@agent-native/core 0.7.14 → 0.7.15

package/dist/server/csrf.js

@@ -0,0 +1,165 @@
+/**
+ * Defense-in-depth CSRF check for framework state-changing routes.
+ *
+ * Threat model: action endpoints (`/_agent-native/actions/*`), tool endpoints
+ * (`/_agent-native/tools/*`), and a handful of other state-changing
+ * `/_agent-native/*` routes use the better-auth session cookie, which is
+ * configured with `SameSite=None; Secure; Partitioned` so the iframe editor
+ * (and other cross-site embeds) can authenticate. `SameSite=None` means the
+ * browser ships the session cookie on top-level form POSTs from any origin —
+ * which is exactly the precondition for classic cross-site request forgery.
+ *
+ * The browser still gates "non-simple" requests behind a CORS preflight, so
+ * an attacker who has to send `Content-Type: application/json` is forced
+ * through OPTIONS, which our CORS middleware (`create-server.ts`) rejects
+ * for disallowed origins. But the simple-request bypass (`Content-Type:
+ * text/plain` on a `<form enctype="text/plain">` POST, or `multipart/form-data`)
+ * never preflights — the browser delivers it cross-origin with cookies.
+ *
+ * Mitigation: this middleware rejects any state-changing
+ * (`POST/PUT/PATCH/DELETE`) request to `/_agent-native/*` that
+ *
+ *   1. carries the auth-cookie pattern (any cookie at all is a heuristic
+ *      good-enough proxy — we don't want to deny anonymous fetches), AND
+ *   2. is NOT clearly same-origin / first-party. We trust:
+ *      - `Sec-Fetch-Site: same-origin` (sent by every modern browser on
+ *        same-origin fetch — Chrome/Firefox/Safari/Edge all support it).
+ *      - `X-Agent-Native-CSRF` custom header. Custom headers force a
+ *        preflight, so an attacker can't add one cross-origin.
+ *      - `Content-Type: application/json` request body. Same logic — JSON
+ *        Content-Type is a non-simple request that triggers preflight.
+ *
+ * Why the existing CORS check isn't enough: a simple-request POST never
+ * preflights, so the browser sends it through and only blocks the *response*
+ * from being readable cross-origin. The state change (delete-account, write
+ * SQL, etc.) happens server-side regardless. We need a server-side check that
+ * proves first-party intent before running the action.
+ *
+ * Opt-out marker: a handful of routes legitimately accept cross-origin POSTs
+ * — webhook endpoints (Slack, Telegram, email), the public A2A endpoint
+ * (`/_agent-native/a2a`), the integrations process-task self-fire, and so on.
+ * Those are listed in `CSRF_ALLOWLIST_PREFIXES` below; if you add a new
+ * cross-origin-callable route, add it there.
+ */
+import { defineEventHandler, getMethod, getRequestHeader, setResponseStatus, } from "h3";
+/**
+ * Path prefixes (relative to the framework prefix `/_agent-native`) that are
+ * allowed to receive cross-origin state-changing POSTs without first-party
+ * markers. These are signed/authenticated through other mechanisms (HMAC,
+ * JWT, internal token) so they don't need cookie-based CSRF protection.
+ */
+const CSRF_ALLOWLIST_PREFIXES = [
+    // Integration webhooks — verified by HMAC against a per-integration secret.
+    "/integrations/",
+    // A2A JSON-RPC endpoints — verified by signed JWT (when A2A_SECRET set) or
+    // explicitly opt-in unauthenticated (handled at the A2A layer).
+    "/a2a",
+    // Better Auth's own login/sign-in/social-callback routes. Better Auth
+    // ships its own CSRF protection (Origin/Sec-Fetch checks on its handlers)
+    // and cookies are needed for the OAuth callback round-trip.
+    "/auth/",
+    // Stripe / Paddle / billing webhooks dropped in by templates.
+    "/billing/webhook",
+    // Public share endpoints — read-only and never cookie-driven, but kept
+    // here so a templated POST (e.g. comment-on-public-recording) doesn't 403.
+    "/share/",
+    // OAuth callbacks (Builder, Google, Slack, Notion, Zoom). These get a
+    // `code` query param via top-level navigation — they DO ride the session
+    // cookie and they SHOULD validate state, but the framework can't see the
+    // state token. Each callback handler is responsible for its own CSRF
+    // check (signed state tokens).
+    "/oauth/",
+    // Builder's CLI-auth callback — uses the BUILDER_STATE_PARAM signed token
+    // to authenticate the round-trip; framework CSRF check would block it.
+    "/builder/callback",
+];
+const STATE_CHANGING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+/**
+ * Decide whether a request is "first-party enough" to trust as not-CSRF.
+ * Any of the following make a request non-CSRF:
+ *
+ *   - `Sec-Fetch-Site: same-origin` (or `none` for top-level navigations
+ *     to our own pages — but state-changing methods don't ship `none`).
+ *   - `X-Agent-Native-CSRF` header (any value, even "1"). This is a custom
+ *     header so the browser forces a preflight cross-origin, which our
+ *     CORS layer rejects for disallowed origins.
+ *   - `Content-Type: application/json` (case-insensitive). JSON content
+ *     type is a non-simple request that triggers preflight.
+ *
+ * We accept ANY of these — the goal is "did the request come through a
+ * channel the browser would have preflighted", not a strict-mode token.
+ */
+function looksFirstParty(event) {
+    const sfs = getRequestHeader(event, "sec-fetch-site");
+    if (sfs === "same-origin" || sfs === "same-site" || sfs === "none") {
+        return true;
+    }
+    if (getRequestHeader(event, "x-agent-native-csrf")) {
+        return true;
+    }
+    const contentType = getRequestHeader(event, "content-type");
+    if (contentType &&
+        typeof contentType === "string" &&
+        contentType.toLowerCase().includes("application/json")) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Returns true when the request carries any cookie. We use "has any cookie"
+ * as a coarse heuristic for "the browser is going to attach the session
+ * cookie" — anonymous tools (curl, server-to-server) typically don't send
+ * cookies, so they bypass this check entirely.
+ */
+function requestHasCookies(event) {
+    const cookie = getRequestHeader(event, "cookie");
+    return typeof cookie === "string" && cookie.trim().length > 0;
+}
+/**
+ * Path passed in is the full request URL pathname (e.g. `/_agent-native/actions/foo`).
+ * `frameworkPrefix` should be the framework route prefix without trailing slash,
+ * e.g. `/_agent-native`.
+ */
+function isOnAllowlist(pathname, frameworkPrefix) {
+    if (!pathname.startsWith(frameworkPrefix))
+        return false;
+    const sub = pathname.slice(frameworkPrefix.length);
+    for (const allowed of CSRF_ALLOWLIST_PREFIXES) {
+        if (sub.startsWith(allowed))
+            return true;
+    }
+    return false;
+}
+/**
+ * Create the framework CSRF middleware.
+ *
+ * Mount this BEFORE any state-changing route handler. The middleware
+ *   - lets every non-state-changing method through (GET/HEAD/OPTIONS).
+ *   - lets requests without cookies through (anonymous/server tools).
+ *   - lets allowlisted paths through (webhooks, A2A, OAuth callbacks).
+ *   - lets first-party-shaped requests through (custom header, JSON
+ *     Content-Type, or `Sec-Fetch-Site: same-origin`).
+ *   - rejects everything else with 403.
+ */
+export function createCsrfMiddleware(frameworkPrefix = "/_agent-native") {
+    return defineEventHandler((event) => {
+        const method = getMethod(event);
+        if (!STATE_CHANGING_METHODS.has(method))
+            return undefined;
+        const pathname = event.url?.pathname ?? "";
+        if (!pathname.startsWith(frameworkPrefix))
+            return undefined;
+        if (isOnAllowlist(pathname, frameworkPrefix))
+            return undefined;
+        // No cookie = no risk of confused-deputy CSRF on the session cookie.
+        if (!requestHasCookies(event))
+            return undefined;
+        if (looksFirstParty(event))
+            return undefined;
+        setResponseStatus(event, 403);
+        return {
+            error: "CSRF check failed: state-changing requests must include a same-origin marker. Set Content-Type: application/json or X-Agent-Native-CSRF: 1.",
+        };
+    });
+}
+//# sourceMappingURL=csrf.js.map

