npm - @agent-native/core - Versions diffs - 0.7.1 → 0.7.4 - Mend

@agent-native/core 0.7.1 → 0.7.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (358) hide show

package/dist/action.d.ts +8 -0
package/dist/action.d.ts.map +1 -1
package/dist/action.js +18 -0
package/dist/action.js.map +1 -1
package/dist/agent/production-agent.d.ts +9 -0
package/dist/agent/production-agent.d.ts.map +1 -1
package/dist/agent/production-agent.js +148 -36
package/dist/agent/production-agent.js.map +1 -1
package/dist/agent/run-manager.d.ts.map +1 -1
package/dist/agent/run-manager.js +20 -1
package/dist/agent/run-manager.js.map +1 -1
package/dist/agent/run-store.d.ts +14 -0
package/dist/agent/run-store.d.ts.map +1 -1
package/dist/agent/run-store.js +63 -6
package/dist/agent/run-store.js.map +1 -1
package/dist/agent/types.d.ts +2 -0
package/dist/agent/types.d.ts.map +1 -1
package/dist/cli/create.js +1 -1
package/dist/cli/create.js.map +1 -1
package/dist/cli/setup-agents.d.ts.map +1 -1
package/dist/cli/setup-agents.js +0 -2
package/dist/cli/setup-agents.js.map +1 -1
package/dist/cli/templates-meta.d.ts +52 -0
package/dist/cli/templates-meta.d.ts.map +1 -0
package/dist/cli/templates-meta.js +165 -0
package/dist/cli/templates-meta.js.map +1 -0
package/dist/client/AgentPanel.d.ts +5 -1
package/dist/client/AgentPanel.d.ts.map +1 -1
package/dist/client/AgentPanel.js +279 -30
package/dist/client/AgentPanel.js.map +1 -1
package/dist/client/AssistantChat.d.ts +2 -1
package/dist/client/AssistantChat.d.ts.map +1 -1
package/dist/client/AssistantChat.js +172 -40
package/dist/client/AssistantChat.js.map +1 -1
package/dist/client/ConnectBuilderCard.d.ts +21 -0
package/dist/client/ConnectBuilderCard.d.ts.map +1 -0
package/dist/client/ConnectBuilderCard.js +196 -0
package/dist/client/ConnectBuilderCard.js.map +1 -0
package/dist/client/FeedbackButton.d.ts +17 -0
package/dist/client/FeedbackButton.d.ts.map +1 -0
package/dist/client/FeedbackButton.js +147 -0
package/dist/client/FeedbackButton.js.map +1 -0
package/dist/client/IframeEmbed.d.ts +17 -0
package/dist/client/IframeEmbed.d.ts.map +1 -0
package/dist/client/IframeEmbed.js +108 -0
package/dist/client/IframeEmbed.js.map +1 -0
package/dist/client/MultiTabAssistantChat.d.ts.map +1 -1
package/dist/client/MultiTabAssistantChat.js +34 -7
package/dist/client/MultiTabAssistantChat.js.map +1 -1
package/dist/client/agent-chat-adapter.d.ts.map +1 -1
package/dist/client/agent-chat-adapter.js +34 -15
package/dist/client/agent-chat-adapter.js.map +1 -1
package/dist/client/agent-chat.d.ts +6 -0
package/dist/client/agent-chat.d.ts.map +1 -1
package/dist/client/agent-chat.js +7 -0
package/dist/client/agent-chat.js.map +1 -1
package/dist/client/composer/MentionPopover.d.ts.map +1 -1
package/dist/client/composer/MentionPopover.js +27 -24
package/dist/client/composer/MentionPopover.js.map +1 -1
package/dist/client/composer/TiptapComposer.d.ts +3 -1
package/dist/client/composer/TiptapComposer.d.ts.map +1 -1
package/dist/client/composer/TiptapComposer.js +21 -4
package/dist/client/composer/TiptapComposer.js.map +1 -1
package/dist/client/embed.d.ts +28 -0
package/dist/client/embed.d.ts.map +1 -0
package/dist/client/embed.js +50 -0
package/dist/client/embed.js.map +1 -0
package/dist/client/index.d.ts +5 -1
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +5 -1
package/dist/client/index.js.map +1 -1
package/dist/client/integrations/IntegrationsPanel.js +2 -2
package/dist/client/integrations/IntegrationsPanel.js.map +1 -1
package/dist/client/onboarding/OnboardingBanner.js +2 -2
package/dist/client/onboarding/OnboardingBanner.js.map +1 -1
package/dist/client/onboarding/OnboardingPanel.d.ts.map +1 -1
package/dist/client/onboarding/OnboardingPanel.js +139 -52
package/dist/client/onboarding/OnboardingPanel.js.map +1 -1
package/dist/client/onboarding/SetupButton.d.ts.map +1 -1
package/dist/client/onboarding/SetupButton.js +13 -3
package/dist/client/onboarding/SetupButton.js.map +1 -1
package/dist/client/org/TeamPage.d.ts.map +1 -1
package/dist/client/org/TeamPage.js +12 -7
package/dist/client/org/TeamPage.js.map +1 -1
package/dist/client/resources/ResourceEditor.d.ts.map +1 -1
package/dist/client/resources/ResourceEditor.js +57 -2
package/dist/client/resources/ResourceEditor.js.map +1 -1
package/dist/client/resources/ResourceTree.d.ts +5 -1
package/dist/client/resources/ResourceTree.d.ts.map +1 -1
package/dist/client/resources/ResourceTree.js +17 -10
package/dist/client/resources/ResourceTree.js.map +1 -1
package/dist/client/resources/ResourcesPanel.d.ts.map +1 -1
package/dist/client/resources/ResourcesPanel.js +12 -10
package/dist/client/resources/ResourcesPanel.js.map +1 -1
package/dist/client/settings/AgentsSection.d.ts.map +1 -1
package/dist/client/settings/AgentsSection.js +6 -3
package/dist/client/settings/AgentsSection.js.map +1 -1
package/dist/client/settings/ComingSoonSection.js +1 -1
package/dist/client/settings/ComingSoonSection.js.map +1 -1
package/dist/client/settings/LLMSection.d.ts.map +1 -1
package/dist/client/settings/LLMSection.js +1 -1
package/dist/client/settings/LLMSection.js.map +1 -1
package/dist/client/settings/SecretsSection.d.ts +12 -0
package/dist/client/settings/SecretsSection.d.ts.map +1 -0
package/dist/client/settings/SecretsSection.js +148 -0
package/dist/client/settings/SecretsSection.js.map +1 -0
package/dist/client/settings/SettingsPanel.d.ts.map +1 -1
