npm - @agent-native/core - Versions diffs - 0.6.1 → 0.7.1 - Mend

@agent-native/core 0.6.1 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (473) hide show

package/README.md +43 -3
package/dist/agent/production-agent.d.ts.map +1 -1
package/dist/agent/production-agent.js +154 -4
package/dist/agent/production-agent.js.map +1 -1
package/dist/agent/types.d.ts +1 -1
package/dist/agent/types.d.ts.map +1 -1
package/dist/cli/create-workspace.d.ts +8 -0
package/dist/cli/create-workspace.d.ts.map +1 -0
package/dist/cli/create-workspace.js +18 -0
package/dist/cli/create-workspace.js.map +1 -0
package/dist/cli/create.d.ts +35 -7
package/dist/cli/create.d.ts.map +1 -1
package/dist/cli/create.js +444 -251
package/dist/cli/create.js.map +1 -1
package/dist/cli/index.js +59 -5
package/dist/cli/index.js.map +1 -1
package/dist/cli/workspacify.d.ts +18 -0
package/dist/cli/workspacify.d.ts.map +1 -0
package/dist/cli/workspacify.js +74 -0
package/dist/cli/workspacify.js.map +1 -0
package/dist/client/AgentPanel.d.ts +1 -1
package/dist/client/AgentPanel.d.ts.map +1 -1
package/dist/client/AgentPanel.js +63 -225
package/dist/client/AgentPanel.js.map +1 -1
package/dist/client/components/CodeRequiredDialog.d.ts.map +1 -1
package/dist/client/components/CodeRequiredDialog.js +86 -5
package/dist/client/components/CodeRequiredDialog.js.map +1 -1
package/dist/client/composer/MentionPopover.d.ts.map +1 -1
package/dist/client/composer/MentionPopover.js +15 -2
package/dist/client/composer/MentionPopover.js.map +1 -1
package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
package/dist/client/composer/TiptapComposer.js +3 -1
package/dist/client/composer/TiptapComposer.js.map +1 -1
package/dist/client/composer/types.d.ts +1 -1
package/dist/client/composer/types.d.ts.map +1 -1
package/dist/client/integrations/IntegrationsPanel.d.ts.map +1 -1
package/dist/client/integrations/IntegrationsPanel.js +22 -9
package/dist/client/integrations/IntegrationsPanel.js.map +1 -1
package/dist/client/onboarding/OnboardingBanner.d.ts +13 -0
package/dist/client/onboarding/OnboardingBanner.d.ts.map +1 -0
package/dist/client/onboarding/OnboardingBanner.js +36 -0
package/dist/client/onboarding/OnboardingBanner.js.map +1 -0
package/dist/client/onboarding/OnboardingPanel.d.ts +16 -0
package/dist/client/onboarding/OnboardingPanel.d.ts.map +1 -0
package/dist/client/onboarding/OnboardingPanel.js +360 -0
package/dist/client/onboarding/OnboardingPanel.js.map +1 -0
package/dist/client/onboarding/SetupButton.d.ts +10 -0
package/dist/client/onboarding/SetupButton.d.ts.map +1 -0
package/dist/client/onboarding/SetupButton.js +26 -0
package/dist/client/onboarding/SetupButton.js.map +1 -0
package/dist/client/onboarding/index.d.ts +12 -0
package/dist/client/onboarding/index.d.ts.map +1 -0
package/dist/client/onboarding/index.js +11 -0
package/dist/client/onboarding/index.js.map +1 -0
package/dist/client/onboarding/use-onboarding.d.ts +34 -0
package/dist/client/onboarding/use-onboarding.d.ts.map +1 -0
package/dist/client/onboarding/use-onboarding.js +101 -0
package/dist/client/onboarding/use-onboarding.js.map +1 -0
package/dist/client/org/TeamPage.d.ts +6 -1
package/dist/client/org/TeamPage.d.ts.map +1 -1
package/dist/client/org/TeamPage.js +85 -14
package/dist/client/org/TeamPage.js.map +1 -1
package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
package/dist/client/resources/ResourceEditor.js +48 -77
package/dist/client/resources/ResourceEditor.js.map +1 -1
package/dist/client/resources/ResourceTree.d.ts.map +1 -1
package/dist/client/resources/ResourceTree.js +16 -3
package/dist/client/resources/ResourceTree.js.map +1 -1
package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
package/dist/client/resources/ResourcesPanel.js +135 -9
package/dist/client/resources/ResourcesPanel.js.map +1 -1
package/dist/client/resources/use-resources.d.ts +5 -0
package/dist/client/resources/use-resources.d.ts.map +1 -1
package/dist/client/resources/use-resources.js.map +1 -1
package/dist/client/settings/AgentsSection.d.ts +2 -0
package/dist/client/settings/AgentsSection.d.ts.map +1 -0
package/dist/client/settings/AgentsSection.js +198 -0
package/dist/client/settings/AgentsSection.js.map +1 -0
package/dist/client/settings/BackgroundAgentSection.d.ts +2 -0
package/dist/client/settings/BackgroundAgentSection.d.ts.map +1 -0
package/dist/client/settings/BackgroundAgentSection.js +46 -0
package/dist/client/settings/BackgroundAgentSection.js.map +1 -0
package/dist/client/settings/BrowserSection.d.ts +2 -0
package/dist/client/settings/BrowserSection.d.ts.map +1 -0
package/dist/client/settings/BrowserSection.js +10 -0
package/dist/client/settings/BrowserSection.js.map +1 -0
package/dist/client/settings/ComingSoonSection.d.ts +13 -0
package/dist/client/settings/ComingSoonSection.d.ts.map +1 -0
package/dist/client/settings/ComingSoonSection.js +9 -0
package/dist/client/settings/ComingSoonSection.js.map +1 -0
package/dist/client/settings/LLMSection.d.ts +2 -0
package/dist/client/settings/LLMSection.d.ts.map +1 -0
package/dist/client/settings/LLMSection.js +64 -0
package/dist/client/settings/LLMSection.js.map +1 -0
package/dist/client/settings/SettingsPanel.d.ts +8 -0
package/dist/client/settings/SettingsPanel.d.ts.map +1 -0
package/dist/client/settings/SettingsPanel.js +118 -0
package/dist/client/settings/SettingsPanel.js.map +1 -0
package/dist/client/settings/SettingsSection.d.ts +19 -0
package/dist/client/settings/SettingsSection.d.ts.map +1 -0
package/dist/client/settings/SettingsSection.js +10 -0
package/dist/client/settings/SettingsSection.js.map +1 -0
package/dist/client/settings/index.d.ts +3 -0
package/dist/client/settings/index.d.ts.map +1 -0
package/dist/client/settings/index.js +3 -0
package/dist/client/settings/index.js.map +1 -0
package/dist/client/settings/useBuilderStatus.d.ts +22 -0
package/dist/client/settings/useBuilderStatus.d.ts.map +1 -0
package/dist/client/settings/useBuilderStatus.js +41 -0
package/dist/client/settings/useBuilderStatus.js.map +1 -0
package/dist/deploy/build.js +198 -54
package/dist/deploy/build.js.map +1 -1
package/dist/deploy/route-discovery.d.ts +5 -0
package/dist/deploy/route-discovery.d.ts.map +1 -1
package/dist/deploy/route-discovery.js +38 -7
package/dist/deploy/route-discovery.js.map +1 -1
package/dist/deploy/workspace-core.d.ts +28 -0
package/dist/deploy/workspace-core.d.ts.map +1 -0
package/dist/deploy/workspace-core.js +223 -0
package/dist/deploy/workspace-core.js.map +1 -0
package/dist/deploy/workspace-deploy.d.ts +11 -0
package/dist/deploy/workspace-deploy.d.ts.map +1 -0
package/dist/deploy/workspace-deploy.js +148 -0
package/dist/deploy/workspace-deploy.js.map +1 -0
package/dist/file-upload/builder.d.ts +11 -0
package/dist/file-upload/builder.d.ts.map +1 -0
package/dist/file-upload/builder.js +53 -0
package/dist/file-upload/builder.js.map +1 -0
package/dist/file-upload/index.d.ts +4 -0
package/dist/file-upload/index.d.ts.map +1 -0
package/dist/file-upload/index.js +3 -0
package/dist/file-upload/index.js.map +1 -0
package/dist/file-upload/registry.d.ts +23 -0
package/dist/file-upload/registry.d.ts.map +1 -0
package/dist/file-upload/registry.js +52 -0
package/dist/file-upload/registry.js.map +1 -0
package/dist/file-upload/types.d.ts +37 -0
package/dist/file-upload/types.d.ts.map +1 -0
package/dist/file-upload/types.js +10 -0
package/dist/file-upload/types.js.map +1 -0
package/dist/integrations/adapters/google-docs.d.ts +89 -0
package/dist/integrations/adapters/google-docs.d.ts.map +1 -0
package/dist/integrations/adapters/google-docs.js +261 -0
package/dist/integrations/adapters/google-docs.js.map +1 -0
package/dist/integrations/adapters/slack.d.ts.map +1 -1
package/dist/integrations/adapters/slack.js +34 -0
package/dist/integrations/adapters/slack.js.map +1 -1
package/dist/integrations/adapters/telegram.d.ts.map +1 -1
package/dist/integrations/adapters/telegram.js +32 -0
package/dist/integrations/adapters/telegram.js.map +1 -1
package/dist/integrations/google-docs-poller.d.ts +54 -0
package/dist/integrations/google-docs-poller.d.ts.map +1 -0
package/dist/integrations/google-docs-poller.js +442 -0
package/dist/integrations/google-docs-poller.js.map +1 -0
package/dist/integrations/index.d.ts +2 -0
package/dist/integrations/index.d.ts.map +1 -1
package/dist/integrations/index.js +3 -0
package/dist/integrations/index.js.map +1 -1