package/dist/server/csrf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.js","sourceRoot":"","sources":["../../src/server/csrf.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AAEH,OAAO,EACL,kBAAkB,EAClB,SAAS,EACT,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,IAAI,CAAC;AAEZ;;;;;GAKG;AACH,MAAM,uBAAuB,GAAG;IAC9B,4EAA4E;IAC5E,gBAAgB;IAChB,2EAA2E;IAC3E,gEAAgE;IAChE,MAAM;IACN,sEAAsE;IACtE,0EAA0E;IAC1E,4DAA4D;IAC5D,QAAQ;IACR,8DAA8D;IAC9D,kBAAkB;IAClB,uEAAuE;IACvE,2EAA2E;IAC3E,SAAS;IACT,sEAAsE;IACtE,yEAAyE;IACzE,yEAAyE;IACzE,qEAAqE;IACrE,+BAA+B;IAC/B,SAAS;IACT,0EAA0E;IAC1E,uEAAuE;IACvE,mBAAmB;CACpB,CAAC;AAEF,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AAE3E;;;;;;;;;;;;;;GAcG;AACH,SAAS,eAAe,CAAC,KAAU;IACjC,MAAM,GAAG,GAAG,gBAAgB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IACtD,IAAI,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,WAAW,IAAI,GAAG,KAAK,MAAM,EAAE,CAAC;QACnE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,CAAC,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,WAAW,GAAG,gBAAgB,CAAC,KAAK,EAAE,cAAc,CAAC,CAAC;IAC5D,IACE,WAAW;QACX,OAAO,WAAW,KAAK,QAAQ;QAC/B,WAAW,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EACtD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;GAKG;AACH,SAAS,iBAAiB,CAAC,KAAU;IACnC,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACjD,OAAO,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;AAChE,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,QAAgB,EAAE,eAAuB;IAC9D,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACnD,KAAK,MAAM,OAAO,IAAI,uBAAuB,EAAE,CAAC;QAC9C,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;IAC3C,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,oBAAoB,CAClC,kBAA0B,gBAAgB;IAE1C,OAAO,kBAAkB,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,SAAS,CAAC;QAE1D,MAAM,QAAQ,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;QAC3C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;YAAE,OAAO,SAAS,CAAC;QAC5D,IAAI,aAAa,CAAC,QAAQ,EAAE,eAAe,CAAC;YAAE,OAAO,SAAS,CAAC;QAE/D,qEAAqE;QACrE,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAEhD,IAAI,eAAe,CAAC,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAE7C,iBAAiB,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAC9B,OAAO;YACL,KAAK,EACH,6IAA6I;SAChJ,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/server/framework-request-handler.d.ts

@@ -58,5 +58,25 @@ export declare function trackPluginInit(nitroApp: any, promise: Promise<void>):
  * middleware before dispatching framework routes.
  */
 export declare function awaitPluginsReady(nitroApp: any): Promise<void>;
+/**
+ * Load a workspace-core's `/server` entry, transparently handling TS source.
+ *
+ * The scaffolded workspace-core template ships TS sources without a build
+ * step (exports point at `./src/server/index.ts`), so plain `await import()`
+ * blows up the moment Node hits a relative `.js` import inside (the standard
+ * TS ESM convention) — and even before that, Node may resolve the package
+ * relative to the framework's own location rather than the user's monorepo.
+ *
+ * We try Node's plain `import()` first (fastest path when the user has
+ * compiled to dist/) and fall through to jiti on any error. jiti is anchored
+ * to a real file inside the workspace-core's directory, so its module
+ * resolution starts in the right node_modules tree (handles pnpm hoisting
+ * and linked workspaces) AND handles TS source files + `.js` → `.ts` ESM
+ * extension remapping.
+ *
+ * Edge runtimes without `fs` won't be able to load jiti at all; the outer
+ * try/catch silently falls through to framework defaults in that case.
+ */
+export declare function loadWorkspaceCoreServer(packageName: string, packageDir: string): Promise<any>;
 export { FRAMEWORK_PREFIX };
 //# sourceMappingURL=framework-request-handler.d.ts.map

package/dist/server/framework-request-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"framework-request-handler.d.ts","sourceRoot":"","sources":["../../src/server/framework-request-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,KAAK,EAAE,YAAY,EAAW,MAAM,IAAI,CAAC;AAMhD,QAAA,MAAM,gBAAgB,mBAAmB,CAAC;AAK1C;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;IAC/C,GAAG,CAAC,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;GAQG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,GAAG,GAAG,SAAS,CA2CjD;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAOjE;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAiB3E;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAMpE;AAiQD,OAAO,EAAE,gBAAgB,EAAE,CAAC"}
+{"version":3,"file":"framework-request-handler.d.ts","sourceRoot":"","sources":["../../src/server/framework-request-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,KAAK,EAAE,YAAY,EAAW,MAAM,IAAI,CAAC;AAMhD,QAAA,MAAM,gBAAgB,mBAAmB,CAAC;AAyC1C;;;GAGG;AACH,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;IAC/C,GAAG,CAAC,OAAO,EAAE,YAAY,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;GAQG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,GAAG,GAAG,SAAS,CA2CjD;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAAC,QAAQ,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAOjE;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAiB3E;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAMpE;AAgQD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,uBAAuB,CAC3C,WAAW,EAAE,MAAM,EACnB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,GAAG,CAAC,CAyBd;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC"}

