@agent-native/core 0.7.14 → 0.7.16

package/dist/server/agent-chat-plugin.js

@@ -1,20 +1,22 @@
-import { runWithRequestContext, getRequestOrgId } from "./request-context.js";
+import { runWithRequestContext, getRequestOrgId, getRequestUserEmail, getRequestRunContext, ensureRequestRunContext, } from "./request-context.js";
 import { getSetting, putSetting } from "../settings/store.js";
 import { getH3App, trackPluginInit } from "./framework-request-handler.js";
 import { createProductionAgentHandler, runAgentLoop, actionsToEngineTools, getActiveRunForThreadAsync, abortRun, subscribeToRun, } from "../agent/production-agent.js";
 import { resolveEngine, createAnthropicEngine } from "../agent/engine/index.js";
+import { DEFAULT_MODEL } from "../agent/default-model.js";
 import { McpClientManager, loadMcpConfig, autoDetectMcpConfig, mcpToolsToActionEntries, syncMcpActionEntries, mountMcpServersRoutes, mountMcpHubRoutes, buildMergedConfig, getHubStatus, isHubServeEnabled, } from "../mcp-client/index.js";
 import { discoverAgents } from "./agent-discovery.js";
 import { loadSchemaPromptBlock } from "./schema-prompt.js";
 import { buildAssistantMessage, extractThreadMeta, } from "../agent/thread-data-builder.js";
 import { defineEventHandler, setResponseStatus, setResponseHeader, getMethod, getQuery, getHeader, } from "h3";
-import { getSession } from "./auth.js";
+import { getSession, DEV_MODE_USER_EMAIL } from "./auth.js";
 import { getOrigin } from "./google-oauth.js";
 import { createThread, forkThread, getThread, listThreads, searchThreads, updateThreadData, withThreadDataLock, deleteThread, setThreadQueuedMessages, } from "../chat-threads/store.js";
 import { resourceListAccessible, resourceList, resourceGet, resourceGetByPath, ensurePersonalDefaults, SHARED_OWNER, } from "../resources/store.js";
 import nodePath from "node:path";
 import { readBody } from "./h3-helpers.js";
 import { getBuilderBrowserConnectUrl } from "./builder-browser.js";
+import { captureCliOutput } from "./cli-capture.js";
 // Lazy fs — loaded via dynamic import() on first use.
 // This avoids require() which bundlers convert to createRequire(import.meta.url)
 // that crashes on CF Workers where import.meta.url is undefined.
@@ -27,7 +29,9 @@ async function lazyFs() {
 }
 /**
  * Wraps a core CLI script (that writes to console.log) as a ActionEntry
- * by capturing stdout.
+ * by capturing stdout. Uses an AsyncLocalStorage-backed capture so
+ * concurrent tool calls do not corrupt the global console/stdout pointers
+ * (see `cli-capture.ts`).
  */
 function wrapCliScript(tool, cliDefault, opts) {
     return {
@@ -38,39 +42,7 @@ function wrapCliScript(tool, cliDefault, opts) {
             for (const [k, v] of Object.entries(args)) {
                 cliArgs.push(`--${k}`, v);
             }
-            const logs = [];
-            const origLog = console.log;
-            const origError = console.error;
-            const origStdoutWrite = process.stdout.write;
-            console.log = (...a) => {
-                logs.push(a.map(String).join(" "));
-            };
-            console.error = (...a) => {
-                logs.push(a.map(String).join(" "));
-            };
-            // Intercept process.stdout.write so scripts that write directly
-            // (e.g. resource-read) have their output captured
-            process.stdout.write = ((chunk, ...rest) => {
-                if (typeof chunk === "string") {
-                    logs.push(chunk);
-                }
-                else if (Buffer.isBuffer(chunk)) {
-                    logs.push(chunk.toString());
-                }
-                return true;
-            });
-            try {
-                await cliDefault(cliArgs);
-            }
-            catch (err) {
-                logs.push(`Error: ${err?.message ?? String(err)}`);
-            }
-            finally {
-                console.log = origLog;
-                console.error = origError;
-                process.stdout.write = origStdoutWrite;
-            }
-            return logs.join("\n") || "(no output)";
+            return captureCliOutput(() => cliDefault(cliArgs));
         },
     };
 }
@@ -156,6 +128,12 @@ function createRefreshScreenEntry() {
 }
 /** Well-known application-state key used by the refresh-screen tool. */
 const SCREEN_REFRESH_KEY = "__screen_refresh__";
+/**
+ * In-memory rate-limit tracker for `/generate-title`. Keyed by user email,
+ * value is recent invocation timestamps within the rolling window. Stale
+ * entries are pruned on read.
+ */
+const generateTitleRateLimit = new Map();
 /**
  * Creates the `set-search-params` / `set-url-path` tools. Writes a one-shot
  * URL command to application_state; the client's URLSync component applies
@@ -953,6 +931,8 @@ const FRAMEWORK_CORE_COMPACT = `
 6. **Memory** — Use \`save-memory\` proactively when you learn preferences, corrections, or project context.
 7. **Security** — Always use parameterized queries. Never \`dangerouslySetInnerHTML\`, \`innerHTML\`, or \`eval()\`.
 8. **\`db-*\` tools are internal only** — \`db-query\`, \`db-exec\`, \`db-patch\` ONLY access the app's own SQL database (settings, application_state, template tables). They CANNOT reach BigQuery, HubSpot, GA4, Jira, or any external data source. If the user asks about a table that is NOT in the app schema (e.g. \`dbt_analytics.*\`, \`dbt_mart.*\`, or any fully-qualified \`project.dataset.table\`), use the appropriate template action instead — \`bigquery\` for warehouse tables, \`ga4-report\` for Google Analytics, \`hubspot-deals\` for HubSpot, etc. **Never use \`db-query\` for external data — it will fail.**
+9. **Never fabricate data** — Do NOT invent numbers, metrics, records, or query results. Do NOT present estimated or example data as if it were real. If a data source is unavailable (missing credentials, connection error, tool failure), say so clearly, note the gap, and work with whatever data you do have. If no data can be retrieved at all, say "I can't retrieve this data right now" and explain why. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.
+10. **Never fabricate success from tool errors** — When any tool call returns an error (marked \`isError: true\`, contains "Command failed", "Error:", or non-zero exit output), the operation FAILED. Do NOT synthesize a success narrative or describe what the action "would have" produced. Report the failure verbatim from the tool output. This applies especially to \`shell(command="pnpm action ...")\` calls: if the action threw, it did NOT succeed.
 
 ### Resources
 
@@ -1117,6 +1097,8 @@ const FRAMEWORK_CORE = `
 6. **Memory** — Use the structured memory system to persist knowledge across sessions. Use \`save-memory\` proactively when you learn preferences, corrections, or project context. Update shared AGENTS.md for instructions that should apply to all users.
 7. **Security** — Always use \`defineAction\` with a Zod \`schema:\` for input validation. Never construct SQL with string concatenation — use parameterized queries via db-query/db-exec. Never use \`dangerouslySetInnerHTML\`, \`innerHTML\`, or \`eval()\`. Never expose secrets in responses or source code. Every table with user data must have \`owner_email\`.
