npm - @agent-native/core - Versions diffs - 0.6.1 → 0.7.2 - Mend

@agent-native/core 0.6.1 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (598) hide show

package/README.md +43 -3
package/dist/action.d.ts +8 -0
package/dist/action.d.ts.map +1 -1
package/dist/action.js +18 -0
package/dist/action.js.map +1 -1
package/dist/agent/production-agent.d.ts +9 -0
package/dist/agent/production-agent.d.ts.map +1 -1
package/dist/agent/production-agent.js +301 -39
package/dist/agent/production-agent.js.map +1 -1
package/dist/agent/run-manager.d.ts.map +1 -1
package/dist/agent/run-manager.js +20 -1
package/dist/agent/run-manager.js.map +1 -1
package/dist/agent/run-store.d.ts +14 -0
package/dist/agent/run-store.d.ts.map +1 -1
package/dist/agent/run-store.js +63 -6
package/dist/agent/run-store.js.map +1 -1
package/dist/agent/types.d.ts +3 -1
package/dist/agent/types.d.ts.map +1 -1
package/dist/cli/create-workspace.d.ts +8 -0
package/dist/cli/create-workspace.d.ts.map +1 -0
package/dist/cli/create-workspace.js +18 -0
package/dist/cli/create-workspace.js.map +1 -0
package/dist/cli/create.d.ts +35 -7
package/dist/cli/create.d.ts.map +1 -1
package/dist/cli/create.js +444 -251
package/dist/cli/create.js.map +1 -1
package/dist/cli/index.js +59 -5
package/dist/cli/index.js.map +1 -1
package/dist/cli/setup-agents.d.ts.map +1 -1
package/dist/cli/setup-agents.js +0 -2
package/dist/cli/setup-agents.js.map +1 -1
package/dist/cli/templates-meta.d.ts +52 -0
package/dist/cli/templates-meta.d.ts.map +1 -0
package/dist/cli/templates-meta.js +165 -0
package/dist/cli/templates-meta.js.map +1 -0
package/dist/cli/workspacify.d.ts +18 -0
package/dist/cli/workspacify.d.ts.map +1 -0
package/dist/cli/workspacify.js +74 -0
package/dist/cli/workspacify.js.map +1 -0
package/dist/client/AgentPanel.d.ts +6 -2
package/dist/client/AgentPanel.d.ts.map +1 -1
package/dist/client/AgentPanel.js +328 -241
package/dist/client/AgentPanel.js.map +1 -1
package/dist/client/AssistantChat.d.ts +2 -1
package/dist/client/AssistantChat.d.ts.map +1 -1
package/dist/client/AssistantChat.js +172 -40
package/dist/client/AssistantChat.js.map +1 -1
package/dist/client/ConnectBuilderCard.d.ts +21 -0
package/dist/client/ConnectBuilderCard.d.ts.map +1 -0
package/dist/client/ConnectBuilderCard.js +196 -0
package/dist/client/ConnectBuilderCard.js.map +1 -0
package/dist/client/FeedbackButton.d.ts +15 -0
package/dist/client/FeedbackButton.d.ts.map +1 -0
package/dist/client/FeedbackButton.js +72 -0
package/dist/client/FeedbackButton.js.map +1 -0
package/dist/client/IframeEmbed.d.ts +17 -0
package/dist/client/IframeEmbed.d.ts.map +1 -0
package/dist/client/IframeEmbed.js +108 -0
package/dist/client/IframeEmbed.js.map +1 -0
package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
package/dist/client/MultiTabAssistantChat.js +34 -7
package/dist/client/MultiTabAssistantChat.js.map +1 -1
package/dist/client/agent-chat-adapter.d.ts.map +1 -1
package/dist/client/agent-chat-adapter.js +34 -15
package/dist/client/agent-chat-adapter.js.map +1 -1
package/dist/client/agent-chat.d.ts +6 -0
package/dist/client/agent-chat.d.ts.map +1 -1
package/dist/client/agent-chat.js +7 -0
package/dist/client/agent-chat.js.map +1 -1
package/dist/client/components/CodeRequiredDialog.d.ts.map +1 -1
package/dist/client/components/CodeRequiredDialog.js +86 -5
package/dist/client/components/CodeRequiredDialog.js.map +1 -1
package/dist/client/composer/MentionPopover.d.ts.map +1 -1
package/dist/client/composer/MentionPopover.js +42 -26
package/dist/client/composer/MentionPopover.js.map +1 -1
package/dist/client/composer/TiptapComposer.d.ts +3 -1
package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
package/dist/client/composer/TiptapComposer.js +24 -5
package/dist/client/composer/TiptapComposer.js.map +1 -1
package/dist/client/composer/types.d.ts +1 -1
package/dist/client/composer/types.d.ts.map +1 -1
package/dist/client/embed.d.ts +28 -0
package/dist/client/embed.d.ts.map +1 -0
package/dist/client/embed.js +50 -0
package/dist/client/embed.js.map +1 -0
package/dist/client/index.d.ts +4 -1
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +4 -1
package/dist/client/index.js.map +1 -1
package/dist/client/integrations/IntegrationsPanel.d.ts.map +1 -1
package/dist/client/integrations/IntegrationsPanel.js +22 -9
package/dist/client/integrations/IntegrationsPanel.js.map +1 -1
package/dist/client/onboarding/OnboardingBanner.d.ts +13 -0
package/dist/client/onboarding/OnboardingBanner.d.ts.map +1 -0
package/dist/client/onboarding/OnboardingBanner.js +36 -0
package/dist/client/onboarding/OnboardingBanner.js.map +1 -0
package/dist/client/onboarding/OnboardingPanel.d.ts +16 -0
package/dist/client/onboarding/OnboardingPanel.d.ts.map +1 -0
package/dist/client/onboarding/OnboardingPanel.js +447 -0
package/dist/client/onboarding/OnboardingPanel.js.map +1 -0
package/dist/client/onboarding/SetupButton.d.ts +10 -0
package/dist/client/onboarding/SetupButton.d.ts.map +1 -0
package/dist/client/onboarding/SetupButton.js +36 -0
package/dist/client/onboarding/SetupButton.js.map +1 -0
package/dist/client/onboarding/index.d.ts +12 -0
package/dist/client/onboarding/index.d.ts.map +1 -0
package/dist/client/onboarding/index.js +11 -0
package/dist/client/onboarding/index.js.map +1 -0
package/dist/client/onboarding/use-onboarding.d.ts +34 -0
package/dist/client/onboarding/use-onboarding.d.ts.map +1 -0
package/dist/client/onboarding/use-onboarding.js +101 -0
package/dist/client/onboarding/use-onboarding.js.map +1 -0
package/dist/client/org/TeamPage.d.ts +6 -1
package/dist/client/org/TeamPage.d.ts.map +1 -1
package/dist/client/org/TeamPage.js +97 -21
package/dist/client/org/TeamPage.js.map +1 -1
package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
package/dist/client/resources/ResourceEditor.js +104 -78
package/dist/client/resources/ResourceEditor.js.map +1 -1
package/dist/client/resources/ResourceTree.d.ts +5 -1
package/dist/client/resources/ResourceTree.d.ts.map +1 -1
package/dist/client/resources/ResourceTree.js +31 -11
package/dist/client/resources/ResourceTree.js.map +1 -1
package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
package/dist/client/resources/ResourcesPanel.js +142 -14
package/dist/client/resources/ResourcesPanel.js.map +1 -1
package/dist/client/resources/use-resources.d.ts +5 -0
package/dist/client/resources/use-resources.d.ts.map +1 -1
package/dist/client/resources/use-resources.js.map +1 -1
package/dist/client/settings/AgentsSection.d.ts +2 -0
package/dist/client/settings/AgentsSection.d.ts.map +1 -0
package/dist/client/settings/AgentsSection.js +201 -0
package/dist/client/settings/AgentsSection.js.map +1 -0
package/dist/client/settings/BackgroundAgentSection.d.ts +2 -0
package/dist/client/settings/BackgroundAgentSection.d.ts.map +1 -0
package/dist/client/settings/BackgroundAgentSection.js +46 -0
package/dist/client/settings/BackgroundAgentSection.js.map +1 -0
package/dist/client/settings/BrowserSection.d.ts +2 -0
package/dist/client/settings/BrowserSection.d.ts.map +1 -0
package/dist/client/settings/BrowserSection.js +10 -0
package/dist/client/settings/BrowserSection.js.map +1 -0
package/dist/client/settings/ComingSoonSection.d.ts +13 -0
package/dist/client/settings/ComingSoonSection.d.ts.map +1 -0
