@agent-native/core 0.49.9 → 0.49.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68) hide show
  1. package/dist/cli/pr-visual-recap-workflow.d.ts +1 -1
  2. package/dist/cli/pr-visual-recap-workflow.d.ts.map +1 -1
  3. package/dist/cli/pr-visual-recap-workflow.js +1 -1
  4. package/dist/cli/pr-visual-recap-workflow.js.map +1 -1
  5. package/dist/cli/recap.d.ts +4 -1
  6. package/dist/cli/recap.d.ts.map +1 -1
  7. package/dist/cli/recap.js +97 -23
  8. package/dist/cli/recap.js.map +1 -1
  9. package/dist/cli/skills.d.ts +5 -5
  10. package/dist/cli/skills.d.ts.map +1 -1
  11. package/dist/cli/skills.js +219 -24
  12. package/dist/cli/skills.js.map +1 -1
  13. package/dist/client/blocks/library/annotation-rail.d.ts.map +1 -1
  14. package/dist/client/blocks/library/annotation-rail.js +16 -6
  15. package/dist/client/blocks/library/annotation-rail.js.map +1 -1
  16. package/dist/deploy/build.d.ts.map +1 -1
  17. package/dist/deploy/build.js +10 -2
  18. package/dist/deploy/build.js.map +1 -1
  19. package/dist/extensions/actions.js +1 -1
  20. package/dist/extensions/actions.js.map +1 -1
  21. package/dist/local-artifacts/index.d.ts +101 -0
  22. package/dist/local-artifacts/index.d.ts.map +1 -0
  23. package/dist/local-artifacts/index.js +507 -0
  24. package/dist/local-artifacts/index.js.map +1 -0
  25. package/dist/secrets/substitution.js +2 -2
  26. package/dist/secrets/substitution.js.map +1 -1
  27. package/dist/server/auth-marketing.d.ts +1 -0
  28. package/dist/server/auth-marketing.d.ts.map +1 -1
  29. package/dist/server/auth-marketing.js +5 -0
  30. package/dist/server/auth-marketing.js.map +1 -1
  31. package/dist/server/auth.d.ts.map +1 -1
  32. package/dist/server/auth.js +59 -37
  33. package/dist/server/auth.js.map +1 -1
  34. package/dist/server/entry-server.d.ts +27 -4
  35. package/dist/server/entry-server.d.ts.map +1 -1
  36. package/dist/server/entry-server.js +63 -43
  37. package/dist/server/entry-server.js.map +1 -1
  38. package/dist/server/onboarding-html.d.ts.map +1 -1
  39. package/dist/server/onboarding-html.js +3 -3
  40. package/dist/server/onboarding-html.js.map +1 -1
  41. package/dist/server/social-og-image.d.ts +2 -0
  42. package/dist/server/social-og-image.d.ts.map +1 -1
  43. package/dist/server/social-og-image.js +20 -7
  44. package/dist/server/social-og-image.js.map +1 -1
  45. package/dist/server/ssr-handler.d.ts.map +1 -1
  46. package/dist/server/ssr-handler.js +2 -2
  47. package/dist/server/ssr-handler.js.map +1 -1
  48. package/dist/shared/index.d.ts +1 -1
  49. package/dist/shared/index.d.ts.map +1 -1
  50. package/dist/shared/index.js +1 -1
  51. package/dist/shared/index.js.map +1 -1
  52. package/dist/shared/social-meta.d.ts +2 -0
  53. package/dist/shared/social-meta.d.ts.map +1 -1
  54. package/dist/shared/social-meta.js +5 -0
  55. package/dist/shared/social-meta.js.map +1 -1
  56. package/dist/templates/default/.agents/skills/storing-data/SKILL.md +3 -1
  57. package/dist/templates/default/app/entry.server.tsx +8 -2
  58. package/dist/templates/starter-shell-sync.spec.ts +4 -3
  59. package/dist/templates/workspace-core/.agents/skills/extensions/SKILL.md +3 -2
  60. package/dist/templates/workspace-core/.agents/skills/storing-data/SKILL.md +3 -1
  61. package/docs/content/pr-visual-recap.md +4 -4
  62. package/docs/content/template-content.md +9 -0
  63. package/package.json +6 -1
  64. package/src/templates/default/.agents/skills/storing-data/SKILL.md +3 -1
  65. package/src/templates/default/app/entry.server.tsx +8 -2
  66. package/src/templates/starter-shell-sync.spec.ts +4 -3
  67. package/src/templates/workspace-core/.agents/skills/extensions/SKILL.md +3 -2
  68. package/src/templates/workspace-core/.agents/skills/storing-data/SKILL.md +3 -1
package/dist/secrets/substitution.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"substitution.js","sourceRoot":"","sources":["../../src/secrets/substitution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,EACL,eAAe,EACf,mBAAmB,GACpB,MAAM,8BAA8B,CAAC;AAEtC,MAAM,mBAAmB,GAAG,+BAA+B,CAAC;AAE5D,SAAS,0BAA0B;IACjC,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC;IAC3D,IAAI,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACrB,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,OAAO,CACL,UAAU,KAAK,GAAG;QAClB,UAAU,KAAK,MAAM;QACrB,UAAU,KAAK,KAAK;QACpB,UAAU,KAAK,IAAI,CACpB,CAAC;AACJ,CAAC;AAeD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAY,EACZ,KAAkB,EAClB,OAAe;IAEf,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC9C,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,wBAAwB,GAAG,0BAA0B,EAAE,CAAC;IAC9D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpC,IAAI,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAChE,qEAAqE;QACrE,mEAAmE;QACnE,oEAAoE;QACpE,IAAI,CAAC,MAAM,IAAI,KAAK,KAAK,MAAM,IAAI,wBAAwB,EAAE,CAAC;YAC5D,MAAM,GAAG,MAAM,aAAa,CAAC;gBAC3B,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC;aACtC,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mBAAmB,IAAI,+BAA+B,KAAK,+EAA+E,CAC3I,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,oBAAoB,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,IAAY,EACZ,WAAmB;IAEnB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC9C,MAAM,YAAY,GAA2B,EAAE,CAAC;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpC,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mBAAmB,IAAI,8HAA8H,CACtJ,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,oBAAoB,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;AAC5D,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,IAAY,EACZ,WAAmB;IAEnB,MAAM,UAAU,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACxD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;QAC1D,IAAI,MAAM;YAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,GAAG,GAAG,EAAE,EAAE,CAAC;IACpE,CAAC;IACD,MAAM,gBAAgB,GAAG,MAAM,oBAAoB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACvE,IAAI,gBAAgB;QAAE,OAAO,gBAAgB,CAAC;IAC9C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,IAAY,EACZ,WAAmB;IAEnB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAAC,IAAI,EAAE;QACtD,SAAS,EAAE,WAAW;QACtB,KAAK;QACL,KAAK,EAAE,MAAM;KACd,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC1B,IAAI,SAAS,EAAE,CAAC;QACd,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;SACnD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,QAAQ,GAAG,MAAM,yBAAyB,CAAC,IAAI,EAAE;QACrD,SAAS,EAAE,WAAW;QACtB,KAAK;QACL,KAAK,EAAE,KAAK;KACb,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC1B,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,OAAO;QACL,KAAK,EAAE,QAAQ;QACf,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE;KAC5C,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,WAAmB;IAEnB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,OAAO;YACL,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;YACvC,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE;YAChC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE;SACvC,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,mBAAmB,EAAE,IAAI,WAAW,CAAC;IACnD,OAAO;QACL,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;QACvC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,KAAK,EAAE,EAAE;KACjD,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAW,EACX,SAA0B;IAE1B,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAY,EACZ,KAAkB,EAClB,OAAe;IAEf,IAAI,IAAI,GAAG,MAAM,iBAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAClE,IAAI,CAAC,IAAI,IAAI,KAAK,KAAK,MAAM,IAAI,0BAA0B,EAAE,EAAE,CAAC;QAC9D,IAAI,GAAG,MAAM,iBAAiB,CAAC;YAC7B,GAAG,EAAE,IAAI;YACT,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC;SACtC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAyB;IAEzB,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC;QACnC,GAAG,EAAE,GAAG,CAAC,IAAI;QACb,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,GAAG,CAAC,OAAO;KACrB,CAAC,CAAC;IACH,OAAO,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,SAAS,mBAAmB,CAAC,WAAmB;IAC9C,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,KAAK,GAAG,mBAAmB,EAAE,IAAI,WAAW,CAAC;IACnD,OAAO,QAAQ,KAAK,EAAE,CAAC;AACzB,CAAC","sourcesContent":["/**\n * Server-side key substitution for automation tools.\n *\n * Resolves `${keys.NAME}` references in user-supplied strings (URLs, headers,\n * bodies, etc.) by looking up the named secret at tool-dispatch time. The\n * raw secret value NEVER enters the model's context — substitution happens\n * after the agent emits its tool call and before the request is dispatched.\n *\n * SECURITY — workspace-scope fallback (audit 05 H2):\n *\n * The user→workspace fallback is OPT-IN via the\n * `AGENT_NATIVE_KEYS_WORKSPACE_FALLBACK=1` env flag. Default OFF.