package/dist/integrations/plugin.d.ts.map +1 -1
package/dist/integrations/plugin.js +49 -2
package/dist/integrations/plugin.js.map +1 -1
package/dist/integrations/types.d.ts +33 -0
package/dist/integrations/types.d.ts.map +1 -1
package/dist/integrations/webhook-handler.d.ts +10 -1
package/dist/integrations/webhook-handler.d.ts.map +1 -1
package/dist/integrations/webhook-handler.js +13 -3
package/dist/integrations/webhook-handler.js.map +1 -1
package/dist/jobs/scheduler.d.ts +3 -0
package/dist/jobs/scheduler.d.ts.map +1 -1
package/dist/jobs/scheduler.js +81 -60
package/dist/jobs/scheduler.js.map +1 -1
package/dist/jobs/tools.d.ts.map +1 -1
package/dist/jobs/tools.js +20 -3
package/dist/jobs/tools.js.map +1 -1
package/dist/mcp-client/config.d.ts +46 -0
package/dist/mcp-client/config.d.ts.map +1 -0
package/dist/mcp-client/config.js +152 -0
package/dist/mcp-client/config.js.map +1 -0
package/dist/mcp-client/index.d.ts +17 -0
package/dist/mcp-client/index.d.ts.map +1 -0
package/dist/mcp-client/index.js +53 -0
package/dist/mcp-client/index.js.map +1 -0
package/dist/mcp-client/manager.d.ts +76 -0
package/dist/mcp-client/manager.d.ts.map +1 -0
package/dist/mcp-client/manager.js +212 -0
package/dist/mcp-client/manager.js.map +1 -0
package/dist/oauth-tokens/store.d.ts.map +1 -1
package/dist/oauth-tokens/store.js +3 -1
package/dist/oauth-tokens/store.js.map +1 -1
package/dist/onboarding/default-steps.d.ts +10 -0
package/dist/onboarding/default-steps.d.ts.map +1 -0
package/dist/onboarding/default-steps.js +164 -0
package/dist/onboarding/default-steps.js.map +1 -0
package/dist/onboarding/index.d.ts +12 -0
package/dist/onboarding/index.d.ts.map +1 -0
package/dist/onboarding/index.js +11 -0
package/dist/onboarding/index.js.map +1 -0
package/dist/onboarding/plugin.d.ts +19 -0
package/dist/onboarding/plugin.d.ts.map +1 -0
package/dist/onboarding/plugin.js +147 -0
package/dist/onboarding/plugin.js.map +1 -0
package/dist/onboarding/registry.d.ts +24 -0
package/dist/onboarding/registry.d.ts.map +1 -0
package/dist/onboarding/registry.js +40 -0
package/dist/onboarding/registry.js.map +1 -0
package/dist/onboarding/types.d.ts +71 -0
package/dist/onboarding/types.d.ts.map +1 -0
package/dist/onboarding/types.js +10 -0
package/dist/onboarding/types.js.map +1 -0
package/dist/resources/agents.d.ts +4 -0
package/dist/resources/agents.d.ts.map +1 -0
package/dist/resources/agents.js +44 -0
package/dist/resources/agents.js.map +1 -0
package/dist/resources/handlers.d.ts +17 -0
package/dist/resources/handlers.d.ts.map +1 -1
package/dist/resources/handlers.js +49 -12
package/dist/resources/handlers.js.map +1 -1
package/dist/resources/metadata.d.ts +48 -0
package/dist/resources/metadata.d.ts.map +1 -0
package/dist/resources/metadata.js +150 -0
package/dist/resources/metadata.js.map +1 -0
package/dist/resources/script-helpers.d.ts.map +1 -1
package/dist/resources/script-helpers.js +3 -2
package/dist/resources/script-helpers.js.map +1 -1
package/dist/resources/store.d.ts.map +1 -1
package/dist/resources/store.js +32 -17
package/dist/resources/store.js.map +1 -1
package/dist/scripts/call-agent.d.ts.map +1 -1
package/dist/scripts/call-agent.js +3 -2
package/dist/scripts/call-agent.js.map +1 -1
package/dist/scripts/chat/search-chats.d.ts.map +1 -1
package/dist/scripts/chat/search-chats.js +2 -1
package/dist/scripts/chat/search-chats.js.map +1 -1
package/dist/scripts/core-scripts.d.ts.map +1 -1
package/dist/scripts/core-scripts.js +2 -0
package/dist/scripts/core-scripts.js.map +1 -1
package/dist/scripts/db/scoping.d.ts.map +1 -1
package/dist/scripts/db/scoping.js +3 -2
package/dist/scripts/db/scoping.js.map +1 -1
package/dist/scripts/docs/index.d.ts +2 -0
package/dist/scripts/docs/index.d.ts.map +1 -0
package/dist/scripts/docs/index.js +4 -0
package/dist/scripts/docs/index.js.map +1 -0
package/dist/scripts/docs/search.d.ts +13 -0
package/dist/scripts/docs/search.d.ts.map +1 -0
package/dist/scripts/docs/search.js +130 -0
package/dist/scripts/docs/search.js.map +1 -0
package/dist/scripts/resources/delete-memory.d.ts +7 -0
package/dist/scripts/resources/delete-memory.d.ts.map +1 -0
package/dist/scripts/resources/delete-memory.js +49 -0
package/dist/scripts/resources/delete-memory.js.map +1 -0
package/dist/scripts/resources/delete.d.ts.map +1 -1
package/dist/scripts/resources/delete.js +2 -1
package/dist/scripts/resources/delete.js.map +1 -1
package/dist/scripts/resources/index.d.ts.map +1 -1
package/dist/scripts/resources/index.js +2 -0
package/dist/scripts/resources/index.js.map +1 -1
package/dist/scripts/resources/list.d.ts.map +1 -1
package/dist/scripts/resources/list.js +2 -1
package/dist/scripts/resources/list.js.map +1 -1
package/dist/scripts/resources/migrate-learnings.d.ts.map +1 -1
package/dist/scripts/resources/migrate-learnings.js +2 -1
package/dist/scripts/resources/migrate-learnings.js.map +1 -1
package/dist/scripts/resources/read.d.ts.map +1 -1
package/dist/scripts/resources/read.js +2 -1
package/dist/scripts/resources/read.js.map +1 -1
package/dist/scripts/resources/save-memory.d.ts +9 -0
package/dist/scripts/resources/save-memory.d.ts.map +1 -0
package/dist/scripts/resources/save-memory.js +78 -0
package/dist/scripts/resources/save-memory.js.map +1 -0
package/dist/scripts/resources/write.d.ts.map +1 -1
package/dist/scripts/resources/write.js +2 -1
package/dist/scripts/resources/write.js.map +1 -1
package/dist/scripts/utils.d.ts +10 -1
package/dist/scripts/utils.d.ts.map +1 -1
package/dist/scripts/utils.js +45 -2
package/dist/scripts/utils.js.map +1 -1
package/dist/server/action-discovery.d.ts +5 -0
package/dist/server/action-discovery.d.ts.map +1 -1
package/dist/server/action-discovery.js +51 -20
package/dist/server/action-discovery.js.map +1 -1
package/dist/server/action-routes.d.ts.map +1 -1
package/dist/server/action-routes.js +63 -57
package/dist/server/action-routes.js.map +1 -1
package/dist/server/agent-chat-plugin.d.ts +3 -0
package/dist/server/agent-chat-plugin.d.ts.map +1 -1
package/dist/server/agent-chat-plugin.js +363 -48
package/dist/server/agent-chat-plugin.js.map +1 -1
package/dist/server/agent-discovery.d.ts.map +1 -1
package/dist/server/agent-discovery.js +11 -23
package/dist/server/agent-discovery.js.map +1 -1
package/dist/server/agent-teams.d.ts.map +1 -1
package/dist/server/agent-teams.js +2 -1
package/dist/server/agent-teams.js.map +1 -1
package/dist/server/agents-bundle.d.ts +33 -5
package/dist/server/agents-bundle.d.ts.map +1 -1
package/dist/server/agents-bundle.js +108 -64
package/dist/server/agents-bundle.js.map +1 -1
package/dist/server/auth.d.ts +1 -0
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +172 -60
package/dist/server/auth.js.map +1 -1
package/dist/server/better-auth-instance.d.ts.map +1 -1
package/dist/server/better-auth-instance.js +202 -6
package/dist/server/better-auth-instance.js.map +1 -1
package/dist/server/builder-browser.d.ts +40 -0
package/dist/server/builder-browser.d.ts.map +1 -0
package/dist/server/builder-browser.js +166 -0
package/dist/server/builder-browser.js.map +1 -0
package/dist/server/core-routes-plugin.d.ts.map +1 -1
package/dist/server/core-routes-plugin.js +152 -6
package/dist/server/core-routes-plugin.js.map +1 -1
package/dist/server/credential-provider.d.ts +37 -0
package/dist/server/credential-provider.d.ts.map +1 -0
package/dist/server/credential-provider.js +49 -0
package/dist/server/credential-provider.js.map +1 -0
package/dist/server/framework-request-handler.d.ts.map +1 -1
package/dist/server/framework-request-handler.js +42 -3
package/dist/server/framework-request-handler.js.map +1 -1
package/dist/server/google-auth-plugin.js +1 -1
package/dist/server/google-oauth.d.ts +1 -1
package/dist/server/google-oauth.d.ts.map +1 -1
package/dist/server/google-oauth.js +15 -10
package/dist/server/google-oauth.js.map +1 -1
package/dist/server/index.d.ts +3 -0
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +3 -0
package/dist/server/index.js.map +1 -1
package/dist/server/oauth-helpers.d.ts +1 -0
package/dist/server/oauth-helpers.d.ts.map +1 -1
package/dist/server/oauth-helpers.js +5 -4
package/dist/server/oauth-helpers.js.map +1 -1
package/dist/server/onboarding-html.d.ts.map +1 -1
package/dist/server/onboarding-html.js +94 -3
package/dist/server/onboarding-html.js.map +1 -1
package/dist/server/request-context.d.ts +20 -0