package/dist/client/settings/ComingSoonSection.js +9 -0
package/dist/client/settings/ComingSoonSection.js.map +1 -0
package/dist/client/settings/LLMSection.d.ts +2 -0
package/dist/client/settings/LLMSection.d.ts.map +1 -0
package/dist/client/settings/LLMSection.js +64 -0
package/dist/client/settings/LLMSection.js.map +1 -0
package/dist/client/settings/SettingsPanel.d.ts +8 -0
package/dist/client/settings/SettingsPanel.d.ts.map +1 -0
package/dist/client/settings/SettingsPanel.js +111 -0
package/dist/client/settings/SettingsPanel.js.map +1 -0
package/dist/client/settings/SettingsSection.d.ts +19 -0
package/dist/client/settings/SettingsSection.d.ts.map +1 -0
package/dist/client/settings/SettingsSection.js +10 -0
package/dist/client/settings/SettingsSection.js.map +1 -0
package/dist/client/settings/UsageSection.d.ts +2 -0
package/dist/client/settings/UsageSection.d.ts.map +1 -0
package/dist/client/settings/UsageSection.js +70 -0
package/dist/client/settings/UsageSection.js.map +1 -0
package/dist/client/settings/index.d.ts +3 -0
package/dist/client/settings/index.d.ts.map +1 -0
package/dist/client/settings/index.js +3 -0
package/dist/client/settings/index.js.map +1 -0
package/dist/client/settings/useBuilderStatus.d.ts +22 -0
package/dist/client/settings/useBuilderStatus.d.ts.map +1 -0
package/dist/client/settings/useBuilderStatus.js +41 -0
package/dist/client/settings/useBuilderStatus.js.map +1 -0
package/dist/client/use-action.d.ts.map +1 -1
package/dist/client/use-action.js +67 -4
package/dist/client/use-action.js.map +1 -1
package/dist/client/use-db-sync.d.ts +25 -2
package/dist/client/use-db-sync.d.ts.map +1 -1
package/dist/client/use-db-sync.js +62 -1
package/dist/client/use-db-sync.js.map +1 -1
package/dist/client/use-dev-mode.d.ts.map +1 -1
package/dist/client/use-dev-mode.js +16 -1
package/dist/client/use-dev-mode.js.map +1 -1
package/dist/db/client.d.ts +12 -0
package/dist/db/client.d.ts.map +1 -1
package/dist/db/client.js +89 -2
package/dist/db/client.js.map +1 -1
package/dist/db/create-get-db.d.ts +11 -0
package/dist/db/create-get-db.d.ts.map +1 -1
package/dist/db/create-get-db.js +47 -3
package/dist/db/create-get-db.js.map +1 -1
package/dist/db/migrations.d.ts.map +1 -1
package/dist/db/migrations.js +62 -5
package/dist/db/migrations.js.map +1 -1
package/dist/deploy/build.js +198 -54
package/dist/deploy/build.js.map +1 -1
package/dist/deploy/route-discovery.d.ts +5 -0
package/dist/deploy/route-discovery.d.ts.map +1 -1
package/dist/deploy/route-discovery.js +38 -7
package/dist/deploy/route-discovery.js.map +1 -1
package/dist/deploy/workspace-core.d.ts +28 -0
package/dist/deploy/workspace-core.d.ts.map +1 -0
package/dist/deploy/workspace-core.js +223 -0
package/dist/deploy/workspace-core.js.map +1 -0
package/dist/deploy/workspace-deploy.d.ts +11 -0
package/dist/deploy/workspace-deploy.d.ts.map +1 -0
package/dist/deploy/workspace-deploy.js +148 -0
package/dist/deploy/workspace-deploy.js.map +1 -0
package/dist/file-upload/builder.d.ts +11 -0
package/dist/file-upload/builder.d.ts.map +1 -0
package/dist/file-upload/builder.js +53 -0
package/dist/file-upload/builder.js.map +1 -0
package/dist/file-upload/index.d.ts +4 -0
package/dist/file-upload/index.d.ts.map +1 -0
package/dist/file-upload/index.js +3 -0
package/dist/file-upload/index.js.map +1 -0
package/dist/file-upload/registry.d.ts +23 -0
package/dist/file-upload/registry.d.ts.map +1 -0
package/dist/file-upload/registry.js +52 -0
package/dist/file-upload/registry.js.map +1 -0
package/dist/file-upload/types.d.ts +37 -0
package/dist/file-upload/types.d.ts.map +1 -0
package/dist/file-upload/types.js +10 -0
package/dist/file-upload/types.js.map +1 -0
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -0
package/dist/index.js.map +1 -1
package/dist/integrations/adapters/google-docs.d.ts +89 -0
package/dist/integrations/adapters/google-docs.d.ts.map +1 -0
package/dist/integrations/adapters/google-docs.js +261 -0
package/dist/integrations/adapters/google-docs.js.map +1 -0
package/dist/integrations/adapters/slack.d.ts.map +1 -1
package/dist/integrations/adapters/slack.js +34 -0
package/dist/integrations/adapters/slack.js.map +1 -1
package/dist/integrations/adapters/telegram.d.ts.map +1 -1
package/dist/integrations/adapters/telegram.js +32 -0
package/dist/integrations/adapters/telegram.js.map +1 -1
package/dist/integrations/google-docs-poller.d.ts +54 -0
package/dist/integrations/google-docs-poller.d.ts.map +1 -0
package/dist/integrations/google-docs-poller.js +442 -0
package/dist/integrations/google-docs-poller.js.map +1 -0
package/dist/integrations/index.d.ts +2 -0
package/dist/integrations/index.d.ts.map +1 -1
package/dist/integrations/index.js +3 -0
package/dist/integrations/index.js.map +1 -1
package/dist/integrations/plugin.d.ts.map +1 -1
package/dist/integrations/plugin.js +49 -2
package/dist/integrations/plugin.js.map +1 -1
package/dist/integrations/types.d.ts +33 -0
package/dist/integrations/types.d.ts.map +1 -1
package/dist/integrations/webhook-handler.d.ts +10 -1
package/dist/integrations/webhook-handler.d.ts.map +1 -1
package/dist/integrations/webhook-handler.js +13 -3
package/dist/integrations/webhook-handler.js.map +1 -1
package/dist/jobs/scheduler.d.ts +3 -0
package/dist/jobs/scheduler.d.ts.map +1 -1
package/dist/jobs/scheduler.js +87 -61
package/dist/jobs/scheduler.js.map +1 -1
package/dist/jobs/tools.d.ts.map +1 -1
package/dist/jobs/tools.js +20 -3
package/dist/jobs/tools.js.map +1 -1
package/dist/mcp-client/config.d.ts +46 -0
package/dist/mcp-client/config.d.ts.map +1 -0
package/dist/mcp-client/config.js +152 -0
package/dist/mcp-client/config.js.map +1 -0
package/dist/mcp-client/index.d.ts +17 -0
package/dist/mcp-client/index.d.ts.map +1 -0
package/dist/mcp-client/index.js +53 -0
package/dist/mcp-client/index.js.map +1 -0
package/dist/mcp-client/manager.d.ts +76 -0
package/dist/mcp-client/manager.d.ts.map +1 -0
package/dist/mcp-client/manager.js +212 -0
package/dist/mcp-client/manager.js.map +1 -0
package/dist/oauth-tokens/google-refresh.d.ts +31 -0
package/dist/oauth-tokens/google-refresh.d.ts.map +1 -0
package/dist/oauth-tokens/google-refresh.js +115 -0
package/dist/oauth-tokens/google-refresh.js.map +1 -0
package/dist/oauth-tokens/index.d.ts +1 -0
package/dist/oauth-tokens/index.d.ts.map +1 -1
package/dist/oauth-tokens/index.js +1 -0
package/dist/oauth-tokens/index.js.map +1 -1
package/dist/oauth-tokens/store.d.ts.map +1 -1
package/dist/oauth-tokens/store.js +3 -1
package/dist/oauth-tokens/store.js.map +1 -1
package/dist/onboarding/default-steps.d.ts +10 -0
package/dist/onboarding/default-steps.d.ts.map +1 -0
package/dist/onboarding/default-steps.js +203 -0
package/dist/onboarding/default-steps.js.map +1 -0
package/dist/onboarding/index.d.ts +12 -0
package/dist/onboarding/index.d.ts.map +1 -0
package/dist/onboarding/index.js +11 -0
package/dist/onboarding/index.js.map +1 -0
package/dist/onboarding/plugin.d.ts +19 -0
package/dist/onboarding/plugin.d.ts.map +1 -0
package/dist/onboarding/plugin.js +147 -0
package/dist/onboarding/plugin.js.map +1 -0
package/dist/onboarding/registry.d.ts +24 -0
package/dist/onboarding/registry.d.ts.map +1 -0
package/dist/onboarding/registry.js +40 -0