\n *\n * When a user (any org member) writes a workspace-scoped `OPENAI_API_KEY`,\n * a default-on fallback would let every other org member's tools that\n * reference `${keys.OPENAI_API_KEY}` start using the malicious key\n * (key-skimming, mirror requests, billing hijack). The previous\n * fix-wave gated workspace-scope WRITES behind an org-admin check; this\n * file is the read-side defense-in-depth.\n *\n * When the env flag is unset, `resolveKeyReferences(\"user\", scopeId)`\n * queries ONLY user-scope rows. Tools/automations that need shared\n * defaults must explicitly look up via `scope: \"workspace\"`. Most\n * installs benefit from the stricter default — opt in only after the\n * org-admin write-gate is verified to be active.\n */\n\nimport { readAppSecret, readAppSecretMeta } from \"./storage.js\";\nimport type { SecretScope } from \"./register.js\";\nimport { resolveCredentialForScope } from \"../credentials/index.js\";\nimport {\n getRequestOrgId,\n getRequestUserEmail,\n} from \"../server/request-context.js\";\n\nconst KEY_REFERENCE_REGEX = /\\$\\{keys\\.([A-Za-z0-9_-]+)\\}/g;\n\nfunction isWorkspaceFallbackEnabled(): boolean {\n const v = process.env.AGENT_NATIVE_KEYS_WORKSPACE_FALLBACK;\n if (!v) return false;\n const normalized = v.trim().toLowerCase();\n return (\n normalized === \"1\" ||\n normalized === \"true\" ||\n normalized === \"yes\" ||\n normalized === \"on\"\n );\n}\n\nexport interface ResolveKeyReferencesResult {\n resolved: string;\n usedKeys: string[];\n secretValues: string[];\n resolvedKeys?: ResolvedKeyReference[];\n}\n\nexport interface ResolvedKeyReference {\n name: string;\n scope: SecretScope;\n scopeId: string;\n}\n\n/**\n * Resolve `${keys.NAME}` references in `text`. For each reference, looks up\n * the named secret at the given scope, falling back to workspace-scope when\n * the user-scope row doesn't exist. Throws when a referenced key is missing\n * so the agent receives a clear error rather than dispatching with the\n * literal placeholder.\n */\nexport async function resolveKeyReferences(\n text: string,\n scope: SecretScope,\n scopeId: string,\n): Promise<ResolveKeyReferencesResult> {\n const usedKeys: string[] = [];\n const matches = Array.from(text.matchAll(KEY_REFERENCE_REGEX));\n if (matches.length === 0) {\n return { resolved: text, usedKeys, secretValues: [] };\n }\n\n const resolutions = new Map<string, string>();\n const secretValues: string[] = [];\n const workspaceFallbackEnabled = isWorkspaceFallbackEnabled();\n for (const match of matches) {\n const name = match[1];\n if (resolutions.has(name)) continue;\n\n let result = await readAppSecret({ key: name, scope, scopeId });\n // SECURITY (audit 05 H2): user→workspace fallback is opt-in. Default\n // off prevents one malicious org member from poisoning every other\n // member's `${keys.NAME}` resolution with a workspace-scoped value.\n if (!result && scope === \"user\" && workspaceFallbackEnabled) {\n result = await readAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: getWorkspaceScopeId(scopeId),\n });\n }\n if (!result) {\n throw new Error(\n `Referenced key \"${name}\" is not defined for scope \"${scope}\". Create it in Settings or via the secrets API before using this automation.`,\n );\n }\n resolutions.set(name, result.value);\n usedKeys.push(name);\n if (result.value) secretValues.push(result.value);\n }\n\n const resolved = text.replace(KEY_REFERENCE_REGEX, (_, name: string) => {\n const value = resolutions.get(name);\n if (value === undefined) {\n throw new Error(`Referenced key \"${name}\" was not resolved`);\n }\n return value;\n });\n\n return { resolved, usedKeys, secretValues };\n}\n\n/**\n * Resolve `${keys.NAME}` for browser extension fetches and other request-bound\n * code paths that should honor the active workspace's shared credential store.\n *\n * Lookup order:\n * 1. user scope for personal overrides\n * 2. active org scope (Dispatch vault sync writes here for org workspaces)\n * 3. active org workspace scope (legacy shared rows)\n * 4. solo workspace scope when no org is active\n * 5. legacy app credential store user/org scopes\n */\nexport async function resolveKeyReferencesWithRequestScopes(\n text: string,\n userScopeId: string,\n): Promise<ResolveKeyReferencesResult> {\n const usedKeys: string[] = [];\n const matches = Array.from(text.matchAll(KEY_REFERENCE_REGEX));\n if (matches.length === 0) {\n return { resolved: text, usedKeys, secretValues: [], resolvedKeys: [] };\n }\n\n const resolutions = new Map<string, string>();\n const resolvedKeys: ResolvedKeyReference[] = [];\n const secretValues: string[] = [];\n for (const match of matches) {\n const name = match[1];\n if (resolutions.has(name)) continue;\n\n const result = await readRequestScopedSecret(name, userScopeId);\n if (!result) {\n throw new Error(\n `Referenced key \"${name}\" is not defined for this user or active workspace. Create it in Settings or the Dispatch vault before using this extension.`,\n );\n }\n resolutions.set(name, result.value);\n usedKeys.push(name);\n resolvedKeys.push(result.ref);\n if (result.value) secretValues.push(result.value);\n }\n\n const resolved = text.replace(KEY_REFERENCE_REGEX, (_, name: string) => {\n const value = resolutions.get(name);\n if (value === undefined) {\n throw new Error(`Referenced key \"${name}\" was not resolved`);\n }\n return value;\n });\n\n return { resolved, usedKeys, secretValues, resolvedKeys };\n}\n\nasync function readRequestScopedSecret(\n name: string,\n userScopeId: string,\n): Promise<{ value: string; ref: ResolvedKeyReference } | null> {\n const candidates = requestSecretCandidates(userScopeId);\n for (const ref of candidates) {\n const result = await readAppSecret({ key: name, ...ref });\n if (result) return { value: result.value, ref: { name, ...ref } };\n }\n const legacyCredential = await readLegacyCredential(name, userScopeId);\n if (legacyCredential) return legacyCredential;\n return null;\n}\n\nasync function readLegacyCredential(\n name: string,\n userScopeId: string,\n): Promise<{ value: string; ref: ResolvedKeyReference } | null> {\n const orgId = getRequestOrgId();\n const userValue = await resolveCredentialForScope(name, {\n userEmail: userScopeId,\n orgId,\n scope: \"user\",\n }).catch(() => undefined);\n if (userValue) {\n return {\n value: userValue,\n ref: { name, scope: \"user\", scopeId: userScopeId },\n };\n }\n\n if (!orgId) return null;\n const orgValue = await resolveCredentialForScope(name, {\n userEmail: userScopeId,\n orgId,\n scope: \"org\",\n }).catch(() => undefined);\n if (!orgValue) return null;\n\n return {\n value: orgValue,\n ref: { name, scope: \"org\", scopeId: orgId },\n };\n}\n\nfunction requestSecretCandidates(\n userScopeId: string,\n): Array<{ scope: SecretScope; scopeId: string }> {\n const orgId = getRequestOrgId();\n if (orgId) {\n return [\n { scope: \"user\", scopeId: userScopeId },\n { scope: \"org\", scopeId: orgId },\n { scope: \"workspace\", scopeId: orgId },\n ];\n }\n\n const email = getRequestUserEmail() || userScopeId;\n return [\n { scope: \"user\", scopeId: userScopeId },\n { scope: \"workspace\", scopeId: `solo:${email}` },\n ];\n}\n\n/**\n * Check if a URL is allowed by a key's URL allowlist. Returns true when no\n * allowlist is configured (permissive default — the allowlist is opt-in).\n *\n * Matching is exact on the URL's origin (scheme + host + port), so an entry\n * like `https://hooks.slack.com` blocks `https://evil.example.com` even if\n * the agent tries to redirect the request elsewhere.\n */\nexport function validateUrlAllowlist(\n url: string,\n allowlist: string[] | null,\n): boolean {\n if (!allowlist || allowlist.length === 0) return true;\n let origin: string;\n try {\n origin = new URL(url).origin;\n } catch {\n return false;\n }\n return allowlist.some((entry) => {\n try {\n return new URL(entry).origin === origin;\n } catch {\n return false;\n }\n });\n}\n\n/**\n * Convenience helper: look up a key's allowlist by name+scope. Returns null\n * when the key doesn't exist or has no allowlist configured.\n *\n * SECURITY: workspace fallback obeys the same opt-in flag as\n * `resolveKeyReferences` so the allowlist check stays consistent with the\n * resolved secret. If a future caller queries the allowlist for a key the\n * resolver wouldn't return, we'd risk allowing requests that the resolver\n * would refuse — keep them aligned.\n */\nexport async function getKeyAllowlist(\n name: string,\n scope: SecretScope,\n scopeId: string,\n): Promise<string[] | null> {\n let meta = await readAppSecretMeta({ key: name, scope, scopeId });\n if (!meta && scope === \"user\" && isWorkspaceFallbackEnabled()) {\n meta = await readAppSecretMeta({\n key: name,\n scope: \"workspace\",\n scopeId: getWorkspaceScopeId(scopeId),\n });\n }\n return meta?.urlAllowlist ?? null;\n}\n\nexport async function getResolvedKeyAllowlist(\n ref: ResolvedKeyReference,\n): Promise<string[] | null> {\n const meta = await readAppSecretMeta({\n key: ref.name,\n scope: ref.scope,\n scopeId: ref.scopeId,\n });\n return meta?.urlAllowlist ?? null;\n}\n\nfunction getWorkspaceScopeId(userScopeId: string): string {\n const orgId = getRequestOrgId();\n if (orgId) return orgId;\n const email = getRequestUserEmail() || userScopeId;\n return `solo:${email}`;\n}\n"]}
