@agent-native/core 0.7.13 → 0.7.15

package/dist/server/core-routes-plugin.js

@@ -5,10 +5,12 @@ import { createPollHandler } from "./poll.js";
 import { createSSEHandler } from "./sse.js";
 import { upsertEnvFile } from "./create-server.js";
 import { readBody } from "./h3-helpers.js";
-import { BUILDER_ENV_KEYS, BUILDER_STATE_PARAM, buildBuilderCliAuthUrl, createBuilderBrowserCallbackPage, getBuilderBrowserStatusForEvent, getBuilderCallbackEnvVars, resolveSafePreviewUrl, runBuilderAgent, signBuilderCallbackState, verifyBuilderCallbackState, } from "./builder-browser.js";
+import { BUILDER_ENV_KEYS, BUILDER_STATE_PARAM, buildBuilderCliAuthUrl, createBuilderBrowserCallbackErrorPage, createBuilderBrowserCallbackPage, getBuilderBrowserStatusForEvent, resolveSafePreviewUrl, runBuilderAgent, signBuilderCallbackState, verifyBuilderCallbackState, } from "./builder-browser.js";
 import { getState, putState, deleteState, listComposeDrafts, getComposeDraft, putComposeDraft, deleteComposeDraft, deleteAllComposeDrafts, } from "../application-state/handlers.js";
 import { getSetting, putSetting, deleteSetting } from "../settings/store.js";
-import { getSession } from "./auth.js";
+import { getUserSetting, putUserSetting, deleteUserSetting, } from "../settings/user-settings.js";
+import { getSession, isDevEnvironment, DEV_MODE_USER_EMAIL } from "./auth.js";
+import { isLocalDatabase } from "../db/client.js";
 import { getOrigin } from "./google-oauth.js";
 import { findWorkspaceRoot } from "../scripts/utils.js";
 import { listOnboardingSteps } from "../onboarding/registry.js";
@@ -21,14 +23,63 @@ import { registerBuiltinNotificationChannels } from "../notifications/channels.j
 import { createNotificationsHandler } from "../notifications/routes.js";
 import { createProgressHandler } from "../progress/routes.js";
 import { createTranscribeVoiceHandler } from "./transcribe-voice.js";
+import { runWithRequestContext } from "./request-context.js";
+import { createVoiceProvidersStatusHandler } from "./voice-providers-status.js";
 import { PROVIDER_ENV_META } from "../agent/engine/provider-env-vars.js";
-import { isAgentEngineSettingConfigured, getAgentEngineEntry, detectEngineFromEnv, isStoredEngineUsable, } from "../agent/engine/registry.js";
+import { isAgentEngineSettingConfigured, getAgentEngineEntry, detectEngineFromEnv, detectEngineFromUserSecrets, isStoredEngineUsable, } from "../agent/engine/registry.js";
 /**
  * The base path prefix for all framework-level routes.
  * All agent-native core routes live under this namespace to avoid
  * collisions with template-specific `/api/*` routes.
  */
 export const FRAMEWORK_ROUTE_PREFIX = "/_agent-native";
+/**
+ * Whether deployment-wide `process.env` writes (and rehydration from the
+ * unscoped `persisted-env-vars` settings row) are safe on this deployment.
+ *
+ * Allowed only when:
+ *   - we're running against a local SQLite-only database in a development
+ *     environment (no shared-tenant exposure), OR
+ *   - the operator has explicitly opted in via
+ *     `AGENT_NATIVE_ALLOW_ENV_VAR_WRITES=1` (single-tenant self-hosted).
+ *
+ * On any hosted multi-tenant deploy this returns false: env vars are
+ * deployment-wide globals and one tenant could otherwise overwrite Stripe /
+ * OpenAI / Sentry keys for every other tenant. Per-org credentials must use
+ * the per-user/org `app_secrets` store via `saveCredential()` instead.
+ */
+function isEnvVarWriteAllowed() {
+    if (process.env.AGENT_NATIVE_ALLOW_ENV_VAR_WRITES === "1")
+        return true;
+    return isDevEnvironment() && isLocalDatabase();
+}
+function normalizeAppBasePath(value) {
+    if (!value || value === "/")
+        return "";
+    const trimmed = value.trim();
+    if (!trimmed || trimmed === "/")
+        return "";
+    return `/${trimmed.replace(/^\/+/, "").replace(/\/+$/, "")}`;
+}
+function stripAppBasePath(pathname) {
+    const basePath = normalizeAppBasePath(process.env.VITE_APP_BASE_PATH || process.env.APP_BASE_PATH);
+    if (!basePath)
+        return pathname;
+    if (pathname === basePath)
+        return "/";
+    if (pathname.startsWith(`${basePath}/`)) {
+        return pathname.slice(basePath.length) || "/";
+    }
+    return pathname;
+}
+function redactValues(text, values) {
+    let out = text;
+    for (const value of values) {
+        if (value)
+            out = out.split(value).join("[redacted]");
+    }
+    return out;
+}
 /**
  * Creates a Nitro plugin that mounts all standard agent-native framework routes.