 8. **\`db-*\` tools are internal only** — \`db-query\`, \`db-exec\`, \`db-patch\` ONLY access the app's own SQL database (settings, application_state, template tables). They CANNOT reach BigQuery, HubSpot, GA4, Jira, or any external data source. If the user asks about a table that is NOT in the app schema (e.g. \`dbt_analytics.*\`, \`dbt_mart.*\`, or any fully-qualified \`project.dataset.table\`), use the appropriate template action instead — \`bigquery\` for warehouse tables, \`ga4-report\` for Google Analytics, \`hubspot-deals\` for HubSpot, etc. **Never use \`db-query\` for external data — it will fail.**
+9. **Never fabricate data** — Do NOT invent numbers, metrics, records, or query results. Do NOT present estimated or example data as if it were real. If a data source is unavailable (missing credentials, connection error, tool failure), say so clearly, note the gap, and work with whatever data you do have. If no data can be retrieved at all, say "I can't retrieve this data right now" and explain why. Presenting made-up data as real is a critical failure — it is worse than admitting the limitation.
+10. **Never fabricate success from tool errors** — When any tool call returns an error (marked \`isError: true\`, contains "Command failed", "Error:", or non-zero exit output), the operation FAILED. Do NOT synthesize a success narrative, format a result table, or describe what the action "would have" produced. Report the failure verbatim from the tool output. This applies especially to \`shell(command="pnpm action ...")\` calls: if the underlying action threw (visible in the error text), the action did NOT succeed — report the error, do not describe a successful outcome.
 
 ### Resources
 
@@ -1274,8 +1256,16 @@ The agent and the UI are equal partners — everything the UI can do, you can do
 
 **In production mode, you operate through registered actions exposed as tools.** These are your capabilities — use them to read data, take actions, and help the user. You cannot edit source code or access the filesystem directly. Your tools are the app's API.
 
+### Tools (Mini-Apps) — Use \`create-tool\` for tools / widgets / dashboards
+
+If the user asks you to create, build, or make a **tool**, **widget**, **dashboard**, **calculator**, **mini-app**, or any small self-contained interactive utility — call \`create-tool\` immediately with a self-contained Alpine.js HTML body. This is **NOT** a code change and does **NOT** go through \`connect-builder\`. Tools are sandboxed mini-apps stored in the database — no source files are touched, no PR is opened, no build is required. The tool appears in the Tools view and can be edited later via \`update-tool\`.
+
+When in doubt — if the request mentions "tool", "widget", "dashboard", "calculator", or asks for a small interactive utility — choose \`create-tool\`. Do **not** preface the call with planning text like "let me build the dashboard…" — just call \`create-tool\` directly. One tool call, one response.
+
 ### Code Changes Not Available — Call \`connect-builder\` Immediately
 
+If the request matches the Tools section above (tool / widget / dashboard / calculator / mini-app), use \`create-tool\` instead — do NOT route it to \`connect-builder\`.
+
 When the user asks you to change the UI, modify code, add a feature, fix a bug in the app itself, change styles, add a hook, create a component, add a route, add an integration, or anything else that requires editing source files — you MUST take exactly these steps, in order:
 
 1. Call the \`connect-builder\` tool, passing the user's full request verbatim as the \`prompt\` argument. This renders an inline card. If Builder is connected, the card hands the prompt off to Builder's cloud agent on one click and returns a branch URL; otherwise it shows a connect / waitlist flow. Either way, Builder writes the code — no local setup, no clone, no install.
@@ -1323,9 +1313,13 @@ The agent and the UI are equal partners — everything the UI can do, you can do
 
 **In production mode, you operate through registered actions exposed as tools.** These are your capabilities — use them to read data, take actions, and help the user. You cannot edit source code or access the filesystem directly. Your tools are the app's API.
 
+### Tools (Mini-Apps) — Use \`create-tool\`
+
+If the user asks for a **tool**, **widget**, **dashboard**, **calculator**, or **mini-app**, call \`create-tool\` immediately with a self-contained Alpine.js HTML body. This is NOT a code change — tools are sandboxed mini-apps stored in the database. Do not preface with "let me build…" — just call \`create-tool\`.
+
 ### Code Changes — Call \`connect-builder\`
 
-When the user asks to change the UI, modify code, add a feature, or fix a bug in the app itself — call \`connect-builder\` immediately, passing the user's request as the \`prompt\`. Do NOT write code, list files, make plans, or spawn sub-agents for code changes. Builder handles it in the cloud. Mention \`npx agent-native create <app-name>\` as an offline fallback.
+When the user asks to change the UI, modify code, add a feature, or fix a bug in the app itself — call \`connect-builder\` immediately, passing the user's request as the \`prompt\`. (Tool / widget / dashboard requests use \`create-tool\` instead — see above.) Do NOT write code, list files, make plans, or spawn sub-agents for code changes. Builder handles it in the cloud. Mention \`npx agent-native create <app-name>\` as an offline fallback.
 ${FRAMEWORK_CORE_COMPACT}`;
 const DEV_FRAMEWORK_PROMPT_COMPACT = `## Agent-Native Framework — Development Mode
 
@@ -1760,9 +1754,8 @@ export function createAgentChatPlugin(options) {
                 ...engineScripts,
             };
             const callAgentScript = await createCallAgentScriptEntry(options?.appId);
-            let _currentRequestOrigin = "http://localhost:3000";
             const browserTools = createBuilderBrowserTool({
-                getOrigin: () => _currentRequestOrigin,
+                getOrigin: () => getRequestRunContext()?.requestOrigin ?? "http://localhost:3000",
             });
             // Auto-mount A2A protocol endpoints so every app is discoverable
             // and callable by other agents via the standard protocol.
@@ -1893,27 +1886,57 @@ export function createAgentChatPlugin(options) {
                 }
                 catch { }
             }
-            // Mutable owner — set per-request by the production handler, read by
-            // automation tools and fetch tool via closure. Declared here (before
-            // allScripts) so the tools are in scope when allScripts is built.
-            let _currentRunOwner = "local@localhost";
-            // Automation tools + fetch tool — depend on _currentRunOwner via callback
+            // Per-request owner is read from the AsyncLocalStorage run context
+            // (populated by prepareRun). Module-scope `let` would race across
+            // concurrent requests on a long-lived Node process — overlapping
+            // tool calls would observe whichever request wrote last. ALS gives
+            // each async call-chain its own view of the owner.
+            //
+            // Falls back to `getRequestUserEmail()` so callers that wrap work
+            // in `runWithRequestContext({ userEmail }, …)` without going through
+            // `prepareRun` (recurring jobs, trigger dispatcher) still see the
+            // correct owner.
+            //
+            // SECURITY: returns `null` when neither the run context nor the
+            // request user-email is populated. Consumers MUST short-circuit
+            // with an explicit error rather than fall back to a sentinel
+            // identity (e.g. DEV_MODE_USER_EMAIL). The previous fallback to
+            // `local@localhost` slipped past `guard-no-localhost-fallback`
+            // because the literal was hidden behind a symbolic alias —
+            // any agent loop that reached this code without a populated
+            // session would resolve `${keys.NAME}` against the dev-shim's
+            // `app_secrets WHERE scope_id='local@localhost'` rows. See
+            // audit 02 (HIGH: getCurrentRunOwner) and the
+            // 2026-04-29 credentials-leak incident for the prior shape.