1
+ {"version":3,"file":"substitution.js","sourceRoot":"","sources":["../../src/secrets/substitution.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,yBAAyB,EAAE,MAAM,yBAAyB,CAAC;AACpE,OAAO,EACL,eAAe,EACf,mBAAmB,GACpB,MAAM,8BAA8B,CAAC;AAEtC,MAAM,mBAAmB,GAAG,+BAA+B,CAAC;AAE5D,SAAS,0BAA0B;IACjC,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC;IAC3D,IAAI,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACrB,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,OAAO,CACL,UAAU,KAAK,GAAG;QAClB,UAAU,KAAK,MAAM;QACrB,UAAU,KAAK,KAAK;QACpB,UAAU,KAAK,IAAI,CACpB,CAAC;AACJ,CAAC;AAeD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAAY,EACZ,KAAkB,EAClB,OAAe;IAEf,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC9C,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,wBAAwB,GAAG,0BAA0B,EAAE,CAAC;IAC9D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpC,IAAI,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;QAChE,qEAAqE;QACrE,mEAAmE;QACnE,oEAAoE;QACpE,IAAI,CAAC,MAAM,IAAI,KAAK,KAAK,MAAM,IAAI,wBAAwB,EAAE,CAAC;YAC5D,MAAM,GAAG,MAAM,aAAa,CAAC;gBAC3B,GAAG,EAAE,IAAI;gBACT,KAAK,EAAE,WAAW;gBAClB,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC;aACtC,CAAC,CAAC;QACL,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mBAAmB,IAAI,+BAA+B,KAAK,wGAAwG,CACpK,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,oBAAoB,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,qCAAqC,CACzD,IAAY,EACZ,WAAmB;IAEnB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IAC1E,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC9C,MAAM,YAAY,GAA2B,EAAE,CAAC;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpC,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAChE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mBAAmB,IAAI,kIAAkI,CAC1J,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,MAAM,CAAC,KAAK;YAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,IAAY,EAAE,EAAE;QACrE,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,oBAAoB,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,YAAY,EAAE,CAAC;AAC5D,CAAC;AAED,KAAK,UAAU,uBAAuB,CACpC,IAAY,EACZ,WAAmB;IAEnB,MAAM,UAAU,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAC;IACxD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC;QAC1D,IAAI,MAAM;YAAE,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,GAAG,GAAG,EAAE,EAAE,CAAC;IACpE,CAAC;IACD,MAAM,gBAAgB,GAAG,MAAM,oBAAoB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACvE,IAAI,gBAAgB;QAAE,OAAO,gBAAgB,CAAC;IAC9C,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,IAAY,EACZ,WAAmB;IAEnB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAAC,IAAI,EAAE;QACtD,SAAS,EAAE,WAAW;QACtB,KAAK;QACL,KAAK,EAAE,MAAM;KACd,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC1B,IAAI,SAAS,EAAE,CAAC;QACd,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;SACnD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,QAAQ,GAAG,MAAM,yBAAyB,CAAC,IAAI,EAAE;QACrD,SAAS,EAAE,WAAW;QACtB,KAAK;QACL,KAAK,EAAE,KAAK;KACb,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC1B,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,OAAO;QACL,KAAK,EAAE,QAAQ;QACf,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE;KAC5C,CAAC;AACJ,CAAC;AAED,SAAS,uBAAuB,CAC9B,WAAmB;IAEnB,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,KAAK,EAAE,CAAC;QACV,OAAO;YACL,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;YACvC,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE;YAChC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE;SACvC,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,mBAAmB,EAAE,IAAI,WAAW,CAAC;IACnD,OAAO;QACL,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE;QACvC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,KAAK,EAAE,EAAE;KACjD,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAClC,GAAW,EACX,SAA0B;IAE1B,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;QAC9B,IAAI,CAAC;YACH,OAAO,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAAY,EACZ,KAAkB,EAClB,OAAe;IAEf,IAAI,IAAI,GAAG,MAAM,iBAAiB,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC;IAClE,IAAI,CAAC,IAAI,IAAI,KAAK,KAAK,MAAM,IAAI,0BAA0B,EAAE,EAAE,CAAC;QAC9D,IAAI,GAAG,MAAM,iBAAiB,CAAC;YAC7B,GAAG,EAAE,IAAI;YACT,KAAK,EAAE,WAAW;YAClB,OAAO,EAAE,mBAAmB,CAAC,OAAO,CAAC;SACtC,CAAC,CAAC;IACL,CAAC;IACD,OAAO,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,GAAyB;IAEzB,MAAM,IAAI,GAAG,MAAM,iBAAiB,CAAC;QACnC,GAAG,EAAE,GAAG,CAAC,IAAI;QACb,KAAK,EAAE,GAAG,CAAC,KAAK;QAChB,OAAO,EAAE,GAAG,CAAC,OAAO;KACrB,CAAC,CAAC;IACH,OAAO,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC;AACpC,CAAC;AAED,SAAS,mBAAmB,CAAC,WAAmB;IAC9C,MAAM,KAAK,GAAG,eAAe,EAAE,CAAC;IAChC,IAAI,KAAK;QAAE,OAAO,KAAK,CAAC;IACxB,MAAM,KAAK,GAAG,mBAAmB,EAAE,IAAI,WAAW,CAAC;IACnD,OAAO,QAAQ,KAAK,EAAE,CAAC;AACzB,CAAC","sourcesContent":["/**\n * Server-side key substitution for automation tools.\n *\n * Resolves `${keys.NAME}` references in user-supplied strings (URLs, headers,\n * bodies, etc.) by looking up the named secret at tool-dispatch time. The\n * raw secret value NEVER enters the model's context — substitution happens\n * after the agent emits its tool call and before the request is dispatched.\n *\n * SECURITY — workspace-scope fallback (audit 05 H2):\n *\n * The user→workspace fallback is OPT-IN via the\n * `AGENT_NATIVE_KEYS_WORKSPACE_FALLBACK=1` env flag. Default OFF.\n *\n * When a user (any org member) writes a workspace-scoped `OPENAI_API_KEY`,\n * a default-on fallback would let every other org member's tools that\n * reference `${keys.OPENAI_API_KEY}` start using the malicious key\n * (key-skimming, mirror requests, billing hijack). The previous\n * fix-wave gated workspace-scope WRITES behind an org-admin check; this\n * file is the read-side defense-in-depth.\n *\n * When the env flag is unset, `resolveKeyReferences(\"user\", scopeId)`\n * queries ONLY user-scope rows. Tools/automations that need shared\n * defaults must explicitly look up via `scope: \"workspace\"`. Most\n * installs benefit from the stricter default — opt in only after the\n * org-admin write-gate is verified to be active.\n */\n\nimport { readAppSecret, readAppSecretMeta } from \"./storage.js\";\nimport type { SecretScope } from \"./register.js\";\nimport { resolveCredentialForScope } from \"../credentials/index.js\";\nimport {\n getRequestOrgId,\n getRequestUserEmail,\n} from \"../server/request-context.js\";\n\nconst KEY_REFERENCE_REGEX = /\\$\\{keys\\.([A-Za-z0-9_-]+)\\}/g;\n\nfunction isWorkspaceFallbackEnabled(): boolean {\n const v = process.env.AGENT_NATIVE_KEYS_WORKSPACE_FALLBACK;\n if (!v) return false;\n const normalized = v.trim().toLowerCase();\n return (\n normalized === \"1\" ||\n normalized === \"true\" ||\n normalized === \"yes\" ||\n normalized === \"on\"\n );\n}\n\nexport interface ResolveKeyReferencesResult {\n resolved: string;\n usedKeys: string[];\n secretValues: string[];\n resolvedKeys?: ResolvedKeyReference[];\n}\n\nexport interface ResolvedKeyReference {\n name: string;\n scope: SecretScope;\n scopeId: string;\n}\n\n/**\n * Resolve `${keys.NAME}` references in `text`. For each reference, looks up\n * the named secret at the given scope, falling back to workspace-scope when\n * the user-scope row doesn't exist. Throws when a referenced key is missing\n * so the agent receives a clear error rather than dispatching with the\n * literal placeholder.\n */\nexport async function resolveKeyReferences(\n text: string,\n scope: SecretScope,\n scopeId: string,\n): Promise<ResolveKeyReferencesResult> {\n const usedKeys: string[] = [];\n const matches = Array.from(text.matchAll(KEY_REFERENCE_REGEX));\n if (matches.length === 0) {\n return { resolved: text, usedKeys, secretValues: [] };\n }\n\n const resolutions = new Map<string, string>();\n const secretValues: string[] = [];\n const workspaceFallbackEnabled = isWorkspaceFallbackEnabled();\n for (const match of matches) {\n const name = match[1];\n if (resolutions.has(name)) continue;\n\n let result = await readAppSecret({ key: name, scope, scopeId });\n // SECURITY (audit 05 H2): user→workspace fallback is opt-in. Default\n // off prevents one malicious org member from poisoning every other\n // member's `${keys.NAME}` resolution with a workspace-scoped value.\n if (!result && scope === \"user\" && workspaceFallbackEnabled) {\n result = await readAppSecret({\n key: name,\n scope: \"workspace\",\n scopeId: getWorkspaceScopeId(scopeId),\n });\n }\n if (!result) {\n throw new Error(\n `Referenced key \"${name}\" is not defined for scope \"${scope}\". Create it in the Dispatch Vault, app Settings, or via the secrets API before using this automation.