@agent-native/core 0.51.14 → 0.52.0

package/dist/coding-tools/sandbox/index.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Sandbox-adapter selection seam.
+ *
+ * `getSandboxAdapter()` resolves which backend the `run-code` tool executes in.
+ * By default it returns the local child-process adapter (preserving today's
+ * behavior). The active adapter can be overridden in two ways, both designed so
+ * a remote/durable backend can be plugged in later WITHOUT touching the agent
+ * loop or `run-code.ts`:
+ *
+ *  1. Programmatically, via `registerSandboxAdapter(adapter)` — e.g. a host
+ *     process that wants every `run-code` call to run in a remote container.
+ *  2. By env var `AGENT_NATIVE_SANDBOX` for built-in adapters. Currently only
+ *     `local` (the default) is wired; unknown values fall back to local.
+ *
+ * Resolution order: an explicitly registered adapter wins; otherwise the env
+ * var selects a built-in; otherwise the local adapter is used.
+ *
+ * // TODO: remote/durable adapter for long jobs. The local child-process
+ * // adapter is bounded by the hosting process — on the hosted platform that
+ * // means the agent loop's soft execution ceiling (~40s before timeout/
+ * // continuation thrash). A remote or durable adapter (Docker, a
+ * // Vercel-Sandbox-style runner, or a queued background worker) is the lever
+ * // to exceed that ceiling: it would implement `SandboxAdapter.run` against an
+ * // out-of-process runtime, tunnel the loopback bridge (or proxy bridge calls
+ * // back to the parent), and let large data jobs run to completion
+ * // independently of the request lifecycle. Register it here under a new
+ * // `AGENT_NATIVE_SANDBOX` value (e.g. `remote`) and via
+ * // `registerSandboxAdapter()`.
+ */
+import type { SandboxAdapter } from "./adapter.js";
+export type { SandboxAdapter, SandboxRunRequest, SandboxRunResult, SandboxEnv, } from "./adapter.js";
+export { LocalChildProcessAdapter } from "./local-child-process-adapter.js";
+/**
+ * Override the sandbox backend for all subsequent `run-code` invocations.
+ * Intended for hosts that want to plug in a Docker/remote/durable adapter. Pass
+ * `null` to clear the override and fall back to env-var / default resolution.
+ */
+export declare function registerSandboxAdapter(adapter: SandboxAdapter | null): void;
+/**
+ * Resolve the active sandbox adapter.
+ *
+ * Order: explicitly registered adapter → built-in selected by
+ * `AGENT_NATIVE_SANDBOX` → local child-process default.
+ */
+export declare function getSandboxAdapter(): SandboxAdapter;
+/**
+ * Reset selection state (registered override + cached default). Test-only helper
+ * so specs can exercise selection without leaking adapters across cases.
+ */
+export declare function resetSandboxAdapterForTests(): void;
+//# sourceMappingURL=index.d.ts.map

package/dist/coding-tools/sandbox/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/coding-tools/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,YAAY,EACV,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EAChB,UAAU,GACX,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAC;AAa5E;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,cAAc,GAAG,IAAI,GAAG,IAAI,CAE3E;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,IAAI,cAAc,CAelD;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,IAAI,IAAI,CAGlD"}

package/dist/coding-tools/sandbox/index.js

@@ -0,0 +1,79 @@
+/**
+ * Sandbox-adapter selection seam.
+ *
+ * `getSandboxAdapter()` resolves which backend the `run-code` tool executes in.
+ * By default it returns the local child-process adapter (preserving today's
+ * behavior). The active adapter can be overridden in two ways, both designed so
+ * a remote/durable backend can be plugged in later WITHOUT touching the agent
+ * loop or `run-code.ts`:
+ *
+ *  1. Programmatically, via `registerSandboxAdapter(adapter)` — e.g. a host
+ *     process that wants every `run-code` call to run in a remote container.
+ *  2. By env var `AGENT_NATIVE_SANDBOX` for built-in adapters. Currently only
+ *     `local` (the default) is wired; unknown values fall back to local.
+ *
+ * Resolution order: an explicitly registered adapter wins; otherwise the env
+ * var selects a built-in; otherwise the local adapter is used.
+ *
+ * // TODO: remote/durable adapter for long jobs. The local child-process
+ * // adapter is bounded by the hosting process — on the hosted platform that
+ * // means the agent loop's soft execution ceiling (~40s before timeout/
+ * // continuation thrash). A remote or durable adapter (Docker, a
+ * // Vercel-Sandbox-style runner, or a queued background worker) is the lever
+ * // to exceed that ceiling: it would implement `SandboxAdapter.run` against an
+ * // out-of-process runtime, tunnel the loopback bridge (or proxy bridge calls
+ * // back to the parent), and let large data jobs run to completion
+ * // independently of the request lifecycle. Register it here under a new
+ * // `AGENT_NATIVE_SANDBOX` value (e.g. `remote`) and via
+ * // `registerSandboxAdapter()`.
+ */
+import { LocalChildProcessAdapter } from "./local-child-process-adapter.js";
+export { LocalChildProcessAdapter } from "./local-child-process-adapter.js";
+/** Built-in adapter ids selectable via the `AGENT_NATIVE_SANDBOX` env var. */
+const BUILT_IN_ADAPTERS = {
+    local: () => new LocalChildProcessAdapter(),
+};
+/** Lazily-constructed default (local) adapter, shared across calls. */
+let defaultAdapter;
+/** Explicitly registered adapter, if any. Takes precedence over the env var. */
+let registeredAdapter;
+/**
+ * Override the sandbox backend for all subsequent `run-code` invocations.
+ * Intended for hosts that want to plug in a Docker/remote/durable adapter. Pass
+ * `null` to clear the override and fall back to env-var / default resolution.
+ */
+export function registerSandboxAdapter(adapter) {
+    registeredAdapter = adapter ?? undefined;
+}
+/**
+ * Resolve the active sandbox adapter.
+ *
+ * Order: explicitly registered adapter → built-in selected by
+ * `AGENT_NATIVE_SANDBOX` → local child-process default.
+ */
+export function getSandboxAdapter() {
+    if (registeredAdapter)
+        return registeredAdapter;
+    const selected = (process.env.AGENT_NATIVE_SANDBOX ?? "")
+        .trim()
+        .toLowerCase();
+    if (selected && selected !== "local") {
+        const factory = BUILT_IN_ADAPTERS[selected];
+        if (factory)
+            return factory();
+        // Unknown value: fall through to the local default rather than failing the
+        // run. (A remote adapter is registered programmatically; see the TODO above.)
+    }
+    if (!defaultAdapter)
+        defaultAdapter = new LocalChildProcessAdapter();
+    return defaultAdapter;
+}
+/**
+ * Reset selection state (registered override + cached default). Test-only helper
+ * so specs can exercise selection without leaking adapters across cases.
+ */
+export function resetSandboxAdapterForTests() {
+    registeredAdapter = undefined;
+    defaultAdapter = undefined;
+}
+//# sourceMappingURL=index.js.map