package/dist/server/framework-request-handler.js

@@ -6,6 +6,35 @@ const FRAMEWORK_PREFIX = "/_agent-native";
 const APP_SHIM_KEY = "_agentNativeH3Shim";
 const BOOTSTRAP_PROMISE_KEY = "_agentNativeBootstrapPromise";
 const PLUGIN_READY_KEY = "_agentNativePluginReadyPromise";
+function normalizeAppBasePath(value) {
+    if (!value || value === "/")
+        return "";
+    const trimmed = value.trim();
+    if (!trimmed || trimmed === "/")
+        return "";
+    return `/${trimmed.replace(/^\/+/, "").replace(/\/+$/, "")}`;
+}
+function getAppBasePath() {
+    return normalizeAppBasePath(process.env.VITE_APP_BASE_PATH || process.env.APP_BASE_PATH);
+}
+function pathMatchesPrefix(reqPath, prefix) {
+    return reqPath === prefix || reqPath.startsWith(prefix + "/");
+}
+function resolveMountMatch(reqPath, path) {
+    if (pathMatchesPrefix(reqPath, path)) {
+        return { mountPath: path, strippedPath: reqPath.slice(path.length) || "/" };
+    }
+    const appBasePath = getAppBasePath();
+    if (!appBasePath || !path.startsWith(FRAMEWORK_PREFIX))
+        return null;
+    const prefixedPath = `${appBasePath}${path}`;
+    if (!pathMatchesPrefix(reqPath, prefixedPath))
+        return null;
+    return {
+        mountPath: prefixedPath,
+        strippedPath: reqPath.slice(prefixedPath.length) || "/",
+    };
+}
 /**
  * Get (or create) the shared H3 app wrapper for a nitroApp. Plugins use this
  * to register routes via `.use(path, handler)`.
@@ -128,19 +157,58 @@ function registerMiddleware(nitroApp, path, handler) {
     }
     const middleware = async (event, next) => {
         let originalPathname;
+        let originalEventPath;
+        let hadEventPath = false;
+        const restoreOriginalPath = () => {
+            if (originalPathname !== undefined) {
+                try {
+                    event.url.pathname = originalPathname;
+                }
+                catch {
+                    // ignore
+                }
+                originalPathname = undefined;
+            }
+            if (hadEventPath) {
+                try {
+                    event.path = originalEventPath;
+                }
+                catch {
+                    // ignore
+                }
+            }
+            else {
+                try {
+                    delete event.path;
+                }
+                catch {
+                    // ignore
+                }
+            }
+        };
         if (path) {
             const reqPath = event.url?.pathname ?? "";
-            if (reqPath !== path && !reqPath.startsWith(path + "/")) {
+            const match = resolveMountMatch(reqPath, path);
+            if (!match) {
                 return next();
             }
             // Strip the mount prefix from event.url.pathname so handlers that
             // dispatch sub-routes can read `event.path` (or `event.url.pathname`)
             // and see the path RELATIVE to their mount point — matching h3 v1's
             // `app.use(path, handler)` semantics.
+            const eventAny = event;
+            hadEventPath = "path" in eventAny;
+            originalEventPath = eventAny.path;
             try {
                 originalPathname = event.url.pathname;
-                const stripped = originalPathname.slice(path.length) || "/";
-                event.url.pathname = stripped;
+                // Save the full path in context so handlers that need the original URL
+                // (e.g. Better Auth, which extracts its own basePath prefix) can
+                // reconstruct a Request with the un-stripped URL.
+                eventAny.context = eventAny.context ?? {};
+                eventAny.context._mountedPathname = originalPathname;
+                eventAny.context._mountPrefix = match.mountPath;
+                event.url.pathname = match.strippedPath;
+                eventAny.path = `${match.strippedPath}${event.url.search || ""}`;
             }
             catch {
                 // event.url is read-only on some runtimes — fall through. Handlers
@@ -154,15 +222,7 @@ function registerMiddleware(nitroApp, path, handler) {
                 // middleware sees the full URL — not the stripped mount-relative path.
                 // Matches h3 v2's own sub-app middleware pattern where the restore
                 // happens inside the next() callback, not after it returns.
-                if (originalPathname !== undefined) {
-                    try {
-                        event.url.pathname = originalPathname;
-                    }
-                    catch {
-                        // ignore
-                    }
-                    originalPathname = undefined;
-                }
+                restoreOriginalPath();
                 return next();
             }
             return result;
@@ -190,7 +250,15 @@ function registerMiddleware(nitroApp, path, handler) {
             }
             return {
                 error: e?.message || "Internal server error",
-                ...(status >= 500 && process.env.NODE_ENV !== "production" && e?.stack
+                // Only surface the stack to clients when explicitly enabled.
+                // `NODE_ENV !== "production"` was unsafe — preview deploys and
+                // any host that forgets to set NODE_ENV=production leaked stack
+                // traces (file paths, dependency versions, internal route
+                // topology) to anonymous callers. Operators who want stacks in
+                // dev set `AGENT_NATIVE_DEBUG_ERRORS=1` explicitly.
+                ...(status >= 500 &&
+                    process.env.AGENT_NATIVE_DEBUG_ERRORS === "1" &&
+                    e?.stack
                     ? { stack: e.stack }
                     : {}),
             };
@@ -198,14 +266,7 @@ function registerMiddleware(nitroApp, path, handler) {
         finally {
             // Restore the original pathname so downstream middleware sees the
             // full URL.
-            if (originalPathname !== undefined) {
-                try {
-                    event.url.pathname = originalPathname;
-                }
-                catch {
-                    // ignore
-                }
-            }
+            restoreOriginalPath();
         }
     };
     h3["~middleware"].push(middleware);
@@ -267,7 +328,19 @@ async function bootstrapDefaultPlugins(nitroApp) {
                     }
                 }
                 catch (e) {
-                    console.warn(`[agent-native] Failed to load workspace core ${ws.packageName}/server:`, e.message);
+                    const msg = e.message ?? "";
+                    // Common cause: workspace-core's package.json points "./server"
+                    // at a TS source file (the scaffold default), but Node can't
+                    // resolve relative `.js` imports inside it without a TS loader.
+                    // Tell the user to compile to dist/ rather than just dumping the
+                    // raw resolution error.
+                    const tsLoadHint = /\.js' imported from .*\.ts/.test(msg)
+                        ? " — workspace-core src is TypeScript but isn't being compiled. " +
+                            "Run `pnpm --filter " +
+                            ws.packageName +
+                            " build` and point its `./server` export at dist/server/index.js."
+                        : "";
+                    console.warn(`[agent-native] Failed to load workspace core ${ws.packageName}/server: ${msg}${tsLoadHint}`);
                 }
             }
         }
@@ -300,25 +373,28 @@ async function bootstrapDefaultPlugins(nitroApp) {
  * The scaffolded workspace-core template ships TS sources without a build
  * step (exports point at `./src/server/index.ts`), so plain `await import()`
  * blows up the moment Node hits a relative `.js` import inside (the standard
- * TS ESM convention). Try Node's plain `import()` first — fastest path when
- * the user has compiled to dist/ — then fall back to jiti, which handles TS
- * source files and re-maps the `.js` ESM extension convention back to `.ts`
- * at resolve time.
+ * TS ESM convention) — and even before that, Node may resolve the package
+ * relative to the framework's own location rather than the user's monorepo.
+ *
+ * We try Node's plain `import()` first (fastest path when the user has
+ * compiled to dist/) and fall through to jiti on any error. jiti is anchored
+ * to a real file inside the workspace-core's directory, so its module
+ * resolution starts in the right node_modules tree (handles pnpm hoisting
+ * and linked workspaces) AND handles TS source files + `.js` → `.ts` ESM
+ * extension remapping.
  *
  * Edge runtimes without `fs` won't be able to load jiti at all; the outer
  * try/catch silently falls through to framework defaults in that case.
  */
-async function loadWorkspaceCoreServer(packageName, packageDir) {
+export async function loadWorkspaceCoreServer(packageName, packageDir) {
+    let firstErr;
     try {
         return await import(/* @vite-ignore */ `${packageName}/server`);
     }
-    catch (firstErr) {
-        const msg = firstErr?.message ?? "";
-        const looksLikeTsResolution = /\.js' imported from .*\.ts/.test(msg) ||
-            /Cannot find module .*\.js' imported/.test(msg) ||
-            /Unknown file extension "\.ts"/.test(msg);
-        if (!looksLikeTsResolution)
-            throw firstErr;
+    catch (e) {
+        firstErr = e;
+    }
+    try {
         const { createJiti } = await import("jiti");
         const { pathToFileURL } = await import("node:url");
         const path = await import("node:path");
@@ -329,6 +405,11 @@ async function loadWorkspaceCoreServer(packageName, packageDir) {
         const jiti = createJiti(anchor, { interopDefault: true });
         return await jiti.import(`${packageName}/server`);
     }
+    catch (jitiErr) {
+        // jiti also failed — rethrow the original Node error since it's usually
+        // more informative about *why* the package wasn't resolvable.
+        throw firstErr ?? jitiErr;
+    }
 }
 export { FRAMEWORK_PREFIX };
 //# sourceMappingURL=framework-request-handler.js.map