  *
@@ -59,14 +110,46 @@ export function createCoreRoutesPlugin(options = {}) {
         // writes don't persist across invocations — the DB is the durable
         // store. Only set keys that are currently empty so explicit env
         // vars (Netlify dashboard, process-level) always win.
+        //
+        // GATED: only rehydrate into `process.env` on local-dev SQLite (or
+        // with the explicit single-tenant opt-in). On a shared-DB hosted
+        // multi-tenant deploy the `persisted-env-vars` row is deployment-wide
+        // global state — pushing user-supplied values into `process.env` from
+        // it would let any one tenant's writes (or a stale dev seed) leak
+        // into every other tenant's process. The opt-out scrub of legacy
+        // BUILDER_* values still runs unconditionally so existing rows on
+        // multi-tenant deploys self-heal, but new env-var writes never land
+        // in `process.env` outside the allowed contexts.
         try {
             const persisted = (await getSetting("persisted-env-vars"));
             if (persisted) {
+                const builderKeys = new Set(BUILDER_ENV_KEYS);
+                const writesAllowed = isEnvVarWriteAllowed();
+                let scrubbed = 0;
                 for (const [k, v] of Object.entries(persisted)) {
-                    if (typeof v === "string" && !process.env[k]) {
+                    if (builderKeys.has(k)) {
+                        scrubbed++;
+                        continue;
+                    }
+                    if (writesAllowed && typeof v === "string" && !process.env[k]) {
                         process.env[k] = v;
                     }
                 }
+                if (scrubbed > 0) {
+                    try {
+                        const cleaned = {};
+                        for (const [k, v] of Object.entries(persisted)) {
+                            if (!builderKeys.has(k))
+                                cleaned[k] = v;
+                        }
+                        await putSetting("persisted-env-vars", cleaned);
+                        console.warn(`[core] Removed ${scrubbed} legacy BUILDER_* key(s) from persisted-env-vars (cross-tenant leak fix).`);
+                    }
+                    catch {
+                        // Couldn't rewrite the row — the skip-on-rehydrate above
+                        // is the load-bearing protection. We'll try again next boot.
+                    }
+                }
             }
         }
         catch {
@@ -107,6 +190,12 @@ export function createCoreRoutesPlugin(options = {}) {
             // Observability module not available — skip
         }
         const P = FRAMEWORK_ROUTE_PREFIX;
+        // Security response headers — emitted on every framework response.
+        // Mounted before route handlers so 4xx/5xx error pages also carry the
+        // headers. Routes that need to relax a specific header (e.g. the tools
+        // /render route allowing same-origin framing) override via setResponseHeader.
+        const { createSecurityHeadersMiddleware } = await import("./security-headers.js");
+        getH3App(nitroApp).use(createSecurityHeadersMiddleware());
         // CORS for framework routes. Desktop tray apps (Tauri/Electron) run on
         // their own dev origin (e.g. localhost:1420) and make credentialed
         // requests against the template's server at a different port. We echo
@@ -116,32 +205,81 @@ export function createCoreRoutesPlugin(options = {}) {
             .split(",")
             .map((s) => s.trim())
             .filter(Boolean);
+        const isProduction = process.env.NODE_ENV === "production";
+        const LOCALHOST_RE = /^https?:\/\/(localhost|127\.0\.0\.1|tauri\.localhost)(:\d+)?$/;
         getH3App(nitroApp).use(defineEventHandler((event) => {
-            const url = event.node?.req?.url ?? event.path ?? "/";
-            if (!url.startsWith(P) && !url.startsWith("/api/"))
+            const pathname = stripAppBasePath(event.url?.pathname ??
+                String(event.node?.req?.url ?? event.path ?? "/").split("?")[0]);
+            if (!pathname.startsWith(P) && !pathname.startsWith("/api/"))
                 return;
             const reqHeaders = (event.node?.req?.headers ?? {});
             const originRaw = reqHeaders["origin"];
             const origin = Array.isArray(originRaw) ? originRaw[0] : originRaw;
-            if (!origin)
-                return;
-            const allowed = allowlist.length === 0 ||
-                allowlist.includes(origin) ||
-                // Dev convenience: allow any localhost origin (tray windows,
-                // frame, docs) without requiring an explicit allowlist.
-                /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin);
-            if (!allowed)
-                return;
-            setResponseHeader(event, "Access-Control-Allow-Origin", origin);
-            setResponseHeader(event, "Vary", "Origin");
-            setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
-            setResponseHeader(event, "Access-Control-Allow-Methods", "GET,POST,PUT,PATCH,DELETE,OPTIONS");
-            setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With");
-            if (getMethod(event) === "OPTIONS") {
+            const method = getMethod(event);
+            // Decide whether this origin is allowed. We never fall back to the
+            // first allowlist entry — that previously echoed `Access-Control-
+            // Allow-Origin: <unrelated-allowed-origin>` for disallowed callers,
+            // which is permissive enough that some clients followed through.