package/dist/coding-tools/sandbox/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/coding-tools/sandbox/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAGH,OAAO,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAC;AAQ5E,OAAO,EAAE,wBAAwB,EAAE,MAAM,kCAAkC,CAAC;AAE5E,8EAA8E;AAC9E,MAAM,iBAAiB,GAAyC;IAC9D,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,wBAAwB,EAAE;CAC5C,CAAC;AAEF,uEAAuE;AACvE,IAAI,cAA0C,CAAC;AAE/C,gFAAgF;AAChF,IAAI,iBAA6C,CAAC;AAElD;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAA8B;IACnE,iBAAiB,GAAG,OAAO,IAAI,SAAS,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB;IAC/B,IAAI,iBAAiB;QAAE,OAAO,iBAAiB,CAAC;IAEhD,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC;SACtD,IAAI,EAAE;SACN,WAAW,EAAE,CAAC;IACjB,IAAI,QAAQ,IAAI,QAAQ,KAAK,OAAO,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,OAAO;YAAE,OAAO,OAAO,EAAE,CAAC;QAC9B,2EAA2E;QAC3E,8EAA8E;IAChF,CAAC;IAED,IAAI,CAAC,cAAc;QAAE,cAAc,GAAG,IAAI,wBAAwB,EAAE,CAAC;IACrE,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B;IACzC,iBAAiB,GAAG,SAAS,CAAC;IAC9B,cAAc,GAAG,SAAS,CAAC;AAC7B,CAAC","sourcesContent":["/**\n * Sandbox-adapter selection seam.\n *\n * `getSandboxAdapter()` resolves which backend the `run-code` tool executes in.\n * By default it returns the local child-process adapter (preserving today's\n * behavior). The active adapter can be overridden in two ways, both designed so\n * a remote/durable backend can be plugged in later WITHOUT touching the agent\n * loop or `run-code.ts`:\n *\n *  1. Programmatically, via `registerSandboxAdapter(adapter)` — e.g. a host\n *     process that wants every `run-code` call to run in a remote container.\n *  2. By env var `AGENT_NATIVE_SANDBOX` for built-in adapters. Currently only\n *     `local` (the default) is wired; unknown values fall back to local.\n *\n * Resolution order: an explicitly registered adapter wins; otherwise the env\n * var selects a built-in; otherwise the local adapter is used.\n *\n * // TODO: remote/durable adapter for long jobs. The local child-process\n * // adapter is bounded by the hosting process — on the hosted platform that\n * // means the agent loop's soft execution ceiling (~40s before timeout/\n * // continuation thrash). A remote or durable adapter (Docker, a\n * // Vercel-Sandbox-style runner, or a queued background worker) is the lever\n * // to exceed that ceiling: it would implement `SandboxAdapter.run` against an\n * // out-of-process runtime, tunnel the loopback bridge (or proxy bridge calls\n * // back to the parent), and let large data jobs run to completion\n * // independently of the request lifecycle. Register it here under a new\n * // `AGENT_NATIVE_SANDBOX` value (e.g. `remote`) and via\n * // `registerSandboxAdapter()`.\n */\n\nimport type { SandboxAdapter } from \"./adapter.js\";\nimport { LocalChildProcessAdapter } from \"./local-child-process-adapter.js\";\n\nexport type {\n  SandboxAdapter,\n  SandboxRunRequest,\n  SandboxRunResult,\n  SandboxEnv,\n} from \"./adapter.js\";\nexport { LocalChildProcessAdapter } from \"./local-child-process-adapter.js\";\n\n/** Built-in adapter ids selectable via the `AGENT_NATIVE_SANDBOX` env var. */\nconst BUILT_IN_ADAPTERS: Record<string, () => SandboxAdapter> = {\n  local: () => new LocalChildProcessAdapter(),\n};\n\n/** Lazily-constructed default (local) adapter, shared across calls. */\nlet defaultAdapter: SandboxAdapter | undefined;\n\n/** Explicitly registered adapter, if any. Takes precedence over the env var. */\nlet registeredAdapter: SandboxAdapter | undefined;\n\n/**\n * Override the sandbox backend for all subsequent `run-code` invocations.\n * Intended for hosts that want to plug in a Docker/remote/durable adapter. Pass\n * `null` to clear the override and fall back to env-var / default resolution.\n */\nexport function registerSandboxAdapter(adapter: SandboxAdapter | null): void {\n  registeredAdapter = adapter ?? undefined;\n}\n\n/**\n * Resolve the active sandbox adapter.\n *\n * Order: explicitly registered adapter → built-in selected by\n * `AGENT_NATIVE_SANDBOX` → local child-process default.\n */\nexport function getSandboxAdapter(): SandboxAdapter {\n  if (registeredAdapter) return registeredAdapter;\n\n  const selected = (process.env.AGENT_NATIVE_SANDBOX ?? \"\")\n    .trim()\n    .toLowerCase();\n  if (selected && selected !== \"local\") {\n    const factory = BUILT_IN_ADAPTERS[selected];\n    if (factory) return factory();\n    // Unknown value: fall through to the local default rather than failing the\n    // run. (A remote adapter is registered programmatically; see the TODO above.)\n  }\n\n  if (!defaultAdapter) defaultAdapter = new LocalChildProcessAdapter();\n  return defaultAdapter;\n}\n\n/**\n * Reset selection state (registered override + cached default). Test-only helper\n * so specs can exercise selection without leaking adapters across cases.\n */\nexport function resetSandboxAdapterForTests(): void {\n  registeredAdapter = undefined;\n  defaultAdapter = undefined;\n}\n"]}