package/dist/onboarding/registry.js.map +1 -0
package/dist/onboarding/types.d.ts +71 -0
package/dist/onboarding/types.d.ts.map +1 -0
package/dist/onboarding/types.js +10 -0
package/dist/onboarding/types.js.map +1 -0
package/dist/org/context.js +1 -1
package/dist/org/handlers.d.ts.map +1 -1
package/dist/org/handlers.js +35 -10
package/dist/org/handlers.js.map +1 -1
package/dist/org/plugin.d.ts.map +1 -1
package/dist/org/plugin.js +37 -22
package/dist/org/plugin.js.map +1 -1
package/dist/resources/agents.d.ts +4 -0
package/dist/resources/agents.d.ts.map +1 -0
package/dist/resources/agents.js +44 -0
package/dist/resources/agents.js.map +1 -0
package/dist/resources/handlers.d.ts +17 -0
package/dist/resources/handlers.d.ts.map +1 -1
package/dist/resources/handlers.js +49 -12
package/dist/resources/handlers.js.map +1 -1
package/dist/resources/metadata.d.ts +48 -0
package/dist/resources/metadata.d.ts.map +1 -0
package/dist/resources/metadata.js +150 -0
package/dist/resources/metadata.js.map +1 -0
package/dist/resources/script-helpers.d.ts.map +1 -1
package/dist/resources/script-helpers.js +3 -2
package/dist/resources/script-helpers.js.map +1 -1
package/dist/resources/store.d.ts.map +1 -1
package/dist/resources/store.js +59 -18
package/dist/resources/store.js.map +1 -1
package/dist/scripts/call-agent.d.ts.map +1 -1
package/dist/scripts/call-agent.js +3 -2
package/dist/scripts/call-agent.js.map +1 -1
package/dist/scripts/chat/search-chats.d.ts.map +1 -1
package/dist/scripts/chat/search-chats.js +2 -1
package/dist/scripts/chat/search-chats.js.map +1 -1
package/dist/scripts/core-scripts.d.ts.map +1 -1
package/dist/scripts/core-scripts.js +2 -0
package/dist/scripts/core-scripts.js.map +1 -1
package/dist/scripts/db/patch.d.ts.map +1 -1
package/dist/scripts/db/patch.js +273 -11
package/dist/scripts/db/patch.js.map +1 -1
package/dist/scripts/db/scoping.d.ts.map +1 -1
package/dist/scripts/db/scoping.js +3 -2
package/dist/scripts/db/scoping.js.map +1 -1
package/dist/scripts/docs/index.d.ts +2 -0
package/dist/scripts/docs/index.d.ts.map +1 -0
package/dist/scripts/docs/index.js +4 -0
package/dist/scripts/docs/index.js.map +1 -0
package/dist/scripts/docs/search.d.ts +13 -0
package/dist/scripts/docs/search.d.ts.map +1 -0
package/dist/scripts/docs/search.js +130 -0
package/dist/scripts/docs/search.js.map +1 -0
package/dist/scripts/resources/delete-memory.d.ts +7 -0
package/dist/scripts/resources/delete-memory.d.ts.map +1 -0
package/dist/scripts/resources/delete-memory.js +49 -0
package/dist/scripts/resources/delete-memory.js.map +1 -0
package/dist/scripts/resources/delete.d.ts.map +1 -1
package/dist/scripts/resources/delete.js +2 -1
package/dist/scripts/resources/delete.js.map +1 -1
package/dist/scripts/resources/index.d.ts.map +1 -1
package/dist/scripts/resources/index.js +2 -0
package/dist/scripts/resources/index.js.map +1 -1
package/dist/scripts/resources/list.d.ts.map +1 -1
package/dist/scripts/resources/list.js +2 -1
package/dist/scripts/resources/list.js.map +1 -1
package/dist/scripts/resources/migrate-learnings.d.ts.map +1 -1
package/dist/scripts/resources/migrate-learnings.js +2 -1
package/dist/scripts/resources/migrate-learnings.js.map +1 -1
package/dist/scripts/resources/read.d.ts.map +1 -1
package/dist/scripts/resources/read.js +2 -1
package/dist/scripts/resources/read.js.map +1 -1
package/dist/scripts/resources/save-memory.d.ts +9 -0
package/dist/scripts/resources/save-memory.d.ts.map +1 -0
package/dist/scripts/resources/save-memory.js +78 -0
package/dist/scripts/resources/save-memory.js.map +1 -0
package/dist/scripts/resources/write.d.ts.map +1 -1
package/dist/scripts/resources/write.js +2 -1
package/dist/scripts/resources/write.js.map +1 -1
package/dist/scripts/utils.d.ts +10 -1
package/dist/scripts/utils.d.ts.map +1 -1
package/dist/scripts/utils.js +45 -2
package/dist/scripts/utils.js.map +1 -1
package/dist/server/action-discovery.d.ts +5 -0
package/dist/server/action-discovery.d.ts.map +1 -1
package/dist/server/action-discovery.js +53 -20
package/dist/server/action-discovery.js.map +1 -1
package/dist/server/action-routes.d.ts.map +1 -1
package/dist/server/action-routes.js +88 -56
package/dist/server/action-routes.js.map +1 -1
package/dist/server/agent-chat-plugin.d.ts +15 -0
package/dist/server/agent-chat-plugin.d.ts.map +1 -1
package/dist/server/agent-chat-plugin.js +853 -91
package/dist/server/agent-chat-plugin.js.map +1 -1
package/dist/server/agent-discovery.d.ts.map +1 -1
package/dist/server/agent-discovery.js +13 -25
package/dist/server/agent-discovery.js.map +1 -1
package/dist/server/agent-teams.d.ts.map +1 -1
package/dist/server/agent-teams.js +23 -59
package/dist/server/agent-teams.js.map +1 -1
package/dist/server/agents-bundle.d.ts +33 -5
package/dist/server/agents-bundle.d.ts.map +1 -1
package/dist/server/agents-bundle.js +108 -64
package/dist/server/agents-bundle.js.map +1 -1
package/dist/server/auth.d.ts +7 -0
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +448 -93
package/dist/server/auth.js.map +1 -1
package/dist/server/better-auth-instance.d.ts +1 -1
package/dist/server/better-auth-instance.d.ts.map +1 -1
package/dist/server/better-auth-instance.js +272 -10
package/dist/server/better-auth-instance.js.map +1 -1
package/dist/server/builder-browser.d.ts +61 -0
package/dist/server/builder-browser.d.ts.map +1 -0
package/dist/server/builder-browser.js +229 -0
package/dist/server/builder-browser.js.map +1 -0
package/dist/server/core-routes-plugin.d.ts.map +1 -1
package/dist/server/core-routes-plugin.js +273 -9
package/dist/server/core-routes-plugin.js.map +1 -1
package/dist/server/credential-provider.d.ts +37 -0
package/dist/server/credential-provider.d.ts.map +1 -0
package/dist/server/credential-provider.js +49 -0
package/dist/server/credential-provider.js.map +1 -0
package/dist/server/desktop-sso.d.ts +30 -0
package/dist/server/desktop-sso.d.ts.map +1 -0
package/dist/server/desktop-sso.js +74 -0
package/dist/server/desktop-sso.js.map +1 -0
package/dist/server/email.d.ts +23 -0
package/dist/server/email.d.ts.map +1 -0
package/dist/server/email.js +105 -0
package/dist/server/email.js.map +1 -0
package/dist/server/framework-request-handler.d.ts.map +1 -1
package/dist/server/framework-request-handler.js +71 -3
package/dist/server/framework-request-handler.js.map +1 -1
package/dist/server/google-auth-plugin.js +1 -1
package/dist/server/google-oauth.d.ts +1 -1
package/dist/server/google-oauth.d.ts.map +1 -1
package/dist/server/google-oauth.js +34 -13
package/dist/server/google-oauth.js.map +1 -1
package/dist/server/index.d.ts +3 -0
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +3 -0
package/dist/server/index.js.map +1 -1
package/dist/server/local-migration.d.ts +9 -0
package/dist/server/local-migration.d.ts.map +1 -1
package/dist/server/local-migration.js +44 -14
package/dist/server/local-migration.js.map +1 -1
package/dist/server/oauth-helpers.d.ts +3 -0
package/dist/server/oauth-helpers.d.ts.map +1 -1
package/dist/server/oauth-helpers.js +7 -4
package/dist/server/oauth-helpers.js.map +1 -1
package/dist/server/onboarding-html.d.ts +6 -0
package/dist/server/onboarding-html.d.ts.map +1 -1
package/dist/server/onboarding-html.js +323 -28
package/dist/server/onboarding-html.js.map +1 -1