package/dist/client/settings/SettingsPanel.js +114 -23
package/dist/client/settings/SettingsPanel.js.map +1 -1
package/dist/client/settings/SettingsSection.js +2 -2
package/dist/client/settings/SettingsSection.js.map +1 -1
package/dist/client/settings/UsageSection.d.ts +2 -0
package/dist/client/settings/UsageSection.d.ts.map +1 -0
package/dist/client/settings/UsageSection.js +70 -0
package/dist/client/settings/UsageSection.js.map +1 -0
package/dist/client/settings/index.d.ts +1 -0
package/dist/client/settings/index.d.ts.map +1 -1
package/dist/client/settings/index.js +1 -0
package/dist/client/settings/index.js.map +1 -1
package/dist/client/sharing/ShareButton.d.ts +14 -0
package/dist/client/sharing/ShareButton.d.ts.map +1 -0
package/dist/client/sharing/ShareButton.js +43 -0
package/dist/client/sharing/ShareButton.js.map +1 -0
package/dist/client/sharing/ShareDialog.d.ts +15 -0
package/dist/client/sharing/ShareDialog.d.ts.map +1 -0
package/dist/client/sharing/ShareDialog.js +209 -0
package/dist/client/sharing/ShareDialog.js.map +1 -0
package/dist/client/sharing/VisibilityBadge.d.ts +11 -0
package/dist/client/sharing/VisibilityBadge.d.ts.map +1 -0
package/dist/client/sharing/VisibilityBadge.js +20 -0
package/dist/client/sharing/VisibilityBadge.js.map +1 -0
package/dist/client/sharing/index.d.ts +4 -0
package/dist/client/sharing/index.d.ts.map +1 -0
package/dist/client/sharing/index.js +4 -0
package/dist/client/sharing/index.js.map +1 -0
package/dist/client/use-action.d.ts.map +1 -1
package/dist/client/use-action.js +74 -6
package/dist/client/use-action.js.map +1 -1
package/dist/client/use-db-sync.d.ts +25 -2
package/dist/client/use-db-sync.d.ts.map +1 -1
package/dist/client/use-db-sync.js +62 -1
package/dist/client/use-db-sync.js.map +1 -1
package/dist/client/use-dev-mode.d.ts.map +1 -1
package/dist/client/use-dev-mode.js +16 -1
package/dist/client/use-dev-mode.js.map +1 -1
package/dist/db/client.d.ts +12 -0
package/dist/db/client.d.ts.map +1 -1
package/dist/db/client.js +89 -2
package/dist/db/client.js.map +1 -1
package/dist/db/create-get-db.d.ts +11 -0
package/dist/db/create-get-db.d.ts.map +1 -1
package/dist/db/create-get-db.js +47 -3
package/dist/db/create-get-db.js.map +1 -1
package/dist/db/migrations.d.ts.map +1 -1
package/dist/db/migrations.js +62 -5
package/dist/db/migrations.js.map +1 -1
package/dist/db/schema.d.ts +1 -0
package/dist/db/schema.d.ts.map +1 -1
package/dist/db/schema.js +4 -0
package/dist/db/schema.js.map +1 -1
package/dist/deploy/build.js +22 -3
package/dist/deploy/build.js.map +1 -1
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +6 -0
package/dist/index.js.map +1 -1
package/dist/jobs/scheduler.d.ts.map +1 -1
package/dist/jobs/scheduler.js +7 -2
package/dist/jobs/scheduler.js.map +1 -1
package/dist/oauth-tokens/google-refresh.d.ts +31 -0
package/dist/oauth-tokens/google-refresh.d.ts.map +1 -0
package/dist/oauth-tokens/google-refresh.js +115 -0
package/dist/oauth-tokens/google-refresh.js.map +1 -0
package/dist/oauth-tokens/index.d.ts +1 -0
package/dist/oauth-tokens/index.d.ts.map +1 -1
package/dist/oauth-tokens/index.js +1 -0
package/dist/oauth-tokens/index.js.map +1 -1
package/dist/onboarding/default-steps.d.ts.map +1 -1
package/dist/onboarding/default-steps.js +62 -18
package/dist/onboarding/default-steps.js.map +1 -1
package/dist/org/accept-pending.d.ts +22 -0
package/dist/org/accept-pending.d.ts.map +1 -0
package/dist/org/accept-pending.js +75 -0
package/dist/org/accept-pending.js.map +1 -0
package/dist/org/context.js +1 -1
package/dist/org/handlers.d.ts +2 -0
package/dist/org/handlers.d.ts.map +1 -1
package/dist/org/handlers.js +87 -11
package/dist/org/handlers.js.map +1 -1
package/dist/org/index.d.ts +2 -0
package/dist/org/index.d.ts.map +1 -1
package/dist/org/index.js +1 -0
package/dist/org/index.js.map +1 -1
package/dist/org/plugin.d.ts.map +1 -1
package/dist/org/plugin.js +37 -22
package/dist/org/plugin.js.map +1 -1
package/dist/resources/handlers.js +1 -1
package/dist/resources/handlers.js.map +1 -1
package/dist/resources/metadata.d.ts.map +1 -1
package/dist/resources/metadata.js +2 -2
package/dist/resources/metadata.js.map +1 -1
package/dist/resources/store.d.ts.map +1 -1
package/dist/resources/store.js +27 -1
package/dist/resources/store.js.map +1 -1
package/dist/scripts/db/patch.d.ts.map +1 -1
package/dist/scripts/db/patch.js +273 -11
package/dist/scripts/db/patch.js.map +1 -1
package/dist/secrets/index.d.ts +15 -0
package/dist/secrets/index.d.ts.map +1 -0
package/dist/secrets/index.js +15 -0
package/dist/secrets/index.js.map +1 -0
package/dist/secrets/onboarding.d.ts +18 -0
package/dist/secrets/onboarding.d.ts.map +1 -0
package/dist/secrets/onboarding.js +87 -0
package/dist/secrets/onboarding.js.map +1 -0
package/dist/secrets/register.d.ts +63 -0
package/dist/secrets/register.d.ts.map +1 -0
package/dist/secrets/register.js +55 -0
package/dist/secrets/register.js.map +1 -0
package/dist/secrets/routes.d.ts +67 -0
package/dist/secrets/routes.d.ts.map +1 -0
package/dist/secrets/routes.js +275 -0
package/dist/secrets/routes.js.map +1 -0
package/dist/secrets/schema.d.ts +154 -0
package/dist/secrets/schema.d.ts.map +1 -0
package/dist/secrets/schema.js +41 -0
package/dist/secrets/schema.js.map +1 -0
package/dist/secrets/storage.d.ts +54 -0
package/dist/secrets/storage.d.ts.map +1 -0
package/dist/secrets/storage.js +181 -0
package/dist/secrets/storage.js.map +1 -0