package/dist/coding-tools/sandbox/local-child-process-adapter.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Default sandbox adapter: a local Node.js child process.
+ *
+ * This is the historical `run-code` execution path, extracted verbatim so the
+ * default runtime behavior is byte-for-byte equivalent to the previous inline
+ * implementation in `run-code.ts`:
+ *  - The prepared module source is written to a fresh temp dir.
+ *  - The child runs with the scrubbed env supplied by the parent (no secrets).
+ *  - When the Node permission model is available (`--permission`, or
+ *    `--experimental-permission` on Node 20), the child is denied filesystem
+ *    access outside its own temp dir, child processes, workers, and native
+ *    addons. Outbound network is NOT blocked by the permission model; the env
+ *    scrub means such requests carry no credentials, and all authenticated calls
+ *    go through the parent's loopback bridge.
+ *  - A timeout sends SIGTERM, then SIGKILL after a 2 s grace period.
+ *  - Temp files are cleaned up best-effort after the run.
+ */
+import type { SandboxAdapter, SandboxRunRequest, SandboxRunResult } from "./adapter.js";
+/** Sandbox adapter that runs code in a locked-down local Node child process. */
+export declare class LocalChildProcessAdapter implements SandboxAdapter {
+    readonly id = "local-child-process";
+    run(request: SandboxRunRequest): Promise<SandboxRunResult>;
+}
+//# sourceMappingURL=local-child-process-adapter.d.ts.map

package/dist/coding-tools/sandbox/local-child-process-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-child-process-adapter.d.ts","sourceRoot":"","sources":["../../../src/coding-tools/sandbox/local-child-process-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAOH,OAAO,KAAK,EACV,cAAc,EACd,iBAAiB,EACjB,gBAAgB,EACjB,MAAM,cAAc,CAAC;AAmDtB,gFAAgF;AAChF,qBAAa,wBAAyB,YAAW,cAAc;IAC7D,QAAQ,CAAC,EAAE,yBAAyB;IAE9B,GAAG,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC;CA6EjE"}

package/dist/coding-tools/sandbox/local-child-process-adapter.js

@@ -0,0 +1,141 @@
+/**
+ * Default sandbox adapter: a local Node.js child process.
+ *
+ * This is the historical `run-code` execution path, extracted verbatim so the
+ * default runtime behavior is byte-for-byte equivalent to the previous inline
+ * implementation in `run-code.ts`:
+ *  - The prepared module source is written to a fresh temp dir.
+ *  - The child runs with the scrubbed env supplied by the parent (no secrets).
+ *  - When the Node permission model is available (`--permission`, or
+ *    `--experimental-permission` on Node 20), the child is denied filesystem
+ *    access outside its own temp dir, child processes, workers, and native
+ *    addons. Outbound network is NOT blocked by the permission model; the env
+ *    scrub means such requests carry no credentials, and all authenticated calls
+ *    go through the parent's loopback bridge.
+ *  - A timeout sends SIGTERM, then SIGKILL after a 2 s grace period.
+ *  - Temp files are cleaned up best-effort after the run.
+ */
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { spawn, spawnSync } from "node:child_process";
+/** Grace period between SIGTERM and SIGKILL when a run times out. */
+const SIGKILL_GRACE_MS = 2_000;
+function sandboxReadAllowPaths(tmpDir) {
+    const paths = new Set([tmpDir]);
+    try {
+        paths.add(fs.realpathSync(tmpDir));
+    }
+    catch { }
+    return [...paths];
+}
+function sandboxWriteAllowPaths(tmpDir) {
+    const paths = new Set([tmpDir]);
+    try {
+        paths.add(fs.realpathSync(tmpDir));
+    }
+    catch { }
+    return [...paths];
+}
+/**
+ * Resolve the Node permission-model flag supported by the current runtime,
+ * probing once and caching. Returns null when the permission model is
+ * unavailable (the sandbox then falls back to env-scrub isolation only).
+ */
+let cachedPermissionFlag;
+function resolvePermissionFlag() {
+    if (cachedPermissionFlag !== undefined)
+        return cachedPermissionFlag;
+    for (const flag of ["--permission", "--experimental-permission"]) {
+        try {
+            const probe = spawnSync(process.execPath, [flag, "-e", "process.exit(0)"], {
+                timeout: 10_000,
+                stdio: "ignore",
+            });
+            if (probe.status === 0) {
+                cachedPermissionFlag = flag;
+                return flag;
+            }
+        }
+        catch {
+            // Probe failure means the flag is unsupported; try the next one.
+        }
+    }
+    cachedPermissionFlag = null;
+    return null;
+}
+/** Sandbox adapter that runs code in a locked-down local Node child process. */
+export class LocalChildProcessAdapter {
+    id = "local-child-process";
+    async run(request) {
+        let tmpDir;
+        let tmpFile;
+        try {
+            // Write code to a temp ESM file (top-level await needs a module).
+            const tmpBaseDir = fs.realpathSync(os.tmpdir());
+            tmpDir = fs.mkdtempSync(path.join(tmpBaseDir, "agent-run-code-"));
+            tmpFile = path.join(tmpDir, "sandbox.mjs");
+            fs.writeFileSync(tmpFile, request.moduleSource, "utf8");
+            // The parent supplies an already-scrubbed env (no secrets). Point TMPDIR
+            // inside the sandbox dir so in-sandbox temp writes stay within the
+            // permission-model allow list.
+            const safeEnv = { ...request.env };
+            safeEnv.TMPDIR = tmpDir;
+            safeEnv.TEMP = tmpDir;
+            safeEnv.TMP = tmpDir;
+            // Lock the child down with the Node permission model when available:
+            // filesystem restricted to the sandbox temp dir, and child processes,
+            // workers, and native addons denied entirely.
+            const permissionFlag = resolvePermissionFlag();
+            const nodeArgs = permissionFlag
+                ? [
+                    permissionFlag,
+                    ...sandboxReadAllowPaths(tmpDir).map((allowedPath) => `--allow-fs-read=${allowedPath}`),
+                    ...sandboxWriteAllowPaths(tmpDir).map((allowedPath) => `--allow-fs-write=${allowedPath}`),
+                    tmpFile,
+                ]
+                : [tmpFile];
+            const child = spawn(process.execPath, nodeArgs, {
+                cwd: tmpDir,
+                env: safeEnv,
+                stdio: ["ignore", "pipe", "pipe"],
+            });
+            let stdout = "";
+            let stderr = "";
+            let timedOut = false;
+            const timer = setTimeout(() => {
+                timedOut = true;
+                child.kill("SIGTERM");
+                setTimeout(() => {
+                    try {
+                        child.kill("SIGKILL");
+                    }
+                    catch { }
+                }, SIGKILL_GRACE_MS);
+            }, request.timeoutMs);
+            child.stdout?.on("data", (chunk) => {
+                stdout += chunk.toString();
+            });
+            child.stderr?.on("data", (chunk) => {
+                stderr += chunk.toString();
+            });
+            const exitCode = await new Promise((resolve, reject) => {
+                child.once("error", reject);
+                child.once("exit", resolve);
+            });
+            clearTimeout(timer);
+            return { stdout, stderr, exitCode, timedOut };
+        }
+        finally {
+            // Clean up temp files (best-effort).
+            try {
+                if (tmpFile)
+                    fs.rmSync(tmpFile, { force: true });
+                if (tmpDir)
+                    fs.rmSync(tmpDir, { recursive: true, force: true });
+            }
+            catch { }
+        }
+    }
+}
+//# sourceMappingURL=local-child-process-adapter.js.map