package/dist/server/poll.d.ts.map +1 -1
package/dist/server/poll.js +48 -0
package/dist/server/poll.js.map +1 -1
package/dist/server/request-context.d.ts +20 -0
package/dist/server/request-context.d.ts.map +1 -0
package/dist/server/request-context.js +41 -0
package/dist/server/request-context.js.map +1 -0
package/dist/templates/default/.agents/skills/actions/SKILL.md +2 -1
package/dist/templates/default/.agents/skills/inline-embeds/SKILL.md +88 -0
package/dist/templates/default/.agents/skills/security/SKILL.md +145 -40
package/dist/templates/default/.agents/skills/storing-data/SKILL.md +7 -1
package/dist/templates/default/_gitignore +1 -0
package/dist/templates/default/app/root.tsx +4 -1
package/dist/templates/workspace-core/.agents/skills/company-policies/SKILL.md +42 -0
package/dist/templates/workspace-core/AGENTS.md +62 -0
package/dist/templates/workspace-core/actions/company-directory.ts +38 -0
package/dist/templates/workspace-core/package.json +39 -0
package/dist/templates/workspace-core/src/client/AuthenticatedLayout.tsx +37 -0
package/dist/templates/workspace-core/src/client/index.ts +26 -0
package/dist/templates/workspace-core/src/credentials.ts +29 -0
package/dist/templates/workspace-core/src/index.ts +21 -0
package/dist/templates/workspace-core/src/server/agent-chat-plugin.ts +30 -0
package/dist/templates/workspace-core/src/server/auth-plugin.ts +35 -0
package/dist/templates/workspace-core/src/server/index.ts +22 -0
package/dist/templates/workspace-core/tailwind.preset.ts +34 -0
package/dist/templates/workspace-core/tsconfig.json +9 -0
package/dist/templates/workspace-root/.env.example +37 -0
package/dist/templates/workspace-root/README.md +62 -0
package/dist/templates/workspace-root/_gitignore +23 -0
package/dist/templates/workspace-root/package.json +18 -0
package/dist/templates/workspace-root/pnpm-workspace.yaml +3 -0
package/dist/templates/workspace-root/tsconfig.base.json +21 -0
package/dist/usage/store.d.ts +74 -12
package/dist/usage/store.d.ts.map +1 -1
package/dist/usage/store.js +210 -44
package/dist/usage/store.js.map +1 -1
package/dist/vite/agents-bundle-plugin.d.ts.map +1 -1
package/dist/vite/agents-bundle-plugin.js +65 -15
package/dist/vite/agents-bundle-plugin.js.map +1 -1
package/dist/vite/client.d.ts +16 -0
package/dist/vite/client.d.ts.map +1 -1
package/dist/vite/client.js +130 -0
package/dist/vite/client.js.map +1 -1
package/docs/content/a2a-protocol.md +223 -0
package/docs/content/actions.md +129 -0
package/docs/content/agent-mentions.md +171 -0
package/docs/content/authentication.md +155 -0
package/docs/content/cli-adapters.md +244 -0
package/docs/content/client.md +175 -0
package/docs/content/context-awareness.md +168 -0
package/docs/content/creating-templates.md +311 -0
package/docs/content/database.md +82 -0
package/docs/content/deployment.md +237 -0
package/docs/content/enterprise-workspace.md +235 -0
package/docs/content/faq.md +101 -0
package/docs/content/file-uploads.md +102 -0
package/docs/content/frames.md +47 -0
package/docs/content/getting-started.md +104 -0
package/docs/content/integrations.md +198 -0
package/docs/content/key-concepts.md +246 -0
package/docs/content/mcp-clients.md +110 -0
package/docs/content/mcp-protocol.md +168 -0
package/docs/content/onboarding.md +107 -0
package/docs/content/real-time-collaboration.md +185 -0
package/docs/content/resources.md +277 -0
package/docs/content/security.md +158 -0
package/docs/content/server.md +200 -0
package/docs/content/skills-guide.md +107 -0
package/docs/content/what-is-agent-native.md +100 -0
package/docs/content/workspace-management.md +224 -0
package/package.json +13 -3
package/src/templates/default/.agents/skills/actions/SKILL.md +2 -1
package/src/templates/default/.agents/skills/inline-embeds/SKILL.md +88 -0
package/src/templates/default/.agents/skills/security/SKILL.md +145 -40
package/src/templates/default/.agents/skills/storing-data/SKILL.md +7 -1
package/src/templates/default/_gitignore +1 -0
package/src/templates/default/app/root.tsx +4 -1
package/src/templates/workspace-core/.agents/skills/company-policies/SKILL.md +42 -0
package/src/templates/workspace-core/AGENTS.md +62 -0
package/src/templates/workspace-core/actions/company-directory.ts +38 -0
package/src/templates/workspace-core/package.json +39 -0
package/src/templates/workspace-core/src/client/AuthenticatedLayout.tsx +37 -0
package/src/templates/workspace-core/src/client/index.ts +26 -0
package/src/templates/workspace-core/src/credentials.ts +29 -0
package/src/templates/workspace-core/src/index.ts +21 -0
package/src/templates/workspace-core/src/server/agent-chat-plugin.ts +30 -0
package/src/templates/workspace-core/src/server/auth-plugin.ts +35 -0
package/src/templates/workspace-core/src/server/index.ts +22 -0
package/src/templates/workspace-core/tailwind.preset.ts +34 -0
package/src/templates/workspace-core/tsconfig.json +9 -0
package/src/templates/workspace-root/.env.example +37 -0
package/src/templates/workspace-root/README.md +62 -0
package/src/templates/workspace-root/_gitignore +23 -0
package/src/templates/workspace-root/package.json +18 -0
package/src/templates/workspace-root/pnpm-workspace.yaml +3 -0
package/src/templates/workspace-root/tsconfig.base.json +21 -0
package/dist/templates/templates/default/.agents/skills/actions/SKILL.md +0 -142
package/dist/templates/templates/default/.agents/skills/agent-engines/SKILL.md +0 -127
package/dist/templates/templates/default/.agents/skills/capture-learnings/SKILL.md +0 -50
package/dist/templates/templates/default/.agents/skills/create-skill/SKILL.md +0 -167
package/dist/templates/templates/default/.agents/skills/delegate-to-agent/SKILL.md +0 -90
package/dist/templates/templates/default/.agents/skills/frontend-design/SKILL.md +0 -69
package/dist/templates/templates/default/.agents/skills/real-time-collab/SKILL.md +0 -183
package/dist/templates/templates/default/.agents/skills/real-time-sync/SKILL.md +0 -112
package/dist/templates/templates/default/.agents/skills/security/SKILL.md +0 -108
package/dist/templates/templates/default/.agents/skills/self-modifying-code/SKILL.md +0 -79
package/dist/templates/templates/default/.agents/skills/storing-data/SKILL.md +0 -110
package/dist/templates/templates/default/.claude/settings.json +0 -100
package/dist/templates/templates/default/.env.example +0 -5
package/dist/templates/templates/default/.ignore +0 -0
package/dist/templates/templates/default/.prettierrc +0 -5
package/dist/templates/templates/default/AGENTS.md +0 -110
package/dist/templates/templates/default/DEVELOPING.md +0 -117
package/dist/templates/templates/default/_gitignore +0 -37
package/dist/templates/templates/default/actions/hello.ts +0 -20
package/dist/templates/templates/default/actions/navigate.ts +0 -53
package/dist/templates/templates/default/actions/run.ts +0 -2
package/dist/templates/templates/default/actions/view-screen.ts +0 -39
package/dist/templates/templates/default/app/entry.client.tsx +0 -4
package/dist/templates/templates/default/app/entry.server.tsx +0 -56
package/dist/templates/templates/default/app/global.css +0 -95
package/dist/templates/templates/default/app/lib/utils.ts +0 -1
package/dist/templates/templates/default/app/root.tsx +0 -107