`,\n );\n }\n resolutions.set(name, result.value);\n usedKeys.push(name);\n if (result.value) secretValues.push(result.value);\n }\n\n const resolved = text.replace(KEY_REFERENCE_REGEX, (_, name: string) => {\n const value = resolutions.get(name);\n if (value === undefined) {\n throw new Error(`Referenced key \"${name}\" was not resolved`);\n }\n return value;\n });\n\n return { resolved, usedKeys, secretValues };\n}\n\n/**\n * Resolve `${keys.NAME}` for browser extension fetches and other request-bound\n * code paths that should honor the active workspace's shared credential store.\n *\n * Lookup order:\n * 1. user scope for personal overrides\n * 2. active org scope (Dispatch vault sync writes here for org workspaces)\n * 3. active org workspace scope (legacy shared rows)\n * 4. solo workspace scope when no org is active\n * 5. legacy app credential store user/org scopes\n */\nexport async function resolveKeyReferencesWithRequestScopes(\n text: string,\n userScopeId: string,\n): Promise<ResolveKeyReferencesResult> {\n const usedKeys: string[] = [];\n const matches = Array.from(text.matchAll(KEY_REFERENCE_REGEX));\n if (matches.length === 0) {\n return { resolved: text, usedKeys, secretValues: [], resolvedKeys: [] };\n }\n\n const resolutions = new Map<string, string>();\n const resolvedKeys: ResolvedKeyReference[] = [];\n const secretValues: string[] = [];\n for (const match of matches) {\n const name = match[1];\n if (resolutions.has(name)) continue;\n\n const result = await readRequestScopedSecret(name, userScopeId);\n if (!result) {\n throw new Error(\n `Referenced key \"${name}\" is not defined for this user or active workspace. Create it in the Dispatch Vault or app Settings before using this extension.`,\n );\n }\n resolutions.set(name, result.value);\n usedKeys.push(name);\n resolvedKeys.push(result.ref);\n if (result.value) secretValues.push(result.value);\n }\n\n const resolved = text.replace(KEY_REFERENCE_REGEX, (_, name: string) => {\n const value = resolutions.get(name);\n if (value === undefined) {\n throw new Error(`Referenced key \"${name}\" was not resolved`);\n }\n return value;\n });\n\n return { resolved, usedKeys, secretValues, resolvedKeys };\n}\n\nasync function readRequestScopedSecret(\n name: string,\n userScopeId: string,\n): Promise<{ value: string; ref: ResolvedKeyReference } | null> {\n const candidates = requestSecretCandidates(userScopeId);\n for (const ref of candidates) {\n const result = await readAppSecret({ key: name, ...ref });\n if (result) return { value: result.value, ref: { name, ...ref } };\n }\n const legacyCredential = await readLegacyCredential(name, userScopeId);\n if (legacyCredential) return legacyCredential;\n return null;\n}\n\nasync function readLegacyCredential(\n name: string,\n userScopeId: string,\n): Promise<{ value: string; ref: ResolvedKeyReference } | null> {\n const orgId = getRequestOrgId();\n const userValue = await resolveCredentialForScope(name, {\n userEmail: userScopeId,\n orgId,\n scope: \"user\",\n }).catch(() => undefined);\n if (userValue) {\n return {\n value: userValue,\n ref: { name, scope: \"user\", scopeId: userScopeId },\n };\n }\n\n if (!orgId) return null;\n const orgValue = await resolveCredentialForScope(name, {\n userEmail: userScopeId,\n orgId,\n scope: \"org\",\n }).catch(() => undefined);\n if (!orgValue) return null;\n\n return {\n value: orgValue,\n ref: { name, scope: \"org\", scopeId: orgId },\n };\n}\n\nfunction requestSecretCandidates(\n userScopeId: string,\n): Array<{ scope: SecretScope; scopeId: string }> {\n const orgId = getRequestOrgId();\n if (orgId) {\n return [\n { scope: \"user\", scopeId: userScopeId },\n { scope: \"org\", scopeId: orgId },\n { scope: \"workspace\", scopeId: orgId },\n ];\n }\n\n const email = getRequestUserEmail() || userScopeId;\n return [\n { scope: \"user\", scopeId: userScopeId },\n { scope: \"workspace\", scopeId: `solo:${email}` },\n ];\n}\n\n/**\n * Check if a URL is allowed by a key's URL allowlist. Returns true when no\n * allowlist is configured (permissive default — the allowlist is opt-in).\n *\n * Matching is exact on the URL's origin (scheme + host + port), so an entry\n * like `https://hooks.slack.com` blocks `https://evil.example.com` even if\n * the agent tries to redirect the request elsewhere.\n */\nexport function validateUrlAllowlist(\n url: string,\n allowlist: string[] | null,\n): boolean {\n if (!allowlist || allowlist.length === 0) return true;\n let origin: string;\n try {\n origin = new URL(url).origin;\n } catch {\n return false;\n }\n return allowlist.some((entry) => {\n try {\n return new URL(entry).origin === origin;\n } catch {\n return false;\n }\n });\n}\n\n/**\n * Convenience helper: look up a key's allowlist by name+scope. Returns null\n * when the key doesn't exist or has no allowlist configured.\n *\n * SECURITY: workspace fallback obeys the same opt-in flag as\n * `resolveKeyReferences` so the allowlist check stays consistent with the\n * resolved secret. If a future caller queries the allowlist for a key the\n * resolver wouldn't return, we'd risk allowing requests that the resolver\n * would refuse — keep them aligned.\n */\nexport async function getKeyAllowlist(\n name: string,\n scope: SecretScope,\n scopeId: string,\n): Promise<string[] | null> {\n let meta = await readAppSecretMeta({ key: name, scope, scopeId });\n if (!meta && scope === \"user\" && isWorkspaceFallbackEnabled()) {\n meta = await readAppSecretMeta({\n key: name,\n scope: \"workspace\",\n scopeId: getWorkspaceScopeId(scopeId),\n });\n }\n return meta?.urlAllowlist ?? null;\n}\n\nexport async function getResolvedKeyAllowlist(\n ref: ResolvedKeyReference,\n): Promise<string[] | null> {\n const meta = await readAppSecretMeta({\n key: ref.name,\n scope: ref.scope,\n scopeId: ref.scopeId,\n });\n return meta?.urlAllowlist ?? null;\n}\n\nfunction getWorkspaceScopeId(userScopeId: string): string {\n const orgId = getRequestOrgId();\n if (orgId) return orgId;\n const email = getRequestUserEmail() || userScopeId;\n return `solo:${email}`;\n}\n"]}
package/dist/server/auth-marketing.d.ts CHANGED
@@ -11,4 +11,5 @@ export interface ResolveBuiltInAuthMarketingOptions {
11
11
  }
12
12
  export declare const BUILT_IN_AUTH_MARKETING: Record<string, AuthMarketingContent>;
13
13
  export declare function resolveBuiltInAuthMarketing(opts?: ResolveBuiltInAuthMarketingOptions): AuthMarketingContent | undefined;
14
+ export declare function resolveBuiltInAuthMarketingByName(value: string | undefined): AuthMarketingContent | undefined;
14
15
  //# sourceMappingURL=auth-marketing.d.ts.map
package/dist/server/auth-marketing.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth-marketing.d.ts","sourceRoot":"","sources":["../../src/server/auth-marketing.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,kCAAkC;IACjD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAoIxE,CAAC;AAmFF,wBAAgB,2BAA2B,CACzC,IAAI,GAAE,kCAAuC,GAC5C,oBAAoB,GAAG,SAAS,CAMlC"}
1
+ {"version":3,"file":"auth-marketing.d.ts","sourceRoot":"","sources":["../../src/server/auth-marketing.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,kCAAkC;IACjD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,eAAO,MAAM,uBAAuB,EAAE,MAAM,CAAC,MAAM,EAAE,oBAAoB,CAoIxE,CAAC;AAmFF,wBAAgB,2BAA2B,CACzC,IAAI,GAAE,kCAAuC,GAC5C,oBAAoB,GAAG,SAAS,CAMlC;AAED,wBAAgB,iCAAiC,CAC/C,KAAK,EAAE,MAAM,GAAG,SAAS,GACxB,oBAAoB,GAAG,SAAS,CAIlC"}
package/dist/server/auth-marketing.js CHANGED
@@ -204,4 +204,9 @@ export function resolveBuiltInAuthMarketing(opts = {}) {
204
204
  }
205
205
  return undefined;
206
206
  }
207
+ export function resolveBuiltInAuthMarketingByName(value) {
208
+ const slug = normalizeSlug(value);
209
+ const marketing = slug ? BUILT_IN_AUTH_MARKETING[slug] : undefined;
210
+ return marketing ? cloneMarketing(marketing) : undefined;
211
+ }
207
212
  //# sourceMappingURL=auth-marketing.js.map