package/dist/coding-tools/sandbox/local-child-process-adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-child-process-adapter.js","sourceRoot":"","sources":["../../../src/coding-tools/sandbox/local-child-process-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAQtD,qEAAqE;AACrE,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAE/B,SAAS,qBAAqB,CAAC,MAAc;IAC3C,MAAM,KAAK,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAc;IAC5C,MAAM,KAAK,GAAG,IAAI,GAAG,CAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACxC,IAAI,CAAC;QACH,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC,CAAA,CAAC;IACV,OAAO,CAAC,GAAG,KAAK,CAAC,CAAC;AACpB,CAAC;AAED;;;;GAIG;AACH,IAAI,oBAA+C,CAAC;AACpD,SAAS,qBAAqB;IAC5B,IAAI,oBAAoB,KAAK,SAAS;QAAE,OAAO,oBAAoB,CAAC;IACpE,KAAK,MAAM,IAAI,IAAI,CAAC,cAAc,EAAE,2BAA2B,CAAC,EAAE,CAAC;QACjE,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,SAAS,CACrB,OAAO,CAAC,QAAQ,EAChB,CAAC,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,EAC/B;gBACE,OAAO,EAAE,MAAM;gBACf,KAAK,EAAE,QAAQ;aAChB,CACF,CAAC;YACF,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,oBAAoB,GAAG,IAAI,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;QACnE,CAAC;IACH,CAAC;IACD,oBAAoB,GAAG,IAAI,CAAC;IAC5B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,gFAAgF;AAChF,MAAM,OAAO,wBAAwB;IAC1B,EAAE,GAAG,qBAAqB,CAAC;IAEpC,KAAK,CAAC,GAAG,CAAC,OAA0B;QAClC,IAAI,MAA0B,CAAC;QAC/B,IAAI,OAA2B,CAAC;QAChC,IAAI,CAAC;YACH,kEAAkE;YAClE,MAAM,UAAU,GAAG,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC;YAChD,MAAM,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;YAClE,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;YAC3C,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YAExD,yEAAyE;YACzE,mEAAmE;YACnE,+BAA+B;YAC/B,MAAM,OAAO,GAA2B,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;YAC3D,OAAO,CAAC,MAAM,GAAG,MAAM,CAAC;YACxB,OAAO,CAAC,IAAI,GAAG,MAAM,CAAC;YACtB,OAAO,CAAC,GAAG,GAAG,MAAM,CAAC;YAErB,qEAAqE;YACrE,sEAAsE;YACtE,8CAA8C;YAC9C,MAAM,cAAc,GAAG,qBAAqB,EAAE,CAAC;YAC/C,MAAM,QAAQ,GAAG,cAAc;gBAC7B,CAAC,CAAC;oBACE,cAAc;oBACd,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC,GAAG,CAClC,CAAC,WAAW,EAAE,EAAE,CAAC,mBAAmB,WAAW,EAAE,CAClD;oBACD,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC,GAAG,CACnC,CAAC,WAAW,EAAE,EAAE,CAAC,oBAAoB,WAAW,EAAE,CACnD;oBACD,OAAO;iBACR;gBACH,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;YAEd,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE;gBAC9C,GAAG,EAAE,MAAM;gBACX,GAAG,EAAE,OAAO;gBACZ,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;aAClC,CAAC,CAAC;YAEH,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;YAErB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,QAAQ,GAAG,IAAI,CAAC;gBAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBACtB,UAAU,CAAC,GAAG,EAAE;oBACd,IAAI,CAAC;wBACH,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;oBACxB,CAAC;oBAAC,MAAM,CAAC,CAAA,CAAC;gBACZ,CAAC,EAAE,gBAAgB,CAAC,CAAC;YACvB,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;YAEtB,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC7B,CAAC,CAAC,CAAC;YACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBACzC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAC7B,CAAC,CAAC,CAAC;YAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,OAAO,CAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;gBACpE,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;gBAC5B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC9B,CAAC,CAAC,CAAC;YACH,YAAY,CAAC,KAAK,CAAC,CAAC;YAEpB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC;QAChD,CAAC;gBAAS,CAAC;YACT,qCAAqC;YACrC,IAAI,CAAC;gBACH,IAAI,OAAO;oBAAE,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;gBACjD,IAAI,MAAM;oBAAE,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YAClE,CAAC;YAAC,MAAM,CAAC,CAAA,CAAC;QACZ,CAAC;IACH,CAAC;CACF","sourcesContent":["/**\n * Default sandbox adapter: a local Node.js child process.\n *\n * This is the historical `run-code` execution path, extracted verbatim so the\n * default runtime behavior is byte-for-byte equivalent to the previous inline\n * implementation in `run-code.ts`:\n *  - The prepared module source is written to a fresh temp dir.\n *  - The child runs with the scrubbed env supplied by the parent (no secrets).\n *  - When the Node permission model is available (`--permission`, or\n *    `--experimental-permission` on Node 20), the child is denied filesystem\n *    access outside its own temp dir, child processes, workers, and native\n *    addons. Outbound network is NOT blocked by the permission model; the env\n *    scrub means such requests carry no credentials, and all authenticated calls\n *    go through the parent's loopback bridge.\n *  - A timeout sends SIGTERM, then SIGKILL after a 2 s grace period.\n *  - Temp files are cleaned up best-effort after the run.\n */\n\nimport fs from \"node:fs\";\nimport os from \"node:os\";\nimport path from \"node:path\";\nimport { spawn, spawnSync } from \"node:child_process\";\n\nimport type {\n  SandboxAdapter,\n  SandboxRunRequest,\n  SandboxRunResult,\n} from \"./adapter.js\";\n\n/** Grace period between SIGTERM and SIGKILL when a run times out. */\nconst SIGKILL_GRACE_MS = 2_000;\n\nfunction sandboxReadAllowPaths(tmpDir: string): string[] {\n  const paths = new Set<string>([tmpDir]);\n  try {\n    paths.add(fs.realpathSync(tmpDir));\n  } catch {}\n  return [...paths];\n}\n\nfunction sandboxWriteAllowPaths(tmpDir: string): string[] {\n  const paths = new Set<string>([tmpDir]);\n  try {\n    paths.add(fs.realpathSync(tmpDir));\n  } catch {}\n  return [...paths];\n}\n\n/**\n * Resolve the Node permission-model flag supported by the current runtime,\n * probing once and caching. Returns null when the permission model is\n * unavailable (the sandbox then falls back to env-scrub isolation only).\n */\nlet cachedPermissionFlag: string | null | undefined;\nfunction resolvePermissionFlag(): string | null {\n  if (cachedPermissionFlag !== undefined) return cachedPermissionFlag;\n  for (const flag of [\"--permission\", \"--experimental-permission\"]) {\n    try {\n      const probe = spawnSync(\n        process.execPath,\n        [flag, \"-e\", \"process.exit(0)\"],\n        {\n          timeout: 10_000,\n          stdio: \"ignore\",\n        },\n      );\n      if (probe.status === 0) {\n        cachedPermissionFlag = flag;\n        return flag;\n      }\n    } catch {\n      // Probe failure means the flag is unsupported; try the next one.\n    }\n  }\n  cachedPermissionFlag = null;\n  return null;\n}\n\n/** Sandbox adapter that runs code in a locked-down local Node child process. */\nexport class LocalChildProcessAdapter implements SandboxAdapter {\n  readonly id = \"local-child-process\";\n\n  async run(request: SandboxRunRequest): Promise<SandboxRunResult> {\n    let tmpDir: string | undefined;\n    let tmpFile: string | undefined;\n    try {\n      // Write code to a temp ESM file (top-level await needs a module).\n      const tmpBaseDir = fs.realpathSync(os.tmpdir());\n      tmpDir = fs.mkdtempSync(path.join(tmpBaseDir, \"agent-run-code-\"));\n      tmpFile = path.join(tmpDir, \"sandbox.mjs\");\n      fs.writeFileSync(tmpFile, request.moduleSource, \"utf8\");\n\n      // The parent supplies an already-scrubbed env (no secrets). Point TMPDIR\n      // inside the sandbox dir so in-sandbox temp writes stay within the\n      // permission-model allow list.\n      const safeEnv: Record<string, string> = { ...request.env };\n      safeEnv.TMPDIR = tmpDir;\n      safeEnv.TEMP = tmpDir;\n      safeEnv.TMP = tmpDir;\n\n      // Lock the child down with the Node permission model when available:\n      // filesystem restricted to the sandbox temp dir, and child processes,\n      // workers, and native addons denied entirely.\n      const permissionFlag = resolvePermissionFlag();\n      const nodeArgs = permissionFlag\n        ? [\n            permissionFlag,\n            ...sandboxReadAllowPaths(tmpDir).map(\n              (allowedPath) => `--allow-fs-read=${allowedPath}`,\n            ),\n            ...sandboxWriteAllowPaths(tmpDir).map(\n              (allowedPath) => `--allow-fs-write=${allowedPath}`,\n            ),\n            tmpFile,\n          ]\n        : [tmpFile];\n\n      const child = spawn(process.execPath, nodeArgs, {\n        cwd: tmpDir,\n        env: safeEnv,\n        stdio: [\"ignore\", \"pipe\", \"pipe\"],\n      });\n\n      let stdout = \"\";\n      let stderr = \"\";\n      let timedOut = false;\n\n      const timer = setTimeout(() => {\n        timedOut = true;\n        child.kill(\"SIGTERM\");\n        setTimeout(() => {\n          try {\n            child.kill(\"SIGKILL\");\n          } catch {}\n        }, SIGKILL_GRACE_MS);\n      }, request.timeoutMs);\n\n      child.stdout?.on(\"data\", (chunk: Buffer) => {\n        stdout += chunk.toString();\n      });\n      child.stderr?.on(\"data\", (chunk: Buffer) => {\n        stderr += chunk.toString();\n      });\n\n      const exitCode = await new Promise<number | null>((resolve, reject) => {\n        child.once(\"error\", reject);\n        child.once(\"exit\", resolve);\n      });\n      clearTimeout(timer);\n\n      return { stdout, stderr, exitCode, timedOut };\n    } finally {\n      // Clean up temp files (best-effort).\n      try {\n        if (tmpFile) fs.rmSync(tmpFile, { force: true });\n        if (tmpDir) fs.rmSync(tmpDir, { recursive: true, force: true });\n      } catch {}\n    }\n  }\n}\n"]}