+            let allowedOrigin = null;
+            if (origin) {
+                if (allowlist.length > 0) {
+                    if (allowlist.includes(origin))
+                        allowedOrigin = origin;
+                }
+                else {
+                    // No allowlist configured. In production we only allow
+                    // localhost-style origins (desktop tray dev usage); in dev we
+                    // allow any origin echo. This prevents a fresh deploy without
+                    // CORS_ALLOWED_ORIGINS from accepting credentialed requests
+                    // from any origin.
+                    if (isProduction) {
+                        if (LOCALHOST_RE.test(origin))
+                            allowedOrigin = origin;
+                    }
+                    else {
+                        if (LOCALHOST_RE.test(origin))
+                            allowedOrigin = origin;
+                    }
+                }
+            }
+            // Reject preflights from disallowed cross-origin callers BEFORE
+            // returning 204. Previously the OPTIONS short-circuit returned 204
+            // with no ACAO header, which the browser then treats as a CORS
+            // failure — but also short-circuited any further checks. Now we
+            // explicitly 403 disallowed cross-origin preflights.
+            if (method === "OPTIONS") {
+                if (origin && !allowedOrigin) {
+                    setResponseStatus(event, 403);
+                    return "";
+                }
+                if (allowedOrigin) {
+                    setResponseHeader(event, "Access-Control-Allow-Origin", allowedOrigin);
+                    setResponseHeader(event, "Vary", "Origin");
+                    setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
+                    setResponseHeader(event, "Access-Control-Allow-Methods", "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS");
+                    setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF");
+                }
                 setResponseStatus(event, 204);
                 return "";
             }
+            // Non-preflight requests: only set CORS response headers when we
+            // have an allowed origin. Same-origin / no-origin requests fall
+            // through without explicit CORS headers (browser treats them as
+            // same-origin by default).
+            if (!allowedOrigin)
+                return;
+            setResponseHeader(event, "Access-Control-Allow-Origin", allowedOrigin);
+            setResponseHeader(event, "Vary", "Origin");
+            setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
+            setResponseHeader(event, "Access-Control-Allow-Methods", "GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS");
+            setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type,Authorization,X-Requested-With,X-Request-Source,X-Agent-Native-CSRF");
         }));
+        // Defense-in-depth CSRF check for state-changing /_agent-native/* routes.
+        // Mounted AFTER the CORS layer so disallowed-origin OPTIONS preflights
+        // 403 first (rather than being rejected on a stale cookie heuristic).
+        // See `csrf.ts` for the threat model and allowlist.
+        const { createCsrfMiddleware } = await import("./csrf.js");
+        getH3App(nitroApp).use(createCsrfMiddleware(P));
         // Polling
         getH3App(nitroApp).use(`${P}/poll`, createPollHandler());
         // SSE
@@ -156,14 +294,92 @@ export function createCoreRoutesPlugin(options = {}) {
             })));
         }
         getH3App(nitroApp).use(`${P}/builder/status`, defineEventHandler(async (event) => {
-            const status = getBuilderBrowserStatusForEvent(event);
-            // Honor the SQL disconnect flag even when process.env still has
-            // BUILDER_* (dev env-runner weirdness — see plugin init above).
-            try {
-                const disconnected = await getSetting("builder-disconnected");
-                if (disconnected) {
+            const envStatus = getBuilderBrowserStatusForEvent(event);
+            // Read session once so we can establish per-user request context for
+            // credential resolution. Without this, resolveBuilderCredentials()
+            // calls getRequestUserEmail() on an empty AsyncLocalStorage store and
+            // falls through to process.env — causing the connection state to
+            // flicker between requests depending on stale env values.
+            const session = await getSession(event).catch(() => null);
+            const userEmail = session?.email;
+            return runWithRequestContext({ userEmail }, async () => {
+                // Check per-user credentials first (stored in app_secrets).
+                try {
+                    const { resolveBuilderCredentials } = await import("./credential-provider.js");
+                    const creds = await resolveBuilderCredentials();
+                    if (creds.privateKey) {
+                        return {
+                            ...envStatus,
+                            configured: true,
+                            privateKeyConfigured: true,
+                            publicKeyConfigured: !!creds.publicKey,
+                            userId: creds.userId || envStatus.userId,
+                            orgName: creds.orgName || envStatus.orgName,
+                            orgKind: creds.orgKind || envStatus.orgKind,
+                        };
+                    }
+                }
+                catch {
+                    // Secrets table not ready — fall through to env status
+                }
+                // Surface a recent OAuth callback failure so the parent's polling
+                // stops with a clear message instead of timing out at 5min. The
+                // callback handler writes a `builder-connect-error:<email>` row
+                // when `writeBuilderCredentials` throws; this read self-clears so
+                // the message only fires once.