package/dist/server/request-context.d.ts.map +1 -0
package/dist/server/request-context.js +41 -0
package/dist/server/request-context.js.map +1 -0
package/dist/templates/default/.agents/skills/actions/SKILL.md +2 -1
package/dist/templates/default/.agents/skills/security/SKILL.md +145 -40
package/dist/templates/default/.agents/skills/storing-data/SKILL.md +7 -1
package/dist/templates/default/_gitignore +1 -0
package/dist/templates/default/app/root.tsx +4 -1
package/dist/templates/workspace-core/AGENTS.md +62 -0
package/dist/templates/workspace-core/actions/company-directory.ts +38 -0
package/dist/templates/workspace-core/package.json +39 -0
package/dist/templates/workspace-core/skills/company-policies/SKILL.md +42 -0
package/dist/templates/workspace-core/src/client/AuthenticatedLayout.tsx +37 -0
package/dist/templates/workspace-core/src/client/index.ts +26 -0
package/dist/templates/workspace-core/src/credentials.ts +29 -0
package/dist/templates/workspace-core/src/index.ts +21 -0
package/dist/templates/workspace-core/src/server/agent-chat-plugin.ts +30 -0
package/dist/templates/workspace-core/src/server/auth-plugin.ts +35 -0
package/dist/templates/workspace-core/src/server/index.ts +22 -0
package/dist/templates/workspace-core/tailwind.preset.ts +34 -0
package/dist/templates/workspace-core/tsconfig.json +9 -0
package/dist/templates/workspace-root/.env.example +37 -0
package/dist/templates/workspace-root/README.md +62 -0
package/dist/templates/workspace-root/_gitignore +23 -0
package/dist/templates/workspace-root/package.json +18 -0
package/dist/templates/workspace-root/pnpm-workspace.yaml +3 -0
package/dist/templates/workspace-root/tsconfig.base.json +21 -0
package/dist/vite/agents-bundle-plugin.d.ts.map +1 -1
package/dist/vite/agents-bundle-plugin.js +65 -15
package/dist/vite/agents-bundle-plugin.js.map +1 -1
package/dist/vite/client.d.ts +16 -0
package/dist/vite/client.d.ts.map +1 -1
package/dist/vite/client.js +75 -0
package/dist/vite/client.js.map +1 -1
package/docs/content/a2a-protocol.md +223 -0
package/docs/content/actions.md +129 -0
package/docs/content/agent-mentions.md +171 -0
package/docs/content/authentication.md +155 -0
package/docs/content/cli-adapters.md +244 -0
package/docs/content/client.md +175 -0
package/docs/content/context-awareness.md +168 -0
package/docs/content/creating-templates.md +311 -0
package/docs/content/database.md +82 -0
package/docs/content/deployment.md +180 -0
package/docs/content/enterprise-workspace.md +235 -0
package/docs/content/faq.md +101 -0
package/docs/content/file-uploads.md +102 -0
package/docs/content/frames.md +47 -0
package/docs/content/getting-started.md +104 -0
package/docs/content/integrations.md +198 -0
package/docs/content/key-concepts.md +246 -0
package/docs/content/mcp-clients.md +110 -0
package/docs/content/mcp-protocol.md +168 -0
package/docs/content/onboarding.md +107 -0
package/docs/content/real-time-collaboration.md +185 -0
package/docs/content/resources.md +277 -0
package/docs/content/security.md +158 -0
package/docs/content/server.md +200 -0
package/docs/content/skills-guide.md +107 -0
package/docs/content/what-is-agent-native.md +100 -0
package/docs/content/workspace-management.md +224 -0
package/package.json +12 -2
package/src/templates/default/.agents/skills/actions/SKILL.md +2 -1
package/src/templates/default/.agents/skills/security/SKILL.md +145 -40
package/src/templates/default/.agents/skills/storing-data/SKILL.md +7 -1
package/src/templates/default/_gitignore +1 -0
package/src/templates/default/app/root.tsx +4 -1
package/src/templates/workspace-core/AGENTS.md +62 -0
package/src/templates/workspace-core/actions/company-directory.ts +38 -0
package/src/templates/workspace-core/package.json +39 -0
package/src/templates/workspace-core/skills/company-policies/SKILL.md +42 -0
package/src/templates/workspace-core/src/client/AuthenticatedLayout.tsx +37 -0
package/src/templates/workspace-core/src/client/index.ts +26 -0
package/src/templates/workspace-core/src/credentials.ts +29 -0
package/src/templates/workspace-core/src/index.ts +21 -0
package/src/templates/workspace-core/src/server/agent-chat-plugin.ts +30 -0
package/src/templates/workspace-core/src/server/auth-plugin.ts +35 -0
package/src/templates/workspace-core/src/server/index.ts +22 -0
package/src/templates/workspace-core/tailwind.preset.ts +34 -0
package/src/templates/workspace-core/tsconfig.json +9 -0
package/src/templates/workspace-root/.env.example +37 -0
package/src/templates/workspace-root/README.md +62 -0
package/src/templates/workspace-root/_gitignore +23 -0
package/src/templates/workspace-root/package.json +18 -0
package/src/templates/workspace-root/pnpm-workspace.yaml +3 -0
package/src/templates/workspace-root/tsconfig.base.json +21 -0
package/dist/templates/templates/default/.agents/skills/actions/SKILL.md +0 -142
package/dist/templates/templates/default/.agents/skills/agent-engines/SKILL.md +0 -127
package/dist/templates/templates/default/.agents/skills/capture-learnings/SKILL.md +0 -50
package/dist/templates/templates/default/.agents/skills/create-skill/SKILL.md +0 -167
package/dist/templates/templates/default/.agents/skills/delegate-to-agent/SKILL.md +0 -90
package/dist/templates/templates/default/.agents/skills/frontend-design/SKILL.md +0 -69
package/dist/templates/templates/default/.agents/skills/real-time-collab/SKILL.md +0 -183
package/dist/templates/templates/default/.agents/skills/real-time-sync/SKILL.md +0 -112
package/dist/templates/templates/default/.agents/skills/security/SKILL.md +0 -108
package/dist/templates/templates/default/.agents/skills/self-modifying-code/SKILL.md +0 -79
package/dist/templates/templates/default/.agents/skills/storing-data/SKILL.md +0 -110
package/dist/templates/templates/default/.claude/settings.json +0 -100
package/dist/templates/templates/default/.env.example +0 -5
package/dist/templates/templates/default/.ignore +0 -0
package/dist/templates/templates/default/.prettierrc +0 -5
package/dist/templates/templates/default/AGENTS.md +0 -110
package/dist/templates/templates/default/DEVELOPING.md +0 -117
package/dist/templates/templates/default/_gitignore +0 -37
package/dist/templates/templates/default/actions/hello.ts +0 -20
package/dist/templates/templates/default/actions/navigate.ts +0 -53
package/dist/templates/templates/default/actions/run.ts +0 -2
package/dist/templates/templates/default/actions/view-screen.ts +0 -39
package/dist/templates/templates/default/app/entry.client.tsx +0 -4
package/dist/templates/templates/default/app/entry.server.tsx +0 -56
package/dist/templates/templates/default/app/global.css +0 -95
package/dist/templates/templates/default/app/lib/utils.ts +0 -1
package/dist/templates/templates/default/app/root.tsx +0 -107
package/dist/templates/templates/default/app/routes/_index.tsx +0 -62
package/dist/templates/templates/default/app/routes.ts +0 -4
package/dist/templates/templates/default/app/vite-env.d.ts +0 -6
package/dist/templates/templates/default/components.json +0 -20
package/dist/templates/templates/default/data/.gitkeep +0 -0
package/dist/templates/templates/default/data/sync-config.json +0 -1
package/dist/templates/templates/default/learnings.defaults.md +0 -5
package/dist/templates/templates/default/learnings.md +0 -0
package/dist/templates/templates/default/package.json +0 -46
package/dist/templates/templates/default/postcss.config.js +0 -6
package/dist/templates/templates/default/public/icon-180.svg +0 -4
package/dist/templates/templates/default/public/icon-192.svg +0 -4
package/dist/templates/templates/default/public/icon-512.svg +0 -4
package/dist/templates/templates/default/public/manifest.json +0 -13
package/dist/templates/templates/default/react-router.config.ts +0 -6
package/dist/templates/templates/default/server/middleware/auth.ts +0 -15
package/dist/templates/templates/default/server/plugins/.gitkeep +0 -0
package/dist/templates/templates/default/server/routes/[...page].get.ts +0 -5
package/dist/templates/templates/default/server/routes/api/hello.get.ts +0 -5
package/dist/templates/templates/default/shared/api.ts +0 -6
package/dist/templates/templates/default/ssr-entry.ts +0 -20
package/dist/templates/templates/default/tailwind.config.ts +0 -7
package/dist/templates/templates/default/tsconfig.json +0 -11
package/dist/templates/templates/default/vite.config.ts +0 -6

