES = [
+    "image/",
+    "video/",
+    "audio/",
+    "text/",
+    "application/pdf",
+    "application/json",
+    "application/zip",
+    "application/gzip",
+    "application/x-tar",
+    "application/vnd.ms-excel",
+    "application/vnd.openxmlformats-officedocument",
+    "application/msword",
+];
+/** Mime types that are always rejected even if a prefix matches. */
+const UPLOAD_BLOCKED_MIME_TYPES = new Set([
+    "application/x-msdownload",
+    "application/x-executable",
+    "application/x-sh",
+    "application/x-bat",
+    "application/x-msdos-program",
+]);
+/**
+ * Returns true when the given MIME type is acceptable for uploads.
+ * Blocks executables and scripts; allows everything else in the allow-prefix list.
+ */
+export function isAllowedUploadMimeType(mimeType) {
+    const lower = (mimeType || "").toLowerCase().split(";")[0].trim();
+    if (UPLOAD_BLOCKED_MIME_TYPES.has(lower))
+        return false;
+    return UPLOAD_ALLOWED_MIME_PREFIXES.some((prefix) => lower.startsWith(prefix));
+}
 /**
  * Parse a JSON request body. Returns `{}` if the body is empty or absent
  * so callers don't have to null-check before destructuring.
@@ -22,6 +81,50 @@ import { Readable } from "node:stream";
 export async function readBody(event) {
     return ((await _readBody(event)) ?? {});
 }
+/**
+ * Like `readBody` but rejects with a 413 response when the declared
+ * `content-length` (or the actual buffered body) exceeds `maxBytes`.
+ *
+ * @param event - H3 event
+ * @param maxBytes - Maximum allowed body size in bytes (default: 25 MB)
+ * @returns Parsed body or `{}` when absent
+ * @throws Never — on over-size it sets status 413 and throws an object with
+ *   `{ statusCode: 413, message }` so the h3 handler can propagate it.
+ */
+export async function readBodyWithSizeLimit(event, maxBytes = DEFAULT_CHAT_MAX_BODY_BYTES) {
+    // Fast-path: check Content-Length before buffering the body.
+    const clRaw = getHeader(event, "content-length");
+    if (clRaw) {
+        const declared = parseInt(clRaw, 10);
+        if (!Number.isNaN(declared) && declared > maxBytes) {
+            setResponseStatus(event, 413);
+            throw Object.assign(new Error(`Request body too large (max ${maxBytes} bytes)`), {
+                statusCode: 413,
+            });
+        }
+    }
+    const body = await _readBody(event);
+    // Also check the actual serialised size for chunked requests that omit C-L.
+    if (body !== null && body !== undefined) {
+        let actualBytes;
+        if (typeof body === "string") {
+            actualBytes = Buffer.byteLength(body, "utf8");
+        }
+        else {
+            try {
+                actualBytes = Buffer.byteLength(JSON.stringify(body), "utf8");
+            }
+            catch {
+                actualBytes = 0;
+            }
+        }
+        if (actualBytes > maxBytes) {
+            setResponseStatus(event, 413);
+            throw Object.assign(new Error(`Request body too large (max ${maxBytes} bytes)`), { statusCode: 413 });
+        }
+    }
+    return (body ?? {});
+}
 /**
  * Convert a Node `ReadStream` (e.g. from `fs.createReadStream`) into a web
  * `ReadableStream`, suitable for returning directly from an h3 v2 handler.