package/dist/server/action-discovery.d.ts +18 -0
package/dist/server/action-discovery.d.ts.map +1 -1
package/dist/server/action-discovery.js +97 -0
package/dist/server/action-discovery.js.map +1 -1
package/dist/server/action-routes.d.ts.map +1 -1
package/dist/server/action-routes.js +26 -0
package/dist/server/action-routes.js.map +1 -1
package/dist/server/agent-chat-plugin.d.ts +12 -0
package/dist/server/agent-chat-plugin.d.ts.map +1 -1
package/dist/server/agent-chat-plugin.js +507 -48
package/dist/server/agent-chat-plugin.js.map +1 -1
package/dist/server/agent-discovery.js +2 -2
package/dist/server/agent-discovery.js.map +1 -1
package/dist/server/agent-teams.d.ts.map +1 -1
package/dist/server/agent-teams.js +21 -58
package/dist/server/agent-teams.js.map +1 -1
package/dist/server/app-name.d.ts +13 -0
package/dist/server/app-name.d.ts.map +1 -0
package/dist/server/app-name.js +41 -0
package/dist/server/app-name.js.map +1 -0
package/dist/server/app-url.d.ts +24 -0
package/dist/server/app-url.d.ts.map +1 -0
package/dist/server/app-url.js +68 -0
package/dist/server/app-url.js.map +1 -0
package/dist/server/auth.d.ts +6 -0
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +284 -41
package/dist/server/auth.js.map +1 -1
package/dist/server/better-auth-instance.d.ts +1 -1
package/dist/server/better-auth-instance.d.ts.map +1 -1
package/dist/server/better-auth-instance.js +102 -7
package/dist/server/better-auth-instance.js.map +1 -1
package/dist/server/builder-browser.d.ts +21 -0
package/dist/server/builder-browser.d.ts.map +1 -1
package/dist/server/builder-browser.js +67 -4
package/dist/server/builder-browser.js.map +1 -1
package/dist/server/core-routes-plugin.d.ts.map +1 -1
package/dist/server/core-routes-plugin.js +151 -4
package/dist/server/core-routes-plugin.js.map +1 -1
package/dist/server/desktop-sso.d.ts +30 -0
package/dist/server/desktop-sso.d.ts.map +1 -0
package/dist/server/desktop-sso.js +74 -0
package/dist/server/desktop-sso.js.map +1 -0
package/dist/server/email-template.d.ts +51 -0
package/dist/server/email-template.d.ts.map +1 -0
package/dist/server/email-template.js +146 -0
package/dist/server/email-template.js.map +1 -0
package/dist/server/email.d.ts +23 -0
package/dist/server/email.d.ts.map +1 -0
package/dist/server/email.js +105 -0
package/dist/server/email.js.map +1 -0
package/dist/server/framework-request-handler.d.ts.map +1 -1
package/dist/server/framework-request-handler.js +29 -0
package/dist/server/framework-request-handler.js.map +1 -1
package/dist/server/google-oauth.d.ts.map +1 -1
package/dist/server/google-oauth.js +19 -3
package/dist/server/google-oauth.js.map +1 -1
package/dist/server/index.d.ts +5 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +5 -1
package/dist/server/index.js.map +1 -1
package/dist/server/local-migration.d.ts +9 -0
package/dist/server/local-migration.d.ts.map +1 -1
package/dist/server/local-migration.js +44 -14
package/dist/server/local-migration.js.map +1 -1
package/dist/server/oauth-helpers.d.ts +2 -0
package/dist/server/oauth-helpers.d.ts.map +1 -1
package/dist/server/oauth-helpers.js +2 -0
package/dist/server/oauth-helpers.js.map +1 -1
package/dist/server/onboarding-html.d.ts +6 -0
package/dist/server/onboarding-html.d.ts.map +1 -1
package/dist/server/onboarding-html.js +229 -25
package/dist/server/onboarding-html.js.map +1 -1
package/dist/server/poll.d.ts.map +1 -1
package/dist/server/poll.js +48 -0
package/dist/server/poll.js.map +1 -1
package/dist/sharing/access.d.ts +56 -0
package/dist/sharing/access.d.ts.map +1 -0
package/dist/sharing/access.js +149 -0
package/dist/sharing/access.js.map +1 -0
package/dist/sharing/actions/list-resource-shares.d.ts +3 -0
package/dist/sharing/actions/list-resource-shares.d.ts.map +1 -0
package/dist/sharing/actions/list-resource-shares.js +38 -0
package/dist/sharing/actions/list-resource-shares.js.map +1 -0
package/dist/sharing/actions/set-resource-visibility.d.ts +3 -0
package/dist/sharing/actions/set-resource-visibility.d.ts.map +1 -0
package/dist/sharing/actions/set-resource-visibility.js +24 -0
package/dist/sharing/actions/set-resource-visibility.js.map +1 -0
package/dist/sharing/actions/share-resource.d.ts +3 -0
package/dist/sharing/actions/share-resource.d.ts.map +1 -0
package/dist/sharing/actions/share-resource.js +64 -0
package/dist/sharing/actions/share-resource.js.map +1 -0
package/dist/sharing/actions/unshare-resource.d.ts +3 -0
package/dist/sharing/actions/unshare-resource.d.ts.map +1 -0
package/dist/sharing/actions/unshare-resource.js +24 -0
package/dist/sharing/actions/unshare-resource.js.map +1 -0
package/dist/sharing/index.d.ts +11 -0
package/dist/sharing/index.d.ts.map +1 -0
package/dist/sharing/index.js +11 -0
package/dist/sharing/index.js.map +1 -0
package/dist/sharing/registry.d.ts +44 -0
package/dist/sharing/registry.d.ts.map +1 -0
package/dist/sharing/registry.js +54 -0
package/dist/sharing/registry.js.map +1 -0
package/dist/sharing/schema.d.ts +202 -0
package/dist/sharing/schema.d.ts.map +1 -0
package/dist/sharing/schema.js +88 -0
package/dist/sharing/schema.js.map +1 -0
package/dist/templates/default/.agents/skills/inline-embeds/SKILL.md +88 -0
package/dist/usage/store.d.ts +74 -12
package/dist/usage/store.d.ts.map +1 -1
package/dist/usage/store.js +210 -44
package/dist/usage/store.js.map +1 -1
package/dist/vite/action-types-plugin.d.ts +5 -0