+            const getCurrentRunOwner = () => getRequestRunContext()?.owner ?? getRequestUserEmail() ?? null;
+            const requireCurrentRunOwner = (operation) => {
+                const owner = getCurrentRunOwner();
+                if (!owner) {
+                    throw new Error(`[agent-chat] No authenticated owner in run context — ` +
+                        `refusing to ${operation}. Ensure the request goes through ` +
+                        `prepareRun() or is wrapped in runWithRequestContext({ userEmail, ... }).`);
+                }
+                return owner;
+            };
+            // Automation tools + fetch tool — depend on owner via callback.
+            // Each callback short-circuits with a clear error when the run context
+            // has no authenticated owner (see SECURITY note on getCurrentRunOwner).
             let automationTools = {};
             try {
                 const { createAutomationToolEntries } = await import("../triggers/actions.js");
-                automationTools = createAutomationToolEntries(() => _currentRunOwner);
+                automationTools = createAutomationToolEntries(() => requireCurrentRunOwner("manage automations"));
             }
             catch { }
             let notificationTools = {};
             try {
                 const { createNotificationToolEntries } = await import("../notifications/actions.js");
-                notificationTools = createNotificationToolEntries(() => _currentRunOwner);
+                notificationTools = createNotificationToolEntries(() => requireCurrentRunOwner("manage notifications"));
             }
             catch { }
             let progressTools = {};
             try {
                 const { createProgressToolEntries } = await import("../progress/actions.js");
-                progressTools = createProgressToolEntries(() => _currentRunOwner);
+                progressTools = createProgressToolEntries(() => requireCurrentRunOwner("manage progress"));
             }
             catch { }
             let fetchTool = {};
@@ -1921,10 +1944,10 @@ export function createAgentChatPlugin(options) {
                 const { createFetchToolEntry } = await import("../tools/fetch-tool.js");
                 const { resolveKeyReferences, validateUrlAllowlist, getKeyAllowlist } = await import("../secrets/substitution.js");
                 fetchTool = createFetchToolEntry({
-                    resolveKeys: async (text) => resolveKeyReferences(text, "user", _currentRunOwner),
+                    resolveKeys: async (text) => resolveKeyReferences(text, "user", requireCurrentRunOwner("resolve key references")),
                     validateUrl: async (url, usedKeys) => {
                         for (const keyName of usedKeys) {
-                            const allowlist = await getKeyAllowlist(keyName, "user", _currentRunOwner);
+                            const allowlist = await getKeyAllowlist(keyName, "user", requireCurrentRunOwner("validate URL allowlist"));
                             if (allowlist && !validateUrlAllowlist(url, allowlist)) {
                                 return false;
                             }
@@ -1994,11 +2017,80 @@ export function createAgentChatPlugin(options) {
                 streaming: true,
                 handler: async function* (message, context) {
                     // Resolve the caller's identity for user-scoped data access.
+                    // Priority: A2A-JWT verified email (set by the A2A handler in
+                    // request-context) > dev session DB (dev only) > Google OAuth
+                    // tokeninfo (prod only). Without the JWT-verified-email path,
+                    // cross-app A2A calls landed owned by `local@localhost` (dev) or
+                    // `dispatch@shared`, which made resources invisible to the actual
+                    // signed-in user.
+                    //
+                    // SECURITY: we deliberately do NOT trust `context.metadata.userEmail`
+                    // as a fallback. The A2A endpoint runs in three modes — JWT-signed
+                    // (verified email lands in request context), API-key (caller is
+                    // app-authenticated but NOT user-authenticated), and unsigned
+                    // (no auth at all). Trusting caller-supplied metadata on the latter
+                    // two paths would let any reachable caller forge `metadata.userEmail`
+                    // and impersonate an arbitrary user. The JWT path already populates
+                    // the request context, so the metadata fallback was only ever used
+                    // on the unauthenticated paths — exactly where it's unsafe.
                     const isDev = process.env.NODE_ENV !== "production";
                     let userEmail;
-                    if (isDev) {
-                        userEmail = context.metadata?.userEmail || undefined;
-                        if (!userEmail) {
+                    // 1. JWT-verified email from A2A receiver (auth boundary already
+                    //    enforced upstream). Works in dev AND prod.
+                    try {
+                        const { getRequestUserEmail } = await import("./request-context.js");
+                        userEmail = getRequestUserEmail();
+                    }
+                    catch { }
+                    // Dev-mode-only: when no JWT-verified email is present, fall back
+                    // to the most recently logged-in session. This is convenient for a
+                    // single-developer dev box but is a silent-impersonation hole if
+                    // it ever fires in production or on an exposed dev environment
+                    // (preview deploys, ngrok tunnels, etc.).
+                    //
+                    // SECURITY: gate this fallback narrowly:
+                    //   - NODE_ENV strictly === "development" (not "test", not unset).
+                    //   - AUTH_MODE === "local" (the dev-only auth shim).
+                    //   - Request host is localhost / 127.0.0.1 (best-effort: when the
+                    //     A2A handler doesn't have direct H3 event access, we rely on
+                    //     env-based shape checks).
+                    //
+                    // In production this MUST never fire — the runtime assertion
+                    // below crashes loud if NODE_ENV === "production" somehow reaches
+                    // this block.
+                    if (!userEmail && isDev) {
+                        if (process.env.NODE_ENV === "production") {
+                            throw new Error("[agent-chat] Dev-mode 'latest session' fallback reached in production — refusing.");
+                        }
+                        const strictlyDev = process.env.NODE_ENV === "development";
+                        const localAuthMode = process.env.AUTH_MODE === "local";
+                        // Request host check: rely on the request-context request origin
+                        // which prepareRun() / mountActionRoutes populate. The A2A
+                        // handler doesn't have direct H3 event access, but on a
+                        // misconfigured non-localhost dev box we still want to refuse.
+                        let isLocalHost = false;
+                        try {
+                            const origin = getRequestRunContext()?.requestOrigin;
+                            if (origin) {
+                                const url = new URL(origin);
+                                isLocalHost =
+                                    url.hostname === "localhost" ||
+                                        url.hostname === "127.0.0.1" ||
+                                        url.hostname === "::1";
+                            }
+                            else {
+                                // No origin in context — the A2A handler runs without an
+                                // explicit request origin. Treat absence as permissive only
+                                // when we're confident the process is dev-only (NODE_ENV
+                                // strictly "development" + AUTH_MODE=local). Otherwise
+                                // refuse.