package/dist/server/agent-engine-api-key-route.d.ts

@@ -0,0 +1,37 @@
+import { type H3Event } from "h3";
+type AgentEngineApiKeyScope = "user" | "org";
+export interface AgentEngineApiKeyWriteTarget {
+    scope: AgentEngineApiKeyScope;
+    scopeId: string;
+}
+export declare function normalizeAgentEngineApiKeyPayload(body: unknown): {
+    ok: true;
+    key: string;
+    value: string;
+    scope: AgentEngineApiKeyScope;
+} | {
+    ok: false;
+    statusCode: number;
+    error: string;
+};
+export declare function resolveAgentEngineApiKeyWriteTarget(event: H3Event, scope: AgentEngineApiKeyScope): Promise<{
+    ok: true;
+    target: AgentEngineApiKeyWriteTarget;
+} | {
+    ok: false;
+    statusCode: number;
+    error: string;
+}>;
+export declare function createAgentEngineApiKeyHandler(): import("h3").EventHandlerWithFetch<import("h3").EventHandlerRequest, Promise<{
+    error: any;
+    ok?: undefined;
+    key?: undefined;
+    scope?: undefined;
+} | {
+    ok: boolean;
+    key: string;
+    scope: AgentEngineApiKeyScope;
+    error?: undefined;
+}>>;
+export {};
+//# sourceMappingURL=agent-engine-api-key-route.d.ts.map

package/dist/server/agent-engine-api-key-route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-engine-api-key-route.d.ts","sourceRoot":"","sources":["../../src/server/agent-engine-api-key-route.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,KAAK,OAAO,EACb,MAAM,IAAI,CAAC;AAeZ,KAAK,sBAAsB,GAAG,MAAM,GAAG,KAAK,CAAC;AAE7C,MAAM,WAAW,4BAA4B;IAC3C,KAAK,EAAE,sBAAsB,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,iCAAiC,CAAC,IAAI,EAAE,OAAO,GAC3D;IACE,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,sBAAsB,CAAC;CAC/B,GACD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAgDnD;AAED,wBAAsB,mCAAmC,CACvD,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,sBAAsB,GAC5B,OAAO,CACN;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,4BAA4B,CAAA;CAAE,GAClD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CACnD,CA6BA;AAED,wBAAgB,8BAA8B;;;;;;;;;;IAqC7C"}