package/dist/server/framework-request-handler.js.map

@@ -1 +1 @@
-{"version":3,"file":"framework-request-handler.js","sourceRoot":"","sources":["../../src/server/framework-request-handler.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAC1D,OAAO,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC;AAExE,MAAM,YAAY,GAAG,IAAI,OAAO,EAAU,CAAC;AAC3C,MAAM,YAAY,GAAG,IAAI,OAAO,EAAU,CAAC;AAC3C,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;AAC1C,MAAM,YAAY,GAAG,oBAAoB,CAAC;AAC1C,MAAM,qBAAqB,GAAG,8BAA8B,CAAC;AAC7D,MAAM,gBAAgB,GAAG,gCAAgC,CAAC;AAW1D;;;;;;;;GAQG;AACH,MAAM,UAAU,QAAQ,CAAC,QAAa;IACpC,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAEjE,8DAA8D;IAC9D,MAAM,MAAM,GAAG,QAAQ,CAAC,YAAY,CAA0B,CAAC;IAC/D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAc;QACtB,GAAG,CAAC,IAA2B,EAAE,IAAmB;YAClD,MAAM,IAAI,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAiB,CAAC;YACzE,IAAI,OAAO,OAAO,KAAK,UAAU,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;YAC9D,CAAC;YACD,kBAAkB,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;KACF,CAAC;IAEF,QAAQ,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,QAAQ,CAAC,qBAAqB,CAAC,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC,KAAK,CACvE,CAAC,GAAG,EAAE,EAAE;YACN,OAAO,CAAC,IAAI,CACV,sDAAsD,EACrD,GAAa,CAAC,OAAO,CACvB,CAAC;QACJ,CAAC,CACF,CAAC;QAEF,kEAAkE;QAClE,iEAAiE;QACjE,iEAAiE;QACjE,2CAA2C;QAC3C,kBAAkB,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;YACvE,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAClC,qDAAqD;YACrD,OAAO,SAAS,CAAC;QACnB,CAAC,CAAiB,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAa;IAChD,IAAI,CAAC,QAAQ,IAAI,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC;QAAE,OAAO;IACpD,qEAAqE;IACrE,2DAA2D;IAC3D,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACnB,MAAM,OAAO,GAAG,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IAChD,IAAI,OAAO;QAAE,MAAM,OAAO,CAAC;AAC7B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,QAAa,EAAE,OAAsB;IACnE,IAAI,CAAC,QAAQ;QAAE,OAAO;IACtB,sEAAsE;IACtE,yEAAyE;IACzE,sEAAsE;IACtE,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,OAAO,CAAC,KAAK,CACX,oCAAoC,EACnC,GAAa,CAAC,OAAO,IAAI,GAAG,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,QAAQ,CAAC,gBAAgB,CAAgC,CAAC;IAC3E,IAAI,QAAQ,EAAE,CAAC;QACb,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,QAAa;IACnD,MAAM,QAAQ,GAAG,QAAQ,CAAC,gBAAgB,CAAgC,CAAC;IAC3E,IAAI,QAAQ,EAAE,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5B,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,CAAC;IAClC,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,kBAAkB,CACzB,QAAa,EACb,IAAY,EACZ,OAAqB;IAErB,MAAM,EAAE,GAAG,QAAQ,CAAC,EAAE,CAAC;IACvB,IAAI,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CACb,sEAAsE;YACpE,iEAAiE,CACpE,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,EAAE,KAAc,EAAE,IAAe,EAAE,EAAE;QAC3D,IAAI,gBAAoC,CAAC;QACzC,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;YAC1C,IAAI,OAAO,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;gBACxD,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YACD,kEAAkE;YAClE,sEAAsE;YACtE,oEAAoE;YACpE,sCAAsC;YACtC,IAAI,CAAC;gBACH,gBAAgB,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC;gBACtC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,GAAG,CAAC;gBAC5D,KAAK,CAAC,GAAG,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,mEAAmE;gBACnE,mEAAmE;YACrE,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,oEAAoE;gBACpE,uEAAuE;gBACvE,mEAAmE;gBACnE,4DAA4D;gBAC5D,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;oBACnC,IAAI,CAAC;wBACH,KAAK,CAAC,GAAG,CAAC,QAAQ,GAAG,gBAAgB,CAAC;oBACxC,CAAC;oBAAC,MAAM,CAAC;wBACP,SAAS;oBACX,CAAC;oBACD,gBAAgB,GAAG,SAAS,CAAC;gBAC/B,CAAC;gBACD,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,oEAAoE;YACpE,kEAAkE;YAClE,oEAAoE;YACpE,mEAAmE;YACnE,0BAA0B;YAC1B,MAAM,OAAO,GAAG,gBAAgB,IAAI,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;YAC9D,MAAM,CAAC,GAAG,GAAU,CAAC;YACrB,MAAM,MAAM,GACV,OAAO,CAAC,EAAE,UAAU,KAAK,QAAQ;gBAC/B,CAAC,CAAC,CAAC,CAAC,UAAU;gBACd,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,KAAK,QAAQ;oBAC7B,CAAC,CAAC,CAAC,CAAC,MAAM;oBACV,CAAC,CAAC,GAAG,CAAC;YACZ,OAAO,CAAC,KAAK,CACX,kBAAkB,KAAK,CAAC,MAAM,IAAI,EAAE,IAAI,OAAO,YAAY,MAAM,IAAI,EACrE,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,OAAO,IAAI,CAAC,CAC5B,CAAC;YACF,IAAI,CAAC;gBACH,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBACjC,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAC/D,CAAC;YAAC,MAAM,CAAC;gBACP,uCAAuC;YACzC,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,uBAAuB;gBAC5C,GAAG,CAAC,MAAM,IAAI,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,CAAC,EAAE,KAAK;oBACpE,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE;oBACpB,CAAC,CAAC,EAAE,CAAC;aACR,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,kEAAkE;YAClE,YAAY;YACZ,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;gBACnC,IAAI,CAAC;oBACH,KAAK,CAAC,GAAG,CAAC,QAAQ,GAAG,gBAAgB,CAAC;gBACxC,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC;IAEF,EAAE,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;;;;GASG;AACH,KAAK,UAAU,uBAAuB,CAAC,QAAa;IAClD,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,MAAM,wBAAwB,CAAC,GAAG,CAAC,CAAC;QACpD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAEjC,+DAA+D;QAC/D,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QAChD,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,gCAAgC,CAAC,CAAC;QACtE,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,2BAA2B,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QACnD,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAEjE,MAAM,cAAc,GAGhB;YACF,YAAY,EAAG,YAAoB,CAAC,sBAAsB;YAC1D,IAAI,EAAG,YAAoB,CAAC,iBAAiB;YAC7C,aAAa,EAAG,YAAoB,CAAC,uBAAuB;YAC5D,YAAY,EAAG,kBAA0B,CAAC,yBAAyB;YACnE,UAAU,EAAG,gBAAwB,CAAC,uBAAuB;YAC7D,GAAG,EAAG,SAAiB,CAAC,gBAAgB;YACxC,SAAS,EAAG,YAAoB,CAAC,sBAAsB;YACvD,QAAQ,EAAG,cAAsB,CAAC,qBAAqB;SACxD,CAAC;QAEF,yEAAyE;QACzE,wEAAwE;QACxE,0EAA0E;QAC1E,qCAAqC;QACrC,IAAI,cAAc,GAGd,EAAE,CAAC;QACP,IAAI,CAAC;YACH,MAAM,EAAE,uBAAuB,EAAE,GAC/B,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;YAC9C,MAAM,EAAE,GAAG,MAAM,uBAAuB,CAAC,GAAG,CAAC,CAAC;YAC9C,IAAI,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7C,IAAI,CAAC;oBACH,MAAM,cAAc,GAAG,MAAM,uBAAuB,CAClD,EAAE,CAAC,WAAW,EACd,EAAE,CAAC,UAAU,CACd,CAAC;oBACF,KAAK,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC5D,IAAI,CAAC,UAAU;4BAAE,SAAS;wBAC1B,MAAM,IAAI,GAAI,cAAsB,CAAC,UAAU,CAAC,CAAC;wBACjD,IAAI,OAAO,IAAI,KAAK,UAAU,EAAE,CAAC;4BAC/B,cAAc,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;wBAC9B,CAAC;oBACH,CAAC;oBACD,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;wBACtB,OAAO,CAAC,GAAG,CACT,iCAAiC,EAAE,CAAC,WAAW,2BAA2B,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnH,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,OAAO,CAAC,IAAI,CACV,gDAAgD,EAAE,CAAC,WAAW,UAAU,EACvE,CAAW,CAAC,OAAO,CACrB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;YACjE,oEAAoE;QACtE,CAAC;QAED,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CACT,gCAAgC,OAAO,CAAC,MAAM,uBAAuB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC1F,CAAC;QAEJ,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,qEAAqE;YACrE,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;YAC1D,IAAI,OAAO,IAAI,KAAK,UAAU,EAAE,CAAC;gBAC/B,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvB,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,OAAO,CAAC,IAAI,CACV,sDAAsD,IAAI,GAAG,EAC5D,CAAW,CAAC,OAAO,CACrB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,KAAK,UAAU,uBAAuB,CACpC,WAAmB,EACnB,UAAkB;IAElB,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,CAAC,kBAAkB,CAAC,GAAG,WAAW,SAAS,CAAC,CAAC;IAClE,CAAC;IAAC,OAAO,QAAQ,EAAE,CAAC;QAClB,MAAM,GAAG,GAAI,QAAkB,EAAE,OAAO,IAAI,EAAE,CAAC;QAC/C,MAAM,qBAAqB,GACzB,4BAA4B,CAAC,IAAI,CAAC,GAAG,CAAC;YACtC,qCAAqC,CAAC,IAAI,CAAC,GAAG,CAAC;YAC/C,+BAA+B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,qBAAqB;YAAE,MAAM,QAAQ,CAAC;QAE3C,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACvC,sEAAsE;QACtE,wEAAwE;QACxE,mCAAmC;QACnC,MAAM,MAAM,GAAG,aAAa,CAC1B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CACtC,CAAC,QAAQ,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,OAAO,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,WAAW,SAAS,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC"}
+{"version":3,"file":"framework-request-handler.js","sourceRoot":"","sources":["../../src/server/framework-request-handler.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,IAAI,CAAC;AAC1D,OAAO,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC;AAExE,MAAM,YAAY,GAAG,IAAI,OAAO,EAAU,CAAC;AAC3C,MAAM,YAAY,GAAG,IAAI,OAAO,EAAU,CAAC;AAC3C,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;AAC1C,MAAM,YAAY,GAAG,oBAAoB,CAAC;AAC1C,MAAM,qBAAqB,GAAG,8BAA8B,CAAC;AAC7D,MAAM,gBAAgB,GAAG,gCAAgC,CAAC;AAE1D,SAAS,oBAAoB,CAAC,KAAyB;IACrD,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7B,IAAI,CAAC,OAAO,IAAI,OAAO,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IAC3C,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC;AAC/D,CAAC;AAED,SAAS,cAAc;IACrB,OAAO,oBAAoB,CACzB,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAC5D,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe,EAAE,MAAc;IACxD,OAAO,OAAO,KAAK,MAAM,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,iBAAiB,CACxB,OAAe,EACf,IAAY;IAEZ,IAAI,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;QACrC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;IAC9E,CAAC;IAED,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IACrC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC;QAAE,OAAO,IAAI,CAAC;IAEpE,MAAM,YAAY,GAAG,GAAG,WAAW,GAAG,IAAI,EAAE,CAAC;IAC7C,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3D,OAAO;QACL,SAAS,EAAE,YAAY;QACvB,YAAY,EAAE,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,GAAG;KACxD,CAAC;AACJ,CAAC;AAWD;;;;;;;;GAQG;AACH,MAAM,UAAU,QAAQ,CAAC,QAAa;IACpC,IAAI,CAAC,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IAEjE,8DAA8D;IAC9D,MAAM,MAAM,GAAG,QAAQ,CAAC,YAAY,CAA0B,CAAC;IAC/D,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,MAAM,IAAI,GAAc;QACtB,GAAG,CAAC,IAA2B,EAAE,IAAmB;YAClD,MAAM,IAAI,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,CAAC,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAiB,CAAC;YACzE,IAAI,OAAO,OAAO,KAAK,UAAU,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;YAC9D,CAAC;YACD,kBAAkB,CAAC,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;KACF,CAAC;IAEF,QAAQ,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC3B,QAAQ,CAAC,qBAAqB,CAAC,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC,KAAK,CACvE,CAAC,GAAG,EAAE,EAAE;YACN,OAAO,CAAC,IAAI,CACV,sDAAsD,EACrD,GAAa,CAAC,OAAO,CACvB,CAAC;QACJ,CAAC,CACF,CAAC;QAEF,kEAAkE;QAClE,iEAAiE;QACjE,iEAAiE;QACjE,2CAA2C;QAC3C,kBAAkB,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC,KAAK,EAAE,KAAc,EAAE,EAAE;YACvE,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAClC,qDAAqD;YACrD,OAAO,SAAS,CAAC;QACnB,CAAC,CAAiB,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,QAAa;IAChD,IAAI,CAAC,QAAQ,IAAI,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC;QAAE,OAAO;IACpD,qEAAqE;IACrE,2DAA2D;IAC3D,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACnB,MAAM,OAAO,GAAG,QAAQ,CAAC,qBAAqB,CAAC,CAAC;IAChD,IAAI,OAAO;QAAE,MAAM,OAAO,CAAC;AAC7B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,QAAa,EAAE,OAAsB;IACnE,IAAI,CAAC,QAAQ;QAAE,OAAO;IACtB,sEAAsE;IACtE,yEAAyE;IACzE,sEAAsE;IACtE,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,OAAO,CAAC,KAAK,CACX,oCAAoC,EACnC,GAAa,CAAC,OAAO,IAAI,GAAG,CAC9B,CAAC;IACJ,CAAC,CAAC,CAAC;IACH,MAAM,QAAQ,GAAG,QAAQ,CAAC,gBAAgB,CAAgC,CAAC;IAC3E,IAAI,QAAQ,EAAE,CAAC;QACb,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,QAAa;IACnD,MAAM,QAAQ,GAAG,QAAQ,CAAC,gBAAgB,CAAgC,CAAC;IAC3E,IAAI,QAAQ,EAAE,MAAM,EAAE,CAAC;QACrB,MAAM,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5B,QAAQ,CAAC,gBAAgB,CAAC,GAAG,EAAE,CAAC;IAClC,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,kBAAkB,CACzB,QAAa,EACb,IAAY,EACZ,OAAqB;IAErB,MAAM,EAAE,GAAG,QAAQ,CAAC,EAAE,CAAC;IACvB,IAAI,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CACb,sEAAsE;YACpE,iEAAiE,CACpE,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,EAAE,KAAc,EAAE,IAAe,EAAE,EAAE;QAC3D,IAAI,gBAAoC,CAAC;QACzC,IAAI,iBAAqC,CAAC;QAC1C,IAAI,YAAY,GAAG,KAAK,CAAC;QACzB,MAAM,mBAAmB,GAAG,GAAG,EAAE;YAC/B,IAAI,gBAAgB,KAAK,SAAS,EAAE,CAAC;gBACnC,IAAI,CAAC;oBACH,KAAK,CAAC,GAAG,CAAC,QAAQ,GAAG,gBAAgB,CAAC;gBACxC,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