package/dist/server/auth-marketing.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth-marketing.js","sourceRoot":"","sources":["../../src/server/auth-marketing.ts"],"names":[],"mappings":"AAaA,MAAM,CAAC,MAAM,uBAAuB,GAAyC;IAC3E,SAAS,EAAE;QACT,OAAO,EAAE,wBAAwB;QACjC,OAAO,EACL,2GAA2G;QAC7G,QAAQ,EAAE;YACR,yEAAyE;YACzE,kEAAkE;YAClE,kEAAkE;SACnE;KACF;IACD,KAAK,EAAE;QACL,OAAO,EAAE,oBAAoB;QAC7B,OAAO,EACL,qGAAqG;QACvG,QAAQ,EAAE;YACR,iEAAiE;YACjE,iDAAiD;YACjD,0DAA0D;SAC3D;KACF;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,uBAAuB;QAChC,OAAO,EACL,uFAAuF;QACzF,QAAQ,EAAE;YACR,oDAAoD;YACpD,sDAAsD;YACtD,6DAA6D;SAC9D;KACF;IACD,KAAK,EAAE;QACL,OAAO,EAAE,oBAAoB;QAC7B,OAAO,EACL,0FAA0F;QAC5F,QAAQ,EAAE;YACR,2EAA2E;YAC3E,sEAAsE;YACtE,oEAAoE;SACrE;KACF;IACD,OAAO,EAAE;QACP,OAAO,EAAE,sBAAsB;QAC/B,OAAO,EACL,iGAAiG;QACnG,QAAQ,EAAE;YACR,mEAAmE;YACnE,0EAA0E;YAC1E,4DAA4D;SAC7D;KACF;IACD,MAAM,EAAE;QACN,OAAO,EAAE,qBAAqB;QAC9B,OAAO,EACL,wIAAwI;QAC1I,QAAQ,EAAE;YACR,oDAAoD;YACpD,4DAA4D;YAC5D,0CAA0C;SAC3C;KACF;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,uBAAuB;QAChC,OAAO,EACL,sGAAsG;QACxG,QAAQ,EAAE;YACR,4DAA4D;YAC5D,6DAA6D;YAC7D,oDAAoD;SACrD;KACF;IACD,KAAK,EAAE;QACL,OAAO,EAAE,oBAAoB;QAC7B,OAAO,EACL,oEAAoE;QACtE,QAAQ,EAAE;YACR,8CAA8C;YAC9C,qDAAqD;YACrD,2DAA2D;SAC5D;KACF;IACD,MAAM,EAAE;QACN,OAAO,EAAE,qBAAqB;QAC9B,OAAO,EACL,8EAA8E;QAChF,QAAQ,EAAE;YACR,kFAAkF;YAClF,iFAAiF;YACjF,sEAAsE;SACvE;KACF;IACD,IAAI,EAAE;QACJ,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE;YACR,wCAAwC;YACxC,+CAA+C;YAC/C,8CAA8C;SAC/C;QACD,eAAe,EACb,kEAAkE;KACrE;IACD,MAAM,EAAE;QACN,OAAO,EAAE,qBAAqB;QAC9B,OAAO,EACL,uEAAuE;QACzE,QAAQ,EAAE;YACR,4CAA4C;YAC5C,kDAAkD;YAClD,mDAAmD;SACpD;KACF;IACD,OAAO,EAAE;QACP,OAAO,EAAE,WAAW;QACpB,OAAO,EACL,wFAAwF;QAC1F,QAAQ,EAAE;YACR,4EAA4E;YAC5E,kEAAkE;YAClE,qEAAqE;SACtE;KACF;IACD,MAAM,EAAE;QACN,OAAO,EAAE,qBAAqB;QAC9B,OAAO,EACL,gFAAgF;QAClF,QAAQ,EAAE;YACR,kEAAkE;YAClE,+DAA+D;YAC/D,yEAAyE;SAC1E;KACF;CACF,CAAC;AAEF,MAAM,YAAY,GAA2B;IAC3C,cAAc,EAAE,EAAE;IAClB,WAAW,EAAE,SAAS;IACtB,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,QAAQ;CAChB,CAAC;AAEF,SAAS,cAAc,CAAC,SAA+B;IACrD,OAAO;QACL,GAAG,SAAS;QACZ,QAAQ,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KACnE,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAyB;IAC9C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACtC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;IAC5C,IAAI,GAAG,IAAI;SACR,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;IAClC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AAC1D,CAAC;AAED,SAAS,WAAW,CAAC,KAAyB;IAC5C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3B,OAAO,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,KAAyB;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;IACtE,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,IAAI,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACvC,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,YAAY,CAAC,KAAyB;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,aAAa,CAAC,YAAY,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,cAAc,CACrB,OAA2C,EAAE;IAE7C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IACxB,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;QAC7D,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;QAC7D,aAAa,CAAC,GAAG,CAAC,qBAAqB,CAAC;QACxC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC3B,aAAa,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACnC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC;QAC/B,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC;QACpC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC;QACxB,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC;QAChC,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC;QACrC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC;QAC3B,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC;KAClC,CAAC;IAEF,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,OAA2C,EAAE;IAE7C,KAAK,MAAM,IAAI,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,SAAS;YAAE,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC","sourcesContent":["export interface AuthMarketingContent {\n appName: string;\n tagline: string;\n description?: string;\n features?: string[];\n runLocalCommand?: string;\n}\n\nexport interface ResolveBuiltInAuthMarketingOptions {\n requestHost?: string;\n requestPath?: string;\n}\n\nexport const BUILT_IN_AUTH_MARKETING: Record<string, AuthMarketingContent> = {\n analytics: {\n appName: \"Agent-Native Analytics\",\n tagline:\n \"Your AI agent queries your data sources, builds dashboards, and answers business questions alongside you.\",\n features: [\n \"Ask any question and get answers from BigQuery, HubSpot, Jira, and more\",\n \"Agent-built dashboards that pull live data from all your sources\",\n \"Saved analyses the agent can re-run on demand with fresh numbers\",\n ],\n },\n brain: {\n appName: \"Agent-Native Brain\",\n tagline:\n \"A company memory layer where raw conversations become reviewed, searchable institutional knowledge.\",\n features: [\n \"Import transcripts, notes, Slack exports, and Granola summaries\",\n \"Validate every fact against exact source quotes\",\n \"Review company-wide knowledge through proposal workflows\",\n ],\n },\n calendar: {\n appName: \"Agent-Native Calendar\",\n tagline:\n \"Your AI agent schedules, reschedules, and manages your calendar so you never have to.\",\n features: [\n \"Finds open slots and books meetings on your behalf\",\n \"Manages availability and booking links automatically\",\n \"Answers schedule questions and resolves conflicts instantly\",\n ],\n },\n clips: {\n appName: \"Agent-Native Clips\",\n tagline:\n \"Your AI agent transcribes, summarizes, and searches everything you record alongside you.\",\n features: [\n \"One-click screen recording with automatic titles, summaries, and chapters\",\n \"Calendar-synced meeting notes with live transcripts and action items\",\n \"One searchable library across recordings, meetings, and dictations\",\n ],\n },\n content: {\n appName: \"Agent-Native Content\",\n tagline:\n \"Your AI agent creates, edits, and organizes documents alongside you in a Notion-like workspace.\",\n features: [\n \"Create and restructure entire document trees from a single prompt\",\n \"Surgical edits that sync live to your editor via real-time collaboration\",\n \"Search, summarize, and cross-reference documents instantly\",\n ],\n },\n design: {\n appName: \"Agent-Native Design\",\n tagline:\n \"Design and prototype by describing what you want. The AI agent turns your ideas into interactive, fully responsive designs in seconds.\",\n features: [\n \"Create polished prototypes just by describing them\",\n \"Build and apply design systems to keep everything on-brand\",\n \"Export your work or share it with a link\",\n ],\n },\n dispatch: {\n appName: \"Agent-Native Dispatch\",\n tagline:\n \"Your AI agent manages secrets, orchestrates other agents, and routes messages across your workspace.\",\n features: [\n \"Centralized vault for secrets with granular per-app grants\",\n \"Cross-agent orchestration and delegation to specialist apps\",\n \"Slack and Telegram routing with approval workflows\",\n ],\n },\n forms: {\n appName: \"Agent-Native Forms\",\n tagline:\n \"Your AI agent builds, publishes, and analyzes forms alongside you.\",\n features: [\n \"Create complete forms from a single sentence\",\n \"Instant publishing with shareable links and captcha\",\n \"Response summaries, exports, and trend analysis on demand\",\n ],\n },\n assets: {\n appName: \"Agent-Native Assets\",\n tagline:\n \"Your AI agent creates, refines, and organizes on-brand assets alongside you.\",\n features: [\n \"Build reusable asset libraries from logos, product shots, videos, and references\",\n \"Generate heroes, diagrams, slide art, product visuals, and videos from a prompt\",\n \"Audit prompts, references, outputs, and refinements across every run\",\n ],\n },\n mail: {\n appName: \"Agent-Native Mail\",\n tagline: \"Your AI agent reads, drafts, and organizes email alongside you.\",\n features: [\n \"Replies that match your tone and style\",\n \"Multi-account Gmail in a single unified inbox\",\n \"Autonomous triage, archiving, and follow-ups\",\n ],\n runLocalCommand:\n \"npx @agent-native/core@latest create my-mail-app --template mail\",\n },\n slides: {\n appName: \"Agent-Native Slides\",\n tagline:\n \"Your AI agent builds, edits, and refines presentations alongside you.\",\n features: [\n \"Generate entire decks from a single prompt\",\n \"Surgical slide edits while you present or review\",\n \"Real-time collaboration between you and the agent\",\n ],\n },\n starter: {\n appName: \"Blank app\",\n tagline:\n \"Build an agent-native app where the AI agent and UI share state, actions, and context.\",\n features: [\n \"Define once, use everywhere: actions work as agent tools and API endpoints\",\n \"The agent always knows what you are looking at and can act on it\",\n \"Modify your app's own code, routes, and styles through conversation\",\n ],\n },\n videos: {\n appName: \"Agent-Native Videos\",\n tagline:\n \"Your AI agent builds, animates, and refines programmatic videos alongside you.