package/dist/server/index.js CHANGED Viewed

@@ -25,8 +25,11 @@ export { wrapWithAnalytics } from "./analytics.js";
 export { getH3App, awaitBootstrap, } from "./framework-request-handler.js";
 export { autoDiscoverActions, autoDiscoverScripts, } from "./action-discovery.js";
 export { mountActionRoutes, } from "./action-routes.js";
+export { createOnboardingPlugin, defaultOnboardingPlugin, } from "../onboarding/plugin.js";
+export { registerFileUploadProvider, unregisterFileUploadProvider, listFileUploadProviders, getActiveFileUploadProvider, uploadFile, builderFileUploadProvider, } from "../file-upload/index.js";
 export { createIntegrationsPlugin, defaultIntegrationsPlugin, slackAdapter, telegramAdapter, whatsappAdapter, } from "../integrations/index.js";
 export { isElectron, isMobile, getOrigin, encodeOAuthState, decodeOAuthState, resolveOAuthOwner, createOAuthSession, oauthCallbackResponse, oauthErrorPage, } from "./google-oauth.js";
+export { FeatureNotConfiguredError, hasBuilderPrivateKey, getBuilderProxyOrigin, getBuilderAuthHeader, } from "./credential-provider.js";
 export function defineNitroPlugin(def) {
     return def;
 }

package/dist/server/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,GAGd,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAA0B,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,UAAU,EACV,aAAa,EACb,eAAe,EACf,YAAY,GAGb,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,aAAa,EAA2B,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAA4B,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,GAY7B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,2EAA2E;AAC3E,2EAA2E;AAC3E,8DAA8D;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,GAGb,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,GAEtB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,GAEnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,GAGhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,GAEf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,GAElB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,YAAY,EACZ,eAAe,EACf,eAAe,GAMhB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,GAIf,MAAM,mBAAmB,CAAC;~~AAW3B~~,MAAM,UAAU,iBAAiB,CAAC,GAAmB;IACnD,OAAO,GAAG,CAAC;AACb,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,GAGd,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAA0B,MAAM,UAAU,CAAC;AACpE,OAAO,EACL,mBAAmB,EACnB,aAAa,EACb,UAAU,EACV,UAAU,EACV,aAAa,EACb,eAAe,EACf,YAAY,GAGb,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,aAAa,EAA2B,MAAM,kBAAkB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAA4B,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,4BAA4B,GAY7B,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAElE,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,eAAe,GAChB,MAAM,WAAW,CAAC;AACnB,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACvE,2EAA2E;AAC3E,2EAA2E;AAC3E,8DAA8D;AAC9D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,EACL,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GAEvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,YAAY,EACZ,SAAS,EACT,WAAW,EACX,gBAAgB,EAChB,YAAY,GAGb,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,qBAAqB,EACrB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,GAEvB,MAAM,yBAAyB,CAAC;AACjC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,GAEtB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,kBAAkB,GAEnB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,SAAS,EACT,OAAO,EACP,eAAe,EACf,SAAS,EACT,UAAU,EACV,eAAe,GAGhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACxE,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACL,QAAQ,EACR,cAAc,GAEf,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,iBAAiB,GAElB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,sBAAsB,EACtB,uBAAuB,GACxB,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,0BAA0B,EAC1B,4BAA4B,EAC5B,uBAAuB,EACvB,2BAA2B,EAC3B,UAAU,EACV,yBAAyB,GAI1B,MAAM,yBAAyB,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,yBAAyB,EACzB,YAAY,EACZ,eAAe,EACf,eAAe,GAMhB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,SAAS,EACT,gBAAgB,EAChB,gBAAgB,EAChB,iBAAiB,EACjB,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,GAIf,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,yBAAyB,EACzB,oBAAoB,EACpB,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,0BAA0B,CAAC;AAWlC,MAAM,UAAU,iBAAiB,CAAC,GAAmB;IACnD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/server/oauth-helpers.d.ts CHANGED Viewed