+                try {
+                    if (userEmail) {
+                        const errKey = `builder-connect-error:${userEmail}`;
+                        const errRow = await getSetting(errKey);
+                        if (errRow && typeof errRow.message === "string") {
+                            await deleteSetting(errKey).catch(() => { });
+                            return {
+                                ...envStatus,
+                                configured: false,
+                                privateKeyConfigured: false,
+                                publicKeyConfigured: false,
+                                userId: undefined,
+                                orgName: undefined,
+                                orgKind: undefined,
+                                connectError: {
+                                    message: errRow.message,
+                                    at: typeof errRow.at === "number"
+                                        ? errRow.at
+                                        : Date.now(),
+                                },
+                            };
+                        }
+                    }
+                }
+                catch {
+                    // settings store unavailable — fall through to legacy/env status
+                }
+                // Honor legacy disconnect flag for existing deployments.
+                try {
+                    const disconnected = await getSetting("builder-disconnected");
+                    if (disconnected) {
+                        return {
+                            ...envStatus,
+                            configured: false,
+                            privateKeyConfigured: false,
+                            publicKeyConfigured: false,
+                            userId: undefined,
+                            orgName: undefined,
+                            orgKind: undefined,
+                        };
+                    }
+                }
+                catch {
+                    // DB not reachable — fall back to env-only status.
+                }
+                // For authenticated non-local users who have no per-user credentials,
+                // explicitly return not-configured rather than deploy-level env keys.
+                // This is consistent with resolveBuilderCredential()'s design which
+                // refuses the env fallback for authenticated users to prevent
+                // cross-tenant credential leakage in shared-DB deployments.
+                if (userEmail && userEmail !== DEV_MODE_USER_EMAIL) {
                     return {
-                        ...status,
+                        ...envStatus,
                         configured: false,
                         privateKeyConfigured: false,
                         publicKeyConfigured: false,
@@ -172,11 +388,8 @@ export function createCoreRoutesPlugin(options = {}) {
                         orgKind: undefined,
                     };
                 }
-            }
-            catch {
-                // DB not reachable — fall back to env-only status.
-            }
-            return status;
+                return envStatus;
+            });
         }));
         // Lightweight 302 to the Builder CLI-auth URL. Lets clients do
         // `window.open('/_agent-native/builder/connect', '_blank')` synchronously
@@ -222,14 +435,15 @@ export function createCoreRoutesPlugin(options = {}) {
             // caller isn't a named user we should spend a Builder private key
             // on. Allow it only when the environment explicitly opts into
             // local mode (dev, tests, or AUTH_MODE=local).
-            if (session.email === "local@localhost" &&
+            if (session.email === DEV_MODE_USER_EMAIL &&
                 process.env.NODE_ENV === "production" &&
                 process.env.AUTH_MODE !== "local") {
                 setResponseStatus(event, 401);
                 return { error: "A signed-in user is required to run Builder" };
             }
             const userEmail = session.email;
-            const builderUserId = process.env.BUILDER_USER_ID || undefined;
+            const { resolveBuilderCredential: resolveBuilderCred } = await import("./credential-provider.js");
+            const builderUserId = (await resolveBuilderCred("BUILDER_USER_ID")) || undefined;
             // Server-controlled projectId — don't let clients target arbitrary
             // Builder projects with our private key. When this feature graduates
             // past the hardcoded preview, the projectId will come from
@@ -280,49 +494,65 @@ export function createCoreRoutesPlugin(options = {}) {
                 setResponseStatus(event, 400);
                 return { error: "Missing Builder credentials in callback" };
             }
-            const vars = getBuilderCallbackEnvVars({
-                privateKey,
-                publicKey,
-                userId: requestUrl.searchParams.get("user-id"),
-                orgName: requestUrl.searchParams.get("org-name"),
-                orgKind: requestUrl.searchParams.get("kind"),
-            });
-            // Clear the disconnect flag first — a prior disconnect would
-            // otherwise cause the plugin init to scrub these keys right back
-            // out on the next env-runner reload.
+            const userId = requestUrl.searchParams.get("user-id");
+            const orgName = requestUrl.searchParams.get("org-name");
+            const orgKind = requestUrl.searchParams.get("kind");
+            // Store per-user in app_secrets so each user's Builder connection
+            // is independent. No more shared env vars that the last connector
+            // overwrites.
+            //
+            // Failure handling: a silent catch here (returning the success page
+            // anyway) was Midhun's bug on 2026-04-28 — popup said "yay", parent
+            // window polled `/builder/status` for 5 minutes seeing
+            // configured:false, never got a real error. Now we surface the
+            // failure two ways: (a) a settings row that the next /builder/status
+            // poll picks up, and (b) postMessage from the error page itself,
+            // wired into the popup HTML, so the parent stops polling immediately.
+            let writeError = null;
             try {
-                await deleteSetting("builder-disconnected");
+                const { writeBuilderCredentials } = await import("./credential-provider.js");
+                await writeBuilderCredentials(session.email, {
+                    privateKey,
+                    publicKey,
+                    userId,
+                    orgName,
+                    orgKind,
+                });
             }
-            catch {
-                // DB not ready — proceed; the worst case is a stale disconnect
-                // flag that gets cleared on the next reconnect attempt.
+            catch (err) {
+                writeError = err?.message ?? String(err);
+                console.error("[builder] Failed to persist per-user credentials:", writeError);
+            }
+            if (writeError) {
+                // Best-effort signal to /builder/status. If putSetting also fails
+                // (entire DB unreachable) the popup's postMessage still notifies
+                // the parent. If both fail the parent times out at 5min as today.