package/dist/vite/action-types-plugin.d.ts.map +1 -1
package/dist/vite/action-types-plugin.js +129 -28
package/dist/vite/action-types-plugin.js.map +1 -1
package/dist/vite/client.d.ts.map +1 -1
package/dist/vite/client.js +55 -0
package/dist/vite/client.js.map +1 -1
package/docs/content/deployment.md +59 -2
package/docs/content/resources.md +9 -9
package/docs/content/workspace-management.md +2 -2
package/package.json +13 -5
package/src/templates/default/.agents/skills/inline-embeds/SKILL.md +88 -0
/package/dist/templates/workspace-core/{skills → .agents/skills}/company-policies/SKILL.md +0 -0
/package/src/templates/workspace-core/{skills → .agents/skills}/company-policies/SKILL.md +0 -0

package/dist/server/app-url.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"app-url.d.ts","sourceRoot":"","sources":["../../src/server/app-url.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAiB,KAAK,OAAO,EAAE,MAAM,IAAI,CAAC;AAwBjD;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,GAAG,SAAS,CAKzD;AAED,wBAAgB,mBAAmB,CAAC,KAAK,CAAC,EAAE,OAAO,GAAG,MAAM,CAiB3D"}

package/dist/server/app-url.js ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * Resolve the canonical URL of this app — used in transactional emails,
+ * invite links, and anywhere we need an absolute URL that remains valid
+ * outside the current request context.
+ *
+ * Resolution order:
+ *   1. `APP_URL` env var — explicit override
+ *   2. `BETTER_AUTH_URL` env var — Better Auth's canonical URL
+ *   3. First-party template `prodUrl` from the registry (matched by
+ *      package.json name) — lets deployed first-party apps (mail,
+ *      calendar, analytics, …) use e.g. `analytics.agent-native.com`
+ *      instead of their Netlify preview hostname.
+ *   4. Incoming request's origin (when an H3Event is available)
+ *   5. `http://localhost:3000`
+ */
+import { getRequestURL } from "h3";
+import path from "node:path";
+import fs from "node:fs";
+import { TEMPLATES } from "../cli/templates-meta.js";
+let cachedPkgName = null;
+function readPackageName() {
+    if (cachedPkgName !== null)
+        return cachedPkgName ?? undefined;
+    try {
+        const pkgPath = path.join(process.cwd(), "package.json");
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+        cachedPkgName = typeof pkg?.name === "string" ? pkg.name : undefined;
+    }
+    catch {
+        cachedPkgName = undefined;
+    }
+    return cachedPkgName ?? undefined;
+}
+/** Strip trailing slashes for consistent URL concatenation. */
+function stripTrailingSlash(u) {
+    return u.replace(/\/+$/, "");
+}
+/**
+ * Look up the first-party template `prodUrl` for the current app based on
+ * its `package.json` name. Returns undefined if the app isn't a known
+ * first-party template or the template has no `prodUrl`.
+ */
+export function getFirstPartyProdUrl() {
+    const name = readPackageName();
+    if (!name)
+        return undefined;
+    const t = TEMPLATES.find((t) => t.name === name);
+    return t?.prodUrl;
+}
+export function getAppProductionUrl(event) {
+    const envUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL;
+    if (envUrl)
+        return stripTrailingSlash(envUrl);
+    const firstParty = getFirstPartyProdUrl();
+    if (firstParty)
+        return stripTrailingSlash(firstParty);
+    if (event) {
+        try {
+            const url = getRequestURL(event);
+            return `${url.protocol}//${url.host}`;
+        }
+        catch {
+            // fall through
+        }
+    }
+    return "http://localhost:3000";
+}
+//# sourceMappingURL=app-url.js.map

package/dist/server/app-url.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"app-url.js","sourceRoot":"","sources":["../../src/server/app-url.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,EAAE,aAAa,EAAgB,MAAM,IAAI,CAAC;AACjD,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AAErD,IAAI,aAAa,GAA8B,IAAI,CAAC;AAEpD,SAAS,eAAe;IACtB,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,aAAa,IAAI,SAAS,CAAC;IAC9D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,cAAc,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;QACzD,aAAa,GAAG,OAAO,GAAG,EAAE,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;IACvE,CAAC;IAAC,MAAM,CAAC;QACP,aAAa,GAAG,SAAS,CAAC;IAC5B,CAAC;IACD,OAAO,aAAa,IAAI,SAAS,CAAC;AACpC,CAAC;AAED,+DAA+D;AAC/D,SAAS,kBAAkB,CAAC,CAAS;IACnC,OAAO,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAC/B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC;IAC/B,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACjD,OAAO,CAAC,EAAE,OAAO,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAe;IACjD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAClE,IAAI,MAAM;QAAE,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAE9C,MAAM,UAAU,GAAG,oBAAoB,EAAE,CAAC;IAC1C,IAAI,UAAU;QAAE,OAAO,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAEtD,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;YACjC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC"}

package/dist/server/auth.d.ts CHANGED Viewed

@@ -2,6 +2,11 @@ import type { H3Event } from "h3";
 import type { H3AppShim } from "./framework-request-handler.js";
 type H3App = H3AppShim;
 import type { BetterAuthConfig } from "./better-auth-instance.js";
+/**
+ * Get the configured session max age. Desktop SSO broker writes from
+ * OAuth flows read this so expiration stays consistent with the cookie.