@@ -6,6 +6,7 @@ export declare function isOAuthConnected(provider: string, forEmail?: string): P
 /**
  * Get OAuth accounts for a provider, scoped to the given owner.
  * Always scopes by owner email — never returns tokens across users.
+ * Returns empty array when forEmail is not provided (prevents leaking all accounts).
  */
 export declare function getOAuthAccounts(provider: string, forEmail?: string): Promise<Array<{
     accountId: string;

package/dist/server/oauth-helpers.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oauth-helpers.d.ts","sourceRoot":"","sources":["../../src/server/oauth-helpers.ts"],"names":[],"mappings":"AAMA;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC,CAMlB;AAED~~;;;GAGG~~;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,KAAK,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,CAAC,CAKxE"}
1	+ {"version":3,"file":"oauth-helpers.d.ts","sourceRoot":"","sources":["../../src/server/oauth-helpers.ts"],"names":[],"mappings":"AAMA;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC,CAMlB;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,KAAK,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CAAE,CAAC,CAAC,CAKxE"}

package/dist/server/oauth-helpers.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { hasOAuthTokens, listOAuthAccountsByOwner, listOAuthAccounts, } from "../oauth-tokens/index.js";
+import { hasOAuthTokens, listOAuthAccountsByOwner, } from "../oauth-tokens/index.js";
 /**
  * Check if any OAuth tokens exist for a provider, scoped to the given owner.
  * Always scopes by owner email — never returns tokens across users.
@@ -13,11 +13,12 @@ export async function isOAuthConnected(provider, forEmail) {
 /**
  * Get OAuth accounts for a provider, scoped to the given owner.
  * Always scopes by owner email — never returns tokens across users.
+ * Returns empty array when forEmail is not provided (prevents leaking all accounts).
  */
 export async function getOAuthAccounts(provider, forEmail) {
-    if (forEmail) {
-        return listOAuthAccountsByOwner(provider, forEmail);
+    if (!forEmail) {
+        return [];
     }
-    return listOAuthAccounts(provider);
+    return listOAuthAccountsByOwner(provider, forEmail);
 }
 //# sourceMappingURL=oauth-helpers.js.map

package/dist/server/oauth-helpers.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"oauth-helpers.js","sourceRoot":"","sources":["../../src/server/oauth-helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,wBAAwB,~~EACxB~~,~~iBAAiB,GAClB,~~MAAM,0BAA0B,CAAC;AAElC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,QAAiB;IAEjB,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACpE,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,cAAc,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED~~;;;GAGG~~;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,QAAiB;IAEjB,IAAI,QAAQ,EAAE,CAAC;~~QACb~~,OAAO,~~wBAAwB,CAAC,QAAQ,~~EAAE,~~QAAQ,~~CAAC~~,CAAC~~;~~IACtD~~,CAAC;IACD,OAAO,~~iBAAiB~~,CAAC,QAAQ,CAAC,CAAC;~~AACrC~~,CAAC"}
1	+ {"version":3,"file":"oauth-helpers.js","sourceRoot":"","sources":["../../src/server/oauth-helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EACd,wBAAwB,GAEzB,MAAM,0BAA0B,CAAC;AAElC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,QAAiB;IAEjB,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACpE,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7B,CAAC;IACD,OAAO,cAAc,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,QAAiB;IAEjB,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,wBAAwB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;AACtD,CAAC"}

package/dist/server/onboarding-html.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"onboarding-html.d.ts","sourceRoot":"","sources":["../../src/server/onboarding-html.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;~~AAWH~~,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;~~AAED~~,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,qBAA0B,GAAG,MAAM,~~CA8U1E~~;AAED,kDAAkD;AAClD,eAAO,MAAM,eAAe,QAAsB,CAAC"}
1	+ {"version":3,"file":"onboarding-html.d.ts","sourceRoot":"","sources":["../../src/server/onboarding-html.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAwBH,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAID,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,qBAA0B,GAAG,MAAM,CAyZ1E;AAED,kDAAkD;AAClD,eAAO,MAAM,eAAe,QAAsB,CAAC"}