package/dist/server/h3-helpers.js.map

@@ -1 +1 @@
-{"version":3,"file":"h3-helpers.js","sourceRoot":"","sources":["../../src/server/h3-helpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,EAAE,QAAQ,IAAI,SAAS,EAAE,MAAM,IAAI,CAAC;AAE3C,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAU,KAAc;IACpD,OAAO,CAAC,CAAC,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAM,CAAC;AAC/C,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,OAAO,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAmB,CAAC;AAClD,CAAC","sourcesContent":["/**\n * Small helpers around h3 v2 that polish ergonomics for templates.\n *\n * `readBody` — wraps h3's `readBody` so the result is typed `any` by default\n * (h3 v2 infers `unknown`, which forces `as` casts at every call site).\n *\n * `streamFile` — converts a Node `ReadStream` to a web `ReadableStream` so\n * route handlers can return file content without importing `node:stream`\n * inline. h3 v2 expects web streams everywhere.\n */\nimport { readBody as _readBody } from \"h3\";\nimport type { H3Event } from \"h3\";\nimport { Readable } from \"node:stream\";\nimport type { ReadStream } from \"node:fs\";\n\n/**\n * Parse a JSON request body. Returns `{}` if the body is empty or absent\n * so callers don't have to null-check before destructuring.\n *\n * Defaults T to `any` for ergonomic field access. Pass an explicit type\n * argument when you want a typed result:\n *\n *   const { email, password } = await readBody<LoginRequest>(event);\n */\nexport async function readBody<T = any>(event: H3Event): Promise<T> {\n  return ((await _readBody(event)) ?? {}) as T;\n}\n\n/**\n * Convert a Node `ReadStream` (e.g. from `fs.createReadStream`) into a web\n * `ReadableStream`, suitable for returning directly from an h3 v2 handler.\n *\n *   import { streamFile } from \"@agent-native/core/server\";\n *   import fs from \"node:fs\";\n *\n *   return streamFile(fs.createReadStream(filePath));\n */\nexport function streamFile(stream: ReadStream): ReadableStream {\n  return Readable.toWeb(stream) as ReadableStream;\n}\n"]}
+{"version":3,"file":"h3-helpers.js","sourceRoot":"","sources":["../../src/server/h3-helpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,QAAQ,IAAI,SAAS,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAEzE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAGvC;;;;;GAKG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAE5D;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAE9D;;;GAGG;AACH,MAAM,CAAC,MAAM,gCAAgC,GAAG,EAAE,CAAC;AAEnD;;;;GAIG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAG;IAC1C,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,iBAAiB;IACjB,kBAAkB;IAClB,iBAAiB;IACjB,kBAAkB;IAClB,mBAAmB;IACnB,0BAA0B;IAC1B,+CAA+C;IAC/C,oBAAoB;CACrB,CAAC;AAEF,oEAAoE;AACpE,MAAM,yBAAyB,GAAG,IAAI,GAAG,CAAC;IACxC,0BAA0B;IAC1B,0BAA0B;IAC1B,kBAAkB;IAClB,mBAAmB;IACnB,6BAA6B;CAC9B,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAAgB;IACtD,MAAM,KAAK,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAClE,IAAI,yBAAyB,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACvD,OAAO,4BAA4B,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAClD,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CACzB,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAU,KAAc;IACpD,OAAO,CAAC,CAAC,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAM,CAAC;AAC/C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,KAAc,EACd,WAAmB,2BAA2B;IAE9C,6DAA6D;IAC7D,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACjD,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACrC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ,GAAG,QAAQ,EAAE,CAAC;YACnD,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,+BAA+B,QAAQ,SAAS,CAAC,EAC3D;gBACE,UAAU,EAAE,GAAG;aAChB,CACF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,KAAK,CAAC,CAAC;IAEpC,4EAA4E;IAC5E,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACxC,IAAI,WAAmB,CAAC;QACxB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,IAAI,CAAC;gBACH,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC;YAChE,CAAC;YAAC,MAAM,CAAC;gBACP,WAAW,GAAG,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QACD,IAAI,WAAW,GAAG,QAAQ,EAAE,CAAC;YAC3B,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,MAAM,MAAM,CAAC,MAAM,CACjB,IAAI,KAAK,CAAC,+BAA+B,QAAQ,SAAS,CAAC,EAC3D,EAAE,UAAU,EAAE,GAAG,EAAE,CACpB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,CAAC,IAAI,IAAI,EAAE,CAAM,CAAC;AAC3B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,OAAO,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAmB,CAAC;AAClD,CAAC","sourcesContent":["/**\n * Small helpers around h3 v2 that polish ergonomics for templates.\n *\n * `readBody` — wraps h3's `readBody` so the result is typed `any` by default\n * (h3 v2 infers `unknown`, which forces `as` casts at every call site).\n *\n * `readBodyWithSizeLimit` — like `readBody` but rejects with a 413 response\n * when the `content-length` header (or the buffered body size) exceeds the\n * given threshold. Use this on any route whose payload can include inline\n * base64 attachments (chat POST, upload routes).