+                                isLocalHost = strictlyDev && localAuthMode;
+                            }
+                        }
+                        catch {
+                            isLocalHost = false;
+                        }
+                        if (strictlyDev && localAuthMode && isLocalHost) {
                             try {
                                 const { getDbExec } = await import("../db/client.js");
                                 const db = getDbExec();
@@ -2012,7 +2104,7 @@ export function createAgentChatPlugin(options) {
                             catch { }
                         }
                     }
-                    else {
+                    if (!userEmail && !isDev) {
                         const googleToken = context.metadata?.googleToken;
                         if (googleToken) {
                             try {
@@ -2027,9 +2119,6 @@ export function createAgentChatPlugin(options) {
                             catch { }
                         }
                     }
-                    if (userEmail) {
-                        process.env.AGENT_USER_EMAIL = userEmail;
-                    }
                     const text = message.parts
                         .filter((p) => p.type === "text")
                         .map((p) => p.text)
@@ -2053,7 +2142,9 @@ export function createAgentChatPlugin(options) {
                     const devActive = isDevMode();
                     const handler = devActive && devHandler ? devHandler : prodHandler;
                     // Build the same system prompt the interactive agent uses
-                    const owner = userEmail || "local@localhost";
+                    if (!userEmail)
+                        throw new Error("no authenticated user");
+                    const owner = userEmail;
                     const resources = await loadResourcesForPrompt(owner, lazyContext);
                     const schemaBlock = lazyContext
                         ? ""
@@ -2061,7 +2152,7 @@ export function createAgentChatPlugin(options) {
                     const systemPrompt = devActive
                         ? devPrompt + resources + schemaBlock
                         : basePrompt + resources + schemaBlock;
-                    const model = options?.model ?? "claude-sonnet-4-6";
+                    const model = options?.model ?? DEFAULT_MODEL;
                     // Build tools — same as interactive handler but WITHOUT call-agent
                     // to prevent infinite recursive A2A loops (agent calling itself).
                     // In dev mode, template actions are invoked via shell (not native tools),
@@ -2181,7 +2272,7 @@ export function createAgentChatPlugin(options) {
                         engineOption: options?.engine,
                         apiKey: options?.apiKey,
                     });
-                    const model = options?.model ?? "claude-sonnet-4-6";
+                    const model = options?.model ?? DEFAULT_MODEL;
                     // Same actions as A2A — without call-agent to prevent loops.
                     // In dev mode, template actions go through shell, not native tools.
                     const devActiveMcp = isDevMode();
@@ -2207,10 +2298,10 @@ export function createAgentChatPlugin(options) {
                             ...toolActions,
                         };
                     const mcpTools = actionsToEngineTools(mcpActions);
-                    const resources = await loadResourcesForPrompt("local@localhost", lazyContext);
+                    const resources = await loadResourcesForPrompt(DEV_MODE_USER_EMAIL, lazyContext);
                     const schemaBlock = lazyContext
                         ? ""
-                        : await buildSchemaBlock("local@localhost", devActiveMcp);
+                        : await buildSchemaBlock(DEV_MODE_USER_EMAIL, devActiveMcp);
                     // Build the MCP handler's own prompt — always use the shell-based
                     // dev prompt in dev mode because mcpActions routes template actions
                     // through shell (`devScriptsForA2A`), regardless of `nativeActionsInDev`.
@@ -2248,13 +2339,15 @@ export function createAgentChatPlugin(options) {
             });
             // Resolve owner from the H3 event's session — matches how resources are created
             const getOwnerFromEvent = async (event) => {
-                try {
-                    const session = await getSession(event);
-                    return session?.email || "local@localhost";
-                }
-                catch {
-                    return "local@localhost";
+                const session = await getSession(event);
+                if (!session?.email) {
+                    const { createError } = await import("h3");
+                    throw createError({
+                        statusCode: 401,
+                        statusMessage: "Unauthenticated",
+                    });
                 }
+                return session.email;
             };
             // Auto-mount template actions as HTTP endpoints under /_agent-native/actions/
             // Include engine management script so the UI can call manage-agent-engine.
@@ -2348,10 +2441,11 @@ export function createAgentChatPlugin(options) {
                         }
                         // Store debug metadata so we can inspect what the LLM actually
                         // received (system prompt, model, engine) when diagnosing issues.
+                        const runCtx = getRequestRunContext();
                         repo._debug = {
-                            systemPrompt: _currentRunSystemPrompt,
-                            model: _currentRunModel ?? resolvedModel,
-                            engine: _currentRunEngine?.name ?? "unknown",
+                            systemPrompt: runCtx?.systemPrompt,
+                            model: runCtx?.model ?? resolvedModel,
+                            engine: runCtx?.engine?.name ?? "unknown",
                             timestamp: Date.now(),
                         };
                         const meta = extractThreadMeta(repo);
@@ -2361,13 +2455,32 @@ export function createAgentChatPlugin(options) {
                         // Best-effort — don't break cleanup
                     }
                 });
-                // Emit agent.turn.completed for automation triggers
+                // Emit agent.turn.completed for automation triggers.
+                //
+                // SECURITY: include `owner` so the trigger dispatcher's tenant-scope
+                // check engages (see triggers/dispatcher.ts:212-218). Without an
+                // owner, every user's matching `agent.turn.completed` trigger
+                // would fire when ANY user's chat turn completes — cross-tenant
+                // fan-out (audit 12 #9). Owner comes from the thread row when
+                // available (most reliable; persisted at thread create time),
+                // falling back to the current run context's owner. If neither
+                // resolves we skip emission entirely rather than emit unowned.
                 try {
-                    const { emit } = await import("../event-bus/index.js");
-                    emit("agent.turn.completed", {
-                        threadId,
-                        model: resolvedModel,
-                    });
+                    let ownerEmail;
+                    try {
+                        const ownerThread = await getThread(threadId);
+                        ownerEmail = ownerThread?.ownerEmail;
+                    }
+                    catch {
+                        // ignore — fall through to run-context owner
+                    }
+                    if (!ownerEmail) {
+                        ownerEmail = getRequestRunContext()?.owner;
+                    }
+                    if (ownerEmail) {
+                        const { emit } = await import("../event-bus/index.js");
+                        emit("agent.turn.completed", { threadId, model: resolvedModel }, { owner: ownerEmail });
+                    }
                 }
                 catch {
                     // Event bus not available — skip
@@ -2428,18 +2541,10 @@ export function createAgentChatPlugin(options) {
             // Each run gets its own send function, keyed by threadId so concurrent
             // requests for different threads don't clobber each other.
             const _runSendByThread = new Map();
-            let _currentRunUserApiKey;
-            let _currentRunThreadId = "";
-            let _currentRunSystemPrompt = basePrompt;
-            // Populated by onEngineResolved per request so sub-agents inherit
-            // whichever provider + model the user configured (OpenRouter, Groq, …)
-            // instead of silently falling back to Anthropic + Claude.
-            let _currentRunEngine;
-            let _currentRunModel;
-            const resolvedModel = options?.model ?? "claude-sonnet-4-6";
+            const resolvedModel = options?.model ?? DEFAULT_MODEL;
             const teamTools = createTeamTools({
-                getOwner: () => _currentRunOwner,
-                getSystemPrompt: () => _currentRunSystemPrompt,
+                getOwner: () => requireCurrentRunOwner("spawn or manage sub-agents"),
+                getSystemPrompt: () => getRequestRunContext()?.systemPrompt ?? basePrompt,
                 getActions: () => isDevMode()
                     ? {
                         // Sub-agents spawned in dev mode also invoke template actions
@@ -2460,20 +2565,24 @@ export function createAgentChatPlugin(options) {
                         ...urlTools,
                         ...chatScripts,
                     },
-                getEngine: () => _currentRunEngine ??