package/dist/server/agent-engine-api-key-route.js

@@ -0,0 +1,105 @@
+import { defineEventHandler, getMethod, setResponseStatus, } from "h3";
+import { PROVIDER_ENV_META } from "../agent/engine/provider-env-vars.js";
+import { getOrgContext } from "../org/context.js";
+import { writeAppSecret } from "../secrets/storage.js";
+import { getSession } from "./auth.js";
+import { readBody } from "./h3-helpers.js";
+const PROVIDER_TO_ENV_VAR = new Map(Object.entries(PROVIDER_ENV_META).map(([provider, meta]) => [
+    provider,
+    meta.envVar,
+]));
+const PROVIDER_ENV_VAR_KEYS = new Set(PROVIDER_TO_ENV_VAR.values());
+export function normalizeAgentEngineApiKeyPayload(body) {
+    const payload = body && typeof body === "object" ? body : {};
+    const raw = payload;
+    const key = typeof raw.key === "string"
+        ? raw.key.trim()
+        : typeof raw.provider === "string"
+            ? (PROVIDER_TO_ENV_VAR.get(raw.provider.trim()) ?? "")
+            : "";
+    if (!key || !PROVIDER_ENV_VAR_KEYS.has(key)) {
+        return {
+            ok: false,
+            statusCode: 400,
+            error: "Unsupported agent engine provider key.",
+        };
+    }
+    const value = typeof raw.value === "string"
+        ? raw.value.trim()
+        : typeof raw.apiKey === "string"
+            ? raw.apiKey.trim()
+            : "";
+    if (!value) {
+        return { ok: false, statusCode: 400, error: "value is required" };
+    }
+    if (raw.scope != null && raw.scope !== "user" && raw.scope !== "org") {
+        return {
+            ok: false,
+            statusCode: 400,
+            error: 'scope must be "user" or "org"',
+        };
+    }
+    return {
+        ok: true,
+        key,
+        value,
+        scope: raw.scope === "org" ? "org" : "user",
+    };
+}
+export async function resolveAgentEngineApiKeyWriteTarget(event, scope) {
+    const session = await getSession(event).catch(() => null);
+    if (!session?.email) {
+        return { ok: false, statusCode: 401, error: "Authentication required" };
+    }
+    if (scope === "user") {
+        return {
+            ok: true,
+            target: { scope: "user", scopeId: session.email },
+        };
+    }
+    const ctx = await getOrgContext(event).catch(() => null);
+    if (!ctx?.orgId) {
+        return { ok: false, statusCode: 400, error: "No active organization" };
+    }
+    if (ctx.role !== "owner" && ctx.role !== "admin") {
+        return {
+            ok: false,
+            statusCode: 403,
+            error: "Only organization owners and admins can set org-scoped keys",
+        };
+    }
+    return {
+        ok: true,
+        target: { scope: "org", scopeId: ctx.orgId },
+    };
+}
+export function createAgentEngineApiKeyHandler() {
+    return defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const payload = normalizeAgentEngineApiKeyPayload(await readBody(event).catch(() => ({})));
+        if (!payload.ok) {
+            setResponseStatus(event, payload.statusCode);
+            return { error: payload.error };
+        }
+        const resolved = await resolveAgentEngineApiKeyWriteTarget(event, payload.scope);
+        if (!resolved.ok) {
+            setResponseStatus(event, resolved.statusCode);
+            return { error: resolved.error };
+        }
+        await writeAppSecret({
+            key: payload.key,
+            value: payload.value,
+            scope: resolved.target.scope,
+            scopeId: resolved.target.scopeId,
+        });
+        return {
+            ok: true,
+            key: payload.key,
+            scope: resolved.target.scope,
+        };
+    });
+}
+//# sourceMappingURL=agent-engine-api-key-route.js.map