+ */
+export declare function getSessionMaxAge(): number;
 export interface AuthSession {
     email: string;
     userId?: string;
@@ -43,6 +48,7 @@ export interface AuthOptions {
      */
     betterAuth?: BetterAuthConfig;
 }
+export declare const COOKIE_NAME: string;
 /**
  * Create a new session in the legacy sessions table.
  * Used by google-oauth.ts for mobile deep linking.

package/dist/server/auth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAsBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAOhE,KAAK,KAAK,GAAG,SAAS,CAAC;~~AAGvB~~,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;~~AASlE~~,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;~~AAgHD~~;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAS7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAOhE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAiB3E;~~AAgCD~~;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAqFD;;;;;;;;;;;;GAYG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,~~CAiG5E~~;~~AA6nBD~~;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,~~CAiJlB~~;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}
1	+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/server/auth.ts"],"names":[],"mappings":"AAsBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,gCAAgC,CAAC;AAOhE,KAAK,KAAK,GAAG,SAAS,CAAC;AAQvB,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAWlE;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAMD,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,oEAAoE;IACpE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kEAAkE;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,mDAAmD;IACnD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC7D;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;OAEG;IACH,UAAU,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAqBD,eAAO,MAAM,WAAW,QAER,CAAC;AA2HjB;;;GAGG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAS7E;AAED,uDAAuD;AACvD,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAOhE;AAED;;;GAGG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAiB3E;AA0CD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,OAAO,GACb,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,CAG5C;AAqFD;;;;;;;;;;;;GAYG;AACH,wBAAsB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CA0I5E;AAmxBD;;;;;;;;;;;;GAYG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,KAAK,EACV,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,OAAO,CAAC,CA6JlB;AAMD;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAEzE"}

package/dist/server/auth.js CHANGED Viewed

@@ -14,20 +14,47 @@ import { defineEventHandler, getMethod, getQuery, setResponseHeader, setResponse
 function toWebRequest(event) {
     return event.req;
 }
-import { getDbExec, isPostgres, intType } from "../db/client.js";
+import { getDbExec, isPostgres, intType, isLocalDatabase, } from "../db/client.js";
 import { getBetterAuth, getBetterAuthSync } from "./better-auth-instance.js";
-import { getOnboardingHtml } from "./onboarding-html.js";
+import { getOnboardingHtml, getResetPasswordHtml } from "./onboarding-html.js";
 import { migrateLocalUserData } from "./local-migration.js";
 import { readBody } from "../server/h3-helpers.js";
+import { readDesktopSso, writeDesktopSso, clearDesktopSso, } from "./desktop-sso.js";
+import { isElectron as isElectronRequest } from "./google-oauth.js";
+/**
+ * Get the configured session max age. Desktop SSO broker writes from
+ * OAuth flows read this so expiration stays consistent with the cookie.
+ */
+export function getSessionMaxAge() {
+    return sessionMaxAge;
+}
 // ---------------------------------------------------------------------------
 // Constants
 // ---------------------------------------------------------------------------
-const COOKIE_NAME = "an_session";
+/**
+ * Cookie name for the framework's session cookie.
+ *
+ * Browsers scope cookies by host (NOT host+port — RFC 6265), so two apps
+ * running on different localhost ports share one cookie jar. When multiple
+ * templates run side-by-side (`dev:all`, the desktop app, multi-template
+ * deploys on a shared domain), they would otherwise stomp on each other's
+ * `an_session` cookie and ping-pong each other into a logged-out state.
+ *
+ * When `APP_NAME` is set, suffix the cookie so each app gets its own slot.
+ */
+const APP_NAME_SLUG = (process.env.APP_NAME || "")
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "_")
+    .replace(/^_+|_+$/g, "");
+export const COOKIE_NAME = APP_NAME_SLUG
+    ? `an_session_${APP_NAME_SLUG}`
+    : "an_session";
 const DEFAULT_MAX_AGE = 60 * 60 * 24 * 30; // 30 days
 const LOCAL_MODE_MARKER_PATH = path.resolve(process.cwd(), ".agent-native", "auth-mode");
 // ---------------------------------------------------------------------------
 // AUTH_MODE detection
 // ---------------------------------------------------------------------------
+let _warnedRemoteLocalMode = false;
 /**
  * Check if the app is in local-only mode (no auth).
  *
@@ -39,8 +66,20 @@ const LOCAL_MODE_MARKER_PATH = path.resolve(process.cwd(), ".agent-native", "aut
  * no auth is used. In development, getSession() also falls back to
  * local@localhost automatically if no other auth method succeeds, so
  * apps are always usable without configuration in dev.
+ *
+ * Refuses to enable on any non-local database (Postgres, Turso, D1): local
+ * mode uses a single shared virtual user with no per-machine scoping, so on
+ * a shared DB every developer would land on the same account and collide.
  */
 async function isLocalModeEnabled() {
+    if (!isLocalDatabase()) {
+        if (process.env.AUTH_MODE === "local" && !_warnedRemoteLocalMode) {
+            _warnedRemoteLocalMode = true;
+            console.warn("[agent-native] AUTH_MODE=local ignored: database is not local SQLite. " +
+                "local@localhost has no per-user scoping and would collide across developers on a shared DB.");
+        }
+        return false;
+    }
     if (process.env.AUTH_MODE === "local")
         return true;
     try {
@@ -174,6 +213,15 @@ let _authGuardConfig = null;
  * /_agent-native/* routes).