-                    createAnthropicEngine({
-                        // Sub-agents must inherit the parent run's resolved key so a
-                        // BYO-key user can't bypass the free-tier check on the parent
-                        // run and then have agent-teams spawn delegations bill the platform key.
-                        apiKey: _currentRunUserApiKey ??
-                            options?.apiKey ??
-                            process.env.ANTHROPIC_API_KEY,
-                    }),
-                getModel: () => _currentRunModel ?? resolvedModel,
-                getParentThreadId: () => _currentRunThreadId,
+                getEngine: () => {
+                    const runCtx = getRequestRunContext();
+                    return (runCtx?.engine ??
+                        createAnthropicEngine({
+                            // Sub-agents must inherit the parent run's resolved key so
+                            // delegations spawned by agent-teams don't silently fall back
+                            // to the platform key while the parent uses BYO credentials.
+                            apiKey: runCtx?.userApiKey ??
+                                options?.apiKey ??
+                                process.env.ANTHROPIC_API_KEY,
+                        }));
+                },
+                getModel: () => getRequestRunContext()?.model ?? resolvedModel,
+                getParentThreadId: () => getRequestRunContext()?.threadId ?? "",
                 getSend: () => {
                     // Return the send for the current run's thread
-                    const send = _runSendByThread.get(_currentRunThreadId);
+                    const threadId = getRequestRunContext()?.threadId ?? "";
+                    const send = _runSendByThread.get(threadId);
                     return send ?? null;
                 },
             });
@@ -2526,7 +2635,7 @@ export function createAgentChatPlugin(options) {
                 syncMcpActionEntries(mcpManager, prodActions);
             });
             // Always build the production handler (includes resource tools + call-agent + team tools)
-            // In production mode (!canToggle), enable usage tracking and limits
+            // In production mode (!canToggle), resolve the owner from the request session.
             const isHostedProd = !canToggle;
             const resolveExtraContext = async (event, owner) => {
                 if (!options?.extraContext)
@@ -2545,27 +2654,37 @@ export function createAgentChatPlugin(options) {
             // and tokens that minimal/voice apps don't need.
             const leanBasePrompt = (options?.systemPrompt ?? "") + prodActionsPrompt;
             // Per-request preamble shared by both prod and dev handlers. Resolves
-            // owner + user API key (stashed on the closure so downstream tools can
-            // reach them) and the template-authored `extraContext`. `extraContext`
-            // runs in every prompt variant (lean, lazy, full) — if a template
-            // defined it, they opted in; framework-provided content is what the
-            // token-saving modes strip.
+            // owner + user API key onto the AsyncLocalStorage run context so
+            // downstream tool closures (automation, fetch, team) read the
+            // current request's identity without racing against concurrent
+            // requests. `extraContext` runs in every prompt variant (lean, lazy,
+            // full) — if a template defined it, they opted in; framework-provided
+            // content is what the token-saving modes strip.
             const prepareRun = async (event) => {
-                _currentRequestOrigin = getOrigin(event);
                 const owner = await getOwnerFromEvent(event);
-                _currentRunOwner = owner;
                 const { getOwnerActiveApiKey } = await import("../agent/production-agent.js");
-                _currentRunUserApiKey = await getOwnerActiveApiKey(owner);
+                const userApiKey = await getOwnerActiveApiKey(owner);
+                const runCtx = ensureRequestRunContext();
+                if (runCtx) {
+                    runCtx.requestOrigin = getOrigin(event);
+                    runCtx.owner = owner;
+                    runCtx.userApiKey = userApiKey;
+                }
                 const extra = await resolveExtraContext(event, owner);
                 return { owner, extra };
             };
+            const setSystemPromptOnContext = (prompt) => {
+                const runCtx = ensureRequestRunContext();
+                if (runCtx)
+                    runCtx.systemPrompt = prompt;
+                return prompt;
+            };
             const prodHandler = createProductionAgentHandler({
                 actions: leanPrompt ? leanActions : prodActions,
                 systemPrompt: async (event) => {
                     const { owner, extra } = await prepareRun(event);
                     if (leanPrompt) {
-                        _currentRunSystemPrompt = leanBasePrompt + extra;
-                        return _currentRunSystemPrompt;
+                        return setSystemPromptOnContext(leanBasePrompt + extra);
                     }
                     const resources = await loadResourcesForPrompt(owner, lazyContext);
                     // In lazy context mode, skip embedding the full schema — the agent
@@ -2573,28 +2692,30 @@ export function createAgentChatPlugin(options) {
                     const schemaBlock = lazyContext
                         ? ""
                         : await buildSchemaBlock(owner, false);
-                    _currentRunSystemPrompt =
-                        basePrompt + resources + schemaBlock + extra;
-                    return _currentRunSystemPrompt;
+                    return setSystemPromptOnContext(basePrompt + resources + schemaBlock + extra);
                 },
-                model: options?.model ?? "claude-sonnet-4-6",
+                model: options?.model ?? DEFAULT_MODEL,
                 apiKey: options?.apiKey,
                 skipFilesContext: leanPrompt,
                 onEngineResolved: (engine, model) => {
-                    _currentRunEngine = engine;
-                    _currentRunModel = model;
+                    const runCtx = ensureRequestRunContext();
+                    if (runCtx) {
+                        runCtx.engine = engine;
+                        runCtx.model = model;
+                    }
                 },
                 onRunStart: (send, threadId) => {
                     _runSendByThread.set(threadId, send);
-                    _currentRunThreadId = threadId;
+                    const runCtx = ensureRequestRunContext();
+                    if (runCtx)
+                        runCtx.threadId = threadId;
                 },
                 onRunComplete: async (run, threadId) => {
                     if (threadId)
                         _runSendByThread.delete(threadId);
                     await onRunComplete(run, threadId);
                 },
-                // Usage tracking for hosted production deployments
-                trackUsage: isHostedProd,
+                // Resolve owner from session for usage attribution in hosted prod
                 resolveOwnerEmail: isHostedProd ? getOwnerFromEvent : undefined,
             });
             // Build the dev handler (with filesystem/shell/db tools) if environment allows toggling
@@ -2645,27 +2766,29 @@ export function createAgentChatPlugin(options) {
                     systemPrompt: async (event) => {
                         const { owner, extra } = await prepareRun(event);
                         if (leanPrompt) {
-                            _currentRunSystemPrompt = leanBasePrompt + extra;
-                            return _currentRunSystemPrompt;
+                            return setSystemPromptOnContext(leanBasePrompt + extra);
                         }
                         const resources = await loadResourcesForPrompt(owner, lazyContext);
                         const schemaBlock = lazyContext
                             ? ""
                             : await buildSchemaBlock(owner, true);
-                        _currentRunSystemPrompt =
-                            devPrompt + resources + schemaBlock + extra;
-                        return _currentRunSystemPrompt;
+                        return setSystemPromptOnContext(devPrompt + resources + schemaBlock + extra);
                     },
                     model: options?.model,
                     apiKey: options?.apiKey,
                     skipFilesContext: leanPrompt,
                     onEngineResolved: (engine, model) => {
-                        _currentRunEngine = engine;
-                        _currentRunModel = model;
+                        const runCtx = ensureRequestRunContext();
+                        if (runCtx) {
+                            runCtx.engine = engine;
+                            runCtx.model = model;
+                        }
                     },
                     onRunStart: (send, threadId) => {
                         _runSendByThread.set(threadId, send);
-                        _currentRunThreadId = threadId;
+                        const runCtx = ensureRequestRunContext();
+                        if (runCtx)
+                            runCtx.threadId = threadId;
                     },
                     onRunComplete: async (run, threadId) => {
                         if (threadId)
@@ -2713,10 +2836,11 @@ export function createAgentChatPlugin(options) {
                 return { devMode: currentDevMode, canToggle };
             }));
             // Mount save-key BEFORE the prefix handler so it isn't shadowed.
