@agent-native/core 0.7.13 → 0.7.15

package/dist/server/agent-chat-plugin.js

@@ -1,20 +1,22 @@
-import { runWithRequestContext, getRequestOrgId } from "./request-context.js";
+import { runWithRequestContext, getRequestOrgId, getRequestUserEmail, getRequestRunContext, ensureRequestRunContext, } from "./request-context.js";
 import { getSetting, putSetting } from "../settings/store.js";
 import { getH3App, trackPluginInit } from "./framework-request-handler.js";
 import { createProductionAgentHandler, runAgentLoop, actionsToEngineTools, getActiveRunForThreadAsync, abortRun, subscribeToRun, } from "../agent/production-agent.js";
 import { resolveEngine, createAnthropicEngine } from "../agent/engine/index.js";
+import { DEFAULT_MODEL } from "../agent/default-model.js";
 import { McpClientManager, loadMcpConfig, autoDetectMcpConfig, mcpToolsToActionEntries, syncMcpActionEntries, mountMcpServersRoutes, mountMcpHubRoutes, buildMergedConfig, getHubStatus, isHubServeEnabled, } from "../mcp-client/index.js";
 import { discoverAgents } from "./agent-discovery.js";
 import { loadSchemaPromptBlock } from "./schema-prompt.js";
 import { buildAssistantMessage, extractThreadMeta, } from "../agent/thread-data-builder.js";
 import { defineEventHandler, setResponseStatus, setResponseHeader, getMethod, getQuery, getHeader, } from "h3";
-import { getSession } from "./auth.js";
+import { getSession, DEV_MODE_USER_EMAIL } from "./auth.js";
 import { getOrigin } from "./google-oauth.js";
-import { createThread, getThread, listThreads, searchThreads, updateThreadData, withThreadDataLock, deleteThread, setThreadQueuedMessages, } from "../chat-threads/store.js";
+import { createThread, forkThread, getThread, listThreads, searchThreads, updateThreadData, withThreadDataLock, deleteThread, setThreadQueuedMessages, } from "../chat-threads/store.js";
 import { resourceListAccessible, resourceList, resourceGet, resourceGetByPath, ensurePersonalDefaults, SHARED_OWNER, } from "../resources/store.js";
 import nodePath from "node:path";
 import { readBody } from "./h3-helpers.js";
 import { getBuilderBrowserConnectUrl } from "./builder-browser.js";
+import { captureCliOutput } from "./cli-capture.js";
 // Lazy fs — loaded via dynamic import() on first use.
 // This avoids require() which bundlers convert to createRequire(import.meta.url)
 // that crashes on CF Workers where import.meta.url is undefined.
@@ -27,7 +29,9 @@ async function lazyFs() {
 }
 /**
  * Wraps a core CLI script (that writes to console.log) as a ActionEntry
- * by capturing stdout.
+ * by capturing stdout. Uses an AsyncLocalStorage-backed capture so
+ * concurrent tool calls do not corrupt the global console/stdout pointers
+ * (see `cli-capture.ts`).
  */
 function wrapCliScript(tool, cliDefault, opts) {
     return {
@@ -38,39 +42,7 @@ function wrapCliScript(tool, cliDefault, opts) {
             for (const [k, v] of Object.entries(args)) {
                 cliArgs.push(`--${k}`, v);
             }
-            const logs = [];
-            const origLog = console.log;
-            const origError = console.error;
-            const origStdoutWrite = process.stdout.write;
-            console.log = (...a) => {
-                logs.push(a.map(String).join(" "));
-            };
-            console.error = (...a) => {
-                logs.push(a.map(String).join(" "));
-            };
-            // Intercept process.stdout.write so scripts that write directly
-            // (e.g. resource-read) have their output captured
-            process.stdout.write = ((chunk, ...rest) => {
-                if (typeof chunk === "string") {
-                    logs.push(chunk);
-                }
-                else if (Buffer.isBuffer(chunk)) {
-                    logs.push(chunk.toString());
-                }
-                return true;
-            });
-            try {
-                await cliDefault(cliArgs);
-            }
-            catch (err) {
-                logs.push(`Error: ${err?.message ?? String(err)}`);
-            }
-            finally {
-                console.log = origLog;
-                console.error = origError;
-                process.stdout.write = origStdoutWrite;
-            }
-            return logs.join("\n") || "(no output)";
+            return captureCliOutput(() => cliDefault(cliArgs));
         },
     };
 }
@@ -156,6 +128,12 @@ function createRefreshScreenEntry() {
 }
 /** Well-known application-state key used by the refresh-screen tool. */
 const SCREEN_REFRESH_KEY = "__screen_refresh__";
+/**
+ * In-memory rate-limit tracker for `/generate-title`. Keyed by user email,
+ * value is recent invocation timestamps within the rolling window. Stale
+ * entries are pruned on read.
+ */
+const generateTitleRateLimit = new Map();
 /**
  * Creates the `set-search-params` / `set-url-path` tools. Writes a one-shot
  * URL command to application_state; the client's URLSync component applies
@@ -673,17 +651,94 @@ function createBuilderBrowserTool(deps) {
                 },
             },
             run: async (args) => {
-                const configured = !!(process.env.BUILDER_PRIVATE_KEY && process.env.BUILDER_PUBLIC_KEY);
+                const { resolveBuilderCredentials } = await import("./credential-provider.js");
+                const creds = await resolveBuilderCredentials();
+                const configured = !!(creds.privateKey && creds.publicKey);
                 const prompt = typeof args?.prompt === "string" ? args.prompt : "";
                 return JSON.stringify({
                     kind: "connect-builder-card",
                     configured,
                     connectUrl: getBuilderBrowserConnectUrl(deps.getOrigin()),
-                    orgName: process.env.BUILDER_ORG_NAME || null,
+                    orgName: creds.orgName || null,
                     prompt,
                 });
             },
         },
+        "activate-browser": {
+            tool: {
+                description: "Activate browser automation tools. Call this when you need to interact with a real browser — e.g. to extract design tokens from a rendered page, take screenshots, read computed styles from JS-heavy sites, or test a live URL. After activation, chrome-devtools MCP tools (navigate, click, evaluate_script, take_screenshot, etc.) become available on your next action. Requires Builder.io connection.",
+                parameters: {
+                    type: "object",
+                    properties: {
+                        sessionId: {
+                            type: "string",
+                            description: "Optional session identifier for the browser connection. Auto-generated if omitted.",
+                        },
+                    },
+                },
+            },
+            run: async (args) => {
+                const { resolveBuilderCredentials } = await import("./credential-provider.js");
+                const creds = await resolveBuilderCredentials();
+                if (!creds.privateKey || !creds.publicKey) {
+                    return JSON.stringify({
+                        error: "builder-not-connected",
+                        message: "Builder.io is not connected. Call `connect-builder` first to enable browser automation.",
+                    });
+                }
+                const { requestBuilderBrowserConnection } = await import("./builder-browser.js");
+                const sessionId = (typeof args?.sessionId === "string" && args.sessionId) ||
+                    `an-browser-${Date.now()}`;
+                let connection;
+                try {
+                    connection = await requestBuilderBrowserConnection({ sessionId });
+                }
+                catch (err) {
+                    return JSON.stringify({
+                        error: "browser-connection-failed",
+                        message: `Failed to get browser connection: ${err?.message ?? err}`,
+                    });
+                }
+                const wsUrl = connection.wsUrl;
+                if (!wsUrl) {
+                    return JSON.stringify({
+                        error: "no-ws-url",
+                        message: "Browser connection did not return a WebSocket URL.",
+                    });
+                }
+                const manager = getGlobalMcpManager();
+                if (!manager) {
+                    return JSON.stringify({
+                        error: "no-mcp-manager",
+                        message: "MCP manager is not available.",
+                    });
+                }
+                // Add chrome-devtools-mcp server pointing at the provisioned browser
+                const currentConfig = manager.getConfig();
+                const servers = { ...(currentConfig?.servers ?? {}) };
+                servers["chrome-devtools"] = {
+                    command: "npx",
+                    args: [
+                        "-y",
+                        "chrome-devtools-mcp@latest",
+                        "--wsEndpoint",
+                        wsUrl,
+                        "--categoryEmulation=false",
+                    ],
+                    type: "stdio",
+                };
+                await manager.reconfigure({
+                    servers,
+                    source: currentConfig?.source ?? "runtime",
+                });
+                return JSON.stringify({
+                    success: true,
+                    message: "Browser activated. Chrome DevTools MCP tools (mcp__chrome-devtools__*) are now available. Use them on your next action to navigate pages, read DOM, take screenshots, evaluate JavaScript, etc.",
+                    wsUrl,
+                    sessionId,
+                });
+            },
+        },
     };
 }
 /**
@@ -875,6 +930,9 @@ const FRAMEWORK_CORE_COMPACT = `
 5. **Screen refresh is automatic** — The framework auto-refreshes after mutating tool calls. Only call \`refresh-screen\` when you mutated data via a path the framework can't detect.
 6. **Memory** — Use \`save-memory\` proactively when you learn preferences, corrections, or project context.
 7. **Security** — Always use parameterized queries. Never \`dangerouslySetInnerHTML\`, \`innerHTML\`, or \`eval()\`.
+8. **\`db-*\` tools are internal only** — \`db-query\`, \`db-exec\`, \`db-patch\` ONLY access the app's own SQL database (settings, application_state, template tables). They CANNOT reach BigQuery, HubSpot, GA4, Jira, or any external data source. If the user asks about a table that is NOT in the app schema (e.g. \`dbt_analytics.*\`, \`dbt_mart.*\`, or any fully-qualified \`project.dataset.table\`), use the appropriate template action instead — \`bigquery\` for warehouse tables, \`ga4-report\` for Google Analytics, \`hubspot-deals\` for HubSpot, etc. **Never use \`db-query\` for external data — it will fail.**
+9. **Never fabricate data** — Do NOT invent numbers, metrics, records, or query results. Do NOT present estimated or example data as if it were real. If a data source is unavailable (missing credentials, connection error, tool failure), say so clearly, note the gap, and work with whatever data you do have. If no data can be retrieved at all, say "I can't retrieve this data right now" and explain why. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.
+10. **Never fabricate success from tool errors** — When any tool call returns an error (marked \`isError: true\`, contains "Command failed", "Error:", or non-zero exit output), the operation FAILED. Do NOT synthesize a success narrative or describe what the action "would have" produced. Report the failure verbatim from the tool output. This applies especially to \`shell(command="pnpm action ...")\` calls: if the action threw, it did NOT succeed.
 