package/dist/server/agent-engine-api-key-route.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"agent-engine-api-key-route.js","sourceRoot":"","sources":["../../src/server/agent-engine-api-key-route.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,iBAAiB,GAElB,MAAM,IAAI,CAAC;AACZ,OAAO,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE3C,MAAM,mBAAmB,GAAG,IAAI,GAAG,CACjC,MAAM,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC;IAC1D,QAAQ;IACR,IAAI,CAAC,MAAM;CACZ,CAAC,CACH,CAAC;AACF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,mBAAmB,CAAC,MAAM,EAAE,CAAC,CAAC;AASpE,MAAM,UAAU,iCAAiC,CAAC,IAAa;IAQ7D,MAAM,OAAO,GAAG,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;IAC7D,MAAM,GAAG,GAAG,OAMX,CAAC;IAEF,MAAM,GAAG,GACP,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;QACzB,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE;QAChB,CAAC,CAAC,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ;YAChC,CAAC,CAAC,CAAC,mBAAmB,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC;YACtD,CAAC,CAAC,EAAE,CAAC;IACX,IAAI,CAAC,GAAG,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5C,OAAO;YACL,EAAE,EAAE,KAAK;YACT,UAAU,EAAE,GAAG;YACf,KAAK,EAAE,wCAAwC;SAChD,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GACT,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ;QAC3B,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE;QAClB,CAAC,CAAC,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;YAC9B,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE;YACnB,CAAC,CAAC,EAAE,CAAC;IACX,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,mBAAmB,EAAE,CAAC;IACpE,CAAC;IAED,IAAI,GAAG,CAAC,KAAK,IAAI,IAAI,IAAI,GAAG,CAAC,KAAK,KAAK,MAAM,IAAI,GAAG,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QACrE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,UAAU,EAAE,GAAG;YACf,KAAK,EAAE,+BAA+B;SACvC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,GAAG;QACH,KAAK;QACL,KAAK,EAAE,GAAG,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;KAC5C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mCAAmC,CACvD,KAAc,EACd,KAA6B;IAK7B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;QACpB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;IAC1E,CAAC;IAED,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACrB,OAAO;YACL,EAAE,EAAE,IAAI;YACR,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,KAAK,EAAE;SAClD,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IACzD,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC;QAChB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC;IACzE,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,IAAI,GAAG,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;QACjD,OAAO;YACL,EAAE,EAAE,KAAK;YACT,UAAU,EAAE,GAAG;YACf,KAAK,EAAE,6DAA6D;SACrE,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,KAAK,EAAE;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,8BAA8B;IAC5C,OAAO,kBAAkB,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;QACjD,IAAI,SAAS,CAAC,KAAK,CAAC,KAAK,MAAM,EAAE,CAAC;YAChC,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC;QAED,MAAM,OAAO,GAAG,iCAAiC,CAC/C,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CACxC,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;YAChB,iBAAiB,CAAC,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;YAC7C,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC;QAClC,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,mCAAmC,CACxD,KAAK,EACL,OAAO,CAAC,KAAK,CACd,CAAC;QACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,iBAAiB,CAAC,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC9C,OAAO,EAAE,KAAK,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnC,CAAC;QAED,MAAM,cAAc,CAAC;YACnB,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK;YAC5B,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,OAAO;SACjC,CAAC,CAAC;QAEH,OAAO;YACL,EAAE,EAAE,IAAI;YACR,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,KAAK;SAC7B,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC","sourcesContent":["import {\n  defineEventHandler,\n  getMethod,\n  setResponseStatus,\n  type H3Event,\n} from \"h3\";\nimport { PROVIDER_ENV_META } from \"../agent/engine/provider-env-vars.js\";\nimport { getOrgContext } from \"../org/context.js\";\nimport { writeAppSecret } from \"../secrets/storage.js\";\nimport { getSession } from \"./auth.js\";\nimport { readBody } from \"./h3-helpers.js\";\n\nconst PROVIDER_TO_ENV_VAR = new Map(\n  Object.entries(PROVIDER_ENV_META).map(([provider, meta]) => [\n    provider,\n    meta.envVar,\n  ]),\n);\nconst PROVIDER_ENV_VAR_KEYS = new Set(PROVIDER_TO_ENV_VAR.values());\n\ntype AgentEngineApiKeyScope = \"user\" | \"org\";\n\nexport interface AgentEngineApiKeyWriteTarget {\n  scope: AgentEngineApiKeyScope;\n  scopeId: string;\n}\n\nexport function normalizeAgentEngineApiKeyPayload(body: unknown):\n  | {\n      ok: true;\n      key: string;\n      value: string;\n      scope: AgentEngineApiKeyScope;\n    }\n  | { ok: false; statusCode: number; error: string } {\n  const payload = body && typeof body === \"object\" ? body : {};\n  const raw = payload as {\n    key?: unknown;\n    provider?: unknown;\n    value?: unknown;\n    apiKey?: unknown;\n    scope?: unknown;\n  };\n\n  const key =\n    typeof raw.key === \"string\"\n      ? raw.key.trim()\n      : typeof raw.provider === \"string\"\n        ? (PROVIDER_TO_ENV_VAR.get(raw.provider.trim()) ?? \"\")\n        : \"\";\n  if (!key || !PROVIDER_ENV_VAR_KEYS.has(key)) {\n    return {\n      ok: false,\n      statusCode: 400,\n      error: \"Unsupported agent engine provider key.\",\n    };\n  }\n\n  const value =\n    typeof raw.value === \"string\"\n      ? raw.value.trim()\n      : typeof raw.apiKey === \"string\"\n        ? raw.apiKey.trim()\n        : \"\";\n  if (!value) {\n    return { ok: false, statusCode: 400, error: \"value is required\" };\n  }\n\n  if (raw.scope != null && raw.scope !== \"user\" && raw.scope !== \"org\") {\n    return {\n      ok: false,\n      statusCode: 400,\n      error: 'scope must be \"user\" or \"org\"',\n    };\n  }\n\n  return {\n    ok: true,\n    key,\n    value,\n    scope: raw.scope === \"org\" ? \"org\" : \"user\",\n  };\n}\n\nexport async function resolveAgentEngineApiKeyWriteTarget(\n  event: H3Event,\n  scope: AgentEngineApiKeyScope,\n): Promise<\n  | { ok: true; target: AgentEngineApiKeyWriteTarget }\n  | { ok: false; statusCode: number; error: string }\n> {\n  const session = await getSession(event).catch(() => null);\n  if (!session?.email) {\n    return { ok: false, statusCode: 401, error: \"Authentication required\" };\n  }\n\n  if (scope === \"user\") {\n    return {\n      ok: true,\n      target: { scope: \"user\", scopeId: session.email },\n    };\n  }\n\n  const ctx = await getOrgContext(event).catch(() => null);\n  if (!ctx?.orgId) {\n    return { ok: false, statusCode: 400, error: \"No active organization\" };\n  }\n  if (ctx.role !== \"owner\" && ctx.role !== \"admin\") {\n    return {\n      ok: false,\n      statusCode: 403,\n      error: \"Only organization owners and admins can set org-scoped keys\",\n    };\n  }\n\n  return {\n    ok: true,\n    target: { scope: \"org\", scopeId: ctx.orgId },\n  };\n}\n\nexport function createAgentEngineApiKeyHandler() {\n  return defineEventHandler(async (event: H3Event) => {\n    if (getMethod(event) !== \"POST\") {\n      setResponseStatus(event, 405);\n      return { error: \"Method not allowed\" };\n    }\n\n    const payload = normalizeAgentEngineApiKeyPayload(\n      await readBody(event).catch(() => ({})),\n    );\n    if (!payload.ok) {\n      setResponseStatus(event, payload.statusCode);\n      return { error: payload.error };\n    }\n\n    const resolved = await resolveAgentEngineApiKeyWriteTarget(\n      event,\n      payload.scope,\n    );\n    if (!resolved.ok) {\n      setResponseStatus(event, resolved.statusCode);\n      return { error: resolved.error };\n    }\n\n    await writeAppSecret({\n      key: payload.key,\n      value: payload.value,\n      scope: resolved.target.scope,\n      scopeId: resolved.target.scopeId,\n    });\n\n    return {\n      ok: true,\n      key: payload.key,\n      scope: resolved.target.scope,\n    };\n  });\n}\n"]}