+                try {
+                    await putSetting(`builder-connect-error:${session.email}`, {
+                        message: writeError,
+                        at: Date.now(),
+                    });
+                }
+                catch (settingsErr) {
+                    console.error("[builder] Couldn't even record connect-error to settings:", settingsErr?.message ?? settingsErr);
+                }
+                setResponseStatus(event, 500);
+                setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
+                return createBuilderBrowserCallbackErrorPage(writeError);
             }
-            // Prefer the workspace root .env when in an enterprise workspace so
-            // Builder credentials are shared across every app automatically.
+            // Clear any legacy disconnect flag and any prior connect-error row
+            // (so a successful retry doesn't surface the previous failure).
             try {
-                const workspaceRoot = findWorkspaceRoot(process.cwd());
-                const envPath = workspaceRoot
-                    ? path.join(workspaceRoot, ".env")
-                    : path.join(process.cwd(), ".env");
-                await upsertEnvFile(envPath, vars);
+                await deleteSetting("builder-disconnected");
             }
             catch {
-                // Edge runtime — skip file write
-            }
-            for (const { key, value } of vars) {
-                process.env[key] = value;
+                // DB not ready — proceed
             }
-            // Persist to settings table so serverless cold starts can
-            // restore credentials (.env writes don't survive on Netlify).
             try {
-                const envMap = {};
-                for (const { key, value } of vars)
-                    envMap[key] = value;
-                const existing = (await getSetting("persisted-env-vars")) ?? {};
-                await putSetting("persisted-env-vars", { ...existing, ...envMap });
+                await deleteSetting(`builder-connect-error:${session.email}`);
             }
             catch {
-                // DB not ready yet — skip
+                // No prior error row — fine
             }
             const previewUrl = resolveSafePreviewUrl(requestUrl.searchParams.get("preview-url"), event);
             setResponseHeader(event, "Content-Type", "text/html; charset=utf-8");
@@ -344,63 +574,20 @@ export function createCoreRoutesPlugin(options = {}) {
                 setResponseStatus(event, 401);
                 return { error: "unauthorized" };
             }
-            // We intentionally do NOT rewrite the `.env` file on disconnect.
-            // A `.env` write triggers nitro's file watcher → env-runner
-            // restart, which tears down in-flight SSE / HMR connections and
-            // surfaces as `read ECONNRESET` in the vite overlay. The
-            // authoritative disconnect signal is the SQL `builder-disconnected`
-            // flag (checked in plugin init, the status endpoint, and the
-            // Builder engine before any gateway call). `.env` keys, if any
-            // survive, are neutered by the flag-driven scrub in plugin init.
-            // 1. Write the disconnect flag. This is load-bearing — every
-            // subsequent check (plugin init scrub, /builder/status override,
-            // BuilderEngine.stream short-circuit) reads this flag. If the
-            // write fails, we FAIL HARD: clearing process.env without
-            // persisting the flag means the next env-runner reload would
-            // silently restore BUILDER_* from whatever inherited env the
-            // worker was spawned with, and the user would see "Disconnected"
-            // in the UI that flips back to "Connected" moments later.
+            // Delete per-user Builder credentials from app_secrets.
             try {
-                await putSetting("builder-disconnected", { at: Date.now() });
+                const { deleteBuilderCredentials } = await import("./credential-provider.js");
+                await deleteBuilderCredentials(session.email);
             }
             catch (err) {
                 setResponseStatus(event, 500);
                 return {
                     ok: false,
-                    error: "Could not persist disconnect flag — your Builder connection is unchanged. Please retry.",
+                    error: "Could not remove Builder credentials — your connection is unchanged. Please retry.",
                     cause: err instanceof Error ? err.message : String(err),
                 };
             }
-            // 2. Scrub the persisted-env-vars row so serverless cold starts
-            // don't rehydrate BUILDER_* from SQL. Best-effort: the disconnect
-            // flag above already prevents Builder from being used; this is
-            // cleanup.
-            let warnPersisted;
-            try {
-                const existing = (await getSetting("persisted-env-vars")) ?? {};
-                const cleaned = {};
-                for (const [k, v] of Object.entries(existing)) {
-                    if (!BUILDER_ENV_KEYS.includes(k))
-                        cleaned[k] = v;
-                }
-                await putSetting("persisted-env-vars", cleaned);
-            }
-            catch (err) {
-                warnPersisted = err instanceof Error ? err.message : String(err);
-            }
-            // 3. Clear in-process env vars so the current worker stops routing
-            // through Builder immediately. Nitro's env-runner may re-populate
-            // these across a module reload, but by then the `builder-disconnected`
-            // flag will be enforced at the plugin-init scrub.