;gBACD,gBAAgB,GAAG,SAAS,CAAC;YAC/B,CAAC;YACD,IAAI,YAAY,EAAE,CAAC;gBACjB,IAAI,CAAC;oBACF,KAAa,CAAC,IAAI,GAAG,iBAAiB,CAAC;gBAC1C,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC;oBACH,OAAQ,KAAa,CAAC,IAAI,CAAC;gBAC7B,CAAC;gBAAC,MAAM,CAAC;oBACP,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC,CAAC;QACF,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,OAAO,GAAG,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;YAC1C,MAAM,KAAK,GAAG,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YACD,kEAAkE;YAClE,sEAAsE;YACtE,oEAAoE;YACpE,sCAAsC;YACtC,MAAM,QAAQ,GAAG,KAAY,CAAC;YAC9B,YAAY,GAAG,MAAM,IAAI,QAAQ,CAAC;YAClC,iBAAiB,GAAG,QAAQ,CAAC,IAAI,CAAC;YAClC,IAAI,CAAC;gBACH,gBAAgB,GAAG,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC;gBACtC,uEAAuE;gBACvE,iEAAiE;gBACjE,kDAAkD;gBAClD,QAAQ,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC;gBAC1C,QAAQ,CAAC,OAAO,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;gBACrD,QAAQ,CAAC,OAAO,CAAC,YAAY,GAAG,KAAK,CAAC,SAAS,CAAC;gBAChD,KAAK,CAAC,GAAG,CAAC,QAAQ,GAAG,KAAK,CAAC,YAAY,CAAC;gBACxC,QAAQ,CAAC,IAAI,GAAG,GAAG,KAAK,CAAC,YAAY,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YACnE,CAAC;YAAC,MAAM,CAAC;gBACP,mEAAmE;gBACnE,mEAAmE;YACrE,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,CAAC;YACpC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,oEAAoE;gBACpE,uEAAuE;gBACvE,mEAAmE;gBACnE,4DAA4D;gBAC5D,mBAAmB,EAAE,CAAC;gBACtB,OAAO,IAAI,EAAE,CAAC;YAChB,CAAC;YACD,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,oEAAoE;YACpE,kEAAkE;YAClE,oEAAoE;YACpE,mEAAmE;YACnE,0BAA0B;YAC1B,MAAM,OAAO,GAAG,gBAAgB,IAAI,KAAK,CAAC,GAAG,EAAE,QAAQ,IAAI,EAAE,CAAC;YAC9D,MAAM,CAAC,GAAG,GAAU,CAAC;YACrB,MAAM,MAAM,GACV,OAAO,CAAC,EAAE,UAAU,KAAK,QAAQ;gBAC/B,CAAC,CAAC,CAAC,CAAC,UAAU;gBACd,CAAC,CAAC,OAAO,CAAC,EAAE,MAAM,KAAK,QAAQ;oBAC7B,CAAC,CAAC,CAAC,CAAC,MAAM;oBACV,CAAC,CAAC,GAAG,CAAC;YACZ,OAAO,CAAC,KAAK,CACX,kBAAkB,KAAK,CAAC,MAAM,IAAI,EAAE,IAAI,OAAO,YAAY,MAAM,IAAI,EACrE,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,OAAO,IAAI,CAAC,CAC5B,CAAC;YACF,IAAI,CAAC;gBACH,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBACjC,iBAAiB,CAAC,KAAK,EAAE,cAAc,EAAE,kBAAkB,CAAC,CAAC;YAC/D,CAAC;YAAC,MAAM,CAAC;gBACP,uCAAuC;YACzC,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,CAAC,EAAE,OAAO,IAAI,uBAAuB;gBAC5C,6DAA6D;gBAC7D,+DAA+D;gBAC/D,gEAAgE;gBAChE,0DAA0D;gBAC1D,+DAA+D;gBAC/D,oDAAoD;gBACpD,GAAG,CAAC,MAAM,IAAI,GAAG;oBACjB,OAAO,CAAC,GAAG,CAAC,yBAAyB,KAAK,GAAG;oBAC7C,CAAC,EAAE,KAAK;oBACN,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE;oBACpB,CAAC,CAAC,EAAE,CAAC;aACR,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,kEAAkE;YAClE,YAAY;YACZ,mBAAmB,EAAE,CAAC;QACxB,CAAC;IACH,CAAC,CAAC;IAEF,EAAE,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;;;;GASG;AACH,KAAK,UAAU,uBAAuB,CAAC,QAAa;IAClD,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,OAAO,GAAG,MAAM,wBAAwB,CAAC,GAAG,CAAC,CAAC;QACpD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO;QAEjC,+DAA+D;QAC/D,MAAM,YAAY,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QAChD,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,gCAAgC,CAAC,CAAC;QACtE,MAAM,kBAAkB,GAAG,MAAM,MAAM,CAAC,2BAA2B,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QACnD,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAEjE,MAAM,cAAc,GAGhB;YACF,YAAY,EAAG,YAAoB,CAAC,sBAAsB;YAC1D,IAAI,EAAG,YAAoB,CAAC,iBAAiB;YAC7C,aAAa,EAAG,YAAoB,CAAC,uBAAuB;YAC5D,YAAY,EAAG,kBAA0B,CAAC,yBAAyB;YACnE,UAAU,EAAG,gBAAwB,CAAC,uBAAuB;YAC7D,GAAG,EAAG,SAAiB,CAAC,gBAAgB;YACxC,SAAS,EAAG,YAAoB,CAAC,sBAAsB;YACvD,QAAQ,EAAG,cAAsB,CAAC,qBAAqB;SACxD,CAAC;QAEF,yEAAyE;QACzE,wEAAwE;QACxE,0EAA0E;QAC1E,qCAAqC;QACrC,IAAI,cAAc,GAGd,EAAE,CAAC;QACP,IAAI,CAAC;YACH,MAAM,EAAE,uBAAuB,EAAE,GAC/B,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;YAC9C,MAAM,EAAE,GAAG,MAAM,uBAAuB,CAAC,GAAG,CAAC,CAAC;YAC9C,IAAI,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC7C,IAAI,CAAC;oBACH,MAAM,cAAc,GAAG,MAAM,uBAAuB,CAClD,EAAE,CAAC,WAAW,EACd,EAAE,CAAC,UAAU,CACd,CAAC;oBACF,KAAK,MAAM,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC5D,IAAI,CAAC,UAAU;4BAAE,SAAS;wBAC1B,MAAM,IAAI,GAAI,cAAsB,CAAC,UAAU,CAAC,CAAC;wBACjD,IAAI,OAAO,IAAI,KAAK,UAAU,EAAE,CAAC;4BAC/B,cAAc,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;wBAC9B,CAAC;oBACH,CAAC;oBACD,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;wBACtB,OAAO,CAAC,GAAG,CACT,iCAAiC,EAAE,CAAC,WAAW,2BAA2B,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACnH,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,MAAM,GAAG,GAAI,CAAW,CAAC,OAAO,IAAI,EAAE,CAAC;oBACvC,gEAAgE;oBAChE,6DAA6D;oBAC7D,gEAAgE;oBAChE,iEAAiE;oBACjE,wBAAwB;oBACxB,MAAM,UAAU,GAAG,4BAA4B,CAAC,IAAI,CAAC,GAAG,CAAC;wBACvD,CAAC,CAAC,gEAAgE;4BAChE,qBAAqB;4BACrB,EAAE,CAAC,WAAW;4BACd,kEAAkE;wBACpE,CAAC,CAAC,EAAE,CAAC;oBACP,OAAO,CAAC,IAAI,CACV,gDAAgD,EAAE,CAAC,WAAW,YAAY,GAAG,GAAG,UAAU,EAAE,CAC7F,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;YACjE,oEAAoE;QACtE,CAAC;QAED,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK;YACnB,OAAO,CAAC,GAAG,CACT,gCAAgC,OAAO,CAAC,MAAM,uBAAuB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC1F,CAAC;QAEJ,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;YAC3B,qEAAqE;YACrE,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;YAC1D,IAAI,OAAO,IAAI,KAAK,UAAU,EAAE,CAAC;gBAC/B,IAAI,CAAC;oBACH,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvB,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,OAAO,CAAC,IAAI,CACV,sDAAsD,IAAI,GAAG,EAC5D,CAAW,CAAC,OAAO,CACrB,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,WAAmB,EACnB,UAAkB;IAElB,IAAI,QAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,CAAC,kBAAkB,CAAC,GAAG,WAAW,SAAS,CAAC,CAAC;IAClE,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QACnD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QACvC,sEAAsE;QACtE,wEAAwE;QACxE,mCAAmC;QACnC,MAAM,MAAM,GAAG,aAAa,CAC1B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CACtC,CAAC,QAAQ,EAAE,CAAC;QACb,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;QAC1D,OAAO,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,WAAW,SAAS,CAAC,CAAC;IACpD,CAAC;IAAC,OAAO,OAAO,EAAE,CAAC;QACjB,wEAAwE;QACxE,8DAA8D;QAC9D,MAAM,QAAQ,IAAI,OAAO,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC"}