 ### Resources
 
@@ -887,7 +945,7 @@ When the user says "show me", "go to", "open", etc., ALWAYS use \`navigate\` fir
 
 ### Extended Capabilities
 
-You also have tools for: inline embeds, chat history search, agent teams/sub-agents, recurring jobs, A2A cross-app calls, structured memory, and browser access. Call \`get-framework-context\` to read detailed instructions for any of these when needed.
+You also have tools for: inline embeds, chat history search, agent teams/sub-agents, recurring jobs, A2A cross-app calls, structured memory, and browser automation (\`activate-browser\` to provision a real Chrome). Call \`get-framework-context\` to read detailed instructions for any of these when needed.
 `;
 /**
  * Verbose framework sections returned by the `get-framework-context` tool.
@@ -954,11 +1012,26 @@ Convert natural language to 5-field cron format:
     builder: `### Connecting Builder.io
 
 When the user asks to connect Builder.io or you hit a "Builder not configured" error, call the \`connect-builder\` tool. It renders a one-click Connect card inline — do NOT write out multi-step setup instructions yourself.`,
-    browser: `### Browser Access
-
-Use \`connect-builder\` when you need browser access backed by Builder. It renders a Connect card that provisions a browser session.
-
-- If Builder is not configured, the card will guide the user through setup.`,
+    browser: `### Browser Automation
+
+You can activate a real Chrome browser via Builder.io for tasks that need full page rendering:
+- Extracting design tokens from JS-heavy or SPA websites (computed styles, rendered colors/fonts)
+- Taking screenshots of live pages
+- Testing interactive flows on deployed URLs
+- Reading content from pages that require JavaScript execution
+
+**How to use:**
+1. Call \`activate-browser\` — this provisions a Chrome instance and registers chrome-devtools MCP tools
+2. On your next action, use \`mcp__chrome-devtools__navigate_page\`, \`mcp__chrome-devtools__evaluate_script\`, \`mcp__chrome-devtools__take_screenshot\`, etc.
+3. If Builder is not connected, call \`connect-builder\` first
+
+**When to recommend browser automation:**
+- User wants to import a design system from a URL (JS-rendered sites give almost no useful data from plain HTML fetch)
+- User asks you to check how a deployed site looks or behaves
+- Any task involving reading computed/rendered page state
+- When \`web-request\` returns minimal/skeleton HTML from a modern SPA
+
+Prefer \`web-request\` for simple API calls and static pages. Use browser automation when you need the real rendered page.`,
     "call-agent": `### call-agent — External Apps Only
 
 The \`call-agent\` tool sends a message to a DIFFERENT, separately-deployed app's agent (A2A protocol). It is **not** for calling actions within the current app.
@@ -1023,6 +1096,9 @@ const FRAMEWORK_CORE = `
 5. **Screen refresh is automatic after action calls** — The framework auto-emits a refresh event after any successful mutating tool call (template actions like \`log-meal\`, \`update-form\`, \`edit-document\`, and the \`db-exec\` / \`db-patch\` tools). The UI re-fetches its queries without a full page reload. You do NOT need to call \`refresh-screen\` after an action — it's already handled. Only call \`refresh-screen\` explicitly when (a) you mutated data via a path the framework can't detect (e.g. writing directly to an external system whose results the app mirrors), or (b) you want to pass a \`scope\` hint so the UI narrows which queries to refetch. Do NOT tell the user to reload the page.
 6. **Memory** — Use the structured memory system to persist knowledge across sessions. Use \`save-memory\` proactively when you learn preferences, corrections, or project context. Update shared AGENTS.md for instructions that should apply to all users.
 7. **Security** — Always use \`defineAction\` with a Zod \`schema:\` for input validation. Never construct SQL with string concatenation — use parameterized queries via db-query/db-exec. Never use \`dangerouslySetInnerHTML\`, \`innerHTML\`, or \`eval()\`. Never expose secrets in responses or source code. Every table with user data must have \`owner_email\`.
+8. **\`db-*\` tools are internal only** — \`db-query\`, \`db-exec\`, \`db-patch\` ONLY access the app's own SQL database (settings, application_state, template tables). They CANNOT reach BigQuery, HubSpot, GA4, Jira, or any external data source. If the user asks about a table that is NOT in the app schema (e.g. \`dbt_analytics.*\`, \`dbt_mart.*\`, or any fully-qualified \`project.dataset.table\`), use the appropriate template action instead — \`bigquery\` for warehouse tables, \`ga4-report\` for Google Analytics, \`hubspot-deals\` for HubSpot, etc. **Never use \`db-query\` for external data — it will fail.**
+9. **Never fabricate data** — Do NOT invent numbers, metrics, records, or query results. Do NOT present estimated or example data as if it were real. If a data source is unavailable (missing credentials, connection error, tool failure), say so clearly, note the gap, and work with whatever data you do have. If no data can be retrieved at all, say "I can't retrieve this data right now" and explain why. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.
+10. **Never fabricate success from tool errors** — When any tool call returns an error (marked \`isError: true\`, contains "Command failed", "Error:", or non-zero exit output), the operation FAILED. Do NOT synthesize a success narrative, format a result table, or describe what the action "would have" produced. Report the failure verbatim from the tool output. This applies especially to \`shell(command="pnpm action ...")\` calls: if the underlying action threw (visible in the error text), the action did NOT succeed — report the error, do not describe a successful outcome.
 
 ### Resources
 
@@ -1123,11 +1199,9 @@ Job instructions should be self-contained — include which actions to call, wha
 
 When the user asks to connect Builder.io, needs Builder for LLM access / browser automation, or you hit a "Builder not configured" error, call the \`connect-builder\` tool. It renders a one-click Connect card inline in the chat — do NOT write out multi-step setup instructions yourself (no "Option 1 / Option 2", no terminal commands). Just call the tool and let the card handle the rest.
 
-### Browser Access
+### Browser Automation
 
-Use \`connect-builder\` when you need browser access backed by Builder. It renders a Connect card that provisions a browser session.
-
-- If Builder is not configured, the card will guide the user through setup.
+Call \`activate-browser\` to provision a real Chrome browser. After activation, chrome-devtools MCP tools become available for navigating pages, reading rendered DOM, taking screenshots, and evaluating JavaScript. If Builder is not connected, call \`connect-builder\` first. Use browser automation proactively when tasks benefit from full page rendering (design system extraction from URLs, visual verification, SPA content reading).
 
 ### call-agent — External Apps Only
 
@@ -1182,8 +1256,16 @@ The agent and the UI are equal partners — everything the UI can do, you can do
 
 **In production mode, you operate through registered actions exposed as tools.** These are your capabilities — use them to read data, take actions, and help the user. You cannot edit source code or access the filesystem directly. Your tools are the app's API.
 