-            for (const key of BUILDER_ENV_KEYS) {
-                delete process.env[key];
-            }
-            return {
-                ok: true,
-                ...(warnPersisted
-                    ? { warnings: { persistedEnvVars: warnPersisted } }
-                    : {}),
-            };
+            return { ok: true };
         }));
         // Proxy to Builder's agents-run API for background code changes.
         getH3App(nitroApp).use(`${P}/builder/agents-run`, defineEventHandler(async (event) => {
@@ -408,47 +595,56 @@ export function createCoreRoutesPlugin(options = {}) {
                 setResponseStatus(event, 405);
                 return { error: "Method not allowed" };
             }
-            const privateKey = process.env.BUILDER_PRIVATE_KEY;
-            const publicKey = process.env.BUILDER_PUBLIC_KEY;
-            if (!privateKey || !publicKey) {
-                setResponseStatus(event, 400);
-                return {
-                    error: "Builder not connected. Connect Builder in Setup to use background agent.",
-                };
-            }
-            const body = (await readBody(event));
-            if (!body?.userMessage) {
-                setResponseStatus(event, 400);
-                return { error: "userMessage is required" };
+            const session = await getSession(event).catch(() => null);
+            if (!session?.email) {
+                setResponseStatus(event, 401);
+                return { error: "unauthorized" };
             }
-            const apiHost = process.env.BUILDER_API_HOST || "https://ai-services.builder.io";
-            try {
-                const res = await fetch(`${apiHost}/agents/run?apiKey=${encodeURIComponent(publicKey)}`, {
-                    method: "POST",
-                    headers: {
-                        "Content-Type": "application/json",
-                        Authorization: `Bearer ${privateKey}`,
-                    },
-                    body: JSON.stringify({
-                        userMessage: {
-                            userPrompt: body.userMessage,
+            return runWithRequestContext({ userEmail: session.email, orgId: session.orgId ?? undefined }, async () => {
+                const { resolveBuilderCredentials: resolveCreds } = await import("./credential-provider.js");
+                const creds = await resolveCreds();
+                if (!creds.privateKey || !creds.publicKey) {
+                    setResponseStatus(event, 400);
+                    return {
+                        error: "Builder not connected. Connect Builder in Setup to use background agent.",
+                    };
+                }
+                const body = (await readBody(event));
+                if (!body?.userMessage) {
+                    setResponseStatus(event, 400);
+                    return { error: "userMessage is required" };
+                }
+                const apiHost = process.env.BUILDER_API_HOST || "https://ai-services.builder.io";
+                try {
+                    const res = await fetch(`${apiHost}/agents/run?apiKey=${encodeURIComponent(creds.publicKey)}`, {
+                        method: "POST",
+                        headers: {
+                            "Content-Type": "application/json",
+                            Authorization: `Bearer ${creds.privateKey}`,
                         },
-                        branchName: body.branchName,
-                    }),
-                });
-                if (!res.ok) {
-                    const err = await res.text().catch(() => "Unknown error");
-                    setResponseStatus(event, res.status);
-                    return { error: err };
+                        body: JSON.stringify({
+                            userMessage: {
+                                userPrompt: body.userMessage,
+                            },
+                            branchName: body.branchName,
+                        }),
+                    });
+                    if (!res.ok) {
+                        const err = await res.text().catch(() => "Unknown error");
+                        setResponseStatus(event, res.status);
+                        return {
+                            error: redactValues(err, [creds.privateKey, creds.publicKey]),
+                        };
+                    }
+                    return await res.json();
                 }
-                return await res.json();
-            }
-            catch (err) {
-                setResponseStatus(event, 500);
-                return {
-                    error: err?.message || "Failed to reach Builder agents-run API",
-                };
-            }
+                catch (err) {
+                    setResponseStatus(event, 500);
+                    return {
+                        error: redactValues(err?.message || "Failed to reach Builder agents-run API", [creds.privateKey, creds.publicKey]),
+                    };
+                }
+            });
         }));
         // Env key management — framework keys are always included
         const frameworkEnvKeys = [
@@ -489,12 +685,25 @@ export function createCoreRoutesPlugin(options = {}) {
                 label: cfg.label,
                 required: cfg.required ?? false,
                 configured: !!process.env[cfg.key],
+                ...(cfg.helpText ? { helpText: cfg.helpText } : {}),
             }))));
             getH3App(nitroApp).use(`${P}/env-vars`, defineEventHandler(async (event) => {
                 if (getMethod(event) !== "POST") {
                     setResponseStatus(event, 405);
                     return { error: "Method not allowed" };
                 }
+                // Env vars are deployment-wide globals, not per-tenant. On any
+                // shared-DB multi-tenant deploy, allowing authenticated users to
+                // write here lets one tenant overwrite Stripe / OpenAI / Sentry
+                // keys for every other tenant. Disable the endpoint outside of
+                // local-dev SQLite or an explicit single-tenant opt-in, and
+                // direct callers to the per-org credential store instead.