-            // Persists the user's key per-owner in the SQL settings table so it
-            // survives across serverless invocations (where mutating process.env
-            // and writing .env are both no-ops). Also updates process.env and
-            // .env when running locally for fast pickup by other handlers.
+            // Persists the user's API key in `app_secrets` (encrypted, scope=user,
+            // scopeId=email). Hard rule: never mutates process.env, never writes
+            // .env. User-pasted secrets must not become deploy-level identity —
+            // that's the cross-tenant leak class (KVesta Space, 2026-04).
+            // Consumers read these values per-request via `resolveSecret(key)`.
             getH3App(nitroApp).use(`${routePath}/save-key`, defineEventHandler(async (event) => {
                 if (getMethod(event) !== "POST") {
                     setResponseStatus(event, 405);
@@ -2730,75 +2854,35 @@ export function createAgentChatPlugin(options) {
                     return { error: "API key is required" };
                 }
                 const trimmedKey = key.trim();
-                // Persist per-owner so the key survives cold starts in serverless
-                // and so the user's key isn't shared across users on multi-tenant
-                // hosted deployments. We require a real authenticated owner here —
-                // `local@localhost` is the unauthenticated fallback and must never
-                // become the shared key bucket on hosted deployments.
                 const ownerEmail = await getOwnerFromEvent(event);
-                if (isHostedProd &&
-                    (!ownerEmail || ownerEmail === "local@localhost")) {
+                if (!ownerEmail || ownerEmail === DEV_MODE_USER_EMAIL) {
                     setResponseStatus(event, 401);
                     return { error: "Authentication required" };
                 }
-                if (ownerEmail && ownerEmail !== "local@localhost") {
-                    try {
-                        await putSetting(`user-api-key:${provider}:${ownerEmail}`, {
-                            key: trimmedKey,
-                        });
-                        // Verify the write actually landed — some managed DB drivers
-                        // swallow errors on degraded connections. Without this the
-                        // client sees "saved", reloads, and the usage-limit card
-                        // re-appears on the next message because the key isn't
-                        // really persisted.
-                        const check = await getSetting(`user-api-key:${provider}:${ownerEmail}`);
-                        if (!check ||
-                            typeof check.key !== "string" ||
-                            check.key !== trimmedKey) {
-                            throw new Error("settings write did not persist");
-                        }
-                    }
-                    catch (err) {
-                        if (isHostedProd) {
-                            console.error("[agent-chat] save-key persistence failed:", err instanceof Error ? err.message : err);
-                            setResponseStatus(event, 500);
-                            return {
-                                error: "Failed to persist API key. Please try again or contact support.",
-                            };
-                        }
-                        // Local dev falls through to the env-file path below.
-                    }
-                }
-                // In hosted/multi-tenant mode we deliberately do NOT touch
-                // process.env or .env: the per-owner SQL lookup above is the
-                // single source of truth, and overwriting the shared env key
-                // would leak one tenant's credentials into every subsequent
-                // request that hit the same warm instance without its own key.
-                if (!isHostedProd) {
-                    const providerToEnv = {
-                        anthropic: "ANTHROPIC_API_KEY",
-                        openai: "OPENAI_API_KEY",
-                        google: "GOOGLE_GENERATIVE_AI_API_KEY",
-                        groq: "GROQ_API_KEY",
-                        mistral: "MISTRAL_API_KEY",
-                        cohere: "COHERE_API_KEY",
+                const providerToEnv = {
+                    anthropic: "ANTHROPIC_API_KEY",
+                    openai: "OPENAI_API_KEY",
+                    google: "GOOGLE_GENERATIVE_AI_API_KEY",
+                    groq: "GROQ_API_KEY",
+                    mistral: "MISTRAL_API_KEY",
+                    cohere: "COHERE_API_KEY",
+                };
+                const secretKey = providerToEnv[provider] ?? `${provider.toUpperCase()}_API_KEY`;
+                try {
+                    const { writeAppSecret } = await import("../secrets/storage.js");
+                    await writeAppSecret({
+                        key: secretKey,
+                        value: trimmedKey,
+                        scope: "user",
+                        scopeId: ownerEmail,
+                    });
+                }
+                catch (err) {
+                    console.error("[agent-chat] save-key persistence failed:", err instanceof Error ? err.message : err);
+                    setResponseStatus(event, 500);
+                    return {
+                        error: "Failed to persist API key. Please try again or contact support.",
                     };
-                    const envVar = providerToEnv[provider] ?? `${provider.toUpperCase()}_API_KEY`;
-                    try {
-                        const path = await import("path");
-                        const { upsertEnvFile } = await import("./create-server.js");
-                        const envPath = path.join(process.cwd(), ".env");
-                        await upsertEnvFile(envPath, [
-                            { key: envVar, value: trimmedKey },
-                        ]);
-                    }
-                    catch {
-                        // Edge runtime — can't write .env, but can still update process.env
-                    }
-                    // Update process.env so the agent works immediately in the
-                    // current local-dev invocation; the SQL persist above covers
-                    // future invocations.
-                    process.env[envVar] = trimmedKey;
                 }
                 return { ok: true };
             }));
@@ -2836,7 +2920,7 @@ export function createAgentChatPlugin(options) {
                 // Query resources
                 try {
                     const resources = currentDevMode
-                        ? await resourceListAccessible("local@localhost")
+                        ? await resourceListAccessible(DEV_MODE_USER_EMAIL)
                         : await resourceList(SHARED_OWNER);
                     for (const r of resources) {
                         if (!seen.has(r.path)) {
@@ -2921,7 +3005,7 @@ export function createAgentChatPlugin(options) {
                 // Query resources with skills/ prefix
                 try {
                     const resourceSkills = currentDevMode
-                        ? await resourceListAccessible("local@localhost", "skills/")
+                        ? await resourceListAccessible(DEV_MODE_USER_EMAIL, "skills/")
                         : await resourceList(SHARED_OWNER, "skills/");
                     for (const r of resourceSkills) {
                         // Try to get content to parse frontmatter
@@ -2966,6 +3050,22 @@ export function createAgentChatPlugin(options) {
                     setResponseStatus(event, 405);
                     return { error: "Method not allowed" };
                 }
+                // Resolve the caller and run the entire stream inside a request
+                // context so custom mention providers can use `accessFilter` /
+                // `resolveAccess` when querying ownable tables. Without this,
+                // a provider that searches `decks` (or any sharable resource)
+                // would see every row regardless of ownership.