\",\n features: [\n \"Generate animated components and compositions from a description\",\n \"Fine-tune tracks, keyframes, and easing without touching code\",\n \"Camera moves, interactive elements, and effects the agent wires for you\",\n ],\n },\n};\n\nconst SLUG_ALIASES: Record<string, string> = {\n \"agent-native\": \"\",\n \"blank-app\": \"starter\",\n asset: \"assets\",\n image: \"assets\",\n images: \"assets\",\n video: \"videos\",\n};\n\nfunction cloneMarketing(marketing: AuthMarketingContent): AuthMarketingContent {\n return {\n ...marketing,\n features: marketing.features ? [...marketing.features] : undefined,\n };\n}\n\nfunction normalizeSlug(value: string | undefined): string | undefined {\n if (!value) return undefined;\n let slug = value.trim().toLowerCase();\n if (!slug) return undefined;\n\n slug = slug.replace(/^@agent-native\\//, \"\");\n slug = slug\n .replace(/&/g, \" and \")\n .replace(/[^a-z0-9]+/g, \"-\")\n .replace(/^-+|-+$/g, \"\");\n slug = slug.replace(/^agent-native-/, \"\");\n slug = SLUG_ALIASES[slug] ?? slug;\n if (!slug) return undefined;\n return BUILT_IN_AUTH_MARKETING[slug] ? slug : undefined;\n}\n\nfunction slugFromUrl(value: string | undefined): string | undefined {\n if (!value) return undefined;\n try {\n const url = new URL(value);\n return slugFromHost(url.host) ?? slugFromPath(url.pathname);\n } catch {\n return undefined;\n }\n}\n\nfunction slugFromHost(value: string | undefined): string | undefined {\n if (!value) return undefined;\n const host = value.split(\",\")[0]?.trim().split(\":\")[0]?.toLowerCase();\n if (!host) return undefined;\n if (host.endsWith(\".agent-native.com\")) {\n return normalizeSlug(host.slice(0, -\".agent-native.com\".length));\n }\n return undefined;\n}\n\nfunction slugFromPath(value: string | undefined): string | undefined {\n if (!value) return undefined;\n const firstSegment = value.split(\"?\")[0]?.split(\"/\").filter(Boolean)[0];\n return normalizeSlug(firstSegment);\n}\n\nfunction candidateSlugs(\n opts: ResolveBuiltInAuthMarketingOptions = {},\n): string[] {\n const env = process.env;\n const candidates = [\n opts.requestHost ? slugFromHost(opts.requestHost) : undefined,\n opts.requestPath ? slugFromPath(opts.requestPath) : undefined,\n normalizeSlug(env.AGENT_NATIVE_TEMPLATE),\n normalizeSlug(env.APP_NAME),\n normalizeSlug(env.npm_package_name),\n slugFromPath(env.APP_BASE_PATH),\n slugFromPath(env.VITE_APP_BASE_PATH),\n slugFromUrl(env.APP_URL),\n slugFromUrl(env.BETTER_AUTH_URL),\n slugFromUrl(env.VITE_BETTER_AUTH_URL),\n slugFromUrl(env.URL),\n slugFromUrl(env.DEPLOY_URL),\n slugFromUrl(env.DEPLOY_PRIME_URL),\n ];\n\n return candidates.filter((slug): slug is string => !!slug);\n}\n\nexport function resolveBuiltInAuthMarketing(\n opts: ResolveBuiltInAuthMarketingOptions = {},\n): AuthMarketingContent | undefined {\n for (const slug of candidateSlugs(opts)) {\n const marketing = BUILT_IN_AUTH_MARKETING[slug];\n if (marketing) return cloneMarketing(marketing);\n }\n return undefined;\n}\n"]}
1
+ {"version":3,"file":"auth-marketing.js","sourceRoot":"","sources":["../../src/server/auth-marketing.ts"],"names":[],"mappings":"AAaA,MAAM,CAAC,MAAM,uBAAuB,GAAyC;IAC3E,SAAS,EAAE;QACT,OAAO,EAAE,wBAAwB;QACjC,OAAO,EACL,2GAA2G;QAC7G,QAAQ,EAAE;YACR,yEAAyE;YACzE,kEAAkE;YAClE,kEAAkE;SACnE;KACF;IACD,KAAK,EAAE;QACL,OAAO,EAAE,oBAAoB;QAC7B,OAAO,EACL,qGAAqG;QACvG,QAAQ,EAAE;YACR,iEAAiE;YACjE,iDAAiD;YACjD,0DAA0D;SAC3D;KACF;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,uBAAuB;QAChC,OAAO,EACL,uFAAuF;QACzF,QAAQ,EAAE;YACR,oDAAoD;YACpD,sDAAsD;YACtD,6DAA6D;SAC9D;KACF;IACD,KAAK,EAAE;QACL,OAAO,EAAE,oBAAoB;QAC7B,OAAO,EACL,0FAA0F;QAC5F,QAAQ,EAAE;YACR,2EAA2E;YAC3E,sEAAsE;YACtE,oEAAoE;SACrE;KACF;IACD,OAAO,EAAE;QACP,OAAO,EAAE,sBAAsB;QAC/B,OAAO,EACL,iGAAiG;QACnG,QAAQ,EAAE;YACR,mEAAmE;YACnE,0EAA0E;YAC1E,4DAA4D;SAC7D;KACF;IACD,MAAM,EAAE;QACN,OAAO,EAAE,qBAAqB;QAC9B,OAAO,EACL,wIAAwI;QAC1I,QAAQ,EAAE;YACR,oDAAoD;YACpD,4DAA4D;YAC5D,0CAA0C;SAC3C;KACF;IACD,QAAQ,EAAE;QACR,OAAO,EAAE,uBAAuB;QAChC,OAAO,EACL,sGAAsG;QACxG,QAAQ,EAAE;YACR,4DAA4D;YAC5D,6DAA6D;YAC7D,oDAAoD;SACrD;KACF;IACD,KAAK,EAAE;QACL,OAAO,EAAE,oBAAoB;QAC7B,OAAO,EACL,oEAAoE;QACtE,QAAQ,EAAE;YACR,8CAA8C;YAC9C,qDAAqD;YACrD,2DAA2D;SAC5D;KACF;IACD,MAAM,EAAE;QACN,OAAO,EAAE,qBAAqB;QAC9B,OAAO,EACL,8EAA8E;QAChF,QAAQ,EAAE;YACR,kFAAkF;YAClF,iFAAiF;YACjF,sEAAsE;SACvE;KACF;IACD,IAAI,EAAE;QACJ,OAAO,EAAE,mBAAmB;QAC5B,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE;YACR,wCAAwC;YACxC,+CAA+C;YAC/C,8CAA8C;SAC/C;QACD,eAAe,EACb,kEAAkE;KACrE;IACD,MAAM,EAAE;QACN,OAAO,EAAE,qBAAqB;QAC9B,OAAO,EACL,uEAAuE;QACzE,QAAQ,EAAE;YACR,4CAA4C;YAC5C,kDAAkD;YAClD,mDAAmD;SACpD;KACF;IACD,OAAO,EAAE;QACP,OAAO,EAAE,WAAW;QACpB,OAAO,EACL,wFAAwF;QAC1F,QAAQ,EAAE;YACR,4EAA4E;YAC5E,kEAAkE;YAClE,qEAAqE;SACtE;KACF;IACD,MAAM,EAAE;QACN,OAAO,EAAE,qBAAqB;QAC9B,OAAO,EACL,gFAAgF;QAClF,QAAQ,EAAE;YACR,kEAAkE;YAClE,+DAA+D;YAC/D,yEAAyE;SAC1E;KACF;CACF,CAAC;AAEF,MAAM,YAAY,GAA2B;IAC3C,cAAc,EAAE,EAAE;IAClB,WAAW,EAAE,SAAS;IACtB,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,QAAQ;CAChB,CAAC;AAEF,SAAS,cAAc,CAAC,SAA+B;IACrD,OAAO;QACL,GAAG,SAAS;QACZ,QAAQ,EAAE,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;KACnE,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAyB;IAC9C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACtC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAE5B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;IAC5C,IAAI,GAAG,IAAI;SACR,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SACtB,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC;IAClC,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,OAAO,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AAC1D,CAAC;AAED,SAAS,WAAW,CAAC,KAAyB;IAC5C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3B,OAAO,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,KAAyB;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC;IACtE,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,IAAI,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACvC,OAAO,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC;IACnE,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,YAAY,CAAC,KAAyB;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,OAAO,aAAa,CAAC,YAAY,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,cAAc,CACrB,OAA2C,EAAE;IAE7C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IACxB,MAAM,UAAU,GAAG;QACjB,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;QAC7D,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS;QAC7D,aAAa,CAAC,GAAG,CAAC,qBAAqB,CAAC;QACxC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC3B,aAAa,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACnC,YAAY,CAAC,GAAG,CAAC,aAAa,CAAC;QAC/B,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC;QACpC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC;QACxB,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC;QAChC,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC;QACrC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC;QACpB,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC;QAC3B,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC;KAClC,CAAC;IAEF,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,OAA2C,EAAE;IAE7C,KAAK,MAAM,IAAI,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC;QAChD,IAAI,SAAS;YAAE,OAAO,cAAc,CAAC,SAAS,CAAC,CAAC;IAClD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,KAAyB;IAEzB,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACnE,OAAO,SAAS,CAAC,CAAC,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3D,CAAC","sourcesContent":["export interface AuthMarketingContent {\n appName: string;\n tagline: string;\n description?: string;\n features?: string[];\n runLocalCommand?: string;\n}\n\nexport interface ResolveBuiltInAuthMarketingOptions {\n requestHost?: string;\n requestPath?: string;\n}\n\nexport const BUILT_IN_AUTH_MARKETING: Record<string, AuthMarketingContent> = {\n analytics: {\n appName: \"Agent-Native Analytics\",\n tagline:\n \"Your AI agent queries your data sources, builds dashboards, and answers business questions alongside you.\",\n features: [\n \"Ask any question and get answers from BigQuery, HubSpot, Jira, and more\",\n \"Agent-built dashboards that pull live data from all your sources\",\n \"Saved analyses the agent can re-run on demand with fresh numbers\",\n ],\n },\n brain: {\n appName: \"Agent-Native Brain\",\n tagline:\n \"A company memory layer where raw conversations become reviewed, searchable institutional knowledge.\",\n features: [\n \"Import transcripts, notes, Slack exports, and Granola summaries\",\n \"Validate every fact against exact source quotes\",\n \"Review company-wide knowledge through proposal workflows\",\n ],\n },\n calendar: {\n appName: \"Agent-Native Calendar\",\n tagline:\n \"Your AI agent schedules, reschedules, and manages your calendar so you never have to.\",\n features: [\n \"Finds open slots and books meetings on your behalf\",\n \"Manages availability and booking links automatically\",\n \"Answers schedule questions and resolves conflicts instantly\",\n ],\n },\n clips: {\n appName: \"Agent-Native Clips\",\n tagline:\n \"Your AI agent transcribes, summarizes, and searches everything you record alongside you.