+### Tools (Mini-Apps) — Use \`create-tool\` for tools / widgets / dashboards
+
+If the user asks you to create, build, or make a **tool**, **widget**, **dashboard**, **calculator**, **mini-app**, or any small self-contained interactive utility — call \`create-tool\` immediately with a self-contained Alpine.js HTML body. This is **NOT** a code change and does **NOT** go through \`connect-builder\`. Tools are sandboxed mini-apps stored in the database — no source files are touched, no PR is opened, no build is required. The tool appears in the Tools view and can be edited later via \`update-tool\`.
+
+When in doubt — if the request mentions "tool", "widget", "dashboard", "calculator", or asks for a small interactive utility — choose \`create-tool\`. Do **not** preface the call with planning text like "let me build the dashboard…" — just call \`create-tool\` directly. One tool call, one response.
+
 ### Code Changes Not Available — Call \`connect-builder\` Immediately
 
+If the request matches the Tools section above (tool / widget / dashboard / calculator / mini-app), use \`create-tool\` instead — do NOT route it to \`connect-builder\`.
+
 When the user asks you to change the UI, modify code, add a feature, fix a bug in the app itself, change styles, add a hook, create a component, add a route, add an integration, or anything else that requires editing source files — you MUST take exactly these steps, in order:
 
 1. Call the \`connect-builder\` tool, passing the user's full request verbatim as the \`prompt\` argument. This renders an inline card. If Builder is connected, the card hands the prompt off to Builder's cloud agent on one click and returns a branch URL; otherwise it shows a connect / waitlist flow. Either way, Builder writes the code — no local setup, no clone, no install.
@@ -1231,9 +1313,13 @@ The agent and the UI are equal partners — everything the UI can do, you can do
 
 **In production mode, you operate through registered actions exposed as tools.** These are your capabilities — use them to read data, take actions, and help the user. You cannot edit source code or access the filesystem directly. Your tools are the app's API.
 
+### Tools (Mini-Apps) — Use \`create-tool\`
+
+If the user asks for a **tool**, **widget**, **dashboard**, **calculator**, or **mini-app**, call \`create-tool\` immediately with a self-contained Alpine.js HTML body. This is NOT a code change — tools are sandboxed mini-apps stored in the database. Do not preface with "let me build…" — just call \`create-tool\`.
+
 ### Code Changes — Call \`connect-builder\`
 
-When the user asks to change the UI, modify code, add a feature, or fix a bug in the app itself — call \`connect-builder\` immediately, passing the user's request as the \`prompt\`. Do NOT write code, list files, make plans, or spawn sub-agents for code changes. Builder handles it in the cloud. Mention \`npx agent-native create <app-name>\` as an offline fallback.
+When the user asks to change the UI, modify code, add a feature, or fix a bug in the app itself — call \`connect-builder\` immediately, passing the user's request as the \`prompt\`. (Tool / widget / dashboard requests use \`create-tool\` instead — see above.) Do NOT write code, list files, make plans, or spawn sub-agents for code changes. Builder handles it in the cloud. Mention \`npx agent-native create <app-name>\` as an offline fallback.
 ${FRAMEWORK_CORE_COMPACT}`;
 const DEV_FRAMEWORK_PROMPT_COMPACT = `## Agent-Native Framework — Development Mode
 