package/dist/server/onboarding-html.js CHANGED Viewed

@@ -17,16 +17,34 @@ function isProductionEnv() {
 function hasGoogleOAuth() {
     return !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
 }
+function getConnectionLabel() {
+    const url = process.env.DATABASE_URL || "";
+    if (!url)
+        return "SQLite (local file)";
+    if (url.startsWith("postgres://") || url.startsWith("postgresql://")) {
+        if (url.includes("neon.tech"))
+            return "Neon Postgres";
+        if (url.includes("supabase"))
+            return "Supabase Postgres";
+        return "Postgres";
+    }
+    if (url.startsWith("file:"))
+        return "SQLite (local file)";
+    if (url.startsWith("libsql://") || url.includes("turso.io"))
+        return "Turso";
+    return "SQL database";
+}
+const MIGRATE_FLAG_KEY = "an_migrate_from_local";
 export function getOnboardingHtml(opts = {}) {
     const showLocalMode = !isProductionEnv() && !opts.googleOnly;
     const showGoogle = hasGoogleOAuth();
     const googleOnly = !!opts.googleOnly;
     const localModeBlock = showLocalMode
         ? `
-  <div class="divider">or</div>
+  <div class="divider" id="local-divider">or</div>
   <button class="btn-secondary" id="local-btn" onclick="useLocally()">Use locally without an account</button>
-  <p class="local-info">Skip auth for solo local development. You can create an account later.</p>`
+  <p class="local-info" id="local-info">Skip auth for solo local development. You can create an account later.</p>`
         : "";
     const localModeScript = showLocalMode
         ? `
@@ -35,6 +53,11 @@ export function getOnboardingHtml(opts = {}) {
     btn.disabled = true;
     btn.textContent = 'Setting up...';
     try {
+      try {
+        if (localStorage.getItem('${MIGRATE_FLAG_KEY}')) {
+          localStorage.removeItem('${MIGRATE_FLAG_KEY}');
+        }
+      } catch (e) {}
       var res = await fetch('/_agent-native/auth/local-mode', { method: 'POST' });
       if (res.ok) {
         window.location.reload();
@@ -52,7 +75,7 @@ export function getOnboardingHtml(opts = {}) {
 <html lang="en">
 <head>
 <meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
 <title>Welcome</title>
 <style>
   *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
@@ -61,9 +84,11 @@ export function getOnboardingHtml(opts = {}) {
     background: #0a0a0a;
     color: #e5e5e5;
     display: flex;
+    flex-direction: column;
     align-items: center;
     justify-content: center;
     min-height: 100vh;
+    padding: 1rem;
   }
   .card {
     width: 100%;
@@ -166,6 +191,18 @@ export function getOnboardingHtml(opts = {}) {
     margin-top: 0.5rem;
     line-height: 1.4;
   }
+  .upgrade-note {
+    margin-bottom: 1rem;
+    padding: 0.75rem;
+    border: 1px solid rgba(255,255,255,0.08);
+    border-radius: 8px;
+    background: rgba(255,255,255,0.03);
+    font-size: 0.75rem;
+    line-height: 1.5;
+    color: #a1a1aa;
+    display: none;
+  }
+  .upgrade-note.show { display: block; }
   .btn-google {
     width: 100%;
     display: flex;
@@ -186,12 +223,32 @@ export function getOnboardingHtml(opts = {}) {
   .btn-google svg { width: 18px; height: 18px; flex-shrink: 0; }
   .google-error { margin-top: 0.5rem; font-size: 0.8125rem; color: #f87171; display: none; }
   .google-error.show { display: block; }
+  .local-note {
+    display: none;
+    max-width: 400px;
+    width: 100%;
+    margin-top: 1rem;
+    padding: 0.625rem 0.875rem;
+    font-size: 0.6875rem;
+    line-height: 1.5;
+    color: #666;
+    border: 1px dashed rgba(255,255,255,0.08);
+    border-radius: 8px;
+    text-align: center;
+  }
+  .local-note.show { display: block; }
+  .local-note strong { color: #999; font-weight: 500; }
+  .local-note a { color: #888; text-decoration: underline; text-underline-offset: 2px; }
+  .local-note a:hover { color: #bbb; }
 </style>
 </head>
 <body>
 <div class="card">
   <h1>Welcome</h1>
   <p class="subtitle">Create an account to get started</p>
+  <p class="upgrade-note" id="upgrade-note">
+    You started this flow from <code>local@localhost</code>. Continue signing in to upgrade this workspace to a real account and migrate your local data. If you want to cancel that and keep using local mode, use the secondary button below.
+  </p>
 ${showGoogle
         ? `
@@ -238,7 +295,19 @@ ${googleOnly
   </form>`}
 ${localModeBlock}
 </div>
+<p class="local-note" id="local-note">
+  This account lives in <strong>your app</strong>, not an external service. Current connection: <strong>${getConnectionLabel()}</strong>.
+  <br />
+  <a href="https://github.com/BuilderIO/agent-native#readme" target="_blank" rel="noreferrer">Connect a different database or auth provider →</a>
+</p>
 <script>
+  (function revealLocalNote() {
+    var h = location.hostname;
+    if (h === 'localhost' || h === '127.0.0.1' || h === '::1' || h.endsWith('.local')) {
+      var n = document.getElementById('local-note');
+      if (n) n.classList.add('show');
+    }
+  })();
 ${googleOnly
         ? ""
         : `  var tabs = document.querySelectorAll('.tab');
@@ -306,6 +375,28 @@ ${googleOnly
     }
   });
 `}${localModeScript}
+${showLocalMode
+        ? `
+  (function syncUpgradeFromLocalUi() {
+    var subtitle = document.querySelector('.subtitle');
+    var note = document.getElementById('upgrade-note');
+    var localBtn = document.getElementById('local-btn');
+    var localInfo = document.getElementById('local-info');
+    var divider = document.getElementById('local-divider');
+    if (!subtitle || !note || !localBtn || !localInfo || !divider) return;
+    try {
+      if (!localStorage.getItem('${MIGRATE_FLAG_KEY}')) return;
+    } catch (e) {
+      return;
+    }
+    subtitle.textContent = 'Sign in to upgrade your local workspace';
+    note.classList.add('show');
+    localBtn.textContent = 'Stay in local mode';
+    localInfo.textContent = 'Use this if you want to cancel the upgrade and go back to local@localhost on this device.';
+    divider.textContent = 'or stay local';
+  })();
+`
+        : ""}
 ${showGoogle
         ? `
   async function signInWithGoogle() {

package/dist/server/onboarding-html.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"onboarding-html.js","sourceRoot":"","sources":["../../src/server/onboarding-html.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,SAAS,eAAe;IACtB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAC;AACjD,CAAC;AAED,SAAS,cAAc;IACrB,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AAC9E,CAAC;AAWD,MAAM,UAAU,iBAAiB,CAAC,OAA8B,EAAE;IAChE,MAAM,aAAa,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC;IAC7D,MAAM,UAAU,GAAG,cAAc,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC;IACrC,MAAM,cAAc,GAAG,aAAa;QAClC,CAAC,CAAC;;;;~~mGAI6F~~;QAC/F,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,eAAe,GAAG,aAAa;QACnC,CAAC,CAAC~~;;;;;;;;;;;;;;;;;IAiBF~~;QACA,CAAC,CAAC,EAAE,CAAC;IAEP,OAAO~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkJP~~,UAAU;QACR,CAAC,CAAC;;;;;;EAMJ,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,qCAAqC;CACxD;QACG,CAAC,CAAC,UAAU;YACV,CAAC,CAAC;;;;;CAKP;YACK,CAAC,CAAC,EACR;EAEE,UAAU;QACR,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;UAwBN;EACE,cAAc;;;~~EAId~~,UAAU;QACR,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiEN,GAAG,eAAe;EAEhB,UAAU;QACR,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA6BF;QACA,CAAC,CAAC,EACN;;;QAGQ,CAAC;AACT,CAAC;AAED,kDAAkD;AAClD,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC"}
1	+ {"version":3,"file":"onboarding-html.js","sourceRoot":"","sources":["../../src/server/onboarding-html.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,SAAS,eAAe;IACtB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAC;AACjD,CAAC;AAED,SAAS,cAAc;IACrB,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;IAC3C,IAAI,CAAC,GAAG;QAAE,OAAO,qBAAqB,CAAC;IACvC,IAAI,GAAG,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;QACrE,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC;YAAE,OAAO,eAAe,CAAC;QACtD,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,OAAO,mBAAmB,CAAC;QACzD,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,qBAAqB,CAAC;IAC1D,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,OAAO,CAAC;IAC5E,OAAO,cAAc,CAAC;AACxB,CAAC;AAWD,MAAM,gBAAgB,GAAG,uBAAuB,CAAC;AAEjD,MAAM,UAAU,iBAAiB,CAAC,OAA8B,EAAE;IAChE,MAAM,aAAa,GAAG,CAAC,eAAe,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC;IAC7D,MAAM,UAAU,GAAG,cAAc,EAAE,CAAC;IACpC,MAAM,UAAU,GAAG,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC;IACrC,MAAM,cAAc,GAAG,aAAa;QAClC,CAAC,CAAC;;;;mHAI6G;QAC/G,CAAC,CAAC,EAAE,CAAC;IAEP,MAAM,eAAe,GAAG,aAAa;QACnC,CAAC,CAAC;;;;;;;oCAO8B,gBAAgB;qCACf,gBAAgB;;;;;;;;;;;;;;IAcjD;QACA,CAAC,CAAC,EAAE,CAAC;IAEP,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAoLP,UAAU;QACR,CAAC,CAAC;;;;;;EAMJ,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,qCAAqC;CACxD;QACG,CAAC,CAAC,UAAU;YACV,CAAC,CAAC;;;;;CAKP;YACK,CAAC,CAAC,EACR;EAEE,UAAU;QACR,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;UAwBN;EACE,cAAc;;;0GAG0F,kBAAkB,EAAE;;;;;;;;;;;;EAa5H,UAAU;QACR,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiEN,GAAG,eAAe;EAEhB,aAAa;QACX,CAAC,CAAC;;;;;;;;;mCAS6B,gBAAgB;;;;;;;;;;CAUlD;QACG,CAAC,CAAC,EACN;EAEE,UAAU;QACR,CAAC,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA6BF;QACA,CAAC,CAAC,EACN;;;QAGQ,CAAC;AACT,CAAC;AAED,kDAAkD;AAClD,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC"}