package/dist/server/core-routes-plugin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"core-routes-plugin.d.ts","sourceRoot":"","sources":["../../src/server/core-routes-plugin.ts"],"names":[],"mappings":"AAqBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAuBlC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AA+CvD,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,WAAW,CAAC;AAyDzD;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,mBAAmB,CAAC;AACvD,eAAO,MAAM,sBAAsB,0BAAqC,CAAC;AACzE,eAAO,MAAM,6BAA6B,+BAA0C,CAAC;AAErF,wBAAgB,yBAAyB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAQrE;AAmBD,eAAO,MAAM,kBAAkB,QAAwC,CAAC;AAsHxE,KAAK,6BAA6B,GAAG,CACnC,KAAK,EAAE,OAAO,KACX,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;AAE5C,MAAM,MAAM,mBAAmB,GAAG;IAChC,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,OAAO,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,OAAO,CAAC;CACpB,CAAC;AAEF,wBAAsB,oCAAoC,CACxD,KAAK,EAAE,OAAO,EACd,OAAO,GAAE;IACP,cAAc,CAAC,EAAE,6BAA6B,CAAC;IAC/C,kBAAkB,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CACjE,EACN,IAAI,CAAC,EAAE,SAAS,GAAG,UAAU,GAC5B,OAAO,CAAC,mBAAmB,CAAC,CAsD9B;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,MAAM,GAAG,IAAI,CASf;AAUD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,oDAAoD;IACpD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,sEAAsE;IACtE,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,sEAAsE;IACtE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,qEAAqE;IACrE,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,oDAAoD;IACpD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;wCACoC;IACpC,eAAe,CAAC,EAAE,OAAO,iBAAiB,EAAE,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;IAChF,qEAAqE;IACrE,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB;;;;OAIG;IACH,cAAc,CAAC,EAAE,6BAA6B,CAAC;CAChD;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,uBAA4B,GACpC,cAAc,CA4hFhB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAAyC,CAAC"}
+{"version":3,"file":"core-routes-plugin.d.ts","sourceRoot":"","sources":["../../src/server/core-routes-plugin.ts"],"names":[],"mappings":"AAqBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAuBlC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AA+CvD,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,WAAW,CAAC;AA6DzD;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,mBAAmB,CAAC;AACvD,eAAO,MAAM,sBAAsB,0BAAqC,CAAC;AACzE,eAAO,MAAM,6BAA6B,+BAA0C,CAAC;AAErF,wBAAgB,yBAAyB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAQrE;AAmBD,eAAO,MAAM,kBAAkB,QAAwC,CAAC;AAsHxE,KAAK,6BAA6B,GAAG,CACnC,KAAK,EAAE,OAAO,KACX,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;AAE5C,MAAM,MAAM,mBAAmB,GAAG;IAChC,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,OAAO,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5B,SAAS,EAAE,OAAO,CAAC;CACpB,CAAC;AAEF,wBAAsB,oCAAoC,CACxD,KAAK,EAAE,OAAO,EACd,OAAO,GAAE;IACP,cAAc,CAAC,EAAE,6BAA6B,CAAC;IAC/C,kBAAkB,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;CACjE,EACN,IAAI,CAAC,EAAE,SAAS,GAAG,UAAU,GAC5B,OAAO,CAAC,mBAAmB,CAAC,CAsD9B;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,MAAM,GACb,MAAM,GAAG,IAAI,CASf;AAUD,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,wEAAwE;IACxE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,oDAAoD;IACpD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2DAA2D;IAC3D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,sEAAsE;IACtE,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,sEAAsE;IACtE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,qEAAqE;IACrE,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,oDAAoD;IACpD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;wCACoC;IACpC,eAAe,CAAC,EAAE,OAAO,iBAAiB,EAAE,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;IAChF,qEAAqE;IACrE,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB;;;;OAIG;IACH,cAAc,CAAC,EAAE,6BAA6B,CAAC;CAChD;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,GAAE,uBAA4B,GACpC,cAAc,CAkiFhB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAAyC,CAAC"}

package/dist/server/core-routes-plugin.js

@@ -40,7 +40,8 @@ import { runWithRequestContext } from "./request-context.js";
 import { createVoiceProvidersStatusHandler } from "./voice-providers-status.js";
 import { PROVIDER_ENV_META } from "../agent/engine/provider-env-vars.js";
 import { DEFAULT_MODEL } from "../agent/default-model.js";
-import { canUseDeployCredentialFallbackForRequest } from "./credential-provider.js";
+import { canUseDeployCredentialFallbackForRequest, resolveSecret, } from "./credential-provider.js";
+import { createAgentEngineApiKeyHandler } from "./agent-engine-api-key-route.js";
 import { canUpdateAgentLoopSettings, readAgentLoopSettings, resetAgentLoopSettings, validateMaxIterationsInput, writeAgentLoopSettings, } from "../agent/loop-settings.js";
 import { isAgentEngineSettingConfigured, getAgentEngineEntry, detectEngineFromEnv, detectEngineFromUserSecrets, isAgentEnginePackageInstalled, isStoredEngineUsableForRequest, } from "../agent/engine/registry.js";
 import { registerBuiltinEngines } from "../agent/engine/builtin.js";
@@ -1410,17 +1411,19 @@ export function createCoreRoutesPlugin(options = {}) {
                             /* org module not present in this template */
                         }
                     }
-                    const canUseDeployEnv = await runWithRequestContext({ userEmail, orgId }, () => canUseDeployCredentialFallbackForRequest());
-                    return envKeys.map((cfg) => {
+                    return Promise.all(envKeys.map(async (cfg) => {
                         const isProviderKey = PROVIDER_ENV_VAR_KEYS.has(cfg.key);
+                        const configured = isProviderKey
+                            ? await runWithRequestContext({ userEmail, orgId }, () => resolveSecret(cfg.key).then(Boolean))
+                            : !!process.env[cfg.key];
                         return {
                             key: cfg.key,
                             label: cfg.label,
                             required: cfg.required ?? false,
-                            configured: !!process.env[cfg.key] && (!isProviderKey || canUseDeployEnv),
+                            configured,
                             ...(cfg.helpText ? { helpText: cfg.helpText } : {}),
                         };
-                    });
+                    }));
                 }));
                 getH3App(nitroApp).use(`${P}/env-vars`, defineEventHandler(async (event) => {
                     if (getMethod(event) !== "POST") {
@@ -1436,7 +1439,7 @@ export function createCoreRoutesPlugin(options = {}) {
                     if (!isEnvVarWriteAllowed()) {
                         setResponseStatus(event, 403);
                         return {
-                            error: "env-vars endpoint disabled on multi-tenant deployments. Use saveCredential(key, value, { userEmail, orgId, scope: 'org' }) to store per-org credentials.",
+                            error: "env-vars endpoint disabled on multi-tenant deployments. Use scoped secrets or credentials for user/org API keys.",
                         };
                     }
                     const body = await readBody(event);
@@ -1503,6 +1506,7 @@ export function createCoreRoutesPlugin(options = {}) {
                     return { saved: filtered.map((v) => v.key) };
                 }));
             }
+            getH3App(nitroApp).use(`${P}/agent-engine/api-key`, createAgentEngineApiKeyHandler());
             // GET /_agent-native/agent-engine/status — reports whether an engine
             // is configured (settings row, settings+env, or auto-detected from env).
             // The agent-chat UI uses this to skip the onboarding gate for providers