@@ -1590,7 +1676,7 @@ export function createAgentChatPlugin(options) {
                 if (mcpConfig?.source) {
                     console.log(`[mcp-client] loaded config from ${mcpConfig.source} (${Object.keys(mcpConfig.servers).length} server(s))`);
                 }
-                else {
+                else if (process.env.DEBUG) {
                     console.log("[mcp-client] no configured MCP servers — skipping MCP tools");
                 }
             }
@@ -1668,9 +1754,8 @@ export function createAgentChatPlugin(options) {
                 ...engineScripts,
             };
             const callAgentScript = await createCallAgentScriptEntry(options?.appId);
-            let _currentRequestOrigin = "http://localhost:3000";
             const browserTools = createBuilderBrowserTool({
-                getOrigin: () => _currentRequestOrigin,
+                getOrigin: () => getRequestRunContext()?.requestOrigin ?? "http://localhost:3000",
             });
             // Auto-mount A2A protocol endpoints so every app is discoverable
             // and callable by other agents via the standard protocol.
@@ -1801,27 +1886,57 @@ export function createAgentChatPlugin(options) {
                 }
                 catch { }
             }
-            // Mutable owner — set per-request by the production handler, read by
-            // automation tools and fetch tool via closure. Declared here (before
-            // allScripts) so the tools are in scope when allScripts is built.
-            let _currentRunOwner = "local@localhost";
-            // Automation tools + fetch tool — depend on _currentRunOwner via callback
+            // Per-request owner is read from the AsyncLocalStorage run context
+            // (populated by prepareRun). Module-scope `let` would race across
+            // concurrent requests on a long-lived Node process — overlapping
+            // tool calls would observe whichever request wrote last. ALS gives
+            // each async call-chain its own view of the owner.
+            //
+            // Falls back to `getRequestUserEmail()` so callers that wrap work
+            // in `runWithRequestContext({ userEmail }, …)` without going through
+            // `prepareRun` (recurring jobs, trigger dispatcher) still see the
+            // correct owner.
+            //
+            // SECURITY: returns `null` when neither the run context nor the
+            // request user-email is populated. Consumers MUST short-circuit
+            // with an explicit error rather than fall back to a sentinel
+            // identity (e.g. DEV_MODE_USER_EMAIL). The previous fallback to
+            // `local@localhost` slipped past `guard-no-localhost-fallback`
+            // because the literal was hidden behind a symbolic alias —
+            // any agent loop that reached this code without a populated
+            // session would resolve `${keys.NAME}` against the dev-shim's
+            // `app_secrets WHERE scope_id='local@localhost'` rows. See
+            // audit 02 (HIGH: getCurrentRunOwner) and the
+            // 2026-04-29 credentials-leak incident for the prior shape.
+            const getCurrentRunOwner = () => getRequestRunContext()?.owner ?? getRequestUserEmail() ?? null;
+            const requireCurrentRunOwner = (operation) => {
+                const owner = getCurrentRunOwner();
+                if (!owner) {
+                    throw new Error(`[agent-chat] No authenticated owner in run context — ` +
+                        `refusing to ${operation}. Ensure the request goes through ` +
+                        `prepareRun() or is wrapped in runWithRequestContext({ userEmail, ... }).`);
+                }
+                return owner;
+            };
+            // Automation tools + fetch tool — depend on owner via callback.
+            // Each callback short-circuits with a clear error when the run context
+            // has no authenticated owner (see SECURITY note on getCurrentRunOwner).
             let automationTools = {};
             try {
                 const { createAutomationToolEntries } = await import("../triggers/actions.js");
-                automationTools = createAutomationToolEntries(() => _currentRunOwner);
+                automationTools = createAutomationToolEntries(() => requireCurrentRunOwner("manage automations"));
             }
             catch { }
             let notificationTools = {};
             try {
                 const { createNotificationToolEntries } = await import("../notifications/actions.js");
-                notificationTools = createNotificationToolEntries(() => _currentRunOwner);
+                notificationTools = createNotificationToolEntries(() => requireCurrentRunOwner("manage notifications"));
             }
             catch { }
             let progressTools = {};
             try {
                 const { createProgressToolEntries } = await import("../progress/actions.js");
-                progressTools = createProgressToolEntries(() => _currentRunOwner);
+                progressTools = createProgressToolEntries(() => requireCurrentRunOwner("manage progress"));
             }
             catch { }
             let fetchTool = {};
@@ -1829,10 +1944,10 @@ export function createAgentChatPlugin(options) {
                 const { createFetchToolEntry } = await import("../tools/fetch-tool.js");
                 const { resolveKeyReferences, validateUrlAllowlist, getKeyAllowlist } = await import("../secrets/substitution.js");
                 fetchTool = createFetchToolEntry({
-                    resolveKeys: async (text) => resolveKeyReferences(text, "user", _currentRunOwner),
+                    resolveKeys: async (text) => resolveKeyReferences(text, "user", requireCurrentRunOwner("resolve key references")),
                     validateUrl: async (url, usedKeys) => {
                         for (const keyName of usedKeys) {
-                            const allowlist = await getKeyAllowlist(keyName, "user", _currentRunOwner);
+                            const allowlist = await getKeyAllowlist(keyName, "user", requireCurrentRunOwner("validate URL allowlist"));
                             if (allowlist && !validateUrlAllowlist(url, allowlist)) {
                                 return false;
                             }
@@ -1842,6 +1957,12 @@ export function createAgentChatPlugin(options) {
                 });
             }
             catch { }
+            let toolActions = {};
+            try {
+                const { createToolActionEntries } = await import("../tools/actions.js");
+                toolActions = createToolActionEntries();
+            }
+            catch { }
             // In dev mode, template actions (templateScripts and discoveredActions) are
             // NOT registered as native tools — the agent invokes them via shell instead.
             // This avoids degenerate empty-object tool calls that Anthropic models
@@ -1852,12 +1973,14 @@ export function createAgentChatPlugin(options) {
                     ...resourceScripts,
                     ...docsScripts,
                     ...(lazyContext ? frameworkContextTool : {}),
+                    ...urlTools,
                     ...chatScripts,
                     ...callAgentScript,
                     ...automationTools,
                     ...notificationTools,
                     ...progressTools,
                     ...fetchTool,
+                    ...toolActions,
                     ...browserTools,
                     ...devScriptsForA2A,
                 }
@@ -1876,6 +1999,7 @@ export function createAgentChatPlugin(options) {
                     ...notificationTools,
                     ...progressTools,
                     ...fetchTool,
+                    ...toolActions,
                     ...browserTools,
                     ...devScriptsForA2A,
                 };
@@ -1893,11 +2017,80 @@ export function createAgentChatPlugin(options) {
                 streaming: true,
                 handler: async function* (message, context) {
                     // Resolve the caller's identity for user-scoped data access.
+                    // Priority: A2A-JWT verified email (set by the A2A handler in
+                    // request-context) > dev session DB (dev only) > Google OAuth
+                    // tokeninfo (prod only). Without the JWT-verified-email path,
+                    // cross-app A2A calls landed owned by `local@localhost` (dev) or
+                    // `dispatch@shared`, which made resources invisible to the actual
+                    // signed-in user.
+                    //
+                    // SECURITY: we deliberately do NOT trust `context.metadata.userEmail`
+                    // as a fallback. The A2A endpoint runs in three modes — JWT-signed
+                    // (verified email lands in request context), API-key (caller is
+                    // app-authenticated but NOT user-authenticated), and unsigned
+                    // (no auth at all). Trusting caller-supplied metadata on the latter
+                    // two paths would let any reachable caller forge `metadata.userEmail`
+                    // and impersonate an arbitrary user. The JWT path already populates
+                    // the request context, so the metadata fallback was only ever used
+                    // on the unauthenticated paths — exactly where it's unsafe.
                     const isDev = process.env.NODE_ENV !== "production";
                     let userEmail;
-                    if (isDev) {
-                        userEmail = context.metadata?.userEmail || undefined;
-                        if (!userEmail) {
+                    // 1. JWT-verified email from A2A receiver (auth boundary already
+                    //    enforced upstream). Works in dev AND prod.
+                    try {
+                        const { getRequestUserEmail } = await import("./request-context.js");
+                        userEmail = getRequestUserEmail();
+                    }
+                    catch { }
+                    // Dev-mode-only: when no JWT-verified email is present, fall back
+                    // to the most recently logged-in session. This is convenient for a
+                    // single-developer dev box but is a silent-impersonation hole if
+                    // it ever fires in production or on an exposed dev environment
+                    // (preview deploys, ngrok tunnels, etc.).
+                    //
+                    // SECURITY: gate this fallback narrowly:
+                    //   - NODE_ENV strictly === "development" (not "test", not unset).
+                    //   - AUTH_MODE === "local" (the dev-only auth shim).
+                    //   - Request host is localhost / 127.0.0.1 (best-effort: when the
+                    //     A2A handler doesn't have direct H3 event access, we rely on
+                    //     env-based shape checks).
+                    //
+                    // In production this MUST never fire — the runtime assertion
+                    // below crashes loud if NODE_ENV === "production" somehow reaches
+                    // this block.
+                    if (!userEmail && isDev) {
+                        if (process.env.NODE_ENV === "production") {
+                            throw new Error("[agent-chat] Dev-mode 'latest session' fallback reached in production — refusing.");
+                        }
+                        const strictlyDev = process.env.NODE_ENV === "development";
+                        const localAuthMode = process.env.AUTH_MODE === "local";
+                        // Request host check: rely on the request-context request origin
+                        // which prepareRun() / mountActionRoutes populate. The A2A
+                        // handler doesn't have direct H3 event access, but on a
+                        // misconfigured non-localhost dev box we still want to refuse.
+                        let isLocalHost = false;
+                        try {
+                            const origin = getRequestRunContext()?.requestOrigin;
+                            if (origin) {
+                                const url = new URL(origin);
+                                isLocalHost =
+                                    url.hostname === "localhost" ||
+                                        url.hostname === "127.0.0.1" ||
+                                        url.hostname === "::1";
+                            }
+                            else {
+                                // No origin in context — the A2A handler runs without an
+                                // explicit request origin. Treat absence as permissive only
+                                // when we're confident the process is dev-only (NODE_ENV
+                                // strictly "development" + AUTH_MODE=local). Otherwise
+                                // refuse.
+                                isLocalHost = strictlyDev && localAuthMode;
+                            }
+                        }
+                        catch {
+                            isLocalHost = false;
+                        }
+                        if (strictlyDev && localAuthMode && isLocalHost) {
                             try {
                                 const { getDbExec } = await import("../db/client.js");
                                 const db = getDbExec();
@@ -1911,7 +2104,7 @@ export function createAgentChatPlugin(options) {
                             catch { }
                         }