package/dist/server/request-context.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+export interface RequestContext {
+    userEmail?: string;
+    orgId?: string;
+}
+/**
+ * Run a callback within a per-request context. The context is available to all
+ * async operations spawned from `fn` via `getRequestUserEmail()` / `getRequestOrgId()`.
+ */
+export declare function runWithRequestContext<T>(ctx: RequestContext, fn: () => T | Promise<T>): T | Promise<T>;
+/**
+ * Get the current request's user email.
+ * Falls back to `process.env.AGENT_USER_EMAIL` for CLI scripts.
+ */
+export declare function getRequestUserEmail(): string | undefined;
+/**
+ * Get the current request's org ID.
+ * Falls back to `process.env.AGENT_ORG_ID` for CLI scripts.
+ */
+export declare function getRequestOrgId(): string | undefined;
+//# sourceMappingURL=request-context.d.ts.map

package/dist/server/request-context.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"request-context.d.ts","sourceRoot":"","sources":["../../src/server/request-context.ts"],"names":[],"mappings":"AAmBA,MAAM,WAAW,cAAc;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACrC,GAAG,EAAE,cAAc,EACnB,EAAE,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GACvB,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAEhB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,GAAG,SAAS,CAExD;AAED;;;GAGG;AACH,wBAAgB,eAAe,IAAI,MAAM,GAAG,SAAS,CAEpD"}

package/dist/server/request-context.js ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * Per-request context using AsyncLocalStorage.
+ *
+ * Replaces the unsafe pattern of mutating `process.env.AGENT_USER_EMAIL` /
+ * `process.env.AGENT_ORG_ID` on every request. On Node.js (Netlify, self-hosted)
+ * concurrent requests would overwrite each other's env vars. AsyncLocalStorage
+ * gives each async call-chain its own isolated context.
+ *
+ * Supported on all deployment targets:
+ * - Node.js (native)
+ * - Cloudflare Workers (via nodejs_compat flag)
+ * - Deno Deploy (via node:async_hooks compat)
+ *
+ * For CLI scripts that run outside a request context, the getters fall back to
+ * process.env so existing `AGENT_USER_EMAIL=x pnpm action foo` invocations
+ * continue to work.
+ */
+import { AsyncLocalStorage } from "node:async_hooks";
+const als = new AsyncLocalStorage();
+/**
+ * Run a callback within a per-request context. The context is available to all
+ * async operations spawned from `fn` via `getRequestUserEmail()` / `getRequestOrgId()`.
+ */
+export function runWithRequestContext(ctx, fn) {
+    return als.run(ctx, fn);
+}
+/**
+ * Get the current request's user email.
+ * Falls back to `process.env.AGENT_USER_EMAIL` for CLI scripts.
+ */
+export function getRequestUserEmail() {
+    return als.getStore()?.userEmail ?? process.env.AGENT_USER_EMAIL;
+}
+/**
+ * Get the current request's org ID.
+ * Falls back to `process.env.AGENT_ORG_ID` for CLI scripts.
+ */
+export function getRequestOrgId() {
+    return als.getStore()?.orgId ?? process.env.AGENT_ORG_ID;
+}
+//# sourceMappingURL=request-context.js.map

package/dist/server/request-context.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"request-context.js","sourceRoot":"","sources":["../../src/server/request-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAOrD,MAAM,GAAG,GAAG,IAAI,iBAAiB,EAAkB,CAAC;AAEpD;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,GAAmB,EACnB,EAAwB;IAExB,OAAO,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AACnE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;AAC3D,CAAC"}

package/dist/templates/default/.agents/skills/actions/SKILL.md CHANGED Viewed

@@ -84,7 +84,8 @@ This is the canonical approach for new apps. Action names must be lowercase with
 ## Guidelines
 - **One action, one job.** Keep actions focused on a single operation. The agent composes multiple action calls for complex operations.
-- **Use `parseArgs()`** for structured argument parsing. It converts `--key value` pairs to a `Record<string, string>`.
+- **Always use `defineAction` with a Zod `schema:`** for input validation. The framework validates automatically and returns clear error messages for invalid input. This prevents malicious or malformed input from reaching your code. The legacy `parseArgs()` format has no runtime validation — use it only for internal/dev scripts, not user-facing actions.
+- **Never construct SQL with string concatenation** — use the `db-exec`/`db-query` tools which parameterize queries automatically (`?` placeholders). Drizzle ORM queries are always safe.
 - **Use `loadEnv()`** if the action needs environment variables (API keys, etc.).
 - **Use `fail()`** for user-friendly error messages (exits with message, no stack trace).
 - **Write results to the database.** The agent and UI will pick them up via db sync polling.