package/dist/server/google-auth-plugin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"google-auth-plugin.d.ts","sourceRoot":"","sources":["../../src/server/google-auth-plugin.ts"],"names":[],"mappings":"AAEA,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,yDAAyD;IACzD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAgGD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,CAAC,EAAE,uBAAuB,GAChC,cAAc,CAUhB"}
+{"version":3,"file":"google-auth-plugin.d.ts","sourceRoot":"","sources":["../../src/server/google-auth-plugin.ts"],"names":[],"mappings":"AAEA,KAAK,cAAc,GAAG,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;AAE9D,MAAM,WAAW,uBAAuB;IACtC,yDAAyD;IACzD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAwGD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,sBAAsB,CACpC,OAAO,CAAC,EAAE,uBAAuB,GAChC,cAAc,CAUhB"}

package/dist/server/google-auth-plugin.js

@@ -60,13 +60,21 @@ const GOOGLE_LOGIN_HTML = `<!DOCTYPE html>
   <p class="error" id="err"></p>
 </div>
 <script>
+  function __anBasePath() {
+    var marker = '/_agent-native';
+    var idx = window.location.pathname.indexOf(marker);
+    return idx > 0 ? window.location.pathname.slice(0, idx) : '';
+  }
+  function __anPath(path) {
+    return __anBasePath() + path;
+  }
   async function signIn() {
     var btn = document.getElementById('btn');
     var err = document.getElementById('err');
     btn.disabled = true;
     err.classList.remove('show');
     try {
-      var res = await fetch('/_agent-native/google/auth-url');
+      var res = await fetch(__anPath('/_agent-native/google/auth-url'));
       var data = await res.json();
       if (data.url) {
         try { sessionStorage.setItem('__an_signin', '1'); } catch(e) {}
@@ -74,7 +82,7 @@ const GOOGLE_LOGIN_HTML = `<!DOCTYPE html>
         btn.disabled = false;
         btn.textContent = 'Waiting for sign-in…';
         var poll = setInterval(function() {
-          fetch('/_agent-native/auth/session').then(function(r) { return r.json(); }).then(function(s) {
+          fetch(__anPath('/_agent-native/auth/session')).then(function(r) { return r.json(); }).then(function(s) {
             if (s && s.email) { clearInterval(poll); window.location.reload(); }
           }).catch(function() {});
         }, 1500);

package/dist/server/google-auth-plugin.js.map

@@ -1 +1 @@
-{"version":3,"file":"google-auth-plugin.js","sourceRoot":"","sources":["../../src/server/google-auth-plugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AASpD,MAAM,iBAAiB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA4FlB,CAAC;AAET;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,sBAAsB,CACpC,OAAiC;IAEjC,OAAO,gBAAgB,CAAC;QACtB,WAAW,EAAE;YACX,gCAAgC;YAChC,gCAAgC;YAChC,wBAAwB;YACxB,GAAG,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,CAAC;SAChC;QACD,SAAS,EAAE,iBAAiB;KAC7B,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"google-auth-plugin.js","sourceRoot":"","sources":["../../src/server/google-auth-plugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AASpD,MAAM,iBAAiB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAoGlB,CAAC;AAET;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,sBAAsB,CACpC,OAAiC;IAEjC,OAAO,gBAAgB,CAAC;QACtB,WAAW,EAAE;YACX,gCAAgC;YAChC,gCAAgC;YAChC,wBAAwB;YACxB,GAAG,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,CAAC;SAChC;QACD,SAAS,EAAE,iBAAiB;KAC7B,CAAC,CAAC;AACL,CAAC"}