+                const mentionsOwner = await getOwnerFromEvent(event).catch(() => undefined);
+                let mentionsOrgId;
+                if (options?.resolveOrgId) {
+                    try {
+                        const resolved = await options.resolveOrgId(event);
+                        mentionsOrgId = resolved ?? undefined;
+                    }
+                    catch {
+                        mentionsOrgId = undefined;
+                    }
+                }
                 const query = getQuery(event);
                 const q = typeof query.q === "string" ? query.q.toLowerCase() : "";
                 const matchesQuery = (item) => !q ||
@@ -2976,148 +3076,154 @@ export function createAgentChatPlugin(options) {
                 setResponseHeader(event, "Content-Type", "application/x-ndjson");
                 setResponseHeader(event, "Cache-Control", "no-cache");
                 const stream = new ReadableStream({
-                    async start(controller) {
-                        const MAX_RESULTS = 50;
-                        let totalSent = 0;
-                        let cancelled = false;
-                        const flush = (batch) => {
-                            if (cancelled)
-                                return;
-                            const filtered = batch.filter(matchesQuery);
-                            if (filtered.length === 0)
-                                return;
-                            const remaining = MAX_RESULTS - totalSent;
-                            const toSend = filtered.slice(0, remaining);
-                            if (toSend.length > 0) {
-                                totalSent += toSend.length;
-                                try {
-                                    controller.enqueue(enc.encode(JSON.stringify({ items: toSend }) + "\n"));
-                                }
-                                catch {
-                                    // Stream was closed by client
-                                    cancelled = true;
-                                }
-                            }
-                        };
-                        // All sources run in parallel; each flushes independently.
-                        const sources = [];
-                        // 1. Resources from SQL (fast — flush first)
-                        sources.push((async () => {
+                    start(controller) {
+                        return runWithRequestContext({
+                            userEmail: mentionsOwner,
+                            orgId: mentionsOrgId,
+                        }, () => mentionsStreamWork(controller));
+                    },
+                    cancel() {
+                        // Client disconnected — stop enqueuing
+                    },
+                });
+                return stream;
+                async function mentionsStreamWork(controller) {
+                    const MAX_RESULTS = 50;
+                    let totalSent = 0;
+                    let cancelled = false;
+                    const flush = (batch) => {
+                        if (cancelled)
+                            return;
+                        const filtered = batch.filter(matchesQuery);
+                        if (filtered.length === 0)
+                            return;
+                        const remaining = MAX_RESULTS - totalSent;
+                        const toSend = filtered.slice(0, remaining);
+                        if (toSend.length > 0) {
+                            totalSent += toSend.length;
                             try {
-                                const resources = currentDevMode
-                                    ? await resourceListAccessible("local@localhost")
-                                    : await resourceList(SHARED_OWNER);
-                                flush(resources.map((r) => {
-                                    const isShared = r.owner === SHARED_OWNER;
-                                    return {
-                                        id: `resource:${r.path}`,
-                                        label: r.path.split("/").pop() || r.path,
-                                        description: r.path,
-                                        icon: "file",
-                                        source: isShared
-                                            ? "resource:shared"
-                                            : "resource:private",
-                                        refType: "file",
-                                        refPath: r.path,
-                                        section: "Files",
-                                    };
-                                }));
+                                controller.enqueue(enc.encode(JSON.stringify({ items: toSend }) + "\n"));
                             }
-                            catch { }
-                        })());
-                        // 2. Codebase files (dev mode only — can be slow on large repos)
-                        if (currentDevMode) {
-                            sources.push((async () => {
-                                const codebaseFiles = [];
-                                try {
-                                    await collectFiles(process.cwd(), "", 0, codebaseFiles);
-                                }
-                                catch { }
-                                flush(codebaseFiles.map((f) => ({
-                                    id: `codebase:${f.path}`,
-                                    label: f.name,
-                                    description: f.path !== f.name ? f.path : undefined,
-                                    icon: f.type,
-                                    source: "codebase",
+                            catch {
+                                // Stream was closed by client
+                                cancelled = true;
+                            }
+                        }
+                    };
+                    // All sources run in parallel; each flushes independently.
+                    const sources = [];
+                    // 1. Resources from SQL (fast — flush first)
+                    sources.push((async () => {
+                        try {
+                            const resources = currentDevMode
+                                ? await resourceListAccessible(DEV_MODE_USER_EMAIL)
+                                : await resourceList(SHARED_OWNER);
+                            flush(resources.map((r) => {
+                                const isShared = r.owner === SHARED_OWNER;
+                                return {
+                                    id: `resource:${r.path}`,
+                                    label: r.path.split("/").pop() || r.path,
+                                    description: r.path,
+                                    icon: "file",
+                                    source: isShared
+                                        ? "resource:shared"
+                                        : "resource:private",
                                     refType: "file",
-                                    refPath: f.path,
+                                    refPath: r.path,
                                     section: "Files",
-                                })));
-                            })());
-                        }
-                        // 3. Custom mention providers (each flushes independently)
-                        for (const [key, provider] of Object.entries(mentionProviders)) {
-                            sources.push((async () => {
-                                try {
-                                    const providerItems = await provider.search(q, event);
-                                    flush(providerItems.map((item) => ({
-                                        id: item.id,
-                                        label: item.label,
-                                        description: item.description,
-                                        icon: item.icon || provider.icon || "file",
-                                        source: key,
-                                        refType: item.refType,
-                                        refPath: item.refPath,
-                                        refId: item.refId,
-                                        section: provider.label,
-                                    })));
-                                }
-                                catch (e) {
-                                    console.error(`[agent-native] Mention provider "${key}" failed:`, e);
-                                }
-                            })());
+                                };
+                            }));
                         }
-                        // 4. Custom workspace agents
+                        catch { }
+                    })());
+                    // 2. Codebase files (dev mode only — can be slow on large repos)
+                    if (currentDevMode) {
                         sources.push((async () => {
+                            const codebaseFiles = [];
                             try {
-                                const owner = await getOwnerFromEvent(event);
-                                const { listAccessibleCustomAgents } = await import("../resources/agents.js");
-                                const agents = await listAccessibleCustomAgents(owner);
-                                flush(agents.map((agent) => ({
-                                    id: `custom-agent:${agent.id}`,
-                                    label: agent.name,
-                                    description: agent.description || agent.path,
-                                    icon: "agent",
-                                    source: "agent:custom",
-                                    refType: "custom-agent",