package/dist/templates/templates/default/app/routes/_index.tsx +0 -62
package/dist/templates/templates/default/app/routes.ts +0 -4
package/dist/templates/templates/default/app/vite-env.d.ts +0 -6
package/dist/templates/templates/default/components.json +0 -20
package/dist/templates/templates/default/data/.gitkeep +0 -0
package/dist/templates/templates/default/data/sync-config.json +0 -1
package/dist/templates/templates/default/learnings.defaults.md +0 -5
package/dist/templates/templates/default/learnings.md +0 -0
package/dist/templates/templates/default/package.json +0 -46
package/dist/templates/templates/default/postcss.config.js +0 -6
package/dist/templates/templates/default/public/icon-180.svg +0 -4
package/dist/templates/templates/default/public/icon-192.svg +0 -4
package/dist/templates/templates/default/public/icon-512.svg +0 -4
package/dist/templates/templates/default/public/manifest.json +0 -13
package/dist/templates/templates/default/react-router.config.ts +0 -6
package/dist/templates/templates/default/server/middleware/auth.ts +0 -15
package/dist/templates/templates/default/server/plugins/.gitkeep +0 -0
package/dist/templates/templates/default/server/routes/[...page].get.ts +0 -5
package/dist/templates/templates/default/server/routes/api/hello.get.ts +0 -5
package/dist/templates/templates/default/shared/api.ts +0 -6
package/dist/templates/templates/default/ssr-entry.ts +0 -20
package/dist/templates/templates/default/tailwind.config.ts +0 -7
package/dist/templates/templates/default/tsconfig.json +0 -11
package/dist/templates/templates/default/vite.config.ts +0 -6

package/dist/server/auth.js CHANGED Viewed

@@ -14,48 +14,82 @@ import { defineEventHandler, getMethod, getQuery, setResponseHeader, setResponse
 function toWebRequest(event) {
     return event.req;
 }
-import { getDbExec, isPostgres, intType } from "../db/client.js";
+import { getDbExec, isPostgres, intType, isLocalDatabase, } from "../db/client.js";
 import { getBetterAuth, getBetterAuthSync } from "./better-auth-instance.js";
-import { getOnboardingHtml } from "./onboarding-html.js";
+import { getOnboardingHtml, getResetPasswordHtml } from "./onboarding-html.js";
 import { migrateLocalUserData } from "./local-migration.js";
 import { readBody } from "../server/h3-helpers.js";
+import { readDesktopSso, writeDesktopSso, clearDesktopSso, } from "./desktop-sso.js";
+import { isElectron as isElectronRequest } from "./google-oauth.js";
+/**
+ * Get the configured session max age. Desktop SSO broker writes from
+ * OAuth flows read this so expiration stays consistent with the cookie.
+ */
+export function getSessionMaxAge() {
+    return sessionMaxAge;
+}
 // ---------------------------------------------------------------------------
 // Constants
 // ---------------------------------------------------------------------------
-const COOKIE_NAME = "an_session";
+/**
+ * Cookie name for the framework's session cookie.
+ *
+ * Browsers scope cookies by host (NOT host+port — RFC 6265), so two apps
+ * running on different localhost ports share one cookie jar. When multiple
+ * templates run side-by-side (`dev:all`, the desktop app, multi-template
+ * deploys on a shared domain), they would otherwise stomp on each other's
+ * `an_session` cookie and ping-pong each other into a logged-out state.
+ *
+ * When `APP_NAME` is set, suffix the cookie so each app gets its own slot.
+ */
+const APP_NAME_SLUG = (process.env.APP_NAME || "")
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "_")
+    .replace(/^_+|_+$/g, "");
+export const COOKIE_NAME = APP_NAME_SLUG
+    ? `an_session_${APP_NAME_SLUG}`
+    : "an_session";
 const DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days
+const LOCAL_MODE_MARKER_PATH = path.resolve(process.cwd(), ".agent-native", "auth-mode");
 // ---------------------------------------------------------------------------
 // AUTH_MODE detection
 // ---------------------------------------------------------------------------
+let _warnedRemoteLocalMode = false;
 /**
  * Check if the app is in local-only mode (no auth).
  *
- * Returns true when:
- * - AUTH_MODE=local is explicitly set (escape hatch)
- * - In dev environment (NODE_ENV=development) with no explicit auth token
- *   configured (no ACCESS_TOKEN, no BYOA). This makes dev "just work"
- *   without requiring auth setup, while still respecting auth when configured.
+ * Returns true when AUTH_MODE=local is explicitly set or when the dev
+ * onboarding flow has enabled local mode for the current workspace via
+ * a runtime marker file.
  *
- * NOTE: GOOGLE_CLIENT_ID is intentionally NOT checked here — it is used for
- * Google Calendar / Gmail API access as well as Google Sign-In, and its
- * presence alone should not force authentication. Only ACCESS_TOKEN/ACCESS_TOKENS
- * (explicit token-based auth) or a custom getSession (BYOA) signal that the
- * developer has explicitly opted into requiring authentication.
+ * Local mode is an explicit escape hatch for when you want to guarantee
+ * no auth is used. In development, getSession() also falls back to
+ * local@localhost automatically if no other auth method succeeds, so
+ * apps are always usable without configuration in dev.
  *
- * BYOA (customGetSession) opts out of dev auto-local — templates that provide
- * their own auth (e.g. Supabase) shouldn't be silently bypassed in dev.
+ * Refuses to enable on any non-local database (Postgres, Turso, D1): local
+ * mode uses a single shared virtual user with no per-machine scoping, so on
+ * a shared DB every developer would land on the same account and collide.
  */
-function isLocalMode() {
+async function isLocalModeEnabled() {
+    if (!isLocalDatabase()) {
+        if (process.env.AUTH_MODE === "local" && !_warnedRemoteLocalMode) {
+            _warnedRemoteLocalMode = true;
+            console.warn("[agent-native] AUTH_MODE=local ignored: database is not local SQLite. " +
+                "local@localhost has no per-user scoping and would collide across developers on a shared DB.");
+        }
+        return false;
+    }
     if (process.env.AUTH_MODE === "local")
         return true;
-    // Default to local mode in dev when no explicit auth is configured
-    if (isDevEnvironment() &&
-        !process.env.ACCESS_TOKEN &&
-        !process.env.ACCESS_TOKENS &&
-        !customGetSession) {
-        return true;
+    try {
+        const fs = await getFs();
+        const mode = fs.readFileSync(LOCAL_MODE_MARKER_PATH, "utf-8").trim();
+        return mode === "local";
+    }
+    catch {
+        return false;
     }
-    return false;
 }
 /**
  * Check if we're in a development/test environment.
@@ -179,6 +213,15 @@ let _authGuardConfig = null;
  * /_agent-native/* routes).
  */
 let _authGuardFn = null;
+/**
+ * The H3 app the auth routes + guard were last mounted on. Module-level
+ * state survives Vite HMR restarts, but each HMR cycle creates a fresh
+ * nitroApp/H3 instance whose middleware array is empty again. Tracking the
+ * app here lets autoMountAuth detect "same module state, new app" and
+ * re-mount routes instead of silently skipping them because `_authGuardFn`
+ * looks populated from a previous cycle.