package/dist/server/google-oauth.d.ts

@@ -11,8 +11,62 @@ import { type H3Event } from "h3";
 export declare function isElectron(event: H3Event): boolean;
 /** Detect requests from a mobile browser (iOS/Android). */
 export declare function isMobile(event: H3Event): boolean;
-/** Get the origin from forwarded headers or Host. */
+/**
+ * Get the origin from forwarded headers or Host.
+ *
+ * Defends against Host-header injection: in production we require the
+ * resolved origin to match `APP_URL` / `BETTER_AUTH_URL`, falling back to
+ * those values when the inbound headers are missing or don't match. In
+ * dev we accept the inbound `Host` so localhost / ngrok / preview hosts
+ * keep working without configuration. The protocol defaults to `https`
+ * in production (so a TLS-terminating proxy that drops `x-forwarded-proto`
+ * doesn't downgrade us to plain HTTP).
+ */
 export declare function getOrigin(event: H3Event): string;
+/** App mount prefix, if the template is served under APP_BASE_PATH. */
+export declare function getAppBasePath(): string;
+/** Build an absolute same-origin URL that preserves APP_BASE_PATH. */
+export declare function getAppUrl(event: H3Event, path?: string): string;
+/**
+ * Validate a user-supplied `redirect_uri` for OAuth flows.
+ *
+ * Defends against authorization-code interception (RFC 6819 §4.4.1.7):
+ * even though the upstream provider (Google/Atlassian/Zoom) refuses
+ * unregistered redirect URIs, prefix-style registrations and side
+ * registrations on the same host let a malicious caller swap in an
+ * attacker-controlled URI that the provider still accepts. We reject any
+ * candidate that isn't on this server's own origin AND under the
+ * framework's `/_agent-native/` namespace. Returns the validated URI on
+ * success, or `undefined` on rejection — callers must treat `undefined`
+ * as a 400.
+ *
+ * The intentional shape is exact-prefix:
+ *   - Origin must equal `getOrigin(event)` — no Host-header injection
+ *     reusing somebody else's registered redirect URI.
+ *   - Path must start with `${appBasePath}/_agent-native/` so we never
+ *     hand auth codes to a public marketing or open-redirect endpoint
+ *     on the same registered host.
+ *
+ * For desktop / native flows that need ephemeral `http://127.0.0.1:<port>`
+ * loopback URIs, callers should validate those at the template level
+ * with a dedicated allowlist — this helper rejects them by design.
+ */
+export declare function isAllowedOAuthRedirectUri(candidate: string, event: H3Event): boolean;
+/**
+ * Resolve the `redirect_uri` for an outbound OAuth `auth-url` request.
+ *
+ * Reads `?redirect_uri=` from the query and validates it via
+ * `isAllowedOAuthRedirectUri`. Returns:
+ *   - the validated URI when supplied and allowed, OR
+ *   - the framework default when no override was supplied, OR
+ *   - `null` when an override was supplied but rejected — callers must
+ *     respond with 400 in that case.
+ *
+ * Templates that need a non-default redirect path can pass it via
+ * `defaultPath` (e.g. `"/_agent-native/google/desktop-callback"` for
+ * desktop flows).
+ */
+export declare function resolveOAuthRedirectUri(event: H3Event, defaultPath?: string): string | null;
 export interface OAuthStatePayload {
     redirectUri: string;
     owner?: string;
@@ -28,11 +82,36 @@ export interface OAuthStatePayload {
     returnUrl?: string;
     flowId?: string;
 }
+/**
+ * Options for the named-argument form of {@link encodeOAuthState}.
+ * Prefer this form — the positional overload is easy to misuse (the mail
+ * and calendar templates historically passed `flowId` in the `returnUrl`
+ * slot, smuggling state into a defence-in-depth path).
+ */
+export interface EncodeOAuthStateOptions {
+    redirectUri: string;
+    owner?: string;
+    desktop?: boolean;
+    addAccount?: boolean;
+    app?: string;
+    returnUrl?: string;
+    flowId?: string;
+}
 /**
  * Encode OAuth state into a signed base64url string.
  * The state is HMAC-signed so the callback can verify it wasn't forged,
  * preventing CSRF attacks on the OAuth flow.
+ *
+ * Two call shapes are supported:
+ *   - Recommended: pass an options object — clear, mismatch-proof.
+ *     `encodeOAuthState({ redirectUri, owner, desktop, ... })`
+ *   - Legacy positional form (kept working for backward compatibility):
+ *     `encodeOAuthState(redirectUri, owner, desktop, addAccount, app, returnUrl, flowId)`.
+ *     Callers should migrate to the options form — see the audit on
+ *     templates/mail and templates/calendar where the positional shape
+ *     led to `flowId` being smuggled in via the `returnUrl` slot.
  */
+export declare function encodeOAuthState(opts: EncodeOAuthStateOptions): string;
 export declare function encodeOAuthState(redirectUri: string, owner?: string, desktop?: boolean, addAccount?: boolean, app?: string, returnUrl?: string, flowId?: string): string;
 /**
  * Decode and verify OAuth state from the callback's state query parameter.
@@ -84,6 +163,9 @@ export declare function oauthCallbackResponse(event: H3Event, email: string, opt
     returnUrl?: string;
     flowId?: string;
 }): Response | string | void | Promise<Response | string | void>;
-/** HTML error page for OAuth failures. */
+/** HTML error page for OAuth failures. The message is HTML-escaped — most
+ *  callers pass `error.message` from a token-exchange or userinfo failure,
+ *  which can echo upstream provider strings (and historically attacker-
+ *  controlled query params via the `error_description` field). */
 export declare function oauthErrorPage(message: string): Response;
 //# sourceMappingURL=google-oauth.d.ts.map

package/dist/server/google-oauth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"google-oauth.d.ts","sourceRoot":"","sources":["../../src/server/google-oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAML,KAAK,OAAO,EACb,MAAM,IAAI,CAAC;AAsBZ,6DAA6D;AAC7D,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAElD;AAED,2DAA2D;AAC3D,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAEhD;AAED,qDAAqD;AACrD,wBAAgB,SAAS,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAIhD;AAID,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAsBD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,KAAK,CAAC,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,OAAO,EACjB,UAAU,CAAC,EAAE,OAAO,EACpB,GAAG,CAAC,EAAE,MAAM,EACZ,SAAS,CAAC,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,MAAM,GACd,MAAM,CAkBR;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,WAAW,EAAE,MAAM,GAClB,iBAAiB,CAoCnB;AAID,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,oBAAoB,EAAE,OAAO,CAAC;CAC/B;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,OAAO,EACd,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,gBAAgB,CAAC,CAY3B;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;CAClC;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,MAAM,EACb,IAAI,EAAE;IACJ,oBAAoB,EAAE,OAAO,CAAC;IAC9B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,kBAAkB,CAAC,CAiC7B;AAID;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,MAAM,EACb,IAAI,EAAE;IACJ,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,QAAQ,GAAG,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,IAAI,CAAC,CAuD9D;AAED,0CAA0C;AAC1C,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,CAUxD"}
+{"version":3,"file":"google-oauth.d.ts","sourceRoot":"","sources":["../../src/server/google-oauth.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAOL,KAAK,OAAO,EACb,MAAM,IAAI,CAAC;AAoCZ,6DAA6D;AAC7D,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAElD;AAED,2DAA2D;AAC3D,wBAAgB,QAAQ,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAEhD;AAsBD;;;;;;;;;;GAUG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAsBhD;AASD,uEAAuE;AACvE,wBAAgB,cAAc,IAAI,MAAM,CAIvC;AAED,sEAAsE;AACtE,wBAAgB,SAAS,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,SAAM,GAAG,MAAM,CAG5D;AAID;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,yBAAyB,CACvC,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,OAAO,GACb,OAAO,CAuBT;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,OAAO,EACd,WAAW,SAAmC,GAC7C,MAAM,GAAG,IAAI,CAMf;AAID,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;OAMG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AA6CD;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,uBAAuB,GAAG,MAAM,CAAC;AACxE,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,KAAK,CAAC,EAAE,MAAM,EACd,OAAO,CAAC,EAAE,OAAO,EACjB,UAAU,CAAC,EAAE,OAAO,EACpB,GAAG,CAAC,EAAE,MAAM,EACZ,SAAS,CAAC,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,MAAM,GACd,MAAM,CAAC;AA0CV;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,WAAW,EAAE,MAAM,GAClB,iBAAiB,CAoCnB;AAID,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,oBAAoB,EAAE,OAAO,CAAC;CAC/B;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,OAAO,EACd,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,gBAAgB,CAAC,CAY3B;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,GAAG,SAAS,CAAC;CAClC;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,MAAM,EACb,IAAI,EAAE;IACJ,oBAAoB,EAAE,OAAO,CAAC;IAC9B,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GACA,OAAO,CAAC,kBAAkB,CAAC,CAiC7B;AAID;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,MAAM,EACb,IAAI,EAAE;IACJ,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GACA,QAAQ,GAAG,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,QAAQ,GAAG,MAAM,GAAG,IAAI,CAAC,CAmE9D;AAED;;;kEAGkE;AAClE,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,CAWxD"}