\",\n features: [\n \"One-click screen recording with automatic titles, summaries, and chapters\",\n \"Calendar-synced meeting notes with live transcripts and action items\",\n \"One searchable library across recordings, meetings, and dictations\",\n ],\n },\n content: {\n appName: \"Agent-Native Content\",\n tagline:\n \"Your AI agent creates, edits, and organizes documents alongside you in a Notion-like workspace.\",\n features: [\n \"Create and restructure entire document trees from a single prompt\",\n \"Surgical edits that sync live to your editor via real-time collaboration\",\n \"Search, summarize, and cross-reference documents instantly\",\n ],\n },\n design: {\n appName: \"Agent-Native Design\",\n tagline:\n \"Design and prototype by describing what you want. The AI agent turns your ideas into interactive, fully responsive designs in seconds.\",\n features: [\n \"Create polished prototypes just by describing them\",\n \"Build and apply design systems to keep everything on-brand\",\n \"Export your work or share it with a link\",\n ],\n },\n dispatch: {\n appName: \"Agent-Native Dispatch\",\n tagline:\n \"Your AI agent manages secrets, orchestrates other agents, and routes messages across your workspace.\",\n features: [\n \"Centralized vault for secrets with granular per-app grants\",\n \"Cross-agent orchestration and delegation to specialist apps\",\n \"Slack and Telegram routing with approval workflows\",\n ],\n },\n forms: {\n appName: \"Agent-Native Forms\",\n tagline:\n \"Your AI agent builds, publishes, and analyzes forms alongside you.\",\n features: [\n \"Create complete forms from a single sentence\",\n \"Instant publishing with shareable links and captcha\",\n \"Response summaries, exports, and trend analysis on demand\",\n ],\n },\n assets: {\n appName: \"Agent-Native Assets\",\n tagline:\n \"Your AI agent creates, refines, and organizes on-brand assets alongside you.\",\n features: [\n \"Build reusable asset libraries from logos, product shots, videos, and references\",\n \"Generate heroes, diagrams, slide art, product visuals, and videos from a prompt\",\n \"Audit prompts, references, outputs, and refinements across every run\",\n ],\n },\n mail: {\n appName: \"Agent-Native Mail\",\n tagline: \"Your AI agent reads, drafts, and organizes email alongside you.\",\n features: [\n \"Replies that match your tone and style\",\n \"Multi-account Gmail in a single unified inbox\",\n \"Autonomous triage, archiving, and follow-ups\",\n ],\n runLocalCommand:\n \"npx @agent-native/core@latest create my-mail-app --template mail\",\n },\n slides: {\n appName: \"Agent-Native Slides\",\n tagline:\n \"Your AI agent builds, edits, and refines presentations alongside you.\",\n features: [\n \"Generate entire decks from a single prompt\",\n \"Surgical slide edits while you present or review\",\n \"Real-time collaboration between you and the agent\",\n ],\n },\n starter: {\n appName: \"Blank app\",\n tagline:\n \"Build an agent-native app where the AI agent and UI share state, actions, and context.\",\n features: [\n \"Define once, use everywhere: actions work as agent tools and API endpoints\",\n \"The agent always knows what you are looking at and can act on it\",\n \"Modify your app's own code, routes, and styles through conversation\",\n ],\n },\n videos: {\n appName: \"Agent-Native Videos\",\n tagline:\n \"Your AI agent builds, animates, and refines programmatic videos alongside you.\",\n features: [\n \"Generate animated components and compositions from a description\",\n \"Fine-tune tracks, keyframes, and easing without touching code\",\n \"Camera moves, interactive elements, and effects the agent wires for you\",\n ],\n },\n};\n\nconst SLUG_ALIASES: Record<string, string> = {\n \"agent-native\": \"\",\n \"blank-app\": \"starter\",\n asset: \"assets\",\n image: \"assets\",\n images: \"assets\",\n video: \"videos\",\n};\n\nfunction cloneMarketing(marketing: AuthMarketingContent): AuthMarketingContent {\n return {\n ...marketing,\n features: marketing.features ? [...marketing.features] : undefined,\n };\n}\n\nfunction normalizeSlug(value: string | undefined): string | undefined {\n if (!value) return undefined;\n let slug = value.trim().toLowerCase();\n if (!slug) return undefined;\n\n slug = slug.replace(/^@agent-native\\//, \"\");\n slug = slug\n .replace(/&/g, \" and \")\n .replace(/[^a-z0-9]+/g, \"-\")\n .replace(/^-+|-+$/g, \"\");\n slug = slug.replace(/^agent-native-/, \"\");\n slug = SLUG_ALIASES[slug] ?? slug;\n if (!slug) return undefined;\n return BUILT_IN_AUTH_MARKETING[slug] ? slug : undefined;\n}\n\nfunction slugFromUrl(value: string | undefined): string | undefined {\n if (!value) return undefined;\n try {\n const url = new URL(value);\n return slugFromHost(url.host) ?? slugFromPath(url.pathname);\n } catch {\n return undefined;\n }\n}\n\nfunction slugFromHost(value: string | undefined): string | undefined {\n if (!value) return undefined;\n const host = value.split(\",\")[0]?.trim().split(\":\")[0]?.toLowerCase();\n if (!host) return undefined;\n if (host.endsWith(\".agent-native.com\")) {\n return normalizeSlug(host.slice(0, -\".agent-native.com\".length));\n }\n return undefined;\n}\n\nfunction slugFromPath(value: string | undefined): string | undefined {\n if (!value) return undefined;\n const firstSegment = value.split(\"?\")[0]?.split(\"/\").filter(Boolean)[0];\n return normalizeSlug(firstSegment);\n}\n\nfunction candidateSlugs(\n opts: ResolveBuiltInAuthMarketingOptions = {},\n): string[] {\n const env = process.env;\n const candidates = [\n opts.requestHost ? slugFromHost(opts.requestHost) : undefined,\n opts.requestPath ? slugFromPath(opts.requestPath) : undefined,\n normalizeSlug(env.AGENT_NATIVE_TEMPLATE),\n normalizeSlug(env.APP_NAME),\n normalizeSlug(env.npm_package_name),\n slugFromPath(env.APP_BASE_PATH),\n slugFromPath(env.VITE_APP_BASE_PATH),\n slugFromUrl(env.APP_URL),\n slugFromUrl(env.BETTER_AUTH_URL),\n slugFromUrl(env.VITE_BETTER_AUTH_URL),\n slugFromUrl(env.URL),\n slugFromUrl(env.DEPLOY_URL),\n slugFromUrl(env.DEPLOY_PRIME_URL),\n ];\n\n return candidates.filter((slug): slug is string => !!slug);\n}\n\nexport function resolveBuiltInAuthMarketing(\n opts: ResolveBuiltInAuthMarketingOptions = {},\n): AuthMarketingContent | undefined {\n for (const slug of candidateSlugs(opts)) {\n const marketing = BUILT_IN_AUTH_MARKETING[slug];\n if (marketing) return cloneMarketing(marketing);\n }\n return undefined;\n}\n\nexport function resolveBuiltInAuthMarketingByName(\n value: string | undefined,\n): AuthMarketingContent | undefined {\n const slug = normalizeSlug(value);\n const marketing = slug ? BUILT_IN_AUTH_MARKETING[slug] : undefined;\n return marketing ? cloneMarketing(marketing) : undefined;\n}\n"]}
package/dist/server/auth.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAkDhE,KAAK,KAAK,GAAG,SAAS,CAAC;AASvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAUlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAgC5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAe7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4DAA4D;IAC5D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mNAAmN;IACnN,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAoCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD;AAED,eAAO,MAAM,WAAW,QAA4C,CAAC;AACrE,eAAO,MAAM,yBAAyB,QACQ,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AAmCD,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAExE;AAgCD,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAIjE;AAkGD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CASpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CASjE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQzD;AAgND,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAI7D;AAyDD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAiHD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AA2vBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAY5E;AAsID,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAS7E;AAknCD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAqKlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAMzE"}
1