+                if (!isEnvVarWriteAllowed()) {
+                    setResponseStatus(event, 403);
+                    return {
+                        error: "env-vars endpoint disabled on multi-tenant deployments. Use saveCredential(key, value, { userEmail, orgId, scope: 'org' }) to store per-org credentials.",
+                    };
+                }
                 const body = await readBody(event);
                 const { vars } = body;
                 if (!Array.isArray(vars) || vars.length === 0) {
@@ -579,6 +788,19 @@ export function createCoreRoutesPlugin(options = {}) {
                         };
                     }
                 }
+                // Per-user app_secrets — a user who connected Builder (or pasted
+                // their own provider key) may not have any deploy-level env vars
+                // set, so check their per-user secret store before reporting "no
+                // engine configured" and re-showing the onboarding gate.
+                const detectedFromUser = await detectEngineFromUserSecrets();
+                if (detectedFromUser) {
+                    return {
+                        configured: true,
+                        engine: detectedFromUser.name,
+                        source: "app_secrets",
+                        envVar: detectedFromUser.requiredEnvVars[0],
+                    };
+                }
                 const detected = detectEngineFromEnv();
                 if (detected) {
                     return {
@@ -638,17 +860,51 @@ export function createCoreRoutesPlugin(options = {}) {
         // ─── File upload primitive ──────────────────────────────────────
         // GET  /_agent-native/file-upload/status — report active provider
         // POST /_agent-native/file-upload        — upload a file, return { url }
-        getH3App(nitroApp).use(`${P}/file-upload/status`, defineEventHandler(() => {
+        getH3App(nitroApp).use(`${P}/file-upload/status`, defineEventHandler(async (event) => {
             const active = getActiveFileUploadProvider();
+            // resolveBuilderPrivateKey() reads per-user credentials from app_secrets
+            // (DB), which requires request context (AsyncLocalStorage) to know which
+            // user to scope by. Without runWithRequestContext() the ALS store is empty
+            // and it falls back to process.env only — missing OAuth-connected users.
+            const session = await getSession(event).catch(() => null);
+            const userEmail = session?.email;
+            let builderConfigured = !!process.env.BUILDER_PRIVATE_KEY;
+            try {
+                const { resolveBuilderPrivateKey } = await import("./credential-provider.js");
+                const resolve = () => resolveBuilderPrivateKey().then((k) => !!k);
+                builderConfigured = userEmail
+                    ? await runWithRequestContext({ userEmail }, resolve)
+                    : await resolve();
+            }
+            catch {
+                // fall back to env check above
+            }
+            // When the builder builtin is selected via env var, its sync
+            // isConfigured() doesn't reflect per-user OAuth credentials. Use the
+            // async builderConfigured check so the status accurately represents
+            // whether this specific user can actually upload (thread 7 fix).
+            const isBuilderEnvActive = active?.id === "builder";
+            const configured = isBuilderEnvActive
+                ? builderConfigured
+                : !!active || builderConfigured;
+            const activeProvider = isBuilderEnvActive
+                ? builderConfigured
+                    ? { id: "builder", name: "Builder.io" }
+                    : null
+                : active
+                    ? { id: active.id, name: active.name }
+                    : builderConfigured
+                        ? { id: "builder", name: "Builder.io" }
+                        : null;
             return {
-                configured: !!active,
-                activeProvider: active ? { id: active.id, name: active.name } : null,
+                configured,
+                activeProvider,
                 providers: listFileUploadProviders().map((p) => ({
                     id: p.id,
                     name: p.name,
                     configured: p.isConfigured(),
                 })),
-                builderConfigured: !!process.env.BUILDER_PRIVATE_KEY,
+                builderConfigured,
             };
         }));
         getH3App(nitroApp).use(`${P}/file-upload`, defineEventHandler(async (event) => {
@@ -663,12 +919,17 @@ export function createCoreRoutesPlugin(options = {}) {
                 return { error: "No file uploaded" };
             }
             const session = await getSession(event);
-            const result = await uploadFile({
+            if (!session?.email) {
+                setResponseStatus(event, 401);
+                return { error: "Unauthorized" };
+            }
+            const userEmail = session.email;
+            const result = await runWithRequestContext({ userEmail }, () => uploadFile({
                 data: filePart.data,
                 filename: filePart.filename,
                 mimeType: filePart.type,
-                ownerEmail: session?.email,
-            });
+                ownerEmail: userEmail,
+            }));
             if (result) {
                 setResponseStatus(event, 201);
                 return result;
@@ -681,6 +942,10 @@ export function createCoreRoutesPlugin(options = {}) {
         // ─── Voice transcription (Whisper) ───────────────────────────────
         // POST /_agent-native/transcribe-voice — multipart audio → text
         getH3App(nitroApp).use(`${P}/transcribe-voice`, createTranscribeVoiceHandler());
+        // ─── Voice provider status ───────────────────────────────────────
+        // GET /_agent-native/voice-providers/status — which providers are
+        // configured for the current user (powers the Settings UI pills).