+ */
+let _mountedApp = null;
 /**
  * Run the auth guard on an event. Returns a Response/object to block the
  * request (login page or 401), or undefined to allow it through.
@@ -212,9 +255,12 @@ function createAuthGuardFn() {
         const { loginHtml, publicPaths } = config;
         const url = event.node?.req?.url ?? event.path ?? "/";
         const p = url.split("?")[0];
-        // Skip auth routes (all /_agent-native/auth/* and /_agent-native/google/*)
+        // Skip auth routes and specific Google OAuth endpoints that must be public
+        // (callback and auth-url). Other Google endpoints like /status require auth.
         if (p.startsWith("/_agent-native/auth/") ||
-            p.startsWith("/_agent-native/google/")) {
+            p === "/_agent-native/google/callback" ||
+            p === "/_agent-native/google/auth-url" ||
+            p === "/_agent-native/google/add-account/callback") {
             return;
         }
         // Skip static assets (Vite chunks, fonts, images, etc.)
@@ -267,10 +313,11 @@ function mapBetterAuthSession(baSession) {
  * 5. Better Auth → check session via Better Auth API (cookie or Bearer)
  * 6. Legacy cookie → check an_session cookie in legacy sessions table
  * 7. Mobile _session query param → promote to cookie
+ * 8. Dev-mode fallback → local@localhost (never block in development)
  */
 export async function getSession(event) {
     // 1. AUTH_MODE=local — explicit local-only mode
-    if (isLocalMode() || authDisabledMode) {
+    if ((await isLocalModeEnabled()) || authDisabledMode) {
         // Check for a real session cookie first (e.g. from Google OAuth)
         try {
             const cookie = getCookie(event, COOKIE_NAME);
@@ -315,6 +362,14 @@ export async function getSession(event) {
         const session = await customGetSession(event);
         if (session)
             return session;
+        // Desktop SSO broker: even with BYOA auth, fall back to the broker
+        // for Electron requests so cross-template SSO works for custom-auth
+        // templates too.
+        if (isElectronRequest(event)) {
+            const sso = await readDesktopSso();
+            if (sso?.email)
+                return { email: sso.email, token: sso.token };
+        }
         // Fall through to mobile _session check
     }
     else {
@@ -326,6 +381,9 @@ export async function getSession(event) {
                     headers: event.headers,
                 });
                 if (baSession?.user?.email) {
+                    // Successful real sign-in — clear the upgrade-pending marker so
+                    // the dev fallback becomes reachable again for future local work.
+                    clearUpgradePendingCookie(event);
                     return mapBetterAuthSession(baSession);
                 }
             }
@@ -337,8 +395,24 @@ export async function getSession(event) {
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie) {
             const email = await getSessionEmail(cookie);
-            if (email)
+            if (email) {
+                clearUpgradePendingCookie(event);
                 return { email, token: cookie };
+            }
+        }
+        // 5b. Desktop SSO broker fallback.
+        // Each template in the Electron desktop app has its own database, so
+        // a session token created by one template doesn't resolve in another.
+        // When an Electron request has no resolvable session, trust the
+        // home-dir SSO record written by whichever template the user signed
+        // into. Gated on Electron user-agent so no non-desktop code path
+        // consults the file.
+        if (isElectronRequest(event)) {
+            const sso = await readDesktopSso();
+            if (sso?.email) {
+                clearUpgradePendingCookie(event);
+                return { email: sso.email, token: sso.token };
+            }
         }
     }
     // 6. Mobile WebView bridge — _session query param
@@ -348,8 +422,7 @@ export async function getSession(event) {
         if (email) {
             setCookie(event, COOKIE_NAME, qToken, {
                 httpOnly: true,
-                secure: !isDevEnvironment(),
-                sameSite: "lax",
+                ...crossSiteCookieAttrs(event),
                 path: "/",
                 maxAge: sessionMaxAge,
             });
@@ -357,8 +430,113 @@ export async function getSession(event) {
             return { email, token: qToken };
         }
     }
+    // 7. Dev-mode safety net — in development on a local SQLite database, fall
+    // back to local@localhost so the app is usable without any auth configuration.
+    // This prevents 401 errors when Better Auth isn't configured, the marker file
+    // is missing, or the user simply wants to play around locally.
+    //
+    // Gated on isLocalDatabase() because local@localhost has no per-user scoping:
+    // on a shared DB (Postgres, Turso, D1) this fallback would land every
+    // developer on the same account and expose each other's data.
+    //
+    // EXCEPTION: if the user has explicitly exited local mode (clicked "Upgrade
+    // to real account"), they've signaled they want real auth. The upgrade
+    // cookie suppresses this fallback so the onboarding/sign-in page is served
+    // instead of silently re-authenticating them as local@localhost.
+    if (isDevEnvironment() &&
+        isLocalDatabase() &&
+        !isUpgradePending(event) &&
+        !hasSignInFlag(event)) {
+        return LOCAL_SESSION;
+    }
     return null;
 }
+/**
+ * Cookie set by POST /_agent-native/auth/exit-local-mode so we know the user
+ * is in the middle of upgrading from local@localhost to a real account.
+ * While this cookie is present we skip the dev-mode "auto local session"
+ * fallback so the onboarding/sign-in page can actually render.
+ * Cleared on successful sign-in/sign-up.
+ */
+const UPGRADE_COOKIE = "an_upgrade_pending";
+function isUpgradePending(event) {
+    try {
+        return getCookie(event, UPGRADE_COOKIE) === "1";
+    }
+    catch {
+        return false;
+    }
+}
+function setUpgradePendingCookie(event) {
+    setCookie(event, UPGRADE_COOKIE, "1", {
+        httpOnly: true,
+        ...crossSiteCookieAttrs(event),
+        path: "/",
+        maxAge: 60 * 60, // 1 hour — enough to complete sign-in
+    });
+}
+/**
+ * URL-flag fallback for third-party iframe contexts (e.g. the Builder.io
+ * editor) where SameSite=Lax cookies from an exit-local-mode POST are not
+ * delivered on the subsequent reload. TeamPage reloads with ?signin=1 so
+ * we can reliably suppress the dev-mode local fallback without a cookie.
+ */
+function hasSignInFlag(event) {
+    try {
+        return getQuery(event)?.signin === "1";
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Cookie attributes that work in both same-site and third-party iframe
+ * contexts. Over HTTPS we emit `SameSite=None; Secure` (required by browsers
+ * to ship the cookie back inside a cross-origin iframe); for plain HTTP dev
+ * we keep `SameSite=Lax` since `None` requires Secure.