                     }
-                    else {
+                    if (!userEmail && !isDev) {
                         const googleToken = context.metadata?.googleToken;
                         if (googleToken) {
                             try {
@@ -1926,9 +2119,6 @@ export function createAgentChatPlugin(options) {
                             catch { }
                         }
                     }
-                    if (userEmail) {
-                        process.env.AGENT_USER_EMAIL = userEmail;
-                    }
                     const text = message.parts
                         .filter((p) => p.type === "text")
                         .map((p) => p.text)
@@ -1952,7 +2142,9 @@ export function createAgentChatPlugin(options) {
                     const devActive = isDevMode();
                     const handler = devActive && devHandler ? devHandler : prodHandler;
                     // Build the same system prompt the interactive agent uses
-                    const owner = userEmail || "local@localhost";
+                    if (!userEmail)
+                        throw new Error("no authenticated user");
+                    const owner = userEmail;
                     const resources = await loadResourcesForPrompt(owner, lazyContext);
                     const schemaBlock = lazyContext
                         ? ""
@@ -1960,8 +2152,7 @@ export function createAgentChatPlugin(options) {
                     const systemPrompt = devActive
                         ? devPrompt + resources + schemaBlock
                         : basePrompt + resources + schemaBlock;
-                    const model = options?.model ??
-                        (canToggle ? "claude-sonnet-4-6" : "claude-haiku-4-5-20251001");
+                    const model = options?.model ?? DEFAULT_MODEL;
                     // Build tools — same as interactive handler but WITHOUT call-agent
                     // to prevent infinite recursive A2A loops (agent calling itself).
                     // In dev mode, template actions are invoked via shell (not native tools),
@@ -1971,7 +2162,9 @@ export function createAgentChatPlugin(options) {
                             ...resourceScripts,
                             ...docsScripts,
                             ...(lazyContext ? frameworkContextTool : {}),
+                            ...urlTools,
                             ...chatScripts,
+                            ...toolActions,
                             ...browserTools,
                             ...devScriptsForA2A,
                         }
@@ -1984,6 +2177,7 @@ export function createAgentChatPlugin(options) {
                             ...(lazyContext ? frameworkContextTool : {}),
                             ...urlTools,
                             ...chatScripts,
+                            ...toolActions,
                             ...browserTools,
                         };
                     const a2aTools = actionsToEngineTools(a2aActions);
@@ -2078,8 +2272,7 @@ export function createAgentChatPlugin(options) {
                         engineOption: options?.engine,
                         apiKey: options?.apiKey,
                     });
-                    const model = options?.model ??
-                        (canToggle ? "claude-sonnet-4-6" : "claude-haiku-4-5-20251001");
+                    const model = options?.model ?? DEFAULT_MODEL;
                     // Same actions as A2A — without call-agent to prevent loops.
                     // In dev mode, template actions go through shell, not native tools.
                     const devActiveMcp = isDevMode();
@@ -2088,7 +2281,9 @@ export function createAgentChatPlugin(options) {
                             ...resourceScripts,
                             ...docsScripts,
                             ...(lazyContext ? frameworkContextTool : {}),
+                            ...urlTools,
                             ...chatScripts,
+                            ...toolActions,
                             ...devScriptsForA2A,
                         }
                         : {
@@ -2100,12 +2295,13 @@ export function createAgentChatPlugin(options) {
                             ...(lazyContext ? frameworkContextTool : {}),
                             ...urlTools,
                             ...chatScripts,
+                            ...toolActions,
                         };
                     const mcpTools = actionsToEngineTools(mcpActions);
-                    const resources = await loadResourcesForPrompt("local@localhost", lazyContext);
+                    const resources = await loadResourcesForPrompt(DEV_MODE_USER_EMAIL, lazyContext);
                     const schemaBlock = lazyContext
                         ? ""
-                        : await buildSchemaBlock("local@localhost", devActiveMcp);
+                        : await buildSchemaBlock(DEV_MODE_USER_EMAIL, devActiveMcp);
                     // Build the MCP handler's own prompt — always use the shell-based
                     // dev prompt in dev mode because mcpActions routes template actions
                     // through shell (`devScriptsForA2A`), regardless of `nativeActionsInDev`.
@@ -2143,13 +2339,15 @@ export function createAgentChatPlugin(options) {
             });
             // Resolve owner from the H3 event's session — matches how resources are created
             const getOwnerFromEvent = async (event) => {
-                try {
-                    const session = await getSession(event);
-                    return session?.email || "local@localhost";
-                }
-                catch {
-                    return "local@localhost";
+                const session = await getSession(event);
+                if (!session?.email) {
+                    const { createError } = await import("h3");
+                    throw createError({
+                        statusCode: 401,
+                        statusMessage: "Unauthenticated",
+                    });
                 }
+                return session.email;
             };
             // Auto-mount template actions as HTTP endpoints under /_agent-native/actions/
             // Include engine management script so the UI can call manage-agent-engine.
@@ -2241,6 +2439,15 @@ export function createAgentChatPlugin(options) {
                         else {
                             repo.messages.push(assistantMsg);
                         }
+                        // Store debug metadata so we can inspect what the LLM actually
+                        // received (system prompt, model, engine) when diagnosing issues.
+                        const runCtx = getRequestRunContext();
+                        repo._debug = {
+                            systemPrompt: runCtx?.systemPrompt,
+                            model: runCtx?.model ?? resolvedModel,
+                            engine: runCtx?.engine?.name ?? "unknown",
+                            timestamp: Date.now(),
+                        };
                         const meta = extractThreadMeta(repo);
                         await updateThreadData(threadId, JSON.stringify(repo), meta.title || thread.title, meta.preview || thread.preview, repo.messages.length);
                     }
@@ -2248,13 +2455,32 @@ export function createAgentChatPlugin(options) {
                         // Best-effort — don't break cleanup
                     }
                 });
-                // Emit agent.turn.completed for automation triggers
+                // Emit agent.turn.completed for automation triggers.
+                //
+                // SECURITY: include `owner` so the trigger dispatcher's tenant-scope
+                // check engages (see triggers/dispatcher.ts:212-218). Without an
+                // owner, every user's matching `agent.turn.completed` trigger
+                // would fire when ANY user's chat turn completes — cross-tenant
+                // fan-out (audit 12 #9). Owner comes from the thread row when
+                // available (most reliable; persisted at thread create time),
+                // falling back to the current run context's owner. If neither
+                // resolves we skip emission entirely rather than emit unowned.
                 try {
-                    const { emit } = await import("../event-bus/index.js");
-                    emit("agent.turn.completed", {
-                        threadId,
-                        model: resolvedModel,
-                    });
+                    let ownerEmail;
+                    try {
+                        const ownerThread = await getThread(threadId);
+                        ownerEmail = ownerThread?.ownerEmail;
+                    }
+                    catch {
+                        // ignore — fall through to run-context owner
+                    }
+                    if (!ownerEmail) {
+                        ownerEmail = getRequestRunContext()?.owner;
+                    }
+                    if (ownerEmail) {
+                        const { emit } = await import("../event-bus/index.js");
+                        emit("agent.turn.completed", { threadId, model: resolvedModel }, { owner: ownerEmail });
+                    }
                 }
                 catch {
                     // Event bus not available — skip
@@ -2315,20 +2541,10 @@ export function createAgentChatPlugin(options) {
             // Each run gets its own send function, keyed by threadId so concurrent
             // requests for different threads don't clobber each other.
             const _runSendByThread = new Map();
-            let _currentRunUserApiKey;
-            let _currentRunThreadId = "";
-            let _currentRunSystemPrompt = basePrompt;
-            // Populated by onEngineResolved per request so sub-agents inherit
-            // whichever provider + model the user configured (OpenRouter, Groq, …)
-            // instead of silently falling back to Anthropic + Claude.
-            let _currentRunEngine;
-            let _currentRunModel;
-            // Default to Haiku in production mode to manage costs for hosted apps
-            const resolvedModel = options?.model ??
-                (canToggle ? "claude-sonnet-4-6" : "claude-haiku-4-5-20251001");
+            const resolvedModel = options?.model ?? DEFAULT_MODEL;
             const teamTools = createTeamTools({
-                getOwner: () => _currentRunOwner,
-                getSystemPrompt: () => _currentRunSystemPrompt,
+                getOwner: () => requireCurrentRunOwner("spawn or manage sub-agents"),
+                getSystemPrompt: () => getRequestRunContext()?.systemPrompt ?? basePrompt,
                 getActions: () => isDevMode()
                     ? {
                         // Sub-agents spawned in dev mode also invoke template actions
@@ -2349,20 +2565,24 @@ export function createAgentChatPlugin(options) {
                         ...urlTools,
                         ...chatScripts,
                     },
-                getEngine: () => _currentRunEngine ??
-                    createAnthropicEngine({
-                        // Sub-agents must inherit the parent run's resolved key so a
-                        // BYO-key user can't bypass the free-tier check on the parent
-                        // run and then have agent-teams spawn delegations bill the platform key.
-                        apiKey: _currentRunUserApiKey ??
-                            options?.apiKey ??
-                            process.env.ANTHROPIC_API_KEY,
-                    }),
-                getModel: () => _currentRunModel ?? resolvedModel,
-                getParentThreadId: () => _currentRunThreadId,
+                getEngine: () => {
+                    const runCtx = getRequestRunContext();
+                    return (runCtx?.engine ??
+                        createAnthropicEngine({
+                            // Sub-agents must inherit the parent run's resolved key so a
+                            // BYO-key user can't bypass the free-tier check on the parent
+                            // run and then have agent-teams spawn delegations bill the platform key.
+                            apiKey: runCtx?.userApiKey ??
+                                options?.apiKey ??
+                                process.env.ANTHROPIC_API_KEY,
+                        }));
+                },
+                getModel: () => getRequestRunContext()?.model ?? resolvedModel,
+                getParentThreadId: () => getRequestRunContext()?.threadId ?? "",
                 getSend: () => {
                     // Return the send for the current run's thread
-                    const send = _runSendByThread.get(_currentRunThreadId);
+                    const threadId = getRequestRunContext()?.threadId ?? "";
+                    const send = _runSendByThread.get(threadId);
                     return send ?? null;
                 },
             });
@@ -2374,6 +2594,19 @@ export function createAgentChatPlugin(options) {
                 jobTools = createJobTools();
             }
             catch { }
+            // Lean mode: only template actions + essential framework tools. Drop
+            // web-request, browser tools, teams, jobs, automations, notifications,
+            // progress, call-agent, and MCP entries to keep the tool list tight and
+            // prevent the LLM from reaching for web-request instead of the
+            // template's native actions (e.g. log-meal).
+            const leanActions = {
+                ...templateScripts,