\n *\n * `streamFile` — converts a Node `ReadStream` to a web `ReadableStream` so\n * route handlers can return file content without importing `node:stream`\n * inline. h3 v2 expects web streams everywhere.\n */\nimport { readBody as _readBody, getHeader, setResponseStatus } from \"h3\";\nimport type { H3Event } from \"h3\";\nimport { Readable } from \"node:stream\";\nimport type { ReadStream } from \"node:fs\";\n\n/**\n * Default maximum chat-POST body size (25 MB uncompressed). The agent chat\n * body carries base64-encoded attachments so a 25 MB cap is generous while\n * still protecting against runaway payloads. Override per-route by passing a\n * different `maxBytes` value to `readBodyWithSizeLimit`.\n */\nexport const DEFAULT_CHAT_MAX_BODY_BYTES = 25 * 1024 * 1024;\n\n/**\n * Maximum file size for upload routes (25 MB). Mirrors Whisper's hard limit\n * so audio, image, and document uploads share a consistent ceiling.\n */\nexport const DEFAULT_UPLOAD_MAX_FILE_BYTES = 25 * 1024 * 1024;\n\n/**\n * Maximum number of attachments per chat message. Guards against pathological\n * requests that would fan out into hundreds of parallel model content-parts.\n */\nexport const MAX_CHAT_ATTACHMENTS_PER_MESSAGE = 20;\n\n/**\n * MIME types allowed on the file-upload routes. Executables and scripts are\n * explicitly excluded; everything else is allowed at the default tier.\n * Pass `allowedMimeTypes` to `assertAllowedMimeType` to enforce on a route.\n */\nexport const UPLOAD_ALLOWED_MIME_PREFIXES = [\n  \"image/\",\n  \"video/\",\n  \"audio/\",\n  \"text/\",\n  \"application/pdf\",\n  \"application/json\",\n  \"application/zip\",\n  \"application/gzip\",\n  \"application/x-tar\",\n  \"application/vnd.ms-excel\",\n  \"application/vnd.openxmlformats-officedocument\",\n  \"application/msword\",\n];\n\n/** Mime types that are always rejected even if a prefix matches. */\nconst UPLOAD_BLOCKED_MIME_TYPES = new Set([\n  \"application/x-msdownload\",\n  \"application/x-executable\",\n  \"application/x-sh\",\n  \"application/x-bat\",\n  \"application/x-msdos-program\",\n]);\n\n/**\n * Returns true when the given MIME type is acceptable for uploads.\n * Blocks executables and scripts; allows everything else in the allow-prefix list.\n */\nexport function isAllowedUploadMimeType(mimeType: string): boolean {\n  const lower = (mimeType || \"\").toLowerCase().split(\";\")[0].trim();\n  if (UPLOAD_BLOCKED_MIME_TYPES.has(lower)) return false;\n  return UPLOAD_ALLOWED_MIME_PREFIXES.some((prefix) =>\n    lower.startsWith(prefix),\n  );\n}\n\n/**\n * Parse a JSON request body. Returns `{}` if the body is empty or absent\n * so callers don't have to null-check before destructuring.\n *\n * Defaults T to `any` for ergonomic field access. Pass an explicit type\n * argument when you want a typed result:\n *\n *   const { email, password } = await readBody<LoginRequest>(event);\n */\nexport async function readBody<T = any>(event: H3Event): Promise<T> {\n  return ((await _readBody(event)) ?? {}) as T;\n}\n\n/**\n * Like `readBody` but rejects with a 413 response when the declared\n * `content-length` (or the actual buffered body) exceeds `maxBytes`.\n *\n * @param event - H3 event\n * @param maxBytes - Maximum allowed body size in bytes (default: 25 MB)\n * @returns Parsed body or `{}` when absent\n * @throws Never — on over-size it sets status 413 and throws an object with\n *   `{ statusCode: 413, message }` so the h3 handler can propagate it.\n */\nexport async function readBodyWithSizeLimit<T = any>(\n  event: H3Event,\n  maxBytes: number = DEFAULT_CHAT_MAX_BODY_BYTES,\n): Promise<T> {\n  // Fast-path: check Content-Length before buffering the body.\n  const clRaw = getHeader(event, \"content-length\");\n  if (clRaw) {\n    const declared = parseInt(clRaw, 10);\n    if (!Number.isNaN(declared) && declared > maxBytes) {\n      setResponseStatus(event, 413);\n      throw Object.assign(\n        new Error(`Request body too large (max ${maxBytes} bytes)`),\n        {\n          statusCode: 413,\n        },\n      );\n    }\n  }\n\n  const body = await _readBody(event);\n\n  // Also check the actual serialised size for chunked requests that omit C-L.\n  if (body !== null && body !== undefined) {\n    let actualBytes: number;\n    if (typeof body === \"string\") {\n      actualBytes = Buffer.byteLength(body, \"utf8\");\n    } else {\n      try {\n        actualBytes = Buffer.byteLength(JSON.stringify(body), \"utf8\");\n      } catch {\n        actualBytes = 0;\n      }\n    }\n    if (actualBytes > maxBytes) {\n      setResponseStatus(event, 413);\n      throw Object.assign(\n        new Error(`Request body too large (max ${maxBytes} bytes)`),\n        { statusCode: 413 },\n      );\n    }\n  }\n\n  return (body ?? {}) as T;\n}\n\n/**\n * Convert a Node `ReadStream` (e.g. from `fs.createReadStream`) into a web\n * `ReadableStream`, suitable for returning directly from an h3 v2 handler.\n *\n *   import { streamFile } from \"@agent-native/core/server\";\n *   import fs from \"node:fs\";\n *\n *   return streamFile(fs.createReadStream(filePath));\n */\nexport function streamFile(stream: ReadStream): ReadableStream {\n  return Readable.toWeb(stream) as ReadableStream;\n}\n"]}