  */
 let _authGuardFn = null;
+/**
+ * The H3 app the auth routes + guard were last mounted on. Module-level
+ * state survives Vite HMR restarts, but each HMR cycle creates a fresh
+ * nitroApp/H3 instance whose middleware array is empty again. Tracking the
+ * app here lets autoMountAuth detect "same module state, new app" and
+ * re-mount routes instead of silently skipping them because `_authGuardFn`
+ * looks populated from a previous cycle.
+ */
+let _mountedApp = null;
 /**
  * Run the auth guard on an event. Returns a Response/object to block the
  * request (login page or 401), or undefined to allow it through.
@@ -314,6 +362,14 @@ export async function getSession(event) {
         const session = await customGetSession(event);
         if (session)
             return session;
+        // Desktop SSO broker: even with BYOA auth, fall back to the broker
+        // for Electron requests so cross-template SSO works for custom-auth
+        // templates too.
+        if (isElectronRequest(event)) {
+            const sso = await readDesktopSso();
+            if (sso?.email)
+                return { email: sso.email, token: sso.token };
+        }
         // Fall through to mobile _session check
     }
     else {
@@ -325,6 +381,9 @@ export async function getSession(event) {
                     headers: event.headers,
                 });
                 if (baSession?.user?.email) {
+                    // Successful real sign-in — clear the upgrade-pending marker so
+                    // the dev fallback becomes reachable again for future local work.
+                    clearUpgradePendingCookie(event);
                     return mapBetterAuthSession(baSession);
                 }
             }
@@ -336,8 +395,24 @@ export async function getSession(event) {
         const cookie = getCookie(event, COOKIE_NAME);
         if (cookie) {
             const email = await getSessionEmail(cookie);
-            if (email)
+            if (email) {
+                clearUpgradePendingCookie(event);
                 return { email, token: cookie };
+            }
+        }
+        // 5b. Desktop SSO broker fallback.
+        // Each template in the Electron desktop app has its own database, so
+        // a session token created by one template doesn't resolve in another.
+        // When an Electron request has no resolvable session, trust the
+        // home-dir SSO record written by whichever template the user signed
+        // into. Gated on Electron user-agent so no non-desktop code path
+        // consults the file.
+        if (isElectronRequest(event)) {
+            const sso = await readDesktopSso();
+            if (sso?.email) {
+                clearUpgradePendingCookie(event);
+                return { email: sso.email, token: sso.token };
+            }
         }
     }
     // 6. Mobile WebView bridge — _session query param
@@ -347,8 +422,7 @@ export async function getSession(event) {
         if (email) {
             setCookie(event, COOKIE_NAME, qToken, {
                 httpOnly: true,
-                secure: !isDevEnvironment(),
-                sameSite: "lax",
+                ...crossSiteCookieAttrs(event),
                 path: "/",
                 maxAge: sessionMaxAge,
             });
@@ -356,15 +430,113 @@ export async function getSession(event) {
             return { email, token: qToken };
         }
     }
-    // 7. Dev-mode safety net — in development, always fall back to local@localhost
-    // so the app is usable without any auth configuration. This prevents 401
-    // errors when Better Auth isn't configured, the marker file is missing, or
-    // the user simply wants to play around locally.
-    if (isDevEnvironment()) {
+    // 7. Dev-mode safety net — in development on a local SQLite database, fall
+    // back to local@localhost so the app is usable without any auth configuration.
+    // This prevents 401 errors when Better Auth isn't configured, the marker file
+    // is missing, or the user simply wants to play around locally.
+    //
+    // Gated on isLocalDatabase() because local@localhost has no per-user scoping:
+    // on a shared DB (Postgres, Turso, D1) this fallback would land every
+    // developer on the same account and expose each other's data.
+    //
+    // EXCEPTION: if the user has explicitly exited local mode (clicked "Upgrade
+    // to real account"), they've signaled they want real auth. The upgrade
+    // cookie suppresses this fallback so the onboarding/sign-in page is served
+    // instead of silently re-authenticating them as local@localhost.
+    if (isDevEnvironment() &&
+        isLocalDatabase() &&
+        !isUpgradePending(event) &&
+        !hasSignInFlag(event)) {
         return LOCAL_SESSION;
     }
     return null;
 }
+/**
+ * Cookie set by POST /_agent-native/auth/exit-local-mode so we know the user
+ * is in the middle of upgrading from local@localhost to a real account.
+ * While this cookie is present we skip the dev-mode "auto local session"
+ * fallback so the onboarding/sign-in page can actually render.
+ * Cleared on successful sign-in/sign-up.
+ */
+const UPGRADE_COOKIE = "an_upgrade_pending";
+function isUpgradePending(event) {
+    try {
+        return getCookie(event, UPGRADE_COOKIE) === "1";
+    }
+    catch {
+        return false;
+    }
+}
+function setUpgradePendingCookie(event) {
+    setCookie(event, UPGRADE_COOKIE, "1", {
+        httpOnly: true,
+        ...crossSiteCookieAttrs(event),
+        path: "/",
+        maxAge: 60 * 60, // 1 hour — enough to complete sign-in
+    });
+}
+/**
+ * URL-flag fallback for third-party iframe contexts (e.g. the Builder.io
+ * editor) where SameSite=Lax cookies from an exit-local-mode POST are not
+ * delivered on the subsequent reload. TeamPage reloads with ?signin=1 so
+ * we can reliably suppress the dev-mode local fallback without a cookie.
+ */
+function hasSignInFlag(event) {
+    try {
+        return getQuery(event)?.signin === "1";
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Cookie attributes that work in both same-site and third-party iframe
+ * contexts. Over HTTPS we emit `SameSite=None; Secure` (required by browsers
+ * to ship the cookie back inside a cross-origin iframe); for plain HTTP dev
+ * we keep `SameSite=Lax` since `None` requires Secure.