+        getH3App(nitroApp).use(`${P}/voice-providers/status`, createVoiceProvidersStatusHandler());
         // ─── Ad-hoc secrets (user-created keys) ────────────────────────────
         // Must mount before the generic /secrets handler to avoid shadowing.
         const adHocSecretHandler = createAdHocSecretHandler();
@@ -720,6 +985,22 @@ export function createCoreRoutesPlugin(options = {}) {
         // POST   /_agent-native/notifications/read-all
         // DELETE /_agent-native/notifications/:id
         getH3App(nitroApp).use(`${P}/notifications`, createNotificationsHandler());
+        // ─── Tools (mini-app runtime + proxy) ───────────────────────────────
+        try {
+            const { ensureToolsTables, registerToolsShareable } = await import("../tools/store.js");
+            const { createToolsHandler } = await import("../tools/routes.js");
+            ensureToolsTables().catch(() => { });
+            registerToolsShareable();
+            getH3App(nitroApp).use(`${P}/tools`, createToolsHandler());
+            // Tool extension-point slots — sub-system of tools.
+            const { ensureSlotTables } = await import("../tools/slots/store.js");
+            const { createSlotsHandler } = await import("../tools/slots/routes.js");
+            ensureSlotTables().catch(() => { });
+            getH3App(nitroApp).use(`${P}/slots`, createSlotsHandler());
+        }
+        catch {
+            // Tools module not available — skip
+        }
         // ─── Agent run progress ───────────────────────────────────────────
         // GET    /_agent-native/runs[?active&limit]
         // GET    /_agent-native/runs/:id
@@ -733,11 +1014,25 @@ export function createCoreRoutesPlugin(options = {}) {
             const pathname = (event.url?.pathname || "")
                 .replace(/^\/+/, "")
                 .replace(/\/+$/, "");
+            // Auth check applies to every method. Without this, any anonymous
+            // caller could `POST /fire-test` to emit unowned events that fan
+            // out across every tenant's matching trigger (the dispatcher
+            // short-circuits its owner check when `eventMeta.owner` is
+            // undefined). See audit 12 / fire-test finding.
+            const session = await getSession(event).catch(() => null);
+            if (!session?.email) {
+                setResponseStatus(event, 401);
+                return { error: "Unauthenticated" };
+            }
             if (pathname === "fire-test" && method === "POST") {
                 try {
                     const { emit } = await import("../event-bus/index.js");
                     const body = (await readBody(event).catch(() => ({})));
-                    emit("test.event.fired", { data: body.data ?? {} });
+                    // Scope the test event to the current user so only their
+                    // automations fire, not those owned by other tenants.
+                    emit("test.event.fired", { data: body.data ?? {} }, {
+                        owner: session.email,
+                    });
                     return { ok: true };
                 }
                 catch (err) {
@@ -750,8 +1045,7 @@ export function createCoreRoutesPlugin(options = {}) {
                 return { error: "Method not allowed" };
             }
             try {
-                const session = await getSession(event).catch(() => null);
-                const owner = session?.email || "local@localhost";
+                const owner = session.email;
                 const { resourceListAllOwners, SHARED_OWNER } = await import("../resources/store.js");
                 const allResources = await resourceListAllOwners("jobs/");
                 const resources = allResources.filter((r) => r.owner === owner || r.owner === SHARED_OWNER);
@@ -813,6 +1107,47 @@ export function createCoreRoutesPlugin(options = {}) {
         }));
         // ─── Application State CRUD ──────────────────────────────────────
         // Auto-mounted so templates don't need boilerplate route files.
+        // ─── User-scoped settings store ────────────────────────────────────
+        // GET    /_agent-native/settings/:key   — read current user's value
+        // PUT    /_agent-native/settings/:key   — write current user's value
+        // DELETE /_agent-native/settings/:key   — clear current user's value
+        //
+        // Keys are auto-prefixed with `u:<email>:` so each user gets their
+        // own row — no leakage between sessions sharing the same DB.
+        getH3App(nitroApp).use(`${P}/settings`, defineEventHandler(async (event) => {
+            const rawKey = (event.url?.pathname || "").replace(/^\/+/, "").split("/")[0] || "";
+            const key = rawKey.replace(/[^a-zA-Z0-9_-]/g, "");
+            if (!key) {
+                setResponseStatus(event, 404);
+                return { error: "Settings key required" };
+            }
+            const session = await getSession(event);
+            if (!session?.email) {
+                setResponseStatus(event, 401);
+                return { error: "unauthorized" };
+            }
+            const method = getMethod(event);
+            const requestSource = event.node?.req?.headers?.["x-request-source"] || undefined;
+            if (method === "GET") {
+                const value = await getUserSetting(session.email, key);
+                if (!value) {
+                    setResponseStatus(event, 404);
+                    return { error: `No setting for ${key}` };
+                }
+                return value;
+            }
+            if (method === "PUT") {
+                const body = await readBody(event);
+                await putUserSetting(session.email, key, body, { requestSource });
+                return body;
+            }
+            if (method === "DELETE") {
+                await deleteUserSetting(session.email, key, { requestSource });
+                return { ok: true };
+            }
+            setResponseStatus(event, 405);
+            return { error: "Method not allowed" };
+        }));
         // ─── Avatar routes ──────────────────────────────────────────────────
         // GET /_agent-native/avatar/:email — fetch any user's avatar (public)
         // PUT /_agent-native/avatar       — update current user's avatar (auth required)