package/dist/templates/default/.agents/skills/security/SKILL.md CHANGED Viewed

@@ -1,14 +1,144 @@
 ---
 name: security
 description: >-
-  Data security model, user/org scoping, and auth patterns. Use when adding
-  tables with user data, implementing multi-user features, setting up A2A
-  cross-app calls, or reviewing data access patterns.
+  Secure coding guide for agent-native apps. Covers input validation, SQL
+  injection prevention, XSS, secrets management, auth patterns, data scoping,
+  and A2A security. Read this when generating any code that handles user data.
 ---
-# Security & Data Scoping
+# Security
-## How Data Isolation Works
+The framework provides strong security primitives. Use them — don't reinvent security.
+## Input Validation
+**Always use `defineAction` with a Zod `schema:`** for every action that accepts user input. The framework validates automatically and returns clear error messages.
+```ts
+// SECURE — framework validates before run() is called
+export default defineAction({
+  description: "Create a note",
+  schema: z.object({
+    title: z.string().min(1).max(200),
+    content: z.string().optional(),
+  }),
+  run: async (args) => {
+    // args is guaranteed valid — { title: string; content?: string }
+  },
+});
+```
+The legacy `parameters:` format (plain JSON Schema) has **no runtime validation** — the agent receives whatever the caller sends. Do not use it for new code.
+Actions without a `schema:` are unvalidated. This is acceptable for internal/dev scripts but never for user-facing operations.
+## SQL Injection Prevention
+The framework's `db-query` and `db-exec` tools use **parameterized queries** (`?` placeholders). The database driver handles escaping — user input never touches the SQL string.
+```ts
+// WRONG — SQL injection vulnerability
+await exec(`INSERT INTO notes (title) VALUES ('${title}')`)
+await exec(`SELECT * FROM notes WHERE title LIKE '%${search}%'`)
+// RIGHT — parameterized queries (framework default)
+await exec({ sql: "INSERT INTO notes (title) VALUES (?)", args: [title] })
+await exec({ sql: "SELECT * FROM notes WHERE title LIKE ?", args: [`%${search}%`] })
+```
+**Drizzle ORM is always safe** — it generates parameterized queries automatically:
+```ts
+const notes = await db.select().from(notesTable).where(eq(notesTable.title, title));
+```
+**When is SQL injection a risk?**
+- Only when writing raw SQL with string concatenation in server routes or actions
+- Never when using `db-query`/`db-exec` with `args` arrays
+- Never when using Drizzle ORM
+## XSS Prevention
+React auto-escapes all JSX expressions by default. Trust it.
+```tsx
+// SAFE — React escapes the output
+<p>{userInput}</p>
+<span>{comment.text}</span>
+// DANGEROUS — bypasses React's escaping
+<div dangerouslySetInnerHTML={{ __html: userInput }} />  // NEVER with user content
+element.innerHTML = userInput;                             // NEVER
+eval(userInput);                                           // NEVER
+document.write(userInput);                                 // NEVER
+new Function(userInput);                                   // NEVER
+```
+**For rich text:** Use TipTap (framework dependency) with the Collaboration extension. TipTap sanitizes content through its schema — only allowed node types render.
+**For markdown:** Use `react-markdown` (already used in the framework). It parses markdown to React elements without `dangerouslySetInnerHTML`.
+**For HTML from external sources:** If you absolutely must render external HTML, use a sanitization library like `dompurify`. But prefer structured data (markdown, TipTap JSON) over raw HTML.
+## Secrets Management
+| Secret type | Where to store | Why |
+|-------------|---------------|-----|
+| API keys (OpenAI, Stripe, etc.) | `.env` file (gitignored) | Never committed, server-side only |
+| OAuth tokens (Google, GitHub) | `oauth_tokens` store | Per-user, per-provider, server-side |
+| App configuration | `settings` store | OK for non-secret config (themes, preferences) |
+| Session tokens | Framework handles | Automatic via Better Auth |
+**Rules:**
+- Never store secrets in `settings`, `application_state`, or source code
+- Never return secrets in action responses — they may appear in agent chat or client UI
+- Never log secrets (tokens, keys, passwords)
+- Never commit `.env` files — they're gitignored by default
+- Access env vars via `process.env` in actions/server code, never send them to the client
+## Auth Patterns
+### Use `defineAction` (recommended)
+Actions defined with `defineAction` are automatically protected by the auth guard. Unauthenticated requests get a 401 response. This is the safest pattern.
+```ts
+// Auto-protected — auth guard runs before this code
+export default defineAction({
+  description: "Delete a note",
+  schema: z.object({ id: z.string() }),
+  run: async (args) => {
+    // Only authenticated users reach here
+  },
+});
+```
+### Custom `/api/` routes (use sparingly)
+If you must create custom routes (file uploads, streaming, webhooks), always check auth:
+```ts
+// server/routes/api/upload.ts
+import { getSession } from "@agent-native/core/server";
+export default defineEventHandler(async (event) => {
+  const session = await getSession(event);
+  if (!session?.email) {
+    setResponseStatus(event, 401);
+    return { error: "Unauthorized" };
+  }
+  // ... handle upload with session.email
+});
+```
+### CSRF Protection
+The framework uses `SameSite=lax` cookies with `httpOnly` flag. This prevents most CSRF attacks. Additional rules:
+- State-changing actions should use POST (the default for `defineAction`)
+- GET actions (`http: { method: "GET" }`) should be read-only
+- Never perform writes in response to GET requests
+## Data Scoping
 In production, the framework enforces data isolation at the SQL level. Agents and users can only see and modify data they own. This is automatic — you don't write WHERE clauses yourself.
@@ -41,45 +171,17 @@ For multi-user apps where teams share data, add an `org_id` column:
 export const projects = table("projects", {
   id: text("id").primaryKey(),
   name: text("name").notNull(),
-  owner_email: text("owner_email").notNull(), // who created it
-  org_id: text("org_id").notNull(),           // which org it belongs to
+  owner_email: text("owner_email").notNull(),
+  org_id: text("org_id").notNull(),
 });
 ```
 When both columns are present, queries are scoped by **both**: `WHERE owner_email = ? AND org_id = ?`.
-The `org_id` comes from `AGENT_ORG_ID` which is automatically set from the user's active organization in Better Auth.
 ### Validation
 Run `pnpm action db-check-scoping` to verify all tables have proper ownership columns. Use `--require-org` for multi-org apps.
-## Auth Model
-### Better Auth (Default)
-The framework uses Better Auth for authentication. It's always on by default — users create an account on first visit.
-**Environment variables:**
-- `BETTER_AUTH_SECRET` — signing key (auto-generated if not set)
-- `GOOGLE_CLIENT_ID` + `GOOGLE_CLIENT_SECRET` — enable Google OAuth
-- `GITHUB_CLIENT_ID` + `GITHUB_CLIENT_SECRET` — enable GitHub OAuth
-- `AUTH_MODE=local` — disable auth for solo local dev (escape hatch)
-### Organizations
-Better Auth's organization plugin is built-in. Every app supports:
-- Creating organizations
-- Inviting members (owner/admin/member roles)
-- Switching active organization
-- Per-org data scoping via `org_id`
-The active organization ID flows from `session.orgId` → `AGENT_ORG_ID` → SQL scoping automatically.
-### ACCESS_TOKEN (Legacy)
-For simple deployments, set `ACCESS_TOKEN` or `ACCESS_TOKENS` (comma-separated) as environment variables. This provides a shared token for all users — no per-user identity.
 ## A2A Security
 ### Cross-App Identity
@@ -87,7 +189,6 @@ For simple deployments, set `ACCESS_TOKEN` or `ACCESS_TOKENS` (comma-separated)
 When apps call each other via A2A, they need to verify identity. Set the same `A2A_SECRET` on all apps that need to trust each other:
 ```bash
-# On both apps
 A2A_SECRET=your-shared-secret-at-least-32-chars
 ```
@@ -102,7 +203,11 @@ Without `A2A_SECRET`, A2A calls are unauthenticated (fine for local dev, not pro
 ## Rules for Agents
 1. **Every new table with user data must have `owner_email`.** No exceptions.
-2. **Never bypass scoping** — don't raw-query tables without going through `db-query`/`db-exec`.
-3. **Don't expose user data in application state** — application state is per-session, not per-user. Use SQL tables with `owner_email` for persistent user data.
-4. **Don't hardcode emails** — use `AGENT_USER_EMAIL` environment variable.
-5. **Test with multiple users** — create two accounts and verify data isolation.
+2. **Always use `defineAction` with a Zod `schema:`** for input validation on user-facing actions.
+3. **Never concatenate user input into SQL** — use parameterized queries or Drizzle ORM.
+4. **Never use `dangerouslySetInnerHTML`** or `innerHTML` with user-controlled content.
+5. **Never store secrets outside `.env` or `oauth_tokens`** — no settings, no source code, no responses.
+6. **Never bypass scoping** — don't raw-query tables without going through `db-query`/`db-exec`.
+7. **Never create unprotected routes that modify data** — use `defineAction` or check `getSession()`.
+8. **Don't hardcode emails** — use `AGENT_USER_EMAIL` environment variable.
+9. **Don't expose user data in application state** — it's per-session, not per-user. Use SQL tables with `owner_email`.

package/dist/templates/default/.agents/skills/storing-data/SKILL.md CHANGED Viewed

@@ -78,7 +78,7 @@ Query via `getDb()` singleton from `server/db/index.ts`.
 ### 4. OAuth Tokens — credentials
-For OAuth tokens acquired at runtime (Google, etc.). Never store these in settings — use the dedicated encrypted store.
+For OAuth tokens acquired at runtime (Google, etc.). Never store these in settings — use the dedicated store.
 ```ts
 import { saveOAuthTokens, getOAuthTokens, listOAuthAccounts } from "@agent-native/core/oauth-tokens";
@@ -108,3 +108,9 @@ Infrastructure config stays in `.env` — these differ per deployment:
 - `ACCESS_TOKEN` — production auth token
 Everything else (user settings, tokens, app state) goes in SQL.
+## Security Rules
+- **Never store API keys or secrets in Settings or Application State** — use `.env` for API keys (gitignored) and the `oauth_tokens` store for OAuth credentials. Settings and application state are readable by the client.
+- **Every Drizzle table with user data must have `owner_email`** — the framework auto-scopes queries in production so users only see their own data. Run `pnpm action db-check-scoping` to verify. See the `security` skill for the full model.
+- **Never return secrets in action responses** — action responses may be visible in the agent chat or sent to the client. Keep credentials server-side only.

package/dist/templates/default/_gitignore CHANGED Viewed

@@ -1,5 +1,6 @@
 # React Router generated types
 .react-router/
+.agent-native/
 # Logs
 logs

package/dist/templates/default/app/root.tsx CHANGED Viewed

@@ -23,7 +23,10 @@ export function Layout({ children }: { children: React.ReactNode }) {
     <html lang="en" suppressHydrationWarning>
       <head>
         <meta charSet="utf-8" />
-        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <meta
+          name="viewport"
+          content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"
+        />
         <link rel="manifest" href="/manifest.json" />
         <meta name="theme-color" content="#111111" />
         <meta name="mobile-web-app-capable" content="yes" />