+                ...resourceScripts,
+                ...refreshScreenTool,
+                ...urlTools,
+                ...chatScripts,
+                ...toolActions,
+            };
             const prodActions = {
                 ...templateScripts,
                 ...resourceScripts,
@@ -2390,6 +2623,7 @@ export function createAgentChatPlugin(options) {
                 ...notificationTools,
                 ...progressTools,
                 ...fetchTool,
+                ...toolActions,
                 ...browserTools,
                 ...mcpActionEntries,
             };
@@ -2420,27 +2654,37 @@ export function createAgentChatPlugin(options) {
             // and tokens that minimal/voice apps don't need.
             const leanBasePrompt = (options?.systemPrompt ?? "") + prodActionsPrompt;
             // Per-request preamble shared by both prod and dev handlers. Resolves
-            // owner + user API key (stashed on the closure so downstream tools can
-            // reach them) and the template-authored `extraContext`. `extraContext`
-            // runs in every prompt variant (lean, lazy, full) — if a template
-            // defined it, they opted in; framework-provided content is what the
-            // token-saving modes strip.
+            // owner + user API key onto the AsyncLocalStorage run context so
+            // downstream tool closures (automation, fetch, team) read the
+            // current request's identity without racing against concurrent
+            // requests. `extraContext` runs in every prompt variant (lean, lazy,
+            // full) — if a template defined it, they opted in; framework-provided
+            // content is what the token-saving modes strip.
             const prepareRun = async (event) => {
-                _currentRequestOrigin = getOrigin(event);
                 const owner = await getOwnerFromEvent(event);
-                _currentRunOwner = owner;
                 const { getOwnerActiveApiKey } = await import("../agent/production-agent.js");
-                _currentRunUserApiKey = await getOwnerActiveApiKey(owner);
+                const userApiKey = await getOwnerActiveApiKey(owner);
+                const runCtx = ensureRequestRunContext();
+                if (runCtx) {
+                    runCtx.requestOrigin = getOrigin(event);
+                    runCtx.owner = owner;
+                    runCtx.userApiKey = userApiKey;
+                }
                 const extra = await resolveExtraContext(event, owner);
                 return { owner, extra };
             };
+            const setSystemPromptOnContext = (prompt) => {
+                const runCtx = ensureRequestRunContext();
+                if (runCtx)
+                    runCtx.systemPrompt = prompt;
+                return prompt;
+            };
             const prodHandler = createProductionAgentHandler({
-                actions: prodActions,
+                actions: leanPrompt ? leanActions : prodActions,
                 systemPrompt: async (event) => {
                     const { owner, extra } = await prepareRun(event);
                     if (leanPrompt) {
-                        _currentRunSystemPrompt = leanBasePrompt + extra;
-                        return _currentRunSystemPrompt;
+                        return setSystemPromptOnContext(leanBasePrompt + extra);
                     }
                     const resources = await loadResourcesForPrompt(owner, lazyContext);
                     // In lazy context mode, skip embedding the full schema — the agent
@@ -2448,21 +2692,23 @@ export function createAgentChatPlugin(options) {
                     const schemaBlock = lazyContext
                         ? ""
                         : await buildSchemaBlock(owner, false);
-                    _currentRunSystemPrompt =
-                        basePrompt + resources + schemaBlock + extra;
-                    return _currentRunSystemPrompt;
+                    return setSystemPromptOnContext(basePrompt + resources + schemaBlock + extra);
                 },
-                model: options?.model ??
-                    (isHostedProd ? "claude-haiku-4-5-20251001" : undefined),
+                model: options?.model ?? DEFAULT_MODEL,
                 apiKey: options?.apiKey,
                 skipFilesContext: leanPrompt,
                 onEngineResolved: (engine, model) => {
-                    _currentRunEngine = engine;
-                    _currentRunModel = model;
+                    const runCtx = ensureRequestRunContext();
+                    if (runCtx) {
+                        runCtx.engine = engine;
+                        runCtx.model = model;
+                    }
                 },
                 onRunStart: (send, threadId) => {
                     _runSendByThread.set(threadId, send);
-                    _currentRunThreadId = threadId;
+                    const runCtx = ensureRequestRunContext();
+                    if (runCtx)
+                        runCtx.threadId = threadId;
                 },
                 onRunComplete: async (run, threadId) => {
                     if (threadId)
@@ -2487,28 +2733,31 @@ export function createAgentChatPlugin(options) {
                 // template's actions as native tools instead of routing through shell.
                 // Templates with structured-arg actions (objects/arrays) need this to
                 // avoid round-tripping JSON through the CLI parser.
-                const devActions = devNative
-                    ? prodActions
-                    : {
-                        ...resourceScripts,
-                        ...docsScripts,
-                        ...(lazyContext ? frameworkContextTool : {}),
-                        ...chatScripts,
-                        ...callAgentScript,
-                        ...teamTools,
-                        ...jobTools,
-                        ...automationTools,
-                        ...notificationTools,
-                        ...progressTools,
-                        ...fetchTool,
-                        ...browserTools,
-                        ...mcpActionEntries,
-                        ...(await createDevScriptRegistry()),
-                    };
+                const devActions = leanPrompt
+                    ? leanActions
+                    : devNative
+                        ? prodActions
+                        : {
+                            ...resourceScripts,
+                            ...docsScripts,
+                            ...(lazyContext ? frameworkContextTool : {}),
+                            ...chatScripts,
+                            ...callAgentScript,
+                            ...teamTools,
+                            ...jobTools,
+                            ...automationTools,
+                            ...notificationTools,
+                            ...progressTools,
+                            ...fetchTool,
+                            ...toolActions,
+                            ...browserTools,
+                            ...mcpActionEntries,
+                            ...(await createDevScriptRegistry()),
+                        };
                 // Keep dev action dict in sync with runtime MCP additions. When
                 // native-actions mode is on (lean or `nativeActionsInDev`), devActions
                 // === prodActions so the prod listener already covers it.
-                if (devActions !== prodActions) {
+                if (devActions !== prodActions && devActions !== leanActions) {
                     mcpManager.onChange(() => {
                         syncMcpActionEntries(mcpManager, devActions);
                     });
@@ -2518,27 +2767,29 @@ export function createAgentChatPlugin(options) {
                     systemPrompt: async (event) => {
                         const { owner, extra } = await prepareRun(event);
                         if (leanPrompt) {
-                            _currentRunSystemPrompt = leanBasePrompt + extra;
-                            return _currentRunSystemPrompt;
+                            return setSystemPromptOnContext(leanBasePrompt + extra);
                         }
                         const resources = await loadResourcesForPrompt(owner, lazyContext);
                         const schemaBlock = lazyContext
                             ? ""
                             : await buildSchemaBlock(owner, true);
-                        _currentRunSystemPrompt =
-                            devPrompt + resources + schemaBlock + extra;
-                        return _currentRunSystemPrompt;
+                        return setSystemPromptOnContext(devPrompt + resources + schemaBlock + extra);
                     },
                     model: options?.model,
                     apiKey: options?.apiKey,
                     skipFilesContext: leanPrompt,
                     onEngineResolved: (engine, model) => {
-                        _currentRunEngine = engine;
-                        _currentRunModel = model;
+                        const runCtx = ensureRequestRunContext();
+                        if (runCtx) {
+                            runCtx.engine = engine;
+                            runCtx.model = model;
+                        }
                     },
                     onRunStart: (send, threadId) => {
                         _runSendByThread.set(threadId, send);
-                        _currentRunThreadId = threadId;
+                        const runCtx = ensureRequestRunContext();
+                        if (runCtx)
+                            runCtx.threadId = threadId;
                     },
                     onRunComplete: async (run, threadId) => {
                         if (threadId)
@@ -2586,10 +2837,11 @@ export function createAgentChatPlugin(options) {
                 return { devMode: currentDevMode, canToggle };
             }));
             // Mount save-key BEFORE the prefix handler so it isn't shadowed.
-            // Persists the user's key per-owner in the SQL settings table so it
-            // survives across serverless invocations (where mutating process.env
-            // and writing .env are both no-ops). Also updates process.env and
-            // .env when running locally for fast pickup by other handlers.
+            // Persists the user's API key in `app_secrets` (encrypted, scope=user,
+            // scopeId=email). Hard rule: never mutates process.env, never writes
+            // .env. User-pasted secrets must not become deploy-level identity —
+            // that's the cross-tenant leak class (KVesta Space, 2026-04).
+            // Consumers read these values per-request via `resolveSecret(key)`.
             getH3App(nitroApp).use(`${routePath}/save-key`, defineEventHandler(async (event) => {
                 if (getMethod(event) !== "POST") {
                     setResponseStatus(event, 405);
@@ -2603,75 +2855,35 @@ export function createAgentChatPlugin(options) {
                     return { error: "API key is required" };
                 }
                 const trimmedKey = key.trim();
-                // Persist per-owner so the key survives cold starts in serverless
-                // and so the user's key isn't shared across users on multi-tenant
-                // hosted deployments. We require a real authenticated owner here —
-                // `local@localhost` is the unauthenticated fallback and must never
-                // become the shared key bucket on hosted deployments.
                 const ownerEmail = await getOwnerFromEvent(event);
-                if (isHostedProd &&
-                    (!ownerEmail || ownerEmail === "local@localhost")) {
+                if (!ownerEmail || ownerEmail === DEV_MODE_USER_EMAIL) {
                     setResponseStatus(event, 401);
                     return { error: "Authentication required" };
                 }
-                if (ownerEmail && ownerEmail !== "local@localhost") {
-                    try {
-                        await putSetting(`user-api-key:${provider}:${ownerEmail}`, {
-                            key: trimmedKey,
-                        });
-                        // Verify the write actually landed — some managed DB drivers
-                        // swallow errors on degraded connections. Without this the
-                        // client sees "saved", reloads, and the usage-limit card
-                        // re-appears on the next message because the key isn't
-                        // really persisted.
-                        const check = await getSetting(`user-api-key:${provider}:${ownerEmail}`);
-                        if (!check ||
-                            typeof check.key !== "string" ||
-                            check.key !== trimmedKey) {
-                            throw new Error("settings write did not persist");
-                        }
-                    }
-                    catch (err) {
-                        if (isHostedProd) {
-                            console.error("[agent-chat] save-key persistence failed:", err instanceof Error ? err.message : err);
-                            setResponseStatus(event, 500);
-                            return {
-                                error: "Failed to persist API key. Please try again or contact support.",
-                            };
-                        }
-                        // Local dev falls through to the env-file path below.
-                    }
-                }
-                // In hosted/multi-tenant mode we deliberately do NOT touch