+ */
+function crossSiteCookieAttrs(event) {
+    return isHttpsRequest(event)
+        ? { sameSite: "none", secure: true }
+        : { sameSite: "lax", secure: false };
+}
+function isHttpsRequest(event) {
+    try {
+        const req = event.req ?? event.node?.req;
+        const headers = req?.headers;
+        const get = (k) => {
+            if (!headers)
+                return undefined;
+            if (typeof headers.get === "function") {
+                return headers.get(k) ?? undefined;
+            }
+            const v = headers[k];
+            return Array.isArray(v) ? v[0] : v;
+        };
+        const xfProto = get("x-forwarded-proto");
+        if (xfProto && String(xfProto).split(",")[0].trim() === "https") {
+            return true;
+        }
+        const url = req?.url;
+        if (typeof url === "string" && url.startsWith("https://"))
+            return true;
+        const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || "";
+        if (appUrl.startsWith("https://"))
+            return true;
+    }
+    catch {
+        // ignore
+    }
+    return false;
+}
+function clearUpgradePendingCookie(event) {
+    try {
+        deleteCookie(event, UPGRADE_COOKIE, { path: "/" });
+    }
+    catch {
+        // ignore
+    }
+}
 // ---------------------------------------------------------------------------
 // Public path matching
 // ---------------------------------------------------------------------------
@@ -373,7 +551,7 @@ const TOKEN_LOGIN_HTML = `<!DOCTYPE html>
 <html lang="en">
 <head>
 <meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
 <title>Sign in</title>
 <style>
   *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
@@ -458,21 +636,8 @@ const TOKEN_LOGIN_HTML = `<!DOCTYPE html>
 async function setAuthModeLocal() {
     try {
         const fs = await getFs();
-        const envPath = path.resolve(process.cwd(), ".env");
-        let content = "";
-        try {
-            content = fs.readFileSync(envPath, "utf-8");
-        }
-        catch {
-            // .env doesn't exist yet
-        }
-        if (content.includes("AUTH_MODE=")) {
-            content = content.replace(/AUTH_MODE=.*/g, "AUTH_MODE=local");
-        }
-        else {
-            content = content.trimEnd() + "\nAUTH_MODE=local\n";
-        }
-        fs.writeFileSync(envPath, content, "utf-8");
+        fs.mkdirSync(path.dirname(LOCAL_MODE_MARKER_PATH), { recursive: true });
+        fs.writeFileSync(LOCAL_MODE_MARKER_PATH, "local\n", "utf-8");
         process.env.AUTH_MODE = "local";
         return true;
     }
@@ -483,20 +648,12 @@ async function setAuthModeLocal() {
 async function removeAuthModeLocal() {
     try {
         const fs = await getFs();
-        const envPath = path.resolve(process.cwd(), ".env");
-        let content = "";
         try {
-            content = fs.readFileSync(envPath, "utf-8");
+            fs.unlinkSync(LOCAL_MODE_MARKER_PATH);
         }
         catch {
-            return true; // No .env file means nothing to remove
-        }
-        // Remove AUTH_MODE=local line entirely
-        content = content
-            .split("\n")
-            .filter((line) => !line.match(/^\s*AUTH_MODE\s*=/))
-            .join("\n");
-        fs.writeFileSync(envPath, content, "utf-8");
+            // Marker already absent
+        }
         delete process.env.AUTH_MODE;
         return true;
     }
@@ -504,6 +661,38 @@ async function removeAuthModeLocal() {
         return false;
     }
 }
+/**
+ * POST /_agent-native/auth/migrate-local-data handler. Exposed here (not
+ * inlined in a single mount function) because it must be registered from
+ * every auth-mount path — including local-mode and fallback — so the
+ * upgrade-from-local flow never 500s when BetterAuth init is skipped or
+ * failed. Previously this was only mounted inside mountBetterAuthRoutes()
+ * which meant that in local mode (or when BetterAuth failed to init) the
+ * request fell through to the Nitro SSR renderer and produced a 500.
+ */
+const migrateLocalDataHandler = defineEventHandler(async (event) => {
+    if (getMethod(event) !== "POST") {
+        setResponseStatus(event, 405);
+        return { error: "Method not allowed" };
+    }
+    const session = await getSession(event);
+    if (!session?.email || session.email === "local@localhost") {
+        setResponseStatus(event, 401);
+        return { error: "Not authenticated as a real account" };
+    }
+    try {
+        const result = await migrateLocalUserData(session.email);
+        return { ok: true, ...result };
+    }
+    catch (e) {
+        console.error("[migrate-local-data] Migration threw for", session.email, e);
+        setResponseStatus(event, 500);
+        return {
+            error: e?.message || "Migration failed",
+            stack: isDevEnvironment() ? e?.stack : undefined,
+        };
+    }
+});
 // ---------------------------------------------------------------------------
 // mountBetterAuthRoutes — Better Auth powered auth with backward-compat routes
 // ---------------------------------------------------------------------------
@@ -549,7 +738,7 @@ async function mountBetterAuthRoutes(app, options) {
         const ok = await setAuthModeLocal();
         if (!ok) {
             setResponseStatus(event, 500);
-            return { error: "Failed to set AUTH_MODE=local in .env" };
+            return { error: "Failed to enable local mode" };
         }
         return { ok: true };
     }));
@@ -562,8 +751,11 @@ async function mountBetterAuthRoutes(app, options) {
         const ok = await removeAuthModeLocal();
         if (!ok) {
             setResponseStatus(event, 500);
-            return { error: "Failed to remove AUTH_MODE from .env" };
+            return { error: "Failed to disable local mode" };
         }
+        // Mark the browser so getSession's dev-mode fallback won't silently
+        // re-authenticate the user as local@localhost on the next request.
+        setUpgradePendingCookie(event);
         return { ok: true };
     }));
     // Backward-compat: POST /_agent-native/auth/login
@@ -585,8 +777,7 @@ async function mountBetterAuthRoutes(app, options) {
             await addSession(sessionToken, "user");
             setCookie(event, COOKIE_NAME, sessionToken, {
                 httpOnly: true,
-                secure: !isDevEnvironment(),
-                sameSite: "lax",
+                ...crossSiteCookieAttrs(event),
                 path: "/",
                 maxAge: sessionMaxAge,
             });
@@ -606,12 +797,18 @@ async function mountBetterAuthRoutes(app, options) {
             if (result?.token) {
                 setCookie(event, COOKIE_NAME, result.token, {
                     httpOnly: true,
-                    secure: !isDevEnvironment(),
-                    sameSite: "lax",
+                    ...crossSiteCookieAttrs(event),
                     path: "/",
                     maxAge: sessionMaxAge,
                 });
                 await addSession(result.token, email);
+                if (isElectronRequest(event)) {
+                    await writeDesktopSso({
+                        email,
+                        token: result.token,
+                        expiresAt: Date.now() + sessionMaxAge * 1000,
+                    });
+                }
             }
             return { ok: true };
         }
@@ -660,6 +857,8 @@ async function mountBetterAuthRoutes(app, options) {
         catch {
             // Ignore if no Better Auth session
         }
+        if (isElectronRequest(event))
+            await clearDesktopSso();
         return { ok: true };
     }));
     // GET /_agent-native/auth/session
@@ -674,24 +873,18 @@ async function mountBetterAuthRoutes(app, options) {
     // POST /_agent-native/auth/migrate-local-data — move local-mode data to
     // the currently signed-in account. Called by the UI after a user upgrades
     // from local mode to a real account so they don't lose their data.
-    app.use("/_agent-native/auth/migrate-local-data", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "POST") {
+    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
+    // GET /_agent-native/auth/reset — HTML page shown when a user clicks the
+    // reset link in their email. Reads ?token=... and POSTs to Better Auth's
+    // /reset-password endpoint on submit.
+    app.use("/_agent-native/auth/reset", defineEventHandler((event) => {
+        if (getMethod(event) !== "GET") {
             setResponseStatus(event, 405);
             return { error: "Method not allowed" };
         }
-        const session = await getSession(event);
-        if (!session?.email || session.email === "local@localhost") {
-            setResponseStatus(event, 401);
-            return { error: "Not authenticated as a real account" };
-        }
-        try {
-            const result = await migrateLocalUserData(session.email);
-            return { ok: true, ...result };
-        }
-        catch (e) {
-            setResponseStatus(event, 500);
-            return { error: e?.message || "Migration failed" };
-        }
+        return new Response(getResetPasswordHtml(), {
+            headers: { "Content-Type": "text/html; charset=utf-8" },
+        });
     }));
     // Auth guard — stored both in framework middleware registry AND in
     // _authGuardFn so the server middleware can enforce it on ALL routes.
@@ -721,8 +914,7 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         await addSession(sessionToken, "user");
         setCookie(event, COOKIE_NAME, sessionToken, {
             httpOnly: true,
-            secure: !isDevEnvironment(),
-            sameSite: "lax",
+            ...crossSiteCookieAttrs(event),
             path: "/",
             maxAge: sessionMaxAge,
         });
@@ -733,6 +925,8 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         if (cookie)
             await removeSession(cookie);
         deleteCookie(event, COOKIE_NAME, { path: "/" });
+        if (isElectronRequest(event))
+            await clearDesktopSso();
         return { ok: true };
     }));
     app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
@@ -743,6 +937,7 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         const session = await getSession(event);
         return session ?? { error: "Not authenticated" };
     }));
+    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
     _authGuardConfig = { loginHtml: TOKEN_LOGIN_HTML, publicPaths };
     const guardFn = createAuthGuardFn();
     _authGuardFn = guardFn;
@@ -770,10 +965,150 @@ function mountLocalModeRoutes(app) {
         const ok = await removeAuthModeLocal();
         if (!ok) {
             setResponseStatus(event, 500);
-            return { error: "Failed to remove AUTH_MODE from .env" };
+            return { error: "Failed to disable local mode" };
+        }
+        // Mark the browser so getSession's dev-mode fallback won't silently
+        // re-authenticate the user as local@localhost on the next request.