+ */
+function crossSiteCookieAttrs(event) {
+    return isHttpsRequest(event)
+        ? { sameSite: "none", secure: true }
+        : { sameSite: "lax", secure: false };
+}
+function isHttpsRequest(event) {
+    try {
+        const req = event.req ?? event.node?.req;
+        const headers = req?.headers;
+        const get = (k) => {
+            if (!headers)
+                return undefined;
+            if (typeof headers.get === "function") {
+                return headers.get(k) ?? undefined;
+            }
+            const v = headers[k];
+            return Array.isArray(v) ? v[0] : v;
+        };
+        const xfProto = get("x-forwarded-proto");
+        if (xfProto && String(xfProto).split(",")[0].trim() === "https") {
+            return true;
+        }
+        const url = req?.url;
+        if (typeof url === "string" && url.startsWith("https://"))
+            return true;
+        const appUrl = process.env.APP_URL || process.env.BETTER_AUTH_URL || "";
+        if (appUrl.startsWith("https://"))
+            return true;
+    }
+    catch {
+        // ignore
+    }
+    return false;
+}
+function clearUpgradePendingCookie(event) {
+    try {
+        deleteCookie(event, UPGRADE_COOKIE, { path: "/" });
+    }
+    catch {
+        // ignore
+    }
+}
 // ---------------------------------------------------------------------------
 // Public path matching
 // ---------------------------------------------------------------------------
@@ -489,6 +661,38 @@ async function removeAuthModeLocal() {
         return false;
     }
 }
+/**
+ * POST /_agent-native/auth/migrate-local-data handler. Exposed here (not
+ * inlined in a single mount function) because it must be registered from
+ * every auth-mount path — including local-mode and fallback — so the
+ * upgrade-from-local flow never 500s when BetterAuth init is skipped or
+ * failed. Previously this was only mounted inside mountBetterAuthRoutes()
+ * which meant that in local mode (or when BetterAuth failed to init) the
+ * request fell through to the Nitro SSR renderer and produced a 500.
+ */
+const migrateLocalDataHandler = defineEventHandler(async (event) => {
+    if (getMethod(event) !== "POST") {
+        setResponseStatus(event, 405);
+        return { error: "Method not allowed" };
+    }
+    const session = await getSession(event);
+    if (!session?.email || session.email === "local@localhost") {
+        setResponseStatus(event, 401);
+        return { error: "Not authenticated as a real account" };
+    }
+    try {
+        const result = await migrateLocalUserData(session.email);
+        return { ok: true, ...result };
+    }
+    catch (e) {
+        console.error("[migrate-local-data] Migration threw for", session.email, e);
+        setResponseStatus(event, 500);
+        return {
+            error: e?.message || "Migration failed",
+            stack: isDevEnvironment() ? e?.stack : undefined,
+        };
+    }
+});
 // ---------------------------------------------------------------------------
 // mountBetterAuthRoutes — Better Auth powered auth with backward-compat routes
 // ---------------------------------------------------------------------------
@@ -549,6 +753,9 @@ async function mountBetterAuthRoutes(app, options) {
             setResponseStatus(event, 500);
             return { error: "Failed to disable local mode" };
         }
+        // Mark the browser so getSession's dev-mode fallback won't silently
+        // re-authenticate the user as local@localhost on the next request.
+        setUpgradePendingCookie(event);
         return { ok: true };
     }));
     // Backward-compat: POST /_agent-native/auth/login
@@ -570,8 +777,7 @@ async function mountBetterAuthRoutes(app, options) {
             await addSession(sessionToken, "user");
             setCookie(event, COOKIE_NAME, sessionToken, {
                 httpOnly: true,
-                secure: !isDevEnvironment(),
-                sameSite: "lax",
+                ...crossSiteCookieAttrs(event),
                 path: "/",
                 maxAge: sessionMaxAge,
             });
@@ -591,12 +797,18 @@ async function mountBetterAuthRoutes(app, options) {
             if (result?.token) {
                 setCookie(event, COOKIE_NAME, result.token, {
                     httpOnly: true,
-                    secure: !isDevEnvironment(),
-                    sameSite: "lax",
+                    ...crossSiteCookieAttrs(event),
                     path: "/",
                     maxAge: sessionMaxAge,
                 });
                 await addSession(result.token, email);
+                if (isElectronRequest(event)) {
+                    await writeDesktopSso({
+                        email,
+                        token: result.token,
+                        expiresAt: Date.now() + sessionMaxAge * 1000,
+                    });
+                }
             }
             return { ok: true };
         }
@@ -645,6 +857,8 @@ async function mountBetterAuthRoutes(app, options) {
         catch {
             // Ignore if no Better Auth session
         }
+        if (isElectronRequest(event))
+            await clearDesktopSso();
         return { ok: true };
     }));
     // GET /_agent-native/auth/session
@@ -659,24 +873,18 @@ async function mountBetterAuthRoutes(app, options) {
     // POST /_agent-native/auth/migrate-local-data — move local-mode data to
     // the currently signed-in account. Called by the UI after a user upgrades
     // from local mode to a real account so they don't lose their data.
-    app.use("/_agent-native/auth/migrate-local-data", defineEventHandler(async (event) => {
-        if (getMethod(event) !== "POST") {
+    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
+    // GET /_agent-native/auth/reset — HTML page shown when a user clicks the
+    // reset link in their email. Reads ?token=... and POSTs to Better Auth's
+    // /reset-password endpoint on submit.
+    app.use("/_agent-native/auth/reset", defineEventHandler((event) => {
+        if (getMethod(event) !== "GET") {
             setResponseStatus(event, 405);
             return { error: "Method not allowed" };
         }
-        const session = await getSession(event);
-        if (!session?.email || session.email === "local@localhost") {
-            setResponseStatus(event, 401);
-            return { error: "Not authenticated as a real account" };
-        }
-        try {
-            const result = await migrateLocalUserData(session.email);
-            return { ok: true, ...result };
-        }
-        catch (e) {
-            setResponseStatus(event, 500);
-            return { error: e?.message || "Migration failed" };
-        }
+        return new Response(getResetPasswordHtml(), {
+            headers: { "Content-Type": "text/html; charset=utf-8" },
+        });
     }));
     // Auth guard — stored both in framework middleware registry AND in
     // _authGuardFn so the server middleware can enforce it on ALL routes.