-                                    refPath: agent.path,
-                                    refId: agent.id,
-                                    section: "Agents",
-                                })));
-                            }
-                            catch (e) {
-                                console.error("[agent-native] Custom agent discovery failed:", e);
+                                await collectFiles(process.cwd(), "", 0, codebaseFiles);
                             }
+                            catch { }
+                            flush(codebaseFiles.map((f) => ({
+                                id: `codebase:${f.path}`,
+                                label: f.name,
+                                description: f.path !== f.name ? f.path : undefined,
+                                icon: f.type,
+                                source: "codebase",
+                                refType: "file",
+                                refPath: f.path,
+                                section: "Files",
+                            })));
                         })());
-                        // 5. Peer agent discovery (network call — often slowest)
+                    }
+                    // 3. Custom mention providers (each flushes independently)
+                    for (const [key, provider] of Object.entries(mentionProviders)) {
                         sources.push((async () => {
                             try {
-                                const agents = await discoverAgents(options?.appId);
-                                flush(agents.map((agent) => ({
-                                    id: `agent:${agent.id}`,
-                                    label: agent.name,
-                                    description: agent.description,
-                                    icon: "agent",
-                                    source: "agent",
-                                    refType: "agent",
-                                    refPath: agent.url,
-                                    refId: agent.id,
-                                    section: "Connected Agents",
+                                const providerItems = await provider.search(q, event);
+                                flush(providerItems.map((item) => ({
+                                    id: item.id,
+                                    label: item.label,
+                                    description: item.description,
+                                    icon: item.icon || provider.icon || "file",
+                                    source: key,
+                                    refType: item.refType,
+                                    refPath: item.refPath,
+                                    refId: item.refId,
+                                    section: provider.label,
                                 })));
                             }
                             catch (e) {
-                                console.error("[agent-native] Agent discovery failed:", e);
+                                console.error(`[agent-native] Mention provider "${key}" failed:`, e);
                             }
                         })());
-                        await Promise.all(sources);
-                        if (!cancelled)
-                            controller.close();
-                    },
-                    cancel() {
-                        // Client disconnected — stop enqueuing
-                    },
-                });
-                return stream;
+                    }
+                    // 4. Custom workspace agents
+                    sources.push((async () => {
+                        try {
+                            const owner = await getOwnerFromEvent(event);
+                            const { listAccessibleCustomAgents } = await import("../resources/agents.js");
+                            const agents = await listAccessibleCustomAgents(owner);
+                            flush(agents.map((agent) => ({
+                                id: `custom-agent:${agent.id}`,
+                                label: agent.name,
+                                description: agent.description || agent.path,
+                                icon: "agent",
+                                source: "agent:custom",
+                                refType: "custom-agent",
+                                refPath: agent.path,
+                                refId: agent.id,
+                                section: "Agents",
+                            })));
+                        }
+                        catch (e) {
+                            console.error("[agent-native] Custom agent discovery failed:", e);
+                        }
+                    })());
+                    // 5. Peer agent discovery (network call — often slowest)
+                    sources.push((async () => {
+                        try {
+                            const agents = await discoverAgents(options?.appId);
+                            flush(agents.map((agent) => ({
+                                id: `agent:${agent.id}`,
+                                label: agent.name,
+                                description: agent.description,
+                                icon: "agent",
+                                source: "agent",
+                                refType: "agent",
+                                refPath: agent.url,
+                                refId: agent.id,
+                                section: "Connected Agents",
+                            })));
+                        }
+                        catch (e) {
+                            console.error("[agent-native] Agent discovery failed:", e);
+                        }
+                    })());
+                    await Promise.all(sources);
+                    if (!cancelled)
+                        controller.close();
+                }
             }));
             // ─── Generate thread title ──────────────────────────────────────────
             getH3App(nitroApp).use(`${routePath}/generate-title`, defineEventHandler(async (event) => {
@@ -3126,6 +3232,19 @@ export function createAgentChatPlugin(options) {
                     return { error: "Method not allowed" };
                 }
                 const ownerEmail = await getOwnerFromEvent(event);
+                // Per-user rate limit: 10 calls / 60s. Prevents an authenticated
+                // user from spamming the endpoint to exhaust shared Anthropic
+                // credits on platform-key deployments.
+                const now = Date.now();
+                const limitWindowMs = 60_000;
+                const limitMax = 10;
+                const recent = (generateTitleRateLimit.get(ownerEmail) ?? []).filter((t) => now - t < limitWindowMs);
+                if (recent.length >= limitMax) {
+                    setResponseStatus(event, 429);
+                    return { error: "Rate limit exceeded" };
+                }
+                recent.push(now);
+                generateTitleRateLimit.set(ownerEmail, recent);
                 const body = await readBody(event);
                 const message = body?.message;
                 if (!message || typeof message !== "string") {
@@ -3498,14 +3617,6 @@ export function createAgentChatPlugin(options) {
                         // Session not available
                     }
                 }
-                // Also set process.env for backwards compat (CLI scripts, legacy readers)
-                process.env.AGENT_USER_EMAIL = owner;
-                if (resolvedOrgId) {
-                    process.env.AGENT_ORG_ID = resolvedOrgId;
-                }
-                else {
-                    delete process.env.AGENT_ORG_ID;
-                }
                 // Propagate the caller's IANA timezone from `x-user-timezone` so that
                 // tool calls made by the agent (e.g. log-meal with no explicit date)
                 // resolve "today" in the user's local timezone instead of server UTC.
@@ -3515,8 +3626,6 @@ export function createAgentChatPlugin(options) {
                     tzRaw.trim().length < 64
                     ? tzRaw.trim()
                     : undefined;
-                if (timezone)
-                    process.env.AGENT_USER_TIMEZONE = timezone;
                 return runWithRequestContext({ userEmail: owner, orgId: resolvedOrgId, timezone }, () => {
                     const handler = currentDevMode && devHandler ? devHandler : prodHandler;
                     return handler(event);
@@ -3635,9 +3744,10 @@ export function getGlobalMcpManager() {
     return _globalMcpManager;
 }
 function mountMcpHubStatusRoute(nitroApp) {
-    if (globalThis.__agentNativeMcpHubStatusMounted)
+    const mountedApps = (globalThis.__agentNativeMcpHubStatusMountedApps ??= new WeakSet());
+    if (mountedApps.has(nitroApp))
         return;
-    globalThis.__agentNativeMcpHubStatusMounted = true;
+    mountedApps.add(nitroApp);
     try {
         getH3App(nitroApp).use("/_agent-native/mcp/hub/status", defineEventHandler(async (event) => {
             if (getMethod(event) !== "GET") {
@@ -3653,10 +3763,11 @@ function mountMcpHubStatusRoute(nitroApp) {
     }
 }
 function mountMcpStatusRoute(nitroApp, manager) {
-    // Idempotent — agent-chat-plugin can be invoked once per process; guard anyway.
-    if (globalThis.__agentNativeMcpStatusMounted)
+    // Idempotent per Nitro app; dev-all may host multiple templates in one process.
+    const mountedApps = (globalThis.__agentNativeMcpStatusMountedApps ??= new WeakSet());
+    if (mountedApps.has(nitroApp))
         return;
-    globalThis.__agentNativeMcpStatusMounted = true;
+    mountedApps.add(nitroApp);
     try {
         getH3App(nitroApp).use("/_agent-native/mcp/status", defineEventHandler(async (event) => {
             if (getMethod(event) !== "GET") {