+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAkDhE,KAAK,KAAK,GAAG,SAAS,CAAC;AASvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAUlE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAiC5D,OAAO,EAIL,KAAK,oBAAoB,EAC1B,MAAM,qCAAqC,CAAC;AAe7C;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mFAAmF;IACnF,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,4DAA4D;IAC5D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mNAAmN;IACnN,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;IAC5C;;;;OAIG;IACH,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;OAGG;IACH,0BAA0B,CAAC,EAAE,MAAM,EAAE,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;;;;OAmBG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;OAIG;IACH,SAAS,CAAC,EAAE;QACV,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF;;;OAGG;IACH,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IACF;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAoCD;;;;GAIG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD;AAED,eAAO,MAAM,WAAW,QAA4C,CAAC;AACrE,eAAO,MAAM,yBAAyB,QACQ,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,iBAAiB,IAAI;IAAE,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CAGvD;AAmCD,wBAAgB,+BAA+B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAExE;AAgCD,wBAAgB,4BAA4B,CAAC,KAAK,EAAE,OAAO,GAAG,IAAI,CAIjE;AAkGD;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,OAAO,CAG1C;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAUrE;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CASpE;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CASjE;AAED;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAQzD;AAgND,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAI7D;AAyDD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAW7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAShE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAmB3E;AAiHD,MAAM,WAAW,2BAA2B;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAmBD,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,QAWd;AAED,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,2BAA2B,QAOnC;AAmGD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAiyBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAY5E;AAsID,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAS7E;AAknCD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CAqKlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAMzE"}
package/dist/server/auth.js CHANGED
@@ -49,7 +49,7 @@ import { safeOAuthReturnUrl } from "./oauth-return-url.js";
49
49
  import { captureAuthError } from "./sentry.js";
50
50
  import { extractOAuthStateAppId } from "../shared/oauth-state.js";
51
51
  import { isValidWorkspaceAppIdFormat } from "../shared/workspace-app-id.js";
52
- import { AGENT_NATIVE_SOCIAL_IMAGE_ALT, AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT, AGENT_NATIVE_SOCIAL_IMAGE_PATH, AGENT_NATIVE_SOCIAL_IMAGE_TYPE, AGENT_NATIVE_SOCIAL_IMAGE_WIDTH, } from "../shared/social-meta.js";
52
+ import { AGENT_NATIVE_SOCIAL_IMAGE_ALT, AGENT_NATIVE_SOCIAL_IMAGE_HEIGHT, AGENT_NATIVE_SOCIAL_IMAGE_PATH, AGENT_NATIVE_SOCIAL_IMAGE_TYPE, AGENT_NATIVE_SOCIAL_IMAGE_WIDTH, withAgentNativeSocialImageCacheBuster, } from "../shared/social-meta.js";
53
53
  import { DEFAULT_SSR_CACHE_HEADERS } from "../shared/cache-control.js";
54
54
  import { normalizeWorkspaceAppAudience, workspaceAppAudienceFromEnv, workspaceAppRouteAccessFromEnv, } from "../shared/workspace-app-audience.js";
55
55
  import { resolveAuthCookieNamespace } from "./cookie-namespace.js";
@@ -995,7 +995,7 @@ function injectLoginSocialImageMeta(loginHtml, event) {
995
995
  return loginHtml;
996
996
  const hasAnySocialImage = LOGIN_OG_IMAGE_META_RE.test(loginHtml) ||
997
997
  LOGIN_TWITTER_IMAGE_META_RE.test(loginHtml);
998
- const imageUrl = escapeHtmlAttr(getAppUrl(event, AGENT_NATIVE_SOCIAL_IMAGE_PATH));
998
+ const imageUrl = escapeHtmlAttr(withAgentNativeSocialImageCacheBuster(getAppUrl(event, AGENT_NATIVE_SOCIAL_IMAGE_PATH)));
999
999
  const tags = [];
1000
1000
  if (!hasAnySocialImage) {
1001
1001
  tags.push(`<meta property="og:image" content="${imageUrl}">`);
@@ -1318,6 +1318,57 @@ async function hasAutoDevAccountUser(db) {
1318
1318
  });
1319
1319
  return rows.length > 0;
1320
1320
  }
1321
+ const autoDevAccountCreationPromises = new Map();
1322
+ function getAutoDevAccountCreationKey() {
1323
+ return `${process.cwd()}:${process.env.APP_BASE_PATH ?? ""}`;
1324
+ }
1325
+ async function createAutoDevAccountForSession(auth, db) {
1326
+ const key = getAutoDevAccountCreationKey();
1327
+ let creationPromise = autoDevAccountCreationPromises.get(key);
1328
+ if (!creationPromise) {
1329
+ const devPassword = crypto.randomBytes(18).toString("base64url");
1330
+ creationPromise = (async () => {
1331
+ try {
1332
+ await auth.api.signUpEmail({
1333
+ body: {
1334
+ email: AUTO_DEV_ACCOUNT_EMAIL,
1335
+ password: devPassword,
1336
+ name: "Dev",
1337
+ },
1338
+ });
1339
+ }
1340
+ catch (e) {
1341
+ // Another process can still win the create race after our SELECT.
1342
+ // In-process first-page races share this promise and do not issue a
1343
+ // duplicate Better Auth signup, which keeps local SQLite logs quiet.
1344
+ if (await hasAutoDevAccountUser(db))
1345
+ return null;
1346
+ if (!isExpectedAuthFailure(e))
1347
+ throw e;
1348
+ return null;
1349
+ }
1350
+ // Print the throwaway credential exactly once so the developer can
1351
+ // sign back in manually after logout (auto-flow won't refire once the
1352
+ // dev row exists). Local console only — never Sentry.
1353
+ console.log(`\n[agent-native] Local dev auto-login ready.\n` +
1354
+ ` email: ${AUTO_DEV_ACCOUNT_EMAIL}\n` +
1355
+ ` password: ${devPassword}\n` +
1356
+ ` (random, this DB only — needed to sign back in after logout.\n` +
1357
+ ` Set AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1 to disable.)\n`);
1358
+ return { password: devPassword };
1359
+ })();
1360
+ autoDevAccountCreationPromises.set(key, creationPromise);
1361
+ creationPromise
1362
+ .finally(() => {
1363
+ if (autoDevAccountCreationPromises.get(key) === creationPromise) {
1364
+ autoDevAccountCreationPromises.delete(key);
1365
+ }
1366
+ })
1367
+ .catch(() => { });
1368
+ }
1369
+ const result = await creationPromise;
1370
+ return result?.password ?? null;
1371
+ }
1321
1372
  /**
1322
1373
  * Local-dev convenience: skip the sign-up wall on first run.
1323
1374
  *
@@ -1386,35 +1437,14 @@ async function maybeAutoCreateDevSession(event, redirectTo) {
1386
1437
  const auth = await getBetterAuth();
1387
1438
  if (!auth)
1388
1439
  return null;
1389
- // Random per-DB password — there is no source-code-known credential
1390
- // for this account. Printed once below so the developer can sign back
1391
- // in after logout (the auto-flow won't refire while the dev row
1392
- // exists).
1393
- const devPassword = crypto.randomBytes(18).toString("base64url");
1394
1440
  // The dev account does not exist at this point (the devUsers check
1395
- // above returned early otherwise). The "already exists" swallow only
1396
- // matters under a rare concurrent first-hit race in that case the
1397
- // sign-in below fails the password check and we return null, leaving
1398
- // the racing request that already won to keep the session.
1399
- try {
1400
- await auth.api.signUpEmail({
1401
- body: {
1402
- email: AUTO_DEV_ACCOUNT_EMAIL,
1403
- password: devPassword,
1404
- name: "Dev",
1405
- },
1406
- });
1407
- }
1408
- catch (e) {
1409
- // A concurrent first page load can win the Better Auth signup after our
1410
- // preflight SELECT. Once the dev row exists, do not sign in with this
1411
- // request's random password or log a scary local-only stack trace.
1412
- if (await hasAutoDevAccountUser(db))
1413
- return null;
1414
- if (!isExpectedAuthFailure(e))
1415
- throw e;
1441
+ // above returned early otherwise). Concurrent in-process first page
1442
+ // loads share one signup promise so the losing request never asks Better
1443
+ // Auth to insert the same email and therefore never emits a SQLite
1444
+ // unique-constraint log.
1445
+ const devPassword = await createAutoDevAccountForSession(auth, db);
1446
+ if (!devPassword)
1416
1447
  return null;
1417
- }
1418
1448
  const result = await auth.api.signInEmail({
1419
1449
  body: {
1420
1450
  email: AUTO_DEV_ACCOUNT_EMAIL,
@@ -1425,14 +1455,6 @@ async function maybeAutoCreateDevSession(event, redirectTo) {
1425
1455
  return null;
1426
1456
  setFrameworkSessionCookie(event, result.token);
1427
1457
  await addSession(result.token, AUTO_DEV_ACCOUNT_EMAIL);
1428
- // Print the throwaway credential exactly once so the developer can
1429
- // sign back in manually after logout (auto-flow won't refire once the
1430
- // dev row exists). Local console only — never Sentry.
1431
- console.log(`\n[agent-native] Local dev auto-login ready.\n` +
1432
- ` email: ${AUTO_DEV_ACCOUNT_EMAIL}\n` +
1433
- ` password: ${devPassword}\n` +
1434
- ` (random, this DB only — needed to sign back in after logout.\n` +
1435
- ` Set AGENT_NATIVE_DISABLE_AUTO_DEV_ACCOUNT=1 to disable.)\n`);
1436
1458
  // Emit the session cookie ON the 302 itself. Returning a bare
1437
1459
  // `new Response(...)` here drops the cookie staged on event.node.res
1438
1460
  // (see redirectWithStagedCookies), so the developer would 302 to the