@@ -706,8 +914,7 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         await addSession(sessionToken, "user");
         setCookie(event, COOKIE_NAME, sessionToken, {
             httpOnly: true,
-            secure: !isDevEnvironment(),
-            sameSite: "lax",
+            ...crossSiteCookieAttrs(event),
             path: "/",
             maxAge: sessionMaxAge,
         });
@@ -718,6 +925,8 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         if (cookie)
             await removeSession(cookie);
         deleteCookie(event, COOKIE_NAME, { path: "/" });
+        if (isElectronRequest(event))
+            await clearDesktopSso();
         return { ok: true };
     }));
     app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
@@ -728,6 +937,7 @@ function mountTokenOnlyRoutes(app, accessTokens, publicPaths = []) {
         const session = await getSession(event);
         return session ?? { error: "Not authenticated" };
     }));
+    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
     _authGuardConfig = { loginHtml: TOKEN_LOGIN_HTML, publicPaths };
     const guardFn = createAuthGuardFn();
     _authGuardFn = guardFn;
@@ -757,8 +967,14 @@ function mountLocalModeRoutes(app) {
             setResponseStatus(event, 500);
             return { error: "Failed to disable local mode" };
         }
+        // Mark the browser so getSession's dev-mode fallback won't silently
+        // re-authenticate the user as local@localhost on the next request.
+        setUpgradePendingCookie(event);
         return { ok: true };
     }));
+    // Upgrade path: migrate-local-data must be reachable from local mode
+    // because the user is still in local mode when they trigger the upgrade.
+    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
 }
 // ---------------------------------------------------------------------------
 // mountAuthFallbackRoutes — minimal auth endpoints when Better Auth init fails
@@ -784,12 +1000,18 @@ function mountAuthFallbackRoutes(app) {
             if (result?.token) {
                 setCookie(event, COOKIE_NAME, result.token, {
                     httpOnly: true,
-                    secure: !isDevEnvironment(),
-                    sameSite: "lax",
+                    ...crossSiteCookieAttrs(event),
                     path: "/",
                     maxAge: sessionMaxAge,
                 });
                 await addSession(result.token, email);
+                if (isElectronRequest(event)) {
+                    await writeDesktopSso({
+                        email,
+                        token: result.token,
+                        expiresAt: Date.now() + sessionMaxAge * 1000,
+                    });
+                }
             }
             return { ok: true };
         }
@@ -838,6 +1060,8 @@ function mountAuthFallbackRoutes(app) {
         catch {
             // Ignore if Better Auth is still unavailable
         }
+        if (isElectronRequest(event))
+            await clearDesktopSso();
         return { ok: true };
     }));
     app.use("/_agent-native/auth/local-mode", defineEventHandler(async (event) => {
@@ -868,6 +1092,9 @@ function mountAuthFallbackRoutes(app) {
             setResponseStatus(event, 500);
             return { error: "Failed to disable local mode" };
         }
+        // Mark the browser so getSession's dev-mode fallback won't silently
+        // re-authenticate the user as local@localhost on the next request.
+        setUpgradePendingCookie(event);
         return { ok: true };
     }));
     app.use("/_agent-native/auth/session", defineEventHandler(async (event) => {
@@ -878,6 +1105,10 @@ function mountAuthFallbackRoutes(app) {
         const session = await getSession(event);
         return session ?? { error: "Not authenticated" };
     }));
+    // Must be reachable from fallback mode too — otherwise a user who
+    // upgrades-from-local on a server that couldn't init Better Auth gets a
+    // 500 instead of a clear 401.
+    app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
 }
 // ---------------------------------------------------------------------------
 // autoMountAuth — the recommended entry point
@@ -896,13 +1127,17 @@ function mountAuthFallbackRoutes(app) {
  * Returns true if auth was mounted, false if skipped.
  */
 export async function autoMountAuth(app, options = {}) {
-    // If auth is already mounted (e.g., default plugin ran before custom plugin),
-    // don't re-mount routes — but DO update the live config if custom options
-    // like googleOnly or loginHtml were provided. This fixes the production race
-    // where the default plugin (no googleOnly) mounts first, and the template's
-    // custom auth plugin runs later. Because createAuthGuardFn() reads from
-    // _authGuardConfig on every request, updating it here takes effect immediately.
-    if (_authGuardFn) {
+    // If auth is already mounted on THIS app (e.g., default plugin ran before
+    // custom plugin in the same server boot), don't re-mount routes — but DO
+    // update the live config if custom options like googleOnly or loginHtml
+    // were provided. createAuthGuardFn() reads from _authGuardConfig on every
+    // request, so updating it here takes effect immediately.
+    //
+    // We gate on `_mountedApp === app` because module-level state survives
+    // Vite HMR — without this check, an HMR-restarted Nitro instance (fresh
+    // H3 app, empty middleware) would short-circuit here and end up with no
+    // auth routes mounted at all.
+    if (_authGuardFn && _mountedApp === app) {
         if (_authGuardConfig) {
             if (options.googleOnly || options.loginHtml) {
                 _authGuardConfig.loginHtml =
@@ -918,6 +1153,11 @@ export async function autoMountAuth(app, options = {}) {
         }
         return true;
     }
+    // Fresh app (first boot, or HMR created a new Nitro instance) — reset
+    // the guard so the mount path below installs it on the new app.
+    _authGuardFn = null;
+    _authGuardConfig = null;
+    _mountedApp = app;
     if (!app) {
         if ((await isLocalModeEnabled()) || isDevEnvironment()) {
             authDisabledMode = false;
@@ -965,8 +1205,11 @@ export async function autoMountAuth(app, options = {}) {
             if (cookie)
                 await removeSession(cookie);
             deleteCookie(event, COOKIE_NAME, { path: "/" });
+            if (isElectronRequest(event))
+                await clearDesktopSso();
             return { ok: true };
         }));
+        app.use("/_agent-native/auth/migrate-local-data", migrateLocalDataHandler);
         const byoaLoginHtml = options.loginHtml ?? TOKEN_LOGIN_HTML;
         _authGuardConfig = { loginHtml: byoaLoginHtml, publicPaths };
         const guardFn = createAuthGuardFn();