-                // process.env or .env: the per-owner SQL lookup above is the
-                // single source of truth, and overwriting the shared env key
-                // would leak one tenant's credentials into every subsequent
-                // request that hit the same warm instance without its own key.
-                if (!isHostedProd) {
-                    const providerToEnv = {
-                        anthropic: "ANTHROPIC_API_KEY",
-                        openai: "OPENAI_API_KEY",
-                        google: "GOOGLE_GENERATIVE_AI_API_KEY",
-                        groq: "GROQ_API_KEY",
-                        mistral: "MISTRAL_API_KEY",
-                        cohere: "COHERE_API_KEY",
+                const providerToEnv = {
+                    anthropic: "ANTHROPIC_API_KEY",
+                    openai: "OPENAI_API_KEY",
+                    google: "GOOGLE_GENERATIVE_AI_API_KEY",
+                    groq: "GROQ_API_KEY",
+                    mistral: "MISTRAL_API_KEY",
+                    cohere: "COHERE_API_KEY",
+                };
+                const secretKey = providerToEnv[provider] ?? `${provider.toUpperCase()}_API_KEY`;
+                try {
+                    const { writeAppSecret } = await import("../secrets/storage.js");
+                    await writeAppSecret({
+                        key: secretKey,
+                        value: trimmedKey,
+                        scope: "user",
+                        scopeId: ownerEmail,
+                    });
+                }
+                catch (err) {
+                    console.error("[agent-chat] save-key persistence failed:", err instanceof Error ? err.message : err);
+                    setResponseStatus(event, 500);
+                    return {
+                        error: "Failed to persist API key. Please try again or contact support.",
                     };
-                    const envVar = providerToEnv[provider] ?? `${provider.toUpperCase()}_API_KEY`;
-                    try {
-                        const path = await import("path");
-                        const { upsertEnvFile } = await import("./create-server.js");
-                        const envPath = path.join(process.cwd(), ".env");
-                        await upsertEnvFile(envPath, [
-                            { key: envVar, value: trimmedKey },
-                        ]);
-                    }
-                    catch {
-                        // Edge runtime — can't write .env, but can still update process.env
-                    }
-                    // Update process.env so the agent works immediately in the
-                    // current local-dev invocation; the SQL persist above covers
-                    // future invocations.
-                    process.env[envVar] = trimmedKey;
                 }
                 return { ok: true };
             }));
@@ -2709,7 +2921,7 @@ export function createAgentChatPlugin(options) {
                 // Query resources
                 try {
                     const resources = currentDevMode
-                        ? await resourceListAccessible("local@localhost")
+                        ? await resourceListAccessible(DEV_MODE_USER_EMAIL)
                         : await resourceList(SHARED_OWNER);
                     for (const r of resources) {
                         if (!seen.has(r.path)) {
@@ -2794,7 +3006,7 @@ export function createAgentChatPlugin(options) {
                 // Query resources with skills/ prefix
                 try {
                     const resourceSkills = currentDevMode
-                        ? await resourceListAccessible("local@localhost", "skills/")
+                        ? await resourceListAccessible(DEV_MODE_USER_EMAIL, "skills/")
                         : await resourceList(SHARED_OWNER, "skills/");
                     for (const r of resourceSkills) {
                         // Try to get content to parse frontmatter
@@ -2839,6 +3051,22 @@ export function createAgentChatPlugin(options) {
                     setResponseStatus(event, 405);
                     return { error: "Method not allowed" };
                 }
+                // Resolve the caller and run the entire stream inside a request
+                // context so custom mention providers can use `accessFilter` /
+                // `resolveAccess` when querying ownable tables. Without this,
+                // a provider that searches `decks` (or any sharable resource)
+                // would see every row regardless of ownership.
+                const mentionsOwner = await getOwnerFromEvent(event).catch(() => undefined);
+                let mentionsOrgId;
+                if (options?.resolveOrgId) {
+                    try {
+                        const resolved = await options.resolveOrgId(event);
+                        mentionsOrgId = resolved ?? undefined;
+                    }
+                    catch {
+                        mentionsOrgId = undefined;
+                    }
+                }
                 const query = getQuery(event);
                 const q = typeof query.q === "string" ? query.q.toLowerCase() : "";
                 const matchesQuery = (item) => !q ||
@@ -2849,148 +3077,154 @@ export function createAgentChatPlugin(options) {
                 setResponseHeader(event, "Content-Type", "application/x-ndjson");
                 setResponseHeader(event, "Cache-Control", "no-cache");
                 const stream = new ReadableStream({
-                    async start(controller) {
-                        const MAX_RESULTS = 50;
-                        let totalSent = 0;
-                        let cancelled = false;
-                        const flush = (batch) => {
-                            if (cancelled)
-                                return;
-                            const filtered = batch.filter(matchesQuery);
-                            if (filtered.length === 0)
-                                return;
-                            const remaining = MAX_RESULTS - totalSent;
-                            const toSend = filtered.slice(0, remaining);
-                            if (toSend.length > 0) {
-                                totalSent += toSend.length;
-                                try {
-                                    controller.enqueue(enc.encode(JSON.stringify({ items: toSend }) + "\n"));
-                                }
-                                catch {
-                                    // Stream was closed by client
-                                    cancelled = true;
-                                }
-                            }
-                        };
-                        // All sources run in parallel; each flushes independently.
-                        const sources = [];
-                        // 1. Resources from SQL (fast — flush first)
-                        sources.push((async () => {
+                    start(controller) {
+                        return runWithRequestContext({
+                            userEmail: mentionsOwner,
+                            orgId: mentionsOrgId,
+                        }, () => mentionsStreamWork(controller));
+                    },
+                    cancel() {
+                        // Client disconnected — stop enqueuing
+                    },
+                });
+                return stream;
+                async function mentionsStreamWork(controller) {
+                    const MAX_RESULTS = 50;
+                    let totalSent = 0;
+                    let cancelled = false;
+                    const flush = (batch) => {
+                        if (cancelled)
+                            return;
+                        const filtered = batch.filter(matchesQuery);
+                        if (filtered.length === 0)
+                            return;
+                        const remaining = MAX_RESULTS - totalSent;
+                        const toSend = filtered.slice(0, remaining);
+                        if (toSend.length > 0) {
+                            totalSent += toSend.length;
                             try {
-                                const resources = currentDevMode
-                                    ? await resourceListAccessible("local@localhost")
-                                    : await resourceList(SHARED_OWNER);
-                                flush(resources.map((r) => {
-                                    const isShared = r.owner === SHARED_OWNER;
-                                    return {
-                                        id: `resource:${r.path}`,
-                                        label: r.path.split("/").pop() || r.path,
-                                        description: r.path,
-                                        icon: "file",
-                                        source: isShared
-                                            ? "resource:shared"
-                                            : "resource:private",
-                                        refType: "file",
-                                        refPath: r.path,
-                                        section: "Files",
-                                    };
-                                }));
+                                controller.enqueue(enc.encode(JSON.stringify({ items: toSend }) + "\n"));
                             }
-                            catch { }
-                        })());
-                        // 2. Codebase files (dev mode only — can be slow on large repos)
-                        if (currentDevMode) {
-                            sources.push((async () => {
-                                const codebaseFiles = [];
-                                try {
-                                    await collectFiles(process.cwd(), "", 0, codebaseFiles);
-                                }
-                                catch { }
-                                flush(codebaseFiles.map((f) => ({
-                                    id: `codebase:${f.path}`,
-                                    label: f.name,
-                                    description: f.path !== f.name ? f.path : undefined,
-                                    icon: f.type,
-                                    source: "codebase",
+                            catch {
+                                // Stream was closed by client
+                                cancelled = true;
+                            }
+                        }
+                    };
+                    // All sources run in parallel; each flushes independently.
+                    const sources = [];
+                    // 1. Resources from SQL (fast — flush first)
+                    sources.push((async () => {
+                        try {
+                            const resources = currentDevMode
+                                ? await resourceListAccessible(DEV_MODE_USER_EMAIL)
+                                : await resourceList(SHARED_OWNER);
+                            flush(resources.map((r) => {
+                                const isShared = r.owner === SHARED_OWNER;
+                                return {
+                                    id: `resource:${r.path}`,
+                                    label: r.path.split("/").pop() || r.path,
+                                    description: r.path,
+                                    icon: "file",
+                                    source: isShared
+                                        ? "resource:shared"
+                                        : "resource:private",
                                     refType: "file",
-                                    refPath: f.path,
+                                    refPath: r.path,
                                     section: "Files",
-                                })));
-                            })());
+                                };
+                            }));
                         }
-                        // 3. Custom mention providers (each flushes independently)
-                        for (const [key, provider] of Object.entries(mentionProviders)) {
-                            sources.push((async () => {
-                                try {
-                                    const providerItems = await provider.search(q, event);
-                                    flush(providerItems.map((item) => ({
-                                        id: item.id,
-                                        label: item.label,
-                                        description: item.description,
-                                        icon: item.icon || provider.icon || "file",
-                                        source: key,
-                                        refType: item.refType,
-                                        refPath: item.refPath,
-                                        refId: item.refId,
-                                        section: provider.label,
-                                    })));
-                                }
-                                catch (e) {
-                                    console.error(`[agent-native] Mention provider "${key}" failed:`, e);
-                                }
-                            })());
-                        }
-                        // 4. Custom workspace agents
+                        catch { }
+                    })());
+                    // 2. Codebase files (dev mode only — can be slow on large repos)