+        setUpgradePendingCookie(event);
+        return { ok: true };
+    }));
+    // Upgrade path: migrate-local-data must be reachable from local mode
+    // because the user is still in local mode when they trigger the upgrade.
+    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
+}
+// ---------------------------------------------------------------------------
+// mountAuthFallbackRoutes — minimal auth endpoints when Better Auth init fails
+// ---------------------------------------------------------------------------
+function mountAuthFallbackRoutes(app) {
+    app.use("/_agent-native/auth/login", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const body = await readBody(event);
+        const email = body?.email?.trim?.()?.toLowerCase?.();
+        const password = body?.password;
+        if (!email || !password) {
+            setResponseStatus(event, 400);
+            return { error: "Email and password are required" };
+        }
+        try {
+            const auth = await getBetterAuth();
+            const result = await auth.api.signInEmail({
+                body: { email, password },
+            });
+            if (result?.token) {
+                setCookie(event, COOKIE_NAME, result.token, {
+                    httpOnly: true,
+                    ...crossSiteCookieAttrs(event),
+                    path: "/",
+                    maxAge: sessionMaxAge,
+                });
+                await addSession(result.token, email);
+                if (isElectronRequest(event)) {
+                    await writeDesktopSso({
+                        email,
+                        token: result.token,
+                        expiresAt: Date.now() + sessionMaxAge * 1000,
+                    });
+                }
+            }
+            return { ok: true };
+        }
+        catch (e) {
+            setResponseStatus(event, 401);
+            return { error: e?.message || "Invalid email or password" };
+        }
+    }));
+    app.use("/_agent-native/auth/register", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const body = await readBody(event);
+        const email = body?.email?.trim?.()?.toLowerCase?.();
+        const password = body?.password;
+        if (!email || typeof email !== "string" || !email.includes("@")) {
+            setResponseStatus(event, 400);
+            return { error: "Valid email is required" };
+        }
+        if (!password || typeof password !== "string" || password.length < 8) {
+            setResponseStatus(event, 400);
+            return { error: "Password must be at least 8 characters" };
+        }
+        try {
+            const auth = await getBetterAuth();
+            await auth.api.signUpEmail({
+                body: { email, password, name: email.split("@")[0] },
+            });
+            return { ok: true };
+        }
+        catch (e) {
+            setResponseStatus(event, 409);
+            return { error: e?.message || "Registration failed" };
+        }
+    }));
+    app.use("/_agent-native/auth/logout", defineEventHandler(async (event) => {
+        const cookie = getCookie(event, COOKIE_NAME);
+        if (cookie)
+            await removeSession(cookie);
+        deleteCookie(event, COOKIE_NAME, { path: "/" });
+        try {
+            const auth = await getBetterAuth();
+            await auth.api.signOut({ headers: event.headers });
+        }
+        catch {
+            // Ignore if Better Auth is still unavailable
+        }
+        if (isElectronRequest(event))
+            await clearDesktopSso();
+        return { ok: true };
+    }));
+    app.use("/_agent-native/auth/local-mode", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        if (!isDevEnvironment()) {
+            setResponseStatus(event, 403);
+            return {
+                error: "Local mode is not available in production. Create an account to continue.",
+            };
+        }
+        const ok = await setAuthModeLocal();
+        if (!ok) {
+            setResponseStatus(event, 500);
+            return { error: "Failed to enable local mode" };
+        }
+        return { ok: true };
+    }));
+    app.use("/_agent-native/auth/exit-local-mode", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "POST") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const ok = await removeAuthModeLocal();
+        if (!ok) {
+            setResponseStatus(event, 500);
+            return { error: "Failed to disable local mode" };
         }
+        // Mark the browser so getSession's dev-mode fallback won't silently
+        // re-authenticate the user as local@localhost on the next request.
+        setUpgradePendingCookie(event);
         return { ok: true };
     }));
+    app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
+        if (getMethod(event) !== "GET") {
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }
+        const session = await getSession(event);
+        return session ?? { error: "Not authenticated" };
+    }));
+    // Must be reachable from fallback mode too — otherwise a user who
+    // upgrades-from-local on a server that couldn't init Better Auth gets a
+    // 500 instead of a clear 401.
+    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
 }
 // ---------------------------------------------------------------------------
 // autoMountAuth — the recommended entry point
@@ -792,13 +1127,17 @@ function mountLocalModeRoutes(app) {
  * Returns true if auth was mounted, false if skipped.
  */
 export async function autoMountAuth(app, options = {}) {
-    // If auth is already mounted (e.g., default plugin ran before custom plugin),
-    // don't re-mount routes — but DO update the live config if custom options
-    // like googleOnly or loginHtml were provided. This fixes the production race
-    // where the default plugin (no googleOnly) mounts first, and the template's
-    // custom auth plugin runs later. Because createAuthGuardFn() reads from
-    // _authGuardConfig on every request, updating it here takes effect immediately.
-    if (_authGuardFn) {
+    // If auth is already mounted on THIS app (e.g., default plugin ran before
+    // custom plugin in the same server boot), don't re-mount routes — but DO
+    // update the live config if custom options like googleOnly or loginHtml
+    // were provided. createAuthGuardFn() reads from _authGuardConfig on every
+    // request, so updating it here takes effect immediately.
+    //
+    // We gate on `_mountedApp === app` because module-level state survives
+    // Vite HMR — without this check, an HMR-restarted Nitro instance (fresh
+    // H3 app, empty middleware) would short-circuit here and end up with no
+    // auth routes mounted at all.
+    if (_authGuardFn && _mountedApp === app) {
         if (_authGuardConfig) {
             if (options.googleOnly || options.loginHtml) {
                 _authGuardConfig.loginHtml =
@@ -814,8 +1153,13 @@ export async function autoMountAuth(app, options = {}) {
         }
         return true;
     }
+    // Fresh app (first boot, or HMR created a new Nitro instance) — reset
+    // the guard so the mount path below installs it on the new app.
+    _authGuardFn = null;
+    _authGuardConfig = null;
+    _mountedApp = app;
     if (!app) {
-        if (isLocalMode() || isDevEnvironment()) {
+        if ((await isLocalModeEnabled()) || isDevEnvironment()) {
             authDisabledMode = false;
             customGetSession = null;
             return false;
@@ -831,11 +1175,18 @@ export async function autoMountAuth(app, options = {}) {
         customGetSession = options.getSession;
     }
     // AUTH_MODE=local — explicit local-only mode (escape hatch)
-    if (isLocalMode()) {
-        mountLocalModeRoutes(app);
-        // Still init Better Auth in background so users can create accounts later
-        getBetterAuth(options.betterAuth).catch(() => { });
-        console.log("[agent-native] Auth mode: local (no auth required).");
+    if (await isLocalModeEnabled()) {
+        try {
+            // Mount the standard auth endpoints and guard even in local mode so the
+            // app can switch back to real auth immediately after AUTH_MODE is
+            // cleared, without waiting for a server restart/remount.
+            await mountBetterAuthRoutes(app, options);
+        }
+        catch (err) {
+            console.error("[agent-native] Failed to initialize Better Auth in local mode:", err);
+            mountLocalModeRoutes(app);
+        }
+        console.log("[agent-native] Auth mode: local (upgrade path enabled).");
         return false;
     }
     // BYOA — custom getSession provider
@@ -854,8 +1205,11 @@ export async function autoMountAuth(app, options = {}) {
             if (cookie)
                 await removeSession(cookie);
             deleteCookie(event, COOKIE_NAME, { path: "/" });
+            if (isElectronRequest(event))
+                await clearDesktopSso();
             return { ok: true };
         }));
+        app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
         const byoaLoginHtml = options.loginHtml ?? TOKEN_LOGIN_HTML;
         _authGuardConfig = { loginHtml: byoaLoginHtml, publicPaths };
         const guardFn = createAuthGuardFn();
@@ -886,6 +1240,7 @@ export async function autoMountAuth(app, options = {}) {
     }
     catch (err) {
         console.error("[agent-native] Failed to initialize Better Auth:", err);
+        mountAuthFallbackRoutes(app);
         // CRITICAL: Even if Better Auth fails, register the auth guard so
         // unauthenticated users can't access the app. They'll see the login
         // page but won't be able to sign in until the DB is available.