@agent-native/core 0.48.2 → 0.48.4

Files changed (74) hide show
  1. package/README.md +4 -4
  2. package/dist/cli/skills.js +173 -30
  3. package/dist/cli/skills.js.map +1 -1
  4. package/dist/client/AssistantChat.d.ts.map +1 -1
  5. package/dist/client/AssistantChat.js +10 -19
  6. package/dist/client/AssistantChat.js.map +1 -1
  7. package/dist/client/ErrorBoundary.d.ts.map +1 -1
  8. package/dist/client/ErrorBoundary.js +34 -1
  9. package/dist/client/ErrorBoundary.js.map +1 -1
  10. package/dist/client/index.d.ts +2 -1
  11. package/dist/client/index.d.ts.map +1 -1
  12. package/dist/client/index.js +2 -1
  13. package/dist/client/index.js.map +1 -1
  14. package/dist/client/require-session.d.ts +61 -0
  15. package/dist/client/require-session.d.ts.map +1 -0
  16. package/dist/client/require-session.js +75 -0
  17. package/dist/client/require-session.js.map +1 -0
  18. package/dist/client/route-chunk-recovery.d.ts +17 -0
  19. package/dist/client/route-chunk-recovery.d.ts.map +1 -1
  20. package/dist/client/route-chunk-recovery.js +67 -0
  21. package/dist/client/route-chunk-recovery.js.map +1 -1
  22. package/dist/deploy/build.d.ts.map +1 -1
  23. package/dist/deploy/build.js +15 -71
  24. package/dist/deploy/build.js.map +1 -1
  25. package/dist/mcp/actions/service-token-access.d.ts.map +1 -1
  26. package/dist/mcp/actions/service-token-access.js +30 -2
  27. package/dist/mcp/actions/service-token-access.js.map +1 -1
  28. package/dist/server/auth.d.ts.map +1 -1
  29. package/dist/server/auth.js +3 -0
  30. package/dist/server/auth.js.map +1 -1
  31. package/dist/server/onboarding-html.d.ts.map +1 -1
  32. package/dist/server/onboarding-html.js +12 -11
  33. package/dist/server/onboarding-html.js.map +1 -1
  34. package/dist/server/ssr-handler.d.ts.map +1 -1
  35. package/dist/server/ssr-handler.js +42 -130
  36. package/dist/server/ssr-handler.js.map +1 -1
  37. package/dist/templates/workspace-core/.agents/skills/authentication/SKILL.md +36 -1
  38. package/docs/content/agent-web-surfaces.md +2 -2
  39. package/docs/content/authentication.md +1 -1
  40. package/docs/content/cloneable-saas.md +2 -2
  41. package/docs/content/code-agents-ui.md +16 -17
  42. package/docs/content/creating-templates.md +3 -3
  43. package/docs/content/deployment.md +18 -18
  44. package/docs/content/dispatch.md +2 -2
  45. package/docs/content/external-agents.md +21 -28
  46. package/docs/content/faq.md +1 -1
  47. package/docs/content/frames.md +1 -1
  48. package/docs/content/getting-started.md +7 -7
  49. package/docs/content/mcp-apps.md +1 -1
  50. package/docs/content/mcp-protocol.md +2 -2
  51. package/docs/content/migration-workbench.md +2 -2
  52. package/docs/content/multi-app-workspace.md +8 -8
  53. package/docs/content/multi-tenancy.md +1 -1
  54. package/docs/content/plan-plugin.md +6 -8
  55. package/docs/content/pr-visual-recap.md +23 -23
  56. package/docs/content/pure-agent-apps.md +1 -1
  57. package/docs/content/skills-guide.md +3 -3
  58. package/docs/content/template-analytics.md +1 -1
  59. package/docs/content/template-assets.md +4 -4
  60. package/docs/content/template-brain.md +1 -1
  61. package/docs/content/template-calendar.md +1 -1
  62. package/docs/content/template-clips.md +1 -1
  63. package/docs/content/template-content.md +1 -1
  64. package/docs/content/template-design.md +1 -1
  65. package/docs/content/template-dispatch.md +1 -1
  66. package/docs/content/template-forms.md +2 -2
  67. package/docs/content/template-mail.md +2 -2
  68. package/docs/content/template-plan.md +6 -12
  69. package/docs/content/template-slides.md +1 -1
  70. package/docs/content/template-starter.md +2 -2
  71. package/docs/content/template-videos.md +1 -1
  72. package/docs/content/workspace-management.md +1 -1
  73. package/package.json +1 -1
  74. package/src/templates/workspace-core/.agents/skills/authentication/SKILL.md +36 -1
@@ -1 +1 @@
1
- {"version":3,"file":"service-token-access.d.ts","sourceRoot":"","sources":["../../../src/mcp/actions/service-token-access.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,UAAU,EAAE,MAAM,CAAC;gBACP,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAKhD;AAED,uEAAuE;AACvE,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAczB;AAED,MAAM,WAAW,yBAAyB;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;CACf;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAAC,MAAM,EAAE;IACtD,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IACjC,6EAA6E;IAC7E,KAAK,EAAE,QAAQ,GAAG,MAAM,CAAC;CAC1B,GAAG,OAAO,CAAC,yBAAyB,CAAC,CA0BrC"}
1
+ {"version":3,"file":"service-token-access.d.ts","sourceRoot":"","sources":["../../../src/mcp/actions/service-token-access.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAElD,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,UAAU,EAAE,MAAM,CAAC;gBACP,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM;CAKhD;AAED,uEAAuE;AACvE,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAczB;AAkBD,MAAM,WAAW,yBAAyB;IACxC,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;CACf;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAAC,MAAM,EAAE;IACtD,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IACjC,6EAA6E;IAC7E,KAAK,EAAE,QAAQ,GAAG,MAAM,CAAC;CAC1B,GAAG,OAAO,CAAC,yBAAyB,CAAC,CA2CrC"}
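--- a/package/dist/mcp/actions/service-token-access.js
+++ b/package/dist/mcp/actions/service-token-access.js
@@ -37,6 +37,22 @@ export async function getOrgRoleForEmail(orgId, email) {
  return null;
  }
  }
+ /**
+ * Return all org IDs the email belongs to, or [] when the org tables are
+ * absent (template without orgs).
+ */
+ async function getOrgIdsForEmail(email) {
+ try {
+ const { rows } = await getDbExec().execute({
+ sql: `SELECT org_id FROM org_members WHERE LOWER(email) = ?`,
+ args: [email.toLowerCase()],
+ });
+ return rows.map((r) => String(r.org_id)).filter(Boolean);
+ }
+ catch {
+ return [];
+ }
+ }
  /**
  * Resolve and gate the caller for a service-token action. Throws
  * `ServiceTokenError` (401/400/403) on failure so the action route maps it to
@@ -47,9 +63,21 @@ export async function requireServiceTokenCaller(params) {
  if (!email) {
  throw new ServiceTokenError("Sign in to manage org service tokens.", 401);
  }
- const orgId = params.orgId?.trim();
+ // Prefer the org ID from the token's claims; fall back to looking up the
+ // user's org membership when the token was minted without org context (e.g.
+ // a personal connect token created before the user joined an org, or one
+ // created from a session that had no active org at the time).
+ let orgId = params.orgId?.trim() || "";
  if (!orgId) {
- throw new ServiceTokenError("No active organization. Service tokens are org-scoped — join or create an organization first.", 400);
+ const memberOrgs = await getOrgIdsForEmail(email);
+ if (memberOrgs.length === 0) {
+ throw new ServiceTokenError("No active organization. Service tokens are org-scoped — join or create an organization first.", 400);
+ }
+ if (memberOrgs.length > 1) {
+ throw new ServiceTokenError("Your session is not scoped to a specific organization and you belong to multiple orgs. " +
+ "Re-authenticate with an org-scoped session to disambiguate.", 400);
+ }
+ orgId = memberOrgs[0];
  }
  const role = await getOrgRoleForEmail(orgId, email);
  if (!role) {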
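Review bot: In `getOrgIdsForEmail`, `rows.map((r) => String(r.org_id)).filter(Boolean)` does not drop a missing ID, because `String(null)` is the truthy string `"null"`; filter before converting, e.g. `rows.map((r) => r.org_id).filter((id) => id != null && id !== "").map(String)`, and select `DISTINCT org_id` in case the table allows two rows for one org, which would otherwise trip the `memberOrgs.length > 1` branch. The bare `catch` also turns every database error into `[]`, so an outage is reported as the 400 "No active organization" message; that fails closed, but the doc comment only mentions absent tables and should say so or the catch should be narrowed. In `requireServiceTokenCaller`, the fallback lets a credential that carried no org claim act with the caller's full role in their only org, including `level === "manage"`; the role check that follows still gates it, but if the narrower reach of org-less tokens was relied on elsewhere, consider limiting the fallback to `read` or logging when it is taken. The body of `requireServiceTokenCaller` continues past the end of the second hunk.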
@@ -1 +1 @@
1
- {"version":3,"file":"service-token-access.js","sourceRoot":"","sources":["../../../src/mcp/actions/service-token-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAG/C,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,UAAU,CAAS;IACnB,YAAY,OAAe,EAAE,UAAkB;QAC7C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED,uEAAuE;AACvE,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAa,EACb,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;YACzC,GAAG,EAAE,4EAA4E;YACjF,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC;SACnC,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC;QAC3B,OAAO,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,QAAQ;YAC9D,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAQD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,MAK/C;IACC,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,iBAAiB,CAAC,uCAAuC,EAAE,GAAG,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,iBAAiB,CACzB,+FAA+F,EAC/F,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACpD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,iBAAiB,CACzB,4CAA4C,EAC5C,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACnD,MAAM,IAAI,iBAAiB,CACzB,gEAAgE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AAChC,CAAC","sourcesContent":["/**\n * Shared gating for the org service-token actions.\n *\n * GATING DECISION: the org model HAS roles (`org_members.role` is\n * 'owner' | 'admin' | 'member' — see `org/types.ts`), so minting and revoking\n * service tokens require the caller to be an org **owner or admin**. 
Listing\n * is allowed for any org member (token values are never stored, so the list\n * only exposes metadata).\n *\n * Synthetic service identities (`svc-*@service.<orgId>`) are never inserted\n * into `org_members`, so a leaked service token can NOT mint further service\n * tokens or revoke others — the role lookup simply finds no membership.\n */\nimport { getDbExec } from \"../../db/client.js\";\nimport type { OrgRole } from \"../../org/types.js\";\n\nexport class ServiceTokenError extends Error {\n statusCode: number;\n constructor(message: string, statusCode: number) {\n super(message);\n this.name = \"ServiceTokenError\";\n this.statusCode = statusCode;\n }\n}\n\n/** Look up the caller's role in `orgId`, or null when not a member. */\nexport async function getOrgRoleForEmail(\n orgId: string,\n email: string,\n): Promise<OrgRole | null> {\n try {\n const { rows } = await getDbExec().execute({\n sql: `SELECT role FROM org_members WHERE org_id = ? AND LOWER(email) = ? LIMIT 1`,\n args: [orgId, email.toLowerCase()],\n });\n const role = rows[0]?.role;\n return role === \"owner\" || role === \"admin\" || role === \"member\"\n ? role\n : null;\n } catch {\n // org tables not provisioned (template without orgs) → no membership.\n return null;\n }\n}\n\nexport interface ServiceTokenCallerContext {\n email: string;\n orgId: string;\n role: OrgRole;\n}\n\n/**\n * Resolve and gate the caller for a service-token action. Throws\n * `ServiceTokenError` (401/400/403) on failure so the action route maps it to\n * the right HTTP status.\n */\nexport async function requireServiceTokenCaller(params: {\n userEmail: string | undefined;\n orgId: string | null | undefined;\n /** 'manage' = mint/revoke (owner/admin only); 'read' = list (any member). 
*/\n level: \"manage\" | \"read\";\n}): Promise<ServiceTokenCallerContext> {\n const email = params.userEmail?.trim();\n if (!email) {\n throw new ServiceTokenError(\"Sign in to manage org service tokens.\", 401);\n }\n const orgId = params.orgId?.trim();\n if (!orgId) {\n throw new ServiceTokenError(\n \"No active organization. Service tokens are org-scoped — join or create an organization first.\",\n 400,\n );\n }\n const role = await getOrgRoleForEmail(orgId, email);\n if (!role) {\n throw new ServiceTokenError(\n \"You are not a member of this organization.\",\n 403,\n );\n }\n if (params.level === \"manage\" && role === \"member\") {\n throw new ServiceTokenError(\n \"Only org owners or admins can create or revoke service tokens.\",\n 403,\n );\n }\n return { email, orgId, role };\n}\n"]}
1
+ {"version":3,"file":"service-token-access.js","sourceRoot":"","sources":["../../../src/mcp/actions/service-token-access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAG/C,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1C,UAAU,CAAS;IACnB,YAAY,OAAe,EAAE,UAAkB;QAC7C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED,uEAAuE;AACvE,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,KAAa,EACb,KAAa;IAEb,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;YACzC,GAAG,EAAE,4EAA4E;YACjF,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC;SACnC,CAAC,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC;QAC3B,OAAO,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,QAAQ;YAC9D,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAAC,MAAM,CAAC;QACP,sEAAsE;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,iBAAiB,CAAC,KAAa;IAC5C,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,SAAS,EAAE,CAAC,OAAO,CAAC;YACzC,GAAG,EAAE,uDAAuD;YAC5D,IAAI,EAAE,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;SAC5B,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAQD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,MAK/C;IACC,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,iBAAiB,CAAC,uCAAuC,EAAE,GAAG,CAAC,CAAC;IAC5E,CAAC;IAED,yEAAyE;IACzE,4EAA4E;IAC5E,yEAAyE;IACzE,8DAA8D;IAC9D,IAAI,KAAK,GAAG,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,UAAU,GAAG,MAAM,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAClD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,iBAAiB,CACzB,+FAA+F,EAC/F,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,iBAAiB,CACzB,yFAAyF;gBACvF,6DAA6D,EAC/D,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,IAAI,GAAG,MA
AM,kBAAkB,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACpD,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,iBAAiB,CACzB,4CAA4C,EAC5C,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACnD,MAAM,IAAI,iBAAiB,CACzB,gEAAgE,EAChE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AAChC,CAAC","sourcesContent":["/**\n * Shared gating for the org service-token actions.\n *\n * GATING DECISION: the org model HAS roles (`org_members.role` is\n * 'owner' | 'admin' | 'member' — see `org/types.ts`), so minting and revoking\n * service tokens require the caller to be an org **owner or admin**. Listing\n * is allowed for any org member (token values are never stored, so the list\n * only exposes metadata).\n *\n * Synthetic service identities (`svc-*@service.<orgId>`) are never inserted\n * into `org_members`, so a leaked service token can NOT mint further service\n * tokens or revoke others — the role lookup simply finds no membership.\n */\nimport { getDbExec } from \"../../db/client.js\";\nimport type { OrgRole } from \"../../org/types.js\";\n\nexport class ServiceTokenError extends Error {\n statusCode: number;\n constructor(message: string, statusCode: number) {\n super(message);\n this.name = \"ServiceTokenError\";\n this.statusCode = statusCode;\n }\n}\n\n/** Look up the caller's role in `orgId`, or null when not a member. */\nexport async function getOrgRoleForEmail(\n orgId: string,\n email: string,\n): Promise<OrgRole | null> {\n try {\n const { rows } = await getDbExec().execute({\n sql: `SELECT role FROM org_members WHERE org_id = ? AND LOWER(email) = ? LIMIT 1`,\n args: [orgId, email.toLowerCase()],\n });\n const role = rows[0]?.role;\n return role === \"owner\" || role === \"admin\" || role === \"member\"\n ? 
role\n : null;\n } catch {\n // org tables not provisioned (template without orgs) → no membership.\n return null;\n }\n}\n\n/**\n * Return all org IDs the email belongs to, or [] when the org tables are\n * absent (template without orgs).\n */\nasync function getOrgIdsForEmail(email: string): Promise<string[]> {\n try {\n const { rows } = await getDbExec().execute({\n sql: `SELECT org_id FROM org_members WHERE LOWER(email) = ?`,\n args: [email.toLowerCase()],\n });\n return rows.map((r) => String(r.org_id)).filter(Boolean);\n } catch {\n return [];\n }\n}\n\nexport interface ServiceTokenCallerContext {\n email: string;\n orgId: string;\n role: OrgRole;\n}\n\n/**\n * Resolve and gate the caller for a service-token action. Throws\n * `ServiceTokenError` (401/400/403) on failure so the action route maps it to\n * the right HTTP status.\n */\nexport async function requireServiceTokenCaller(params: {\n userEmail: string | undefined;\n orgId: string | null | undefined;\n /** 'manage' = mint/revoke (owner/admin only); 'read' = list (any member). */\n level: \"manage\" | \"read\";\n}): Promise<ServiceTokenCallerContext> {\n const email = params.userEmail?.trim();\n if (!email) {\n throw new ServiceTokenError(\"Sign in to manage org service tokens.\", 401);\n }\n\n // Prefer the org ID from the token's claims; fall back to looking up the\n // user's org membership when the token was minted without org context (e.g.\n // a personal connect token created before the user joined an org, or one\n // created from a session that had no active org at the time).\n let orgId = params.orgId?.trim() || \"\";\n if (!orgId) {\n const memberOrgs = await getOrgIdsForEmail(email);\n if (memberOrgs.length === 0) {\n throw new ServiceTokenError(\n \"No active organization. 
Service tokens are org-scoped — join or create an organization first.\",\n 400,\n );\n }\n if (memberOrgs.length > 1) {\n throw new ServiceTokenError(\n \"Your session is not scoped to a specific organization and you belong to multiple orgs. \" +\n \"Re-authenticate with an org-scoped session to disambiguate.\",\n 400,\n );\n }\n orgId = memberOrgs[0];\n }\n\n const role = await getOrgRoleForEmail(orgId, email);\n if (!role) {\n throw new ServiceTokenError(\n \"You are not a member of this organization.\",\n 403,\n );\n }\n if (params.level === \"manage\" && role === \"member\") {\n throw new ServiceTokenError(\n \"Only org owners or admins can create or revoke service tokens.\",\n 403,\n );\n }\n return { email, orgId, role };\n}\n"]}
@@ -1 +1 @@
1
- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAkDhE,KAAK,KAAK,GAAG,SAAS,CAAC;AASvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAUlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAgC5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAe7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4DAA4D;IAC5D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mNAAmN;IACnN,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAoCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD;AAED,eAAO,MAAM,WAAW,QAA4C,CAAC;AACrE,eAAO,MAAM,yBAAyB,QACQ,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AAmCD,wBAAgB,+BAA+B,CAAC
,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAExE;AAgCD,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAIjE;AAkGD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CASpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CASjE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQzD;AAgND,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAI7D;AAyDD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAiHD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAwvBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAY5E;AAsID,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAS7E;AAknCD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAqKlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAMzE"}
1
+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAkDhE,KAAK,KAAK,GAAG,SAAS,CAAC;AASvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAUlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAgC5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAe7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4DAA4D;IAC5D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mNAAmN;IACnN,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAoCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD;AAED,eAAO,MAAM,WAAW,QAA4C,CAAC;AACrE,eAAO,MAAM,yBAAyB,QACQ,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AAmCD,wBAAgB,+BAA+B,CAAC
,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAExE;AAgCD,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAIjE;AAkGD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CASpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CASjE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQzD;AAgND,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAI7D;AAyDD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAiHD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AA2vBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAY5E;AAsID,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAS7E;AAknCD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAqKlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAMzE"}
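--- a/package/dist/server/auth.js
+++ b/package/dist/server/auth.js
@@ -1026,6 +1026,9 @@ function loginHtmlResponse(loginHtml, event) {
  // The sign-in document is part of the public server shell. Keep it on the
  // same short-fresh/long-SWR CDN policy as React Router SSR so hosted
  // template roots do not invoke origin just to render anonymous login UI.
+ // The login HTML is env-INDEPENDENT (a Google-only app always renders a
+ // working button), so a cached copy is never "wrong" — never downgrade
+ // this to private/no-store.
  ...DEFAULT_SSR_CACHE_HEADERS,
  "X-Robots-Tag": "noindex, nofollow",
  },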
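Review bot: The added comment justifies shared caching by the login HTML being env-independent, but what makes a CDN copy safe is that the document holds nothing per-request or per-user, and the comment does not say that. Neither `DEFAULT_SSR_CACHE_HEADERS` nor the code that builds `loginHtml` is visible in this hunk, so this is a documentation request rather than a confirmed defect. I would extend the comment with `// Safe to share-cache only while loginHtml embeds no per-request value (CSRF token, nonce, return URL) and this response sets no cookie.` so that a later change to the login page revisits the cache policy instead of following the "never downgrade" instruction. `loginHtmlResponse` starts and ends outside the hunk.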