+                    if (currentDevMode) {
                         sources.push((async () => {
+                            const codebaseFiles = [];
                             try {
-                                const owner = await getOwnerFromEvent(event);
-                                const { listAccessibleCustomAgents } = await import("../resources/agents.js");
-                                const agents = await listAccessibleCustomAgents(owner);
-                                flush(agents.map((agent) => ({
-                                    id: `custom-agent:${agent.id}`,
-                                    label: agent.name,
-                                    description: agent.description || agent.path,
-                                    icon: "agent",
-                                    source: "agent:custom",
-                                    refType: "custom-agent",
-                                    refPath: agent.path,
-                                    refId: agent.id,
-                                    section: "Agents",
-                                })));
-                            }
-                            catch (e) {
-                                console.error("[agent-native] Custom agent discovery failed:", e);
+                                await collectFiles(process.cwd(), "", 0, codebaseFiles);
                             }
+                            catch { }
+                            flush(codebaseFiles.map((f) => ({
+                                id: `codebase:${f.path}`,
+                                label: f.name,
+                                description: f.path !== f.name ? f.path : undefined,
+                                icon: f.type,
+                                source: "codebase",
+                                refType: "file",
+                                refPath: f.path,
+                                section: "Files",
+                            })));
                         })());
-                        // 5. Peer agent discovery (network call — often slowest)
+                    }
+                    // 3. Custom mention providers (each flushes independently)
+                    for (const [key, provider] of Object.entries(mentionProviders)) {
                         sources.push((async () => {
                             try {
-                                const agents = await discoverAgents(options?.appId);
-                                flush(agents.map((agent) => ({
-                                    id: `agent:${agent.id}`,
-                                    label: agent.name,
-                                    description: agent.description,
-                                    icon: "agent",
-                                    source: "agent",
-                                    refType: "agent",
-                                    refPath: agent.url,
-                                    refId: agent.id,
-                                    section: "Connected Agents",
+                                const providerItems = await provider.search(q, event);
+                                flush(providerItems.map((item) => ({
+                                    id: item.id,
+                                    label: item.label,
+                                    description: item.description,
+                                    icon: item.icon || provider.icon || "file",
+                                    source: key,
+                                    refType: item.refType,
+                                    refPath: item.refPath,
+                                    refId: item.refId,
+                                    section: provider.label,
                                 })));
                             }
                             catch (e) {
-                                console.error("[agent-native] Agent discovery failed:", e);
+                                console.error(`[agent-native] Mention provider "${key}" failed:`, e);
                             }
                         })());
-                        await Promise.all(sources);
-                        if (!cancelled)
-                            controller.close();
-                    },
-                    cancel() {
-                        // Client disconnected — stop enqueuing
-                    },
-                });
-                return stream;
+                    }
+                    // 4. Custom workspace agents
+                    sources.push((async () => {
+                        try {
+                            const owner = await getOwnerFromEvent(event);
+                            const { listAccessibleCustomAgents } = await import("../resources/agents.js");
+                            const agents = await listAccessibleCustomAgents(owner);
+                            flush(agents.map((agent) => ({
+                                id: `custom-agent:${agent.id}`,
+                                label: agent.name,
+                                description: agent.description || agent.path,
+                                icon: "agent",
+                                source: "agent:custom",
+                                refType: "custom-agent",
+                                refPath: agent.path,
+                                refId: agent.id,
+                                section: "Agents",
+                            })));
+                        }
+                        catch (e) {
+                            console.error("[agent-native] Custom agent discovery failed:", e);
+                        }
+                    })());
+                    // 5. Peer agent discovery (network call — often slowest)
+                    sources.push((async () => {
+                        try {
+                            const agents = await discoverAgents(options?.appId);
+                            flush(agents.map((agent) => ({
+                                id: `agent:${agent.id}`,
+                                label: agent.name,
+                                description: agent.description,
+                                icon: "agent",
+                                source: "agent",
+                                refType: "agent",
+                                refPath: agent.url,
+                                refId: agent.id,
+                                section: "Connected Agents",
+                            })));
+                        }
+                        catch (e) {
+                            console.error("[agent-native] Agent discovery failed:", e);
+                        }
+                    })());
+                    await Promise.all(sources);
+                    if (!cancelled)
+                        controller.close();
+                }
             }));
             // ─── Generate thread title ──────────────────────────────────────────
             getH3App(nitroApp).use(`${routePath}/generate-title`, defineEventHandler(async (event) => {
@@ -2999,6 +3233,19 @@ export function createAgentChatPlugin(options) {
                     return { error: "Method not allowed" };
                 }
                 const ownerEmail = await getOwnerFromEvent(event);
+                // Per-user rate limit: 10 calls / 60s. Prevents an authenticated
+                // user from spamming the endpoint to exhaust shared Anthropic
+                // credits on platform-key deployments.
+                const now = Date.now();
+                const limitWindowMs = 60_000;
+                const limitMax = 10;
+                const recent = (generateTitleRateLimit.get(ownerEmail) ?? []).filter((t) => now - t < limitWindowMs);
+                if (recent.length >= limitMax) {
+                    setResponseStatus(event, 429);
+                    return { error: "Rate limit exceeded" };
+                }
+                recent.push(now);
+                generateTitleRateLimit.set(ownerEmail, recent);
                 const body = await readBody(event);
                 const message = body?.message;
                 if (!message || typeof message !== "string") {
@@ -3091,10 +3338,15 @@ export function createAgentChatPlugin(options) {
                     // Check in-memory first, then SQL (cross-isolate on Workers)
                     const run = await getActiveRunForThreadAsync(threadId);
                     if (!run) {
-                        setResponseStatus(event, 404);
-                        return { error: "No active run for this thread" };
+                        return {
+                            active: false,
+                            threadId,
+                            status: "idle",
+                            heartbeatAt: null,
+                        };
                     }
                     return {
+                        active: true,
                         runId: run.runId,
                         threadId: run.threadId,
                         status: run.status,
@@ -3288,6 +3540,19 @@ export function createAgentChatPlugin(options) {
                         await setThreadQueuedMessages(threadId, queued);
                         return { ok: true };
                     }
+                    // POST /threads/:id/fork — duplicate a thread with all its messages
+                    if (method === "POST" &&
+                        /\/threads\/[^/?]+\/fork/.test(event.node?.req?.url || event.path || "")) {
+                        const body = await readBody(event);
+                        const forked = await forkThread(threadId, owner, {
+                            id: body?.id,
+                        });
+                        if (!forked) {
+                            setResponseStatus(event, 404);
+                            return { error: "Thread not found" };
+                        }
+                        return forked;
+                    }
                     if (method === "DELETE") {
                         const thread = await getThread(threadId);
                         if (!thread || thread.ownerEmail !== owner) {
@@ -3353,14 +3618,6 @@ export function createAgentChatPlugin(options) {
                         // Session not available
                     }
                 }
-                // Also set process.env for backwards compat (CLI scripts, legacy readers)
-                process.env.AGENT_USER_EMAIL = owner;
-                if (resolvedOrgId) {
-                    process.env.AGENT_ORG_ID = resolvedOrgId;
-                }
-                else {
-                    delete process.env.AGENT_ORG_ID;
-                }
                 // Propagate the caller's IANA timezone from `x-user-timezone` so that
                 // tool calls made by the agent (e.g. log-meal with no explicit date)
                 // resolve "today" in the user's local timezone instead of server UTC.
@@ -3370,8 +3627,6 @@ export function createAgentChatPlugin(options) {
                     tzRaw.trim().length < 64
                     ? tzRaw.trim()
                     : undefined;
-                if (timezone)
-                    process.env.AGENT_USER_TIMEZONE = timezone;
                 return runWithRequestContext({ userEmail: owner, orgId: resolvedOrgId, timezone }, () => {
                     const handler = currentDevMode && devHandler ? devHandler : prodHandler;
                     return handler(event);
@@ -3395,6 +3650,7 @@ export function createAgentChatPlugin(options) {
                         ...notificationTools,
                         ...progressTools,
                         ...fetchTool,
+                        ...toolActions,
                     }),
                     getSystemPrompt: async (owner) => {
                         const resources = await loadResourcesForPrompt(owner, lazyContext);
@@ -3435,6 +3691,7 @@ export function createAgentChatPlugin(options) {
                         ...notificationTools,
                         ...progressTools,
                         ...fetchTool,
+                        ...toolActions,
                     }),
                     getSystemPrompt: async (owner) => {
                         const resources = await loadResourcesForPrompt(owner, lazyContext);
@@ -3488,9 +3745,10 @@ export function getGlobalMcpManager() {
     return _globalMcpManager;
 }
 function mountMcpHubStatusRoute(nitroApp) {
-    if (globalThis.__agentNativeMcpHubStatusMounted)
+    const mountedApps = (globalThis.__agentNativeMcpHubStatusMountedApps ??= new WeakSet());
+    if (mountedApps.has(nitroApp))
         return;
-    globalThis.__agentNativeMcpHubStatusMounted = true;
+    mountedApps.add(nitroApp);
     try {
         getH3App(nitroApp).use("/_agent-native/mcp/hub/status", defineEventHandler(async (event) => {
             if (getMethod(event) !== "GET") {
@@ -3506,10 +3764,11 @@ function mountMcpHubStatusRoute(nitroApp) {
     }
 }
 function mountMcpStatusRoute(nitroApp, manager) {
-    // Idempotent — agent-chat-plugin can be invoked once per process; guard anyway.
-    if (globalThis.__agentNativeMcpStatusMounted)
+    // Idempotent per Nitro app; dev-all may host multiple templates in one process.
+    const mountedApps = (globalThis.__agentNativeMcpStatusMountedApps ??= new WeakSet());
+    if (mountedApps.has(nitroApp))
         return;
-    globalThis.__agentNativeMcpStatusMounted = true;
+    mountedApps.add(nitroApp);
     try {
         getH3App(nitroApp).use("/_agent-native/mcp/status", defineEventHandler(async (event) => {
             if (getMethod(event) !